On Fri Sep 22 15:46:59 2023 +0000, Aidan Khoury wrote:
The native RtlImageHeader does not have boundary checks. I cannot do this check on RtlImageHeader's return value safely since that would be after RtlImageHeader has already potentially accessed an invalid address.
It has an exception handler around it, so
* either the field is not on a readable page and the exception will be fired, and you'll get a NULL pointer (SAFE)
* or the field is on a readable page but with a wrong magic value, and you'll get a NULL pointer (SAFE)
* or the field is on a readable page, with the expected magic value, and you'll get a non-NULL pointer, that you can check if it fits or not in mapped view before reading into it (SAFE)
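
The third case above (a non-NULL pointer that is checked against the mapped view before anything is read through it), as an added example that is not part of this thread or of the project's code. The helper name `nt_headers_fit_in_view`, the constants and the 512-byte sample buffer are assumptions made for illustration; the field offsets follow the PE/COFF header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIG_SIZE      4u   /* "PE\0\0" signature */
#define FILE_HDR_SIZE    20u  /* IMAGE_FILE_HEADER */
#define OPT_SIZE_OFFSET  (PE_SIG_SIZE + 16u) /* FileHeader.SizeOfOptionalHeader */

/* Hypothetical helper: 1 if the NT headers at `nt` lie wholly inside the
 * view [base, base + view_size), else 0. `nt` is the pointer a header
 * lookup returned; nothing behind it is read until it is known to fit. */
int nt_headers_fit_in_view(const void *base, size_t view_size, const void *nt)
{
    uintptr_t start = (uintptr_t)base, p = (uintptr_t)nt;
    size_t off, room, fixed = PE_SIG_SIZE + FILE_HDR_SIZE;
    const unsigned char *f;

    if (!base || !nt || p < start) return 0;
    off = p - start;
    if (off > view_size) return 0;
    room = view_size - off;          /* never form off + len: it can wrap */
    if (room < fixed) return 0;
    /* Signature and file header fit, so this 16-bit field is readable. */
    f = (const unsigned char *)nt + OPT_SIZE_OFFSET;
    return room - fixed >= (size_t)(f[0] | (f[1] << 8));
}

/* Constructed sample: a zeroed buffer standing in for a mapped view. */
static unsigned char sample[512];

/* Places a little-endian SizeOfOptionalHeader at nt_off and runs the check.
 * Callers keep nt_off and view_size within sizeof sample. */
int check_sample(size_t nt_off, size_t view_size, unsigned opt_size)
{
    memset(sample, 0, sizeof sample);
    if (nt_off + OPT_SIZE_OFFSET + 2 <= sizeof sample) {
        sample[nt_off + OPT_SIZE_OFFSET] = opt_size & 0xff;
        sample[nt_off + OPT_SIZE_OFFSET + 1] = (opt_size >> 8) & 0xff;
    }
    return nt_headers_fit_in_view(sample, view_size, sample + nt_off);
}

int main(void)
{
    printf("headers inside view:  %d\n", check_sample(0x80, 512, 0xF0));
    printf("optional hdr cut off: %d\n", check_sample(0x80, 300, 0xF0));
    printf("pointer near the end: %d\n", check_sample(500, 512, 0xF0));
    return 0;
}
```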