I wrote a small procedure for scanning import tables of PE images.
It works fine on normal files, but always gives AVs with system dlls
like kernel32.dll, user32.dll etc.
I suspect it has something to do with the fact that import table
addresses for these PEs lie in a shared memory space beyond $80000000.
Are there any special privileges I should specify when loading the file
with CreateFile and CreateFileMapping?
I took care to specify the security attributes, but to no avail.
Attributes and descriptor are initialized like this:
-----------------------------
var
SA: TSecurityAttributes;
SD: TSecurityDescriptor;
begin
FillChar(SA, 0, SizeOf(TSecurityAttributes));
FillChar(SD, 0, SizeOf(TSecurityDescriptor));
SA.lpSecurityDescriptor := nil;
SA.nLength := SizeOf(TSecurityAttributes);
SA.bInheritHandle := True;
if (Win32Platform = VER_PLATFORM_WIN32_NT) then begin
InitializeSecurityDescriptor(@SD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(@SD, True, nil, False);
SA.lpSecurityDescriptor := @SD;
end;
...
------------------------------
What am I missing?
Regards,
Aleksander Oven
