"Andrey Turkin" <[EMAIL PROTECTED]> wrote:
if (map_file_into_view( view, fd, 0, header_size, 0,
VPROT_COMMITTED | VPROT_READ,
- removable ) != STATUS_SUCCESS) goto error;
+ TRUE ) != STATUS_SUCCESS) goto error;
This chunk has nothin to do with the patch description and simply is wrong.
I've hardcoded removevable as TRUE here to force map_file_into_view to
read data and not mmap it (because mmap will map whole 4k page). Why is
it wrong? Some packers depend on this. As I said in patch description,
an alternative would be memset of area beyond header (which would lead
to mmap, then COW a page and then memset of almost 4k).
I reread your explanations and I see now that somehow I misinterpreted your
reasoning. What is the file alignment of the problematic PE file? Is it 512
(0x200) by any chance?
--
Dmitry.
