Views: 2108  Replies: 4
A mistake in the DDK documentation
Today I needed the function ZwFreeVirtualMemory, so I looked it up in the DDK 3790 help documentation:

Installable File System Kit
ZwFreeVirtualMemory
ZwFreeVirtualMemory releases, decommits, or both, a region of pages within the virtual address space of a specified process.

NTSTATUS ZwFreeVirtualMemory(
    IN PHANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG RegionSize,
    IN ULONG FreeType
);

Note that the type of the first parameter is PHANDLE rather than HANDLE. It felt a bit odd to me at the time, but I still used it the way the documentation said, and after an hour of trying it kept failing. Later, when I stepped into the function's code, I found that Microsoft's documentation is actually wrong. The prototype should be:

NTSTATUS ZwFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PULONG FreeSize, ULONG FreeType);

Below is the IDA output:

; NTSTATUS __stdcall ZwFreeVirtualMemory(HANDLE ProcessHandle,PVOID *BaseAddress,PULONG FreeSize,ULONG FreeType)
.text:00405D38 public _ZwFreeVirtualMemory@16
.text:00405D38 _ZwFreeVirtualMemory@16 proc near ; CODE XREF: NtTerminateThread(x,x)+141p
.text:00405D38 ; LsaFreeReturnBuffer(x)+19p ...
.text:00405D38
.text:00405D38 ProcessHandle = dword ptr 4
.text:00405D38 BaseAddress = dword ptr 8
.text:00405D38 FreeSize = dword ptr 0Ch
.text:00405D38 FreeType = dword ptr 10h
.text:00405D38
.text:00405D38 mov eax, 53h
.text:00405D3D lea edx, [esp+ProcessHandle]
.text:00405D41 pushf
.text:00405D42 push 8
.text:00405D44 call _KiSystemService
.text:00405D49 retn 10h
.text:00405D49 _ZwFreeVirtualMemory@16 endp ; sp = -8

/*************************************************/

PAGE:004918C7 ; NTSTATUS __stdcall NtFreeVirtualMemory(HANDLE ProcessHandle,PVOID *BaseAddress,PULONG FreeSize,ULONG FreeType)
PAGE:004918C7 public _NtFreeVirtualMemory@16
PAGE:004918C7 _NtFreeVirtualMemory@16 proc near ; DATA XREF: .text:0040B7F4o
………………………………
// compare whether the process handle is the current-process handle
PAGE:00491AF0 loc_491AF0: ; CODE XREF: NtFreeVirtualMemory(x,x,x,x)+88FCEj
PAGE:00491AF0 cmp [ebp+Handle], 0FFFFFFFFh
PAGE:00491AF4 jnz loc_51A89A

So it seems the documentation isn't necessarily correct either.
Reply #1
Posted: 2008-04-04 13:46
^_^
Reply #2
Posted: 2007-05-30 16:18
ZwFreeVirtualMemory

ZwFreeVirtualMemory frees virtual memory in the user mode address range.

NTSYSAPI
NTSTATUS
NTAPI
ZwFreeVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG FreeSize,
    IN ULONG FreeType
);

Parameters

ProcessHandle
A handle of a process object, representing the process from which the virtual memory should be freed. The handle must grant PROCESS_VM_OPERATION access.

BaseAddress
Points to a variable that specifies the base address of the virtual memory to be freed.

FreeSize
Points to a variable that specifies the size, in bytes, of the virtual memory to free and receives the size of virtual memory actually freed. If FreeType is MEM_RELEASE, this value must be zero.

FreeType
A set of flags that describes the type of de-allocation to be performed for the specified region of pages. The permitted values are:
MEM_DECOMMIT    Decommit but maintain reservation
MEM_RELEASE     Decommit and free reservation

Return Value
Returns STATUS_SUCCESS or an error status, such as STATUS_UNABLE_TO_FREE_VM, STATUS_UNABLE_TO_DELETE_SECTION, STATUS_FREE_VM_NOT_AT_BASE, STATUS_MEMORY_NOT_ALLOCATED, or STATUS_PROCESS_IS_TERMINATING.

Related Win32 Functions
VirtualFree, VirtualFreeEx.

Remarks
VirtualFreeEx exposes almost all of the functionality of ZwFreeVirtualMemory.

Have a look at the Native API Reference :)
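An added illustration, not code from this thread, from Microsoft, or from the Native API Reference, of the point made in the original post and of the parameter rules quoted in reply #2: a small portable C model of the service with the prototype the disassembly shows (ProcessHandle taken by value), plus two call sites. The region table, ModelAddRegion, ModelRegionState, ModelZwFreeVirtualMemory and the two Free* callers are constructed for this example; only the NT type names, the STATUS_* codes, the MEM_* flags and the (HANDLE)-1 current-process pseudo-handle are real. The model rejects any handle other than the current-process pseudo-handle, which is an assumption made to keep the example self-contained (the real kernel would resolve other handles through the object manager); the "DDK-style" call site pushes the address of a handle variable where the callee reads a handle value, which is exactly the bits a caller following the PHANDLE prototype would put on the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the NT types so this builds outside the DDK. */
typedef void *HANDLE;
typedef HANDLE *PHANDLE;
typedef void *PVOID;
typedef uint32_t ULONG;
typedef ULONG *PULONG;
typedef int32_t NTSTATUS;

#define NT_SUCCESS(s)               ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_INVALID_PARAMETER    ((NTSTATUS)0xC000000D)
#define STATUS_MEMORY_NOT_ALLOCATED ((NTSTATUS)0xC00000A0)
#define MEM_DECOMMIT                0x4000u
#define MEM_RELEASE                 0x8000u
/* Current-process pseudo-handle: the 0FFFFFFFFh that NtFreeVirtualMemory compares against. */
#define NtCurrentProcess()          ((HANDLE)(intptr_t)-1)

/* Toy model (constructed for this example) of the kernel's view of one process's regions. */
typedef struct {
    PVOID Base;
    ULONG Size;
    int   Committed;   /* 1 = committed, 0 = reserved only */
    int   InUse;
} ModelRegion;

static ModelRegion g_regions[8];

/* Pretend ZwAllocateVirtualMemory reserved and committed this region. Returns 1 on success. */
int ModelAddRegion(PVOID base, ULONG size)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        if (!g_regions[i].InUse) {
            g_regions[i].Base = base;
            g_regions[i].Size = size;
            g_regions[i].Committed = 1;
            g_regions[i].InUse = 1;
            return 1;
        }
    }
    return 0;
}

static ModelRegion *ModelFind(PVOID base)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++)
        if (g_regions[i].InUse && g_regions[i].Base == base)
            return &g_regions[i];
    return NULL;
}

/* 0 = no such region, 1 = reserved only, 2 = committed. */
int ModelRegionState(PVOID base)
{
    ModelRegion *r = ModelFind(base);
    return r == NULL ? 0 : (r->Committed ? 2 : 1);
}

/* Model of the service with the prototype the disassembly shows: ProcessHandle by value. */
NTSTATUS ModelZwFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress,
                                  PULONG RegionSize, ULONG FreeType)
{
    /* Mirrors "cmp [ebp+Handle], 0FFFFFFFFh". Assumption of this model: only the
       current-process pseudo-handle is known, so anything else is rejected. */
    if (ProcessHandle != NtCurrentProcess())
        return STATUS_INVALID_HANDLE;
    if (BaseAddress == NULL || RegionSize == NULL)
        return STATUS_INVALID_PARAMETER;
    if (FreeType != MEM_RELEASE && FreeType != MEM_DECOMMIT)
        return STATUS_INVALID_PARAMETER;

    ModelRegion *r = ModelFind(*BaseAddress);
    if (r == NULL)
        return STATUS_MEMORY_NOT_ALLOCATED;

    if (FreeType == MEM_RELEASE) {
        if (*RegionSize != 0)            /* reference quoted in reply #2: must be zero */
            return STATUS_INVALID_PARAMETER;
        *RegionSize = r->Size;           /* report what was actually freed */
        memset(r, 0, sizeof *r);         /* reservation is gone */
    } else {
        *RegionSize = r->Size;
        r->Committed = 0;                /* decommit but keep the reservation */
    }
    return STATUS_SUCCESS;
}

/* Call site written against the corrected prototype: HANDLE passed by value. */
NTSTATUS FreeAsCorrectlyPrototyped(PVOID base, ULONG freeType)
{
    PVOID addr = base;
    ULONG size = 0;
    return ModelZwFreeVirtualMemory(NtCurrentProcess(), &addr, &size, freeType);
}

/* Call site written against the DDK 3790 text (PHANDLE): the address of the handle
   variable lands in the stack slot the callee reads as the handle value. */
NTSTATUS FreeAsDdkDocumented(PVOID base)
{
    HANDLE hProcess = NtCurrentProcess();
    PHANDLE pHandle = &hProcess;
    PVOID addr = base;
    ULONG size = 0;
    return ModelZwFreeVirtualMemory((HANDLE)pHandle, &addr, &size, MEM_RELEASE);
}

int main(void)
{
    PVOID base = (PVOID)(uintptr_t)0x10000;   /* constructed address; never dereferenced */
    ModelAddRegion(base, 4096);
    printf("PHANDLE-style call: 0x%08X\n", (unsigned)FreeAsDdkDocumented(base));
    printf("HANDLE-style call : 0x%08X\n", (unsigned)FreeAsCorrectlyPrototyped(base, MEM_RELEASE));
    return 0;
}
```

The PHANDLE-style call fails with STATUS_INVALID_HANDLE and leaves the region untouched, which is the "kept failing for an hour" symptom from the original post; the by-value call releases it. In a real driver, the extra cost of the wrong prototype is that the garbage handle value reaches the kernel, which is consistent with the blue screens reported in reply #4.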
Reply #3
Posted: 2007-05-30 13:17
Post it :)
Reply #4
Posted: 2007-05-30 10:25
Yeah, there are several other places where HANDLE is written as PHANDLE too; it gave me a blue screen many times.
Everyone watch out!!!