windows operating-system virtual-address-space readprocessmemory virtualquery

Why can't I read data from blocks with PAGE_GUARD protection?


I read data from the address space using the ReadProcessMemory function. I try to read from all blocks that have the MEM_PRIVATE type. But I get an error (the function returns 0) when the block has PAGE_GUARD protection. Why?

Thanks to all.


Solution

  • A page that has PAGE_GUARD protection is guaranteed to not be accessible. Any access to it generates a page fault, reflected back into the process that owns the page as a STATUS_GUARD_PAGE_VIOLATION exception. This feature is used heavily in Windows to detect and recover from the condition this site is named for.

    The last two pages of the stack of a thread are guard pages. When a program recursively blows up, consumes all the stack space and triggers the exception, the operating system remaps those pages to make them usable as emergency stack space and re-raises a STATUS_STACK_OVERFLOW exception. Which allows the program to deal with the heart attack. A brief message and program termination is the usual outcome.

    Tripping the page guard exception is a one-shot affair, once you do there is no guard anymore. Clearly it is very, very important that only the code in the process trips it. There's no scenario where you poking around in the address space of another process and tripping the exception is ever going to come to a good end. Beyond the process having no idea what happened, and thus never being able to respond to the exception properly, it also removes the safety-hatch. If you poke one of the stack guard pages then you'd instantly terminate the program.

    Should be obvious by now, you are intentionally restricted from accessing these pages by using ReadProcessMemory(). Nothing good can possibly happen when you do. The return value tells you "nothing to see here, move on".
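
A region filter for the kind of scan the question describes, as an added example that is not part of the original question or answer: it checks each region's state, type and protection before ReadProcessMemory() is attempted, so guard pages are skipped instead of producing a failed read. The names region_is_readable and scan_private_memory are hypothetical, the PAGE_NOACCESS and commit checks go beyond the guard-page case discussed above, and the winnt.h constants are repeated only so the filter compiles off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Values from winnt.h, repeated so the filter also builds off Windows. */
typedef unsigned long DWORD;
#define MEM_COMMIT     0x1000
#define MEM_PRIVATE    0x20000
#define PAGE_NOACCESS  0x01
#define PAGE_READWRITE 0x04
#define PAGE_GUARD     0x100
#endif

/* Hypothetical helper: 1 if the region is worth passing to ReadProcessMemory(). */
int region_is_readable(DWORD state, DWORD type, DWORD protect)
{
    if (state != MEM_COMMIT)  return 0;  /* reserved or free: no pages behind it */
    if (type != MEM_PRIVATE)  return 0;  /* the question scans MEM_PRIVATE only */
    if (protect & PAGE_GUARD) return 0;  /* guard page: off limits to outside readers */
    if ((protect & 0xFF) == PAGE_NOACCESS) return 0;
    return 1;
}

#ifdef _WIN32
/* Handle needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; returns bytes read. */
size_t scan_private_memory(HANDLE process, unsigned char *buf, size_t buf_len)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    size_t total = 0;
    while (VirtualQueryEx(process, addr, &mbi, sizeof mbi) != 0) {
        if (region_is_readable(mbi.State, mbi.Type, mbi.Protect)) {
            SIZE_T got = 0, want = mbi.RegionSize < buf_len ? mbi.RegionSize : buf_len;
            /* Protection can change after the query, so still check the result. */
            if (ReadProcessMemory(process, mbi.BaseAddress, buf, want, &got))
                total += got;
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return total;
}
#endif

int main(void)
{
    /* Constructed sample: a committed private stack guard page. */
    printf("%d\n", region_is_readable(MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE | PAGE_GUARD));
    return 0;
}
```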