I spent a few days tracking down where an extra page in some image regions is coming from. That ultimately resulted in this post: https://ynwarcs.github.io/Win11-24H2-CFG. It's pretty long & technical so feel free to skim over it.

Basically, there's now hotpatching on Windows 11 24H2, and most of system modules are marked as hotpatchable, which makes kernel code extend their image region by a single page. This page will store new CFG functions, presumably so that they can be hotpatched painlessly. x64dbg assumed that the image region only contains header + sections, which caused the linked bug. This fix handles that, but I made it a little more generic (i.e. we don't assume there's only going to be a single page, or even that the leftover size in the region is page-aligned), if you want me to make the checks more specific to this page, let me know. At the moment, there's only a single page but this could change in the future I guess.

One more thing to note about this page is that it's seen as committed by the debugger, but is actually not committed by the OS, causing VirtualProtect to fail. I tried to tinker around and see if I could get it to work properly, but nothing really worked. This doesn't cause any specific bugs, but stuff like e.g. software breakpoints or writing to the memory on this page doesn't work. Since the debugger doesn't report back any issues about the failure of VirtualProtect, it's not obvious why the operation failed.

✅ Download x64dbg 1.0.1874 (commit e1eb85add9 by @ynwarcs)

I think the solution should be to check for that flag + build number and insert those pages as fake pages earlier. This way other potential logic errors could be hidden.