我想找到离目标地址最近的空闲内存地址，用来为 Code Cave 分配内存，但要求它位于 jmp 指令的 0xffffffff-80000000 限制范围内。我尝试了以下代码，但没有成功。
// Question fragment: the enclosing function's signature is not shown; ProcessID
// and MemorySize come from the surrounding scope.
DWORD64 MemAddr = 0;
// Target address rounded down to a 4K page boundary.
DWORD64 Address = 0x0000000140548AE6 & 0xFFFFFFFFFFFFF000;
// Second argument is BOOL bInheritHandle; NULL here means FALSE.
// PROCESS_ALL_ACCESS is far more than VirtualAllocEx needs (PROCESS_VM_OPERATION).
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID);
if (hProc){
// Walks Address-0x7FFFEFFF .. Address+0x7FFFEFFF in 100-byte steps: roughly
// 43 million VirtualAllocEx calls in the worst case, at addresses that are not
// page aligned. (Address - 0x7FFFEFFF) would wrap for an Address below
// 0x7FFFEFFF; not the case for the value above.
for (DWORD offset = 0; (Address + 0x000000007FFFEFFF)>((Address - 0x000000007FFFEFFF) + offset); offset += 100)
{
// MEM_COMMIT without MEM_RESERVE at an address that is not already reserved
// fails (ERROR_INVALID_ADDRESS), so this probe never succeeds on free memory.
// The answer below locates a MEM_FREE region with VirtualQueryEx and reserves
// and commits in one call (MEM_COMMIT | MEM_RESERVE) instead of probing blindly.
// PAGE_EXECUTE_READWRITE requests an RWX page in the remote process.
MemAddr = (DWORD64)VirtualAllocEx(hProc, (DWORD64*)((Address - 0x000000007FFFEFFF) + offset),MemorySize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if ((DWORD64)MemAddr){
break;
}
}
CloseHandle(hProc);
return (DWORD64)MemAddr;
} 返回0; // "返回0;" is a machine translation of the code line `return 0;`
目标进程为64位。
如果目标进程是x64，请确保你也在针对x64进行编译。
我出于同样的目的使用过下面这段代码：在4GB地址范围内查找空闲内存，以便在x64挂钩中使用x64 jmp。
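// Find a free region at or above nearThisAddr in hProc and commit one RWX page
// there, so that a rel32 jmp from nearThisAddr can reach the page.
//
// hProc        handle with query and allocate rights on the target process
// nearThisAddr address the returned page must be reachable from
// returns      base of the committed page, or 0 if no free region could be
//              allocated before nearThisAddr + 0x7FFF0000
//
// Only the upward direction is searched; free space below nearThisAddr is
// never tried. No error reporting beyond the 0 return: this is a PoC.
char* AllocNearbyMemory(HANDLE hProc, char* nearThisAddr)
{
    char* begin = nearThisAddr;
    // rel32 displacement is a signed 32-bit value; 0x7FFF0000 keeps the whole
    // page inside +2GB with some slack. The original walk never checked this
    // bound, so it could hand back memory the jmp cannot reach.
    char* end = nearThisAddr + 0x7FFF0000;
    MEMORY_BASIC_INFORMATION mbi{};
    char* curr = begin;
    while (curr < end)
    {
        // Query failure ends the walk (end of user address space, or the
        // handle lacks PROCESS_QUERY_INFORMATION).
        if (!VirtualQueryEx(hProc, curr, &mbi, sizeof(mbi)))
            break;
        if (mbi.State == MEM_FREE)
        {
            // Reserve and commit in one step: MEM_COMMIT alone on an
            // unreserved address fails. A reserve at an explicit address is
            // rounded down to allocation granularity, so it may still fail for
            // a free region that is not granularity-aligned; keep walking then.
            // PAGE_EXECUTE_READWRITE yields a writable and executable page.
            char* addr = (char*)VirtualAllocEx(hProc, mbi.BaseAddress, 0x1000,
                                               MEM_COMMIT | MEM_RESERVE,
                                               PAGE_EXECUTE_READWRITE);
            if (addr) return addr;
        }
        // Advance from the region base, not from curr: on the first iteration
        // curr may sit inside a region, and base + size is exactly the next
        // region's start.
        curr = (char*)mbi.BaseAddress + mbi.RegionSize;
    }
    return 0;
}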
请注意，这段代码没有任何错误检查，只是一个简单的PoC。