Memory: Get the nearest available memory with VirtualAllocEx


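I want to get the nearest available memory address so that I can allocate memory for a code cave, but I want it to be within the jmp instruction limit 0xffffffff-80000000. I am trying the following code, but with no luck.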

    DWORD64 MemAddr = 0;
    DWORD64 Address = 0x0000000140548AE6 & 0xFFFFFFFFFFFFF000;
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID);
    if (hProc){
        for (DWORD offset = 0; (Address + 0x000000007FFFEFFF)>((Address - 0x000000007FFFEFFF) + offset); offset += 100)
        {
            MemAddr = (DWORD64)VirtualAllocEx(hProc, (DWORD64*)((Address - 0x000000007FFFEFFF) + offset),MemorySize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if ((DWORD64)MemAddr){
                break;
            }
        }

        CloseHandle(hProc);
        return (DWORD64)MemAddr;
    }

Returns 0.


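The target process is 64-bit.

If the target process is x64, make sure you are also compiling for x64.

I use this code for the same purpose, to find free memory within a 4 GB address range so I can do an x64 JMP for x64 hooks.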

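    #include <windows.h>

    char* AllocNearbyMemory(HANDLE hProc, char* nearThisAddr)
    {
        char* begin = nearThisAddr;
        char* end = nearThisAddr + 0x7FFF0000;   // upper bound of the search window
        MEMORY_BASIC_INFORMATION mbi{};

        auto curr = begin;

        // Walk the target's regions upward; stop once past the search window.
        while (curr < end && VirtualQueryEx(hProc, curr, &mbi, sizeof(mbi)))
        {
            if (mbi.State == MEM_FREE)
            {
                // Reserve and commit one page at the start of the free region.
                char* addr = (char*)VirtualAllocEx(hProc, mbi.BaseAddress, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
                if (addr) return addr;
            }
            curr += mbi.RegionSize;
        }

        return 0;
    }

Keep in mind there is no error checking, just a simple PoC.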
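Seen from the detection side, the pattern in this thread leaves a recognizable footprint: a committed, private, PAGE_EXECUTE_READWRITE region within rel32 jmp reach of a mapped image. The following is an added example, not code from the question or the answer, that applies this heuristic to a constructed region list; `region_t`, the function names and the sample map are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Numeric values of the Windows SDK constants, redefined so this builds anywhere. */
#define ST_COMMIT  0x1000u     /* MEM_COMMIT */
#define TY_PRIVATE 0x20000u    /* MEM_PRIVATE */
#define TY_IMAGE   0x1000000u  /* MEM_IMAGE */
#define PR_RWX     0x40u       /* PAGE_EXECUTE_READWRITE */
/* Hypothetical cut-down stand-in for MEMORY_BASIC_INFORMATION. */
typedef struct { uint64_t base, size; uint32_t state, protect, type; } region_t;

/* A 5-byte E9 jmp at `from` reaches `to` only if to - (from + 5) fits in int32. */
int rel32_reachable(uint64_t from, uint64_t to) {
    int64_t d = (int64_t)to - (int64_t)(from + 5);
    return d >= INT32_MIN && d <= INT32_MAX;
}

/* Collect indexes of committed private RWX regions within rel32 reach of an image. */
size_t find_suspect_caves(const region_t *r, size_t n, size_t *out) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].state != ST_COMMIT || r[i].type != TY_PRIVATE || r[i].protect != PR_RWX)
            continue;
        for (size_t j = 0; j < n; j++) {
            if (r[j].type != TY_IMAGE) continue;
            uint64_t last = r[j].base + r[j].size - 5;  /* last possible jmp site */
            if (rel32_reachable(r[j].base, r[i].base) || rel32_reachable(last, r[i].base)) {
                out[hits++] = i;
                break;
            }
        }
    }
    return hits;
}
/* Constructed sample map; the image range is chosen to contain the page's 0x140548AE6. */
const region_t SAMPLE[] = {
    { 0x0000C1000000ull, 0x1000,   ST_COMMIT, PR_RWX, TY_PRIVATE }, /* near, below image */
    { 0x000140000000ull, 0x600000, ST_COMMIT, 0x20,   TY_IMAGE   }, /* PAGE_EXECUTE_READ */
    { 0x000140610000ull, 0x1000,   ST_COMMIT, PR_RWX, TY_PRIVATE }, /* near, above image */
    { 0x000150000000ull, 0x10000,  ST_COMMIT, 0x04,   TY_PRIVATE }, /* PAGE_READWRITE heap */
    { 0x7FF600000000ull, 0x10000,  ST_COMMIT, PR_RWX, TY_PRIVATE }, /* RWX, out of reach */
};

int main(void) {
    size_t idx[5], n = find_suspect_caves(SAMPLE, 5, idx);
    for (size_t i = 0; i < n; i++)
        printf("suspect RWX region at 0x%llx\n", (unsigned long long)SAMPLE[idx[i]].base);
    return 0;
}
```

JIT engines also create private RWX memory, so a hit is a lead to triage (for example by checking whether image code actually branches into the region), not a verdict.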