I want to find the nearest free memory address to allocate memory for a code cave, but I need it to be within the jmp instruction limit (0xffffffff-80000000). I'm trying the following code, but without much luck.
```cpp
DWORD64 MemAddr = 0;
// Page-align the address the code cave has to stay near.
DWORD64 Address = 0x0000000140548AE6 & 0xFFFFFFFFFFFFF000;
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID);
if (hProc) {
    // Walk upward from ~2 GB below the address, trying to commit at each step.
    for (DWORD offset = 0; (Address + 0x000000007FFFEFFF) > ((Address - 0x000000007FFFEFFF) + offset); offset += 100)
    {
        MemAddr = (DWORD64)VirtualAllocEx(hProc, (DWORD64*)((Address - 0x000000007FFFEFFF) + offset), MemorySize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if ((DWORD64)MemAddr) {
            break;
        }
    }
    CloseHandle(hProc);
    return (DWORD64)MemAddr;
}
return 0;
```
The target process is 64-bit.

Posted 2020-03-30 06:47:53
If the target process is x64, make sure you are compiling for x64 as well.

I use this code for the same purpose, finding free memory within the 4GB address range so I can do x64 jmps for x64 hooks.
```cpp
#include <windows.h>

// Walk the target's address space upward from nearThisAddr, looking for the first
// MEM_FREE region and committing one page there. The 0x7FFF0000 limit keeps the
// result within the +2 GB reach of a rel32 jmp placed at nearThisAddr.
char* AllocNearbyMemory(HANDLE hProc, char* nearThisAddr)
{
    char* begin = nearThisAddr;
    char* end = nearThisAddr + 0x7FFF0000;
    MEMORY_BASIC_INFORMATION mbi{};
    auto curr = begin;
    // Stop at `end` so a free region beyond jmp range is never returned.
    while (curr < end && VirtualQueryEx(hProc, curr, &mbi, sizeof(mbi)))
    {
        if (mbi.State == MEM_FREE)
        {
            // VirtualAllocEx rounds a reservation base down to the 64 KiB allocation
            // granularity; if that lands inside the neighbouring region the call fails
            // and the walk simply moves on to the next free region.
            char* addr = (char*)VirtualAllocEx(hProc, mbi.BaseAddress, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if (addr) return addr;
        }
        curr += mbi.RegionSize;
    }
    return 0;
}
```

Keep in mind there is no error checking here, just a simple PoC.
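Added example, not code from the question or the answer above, written to compile outside Windows: the range arithmetic both posts depend on, run over a constructed region map that stands in for a VirtualQueryEx walk. It computes the rel32 displacement a 5-byte jmp needs, rejects slots it cannot reach in either direction, rounds candidates to the 64 KiB allocation granularity VirtualAllocEx applies, and, going beyond the answer's upward-only scan, picks the nearest qualifying slot on either side of the hook address. `Region`, `find_cave` and the region values are assumptions of this example.

```cpp
#include <cstdint>
#include <cstddef>

// Constructed stand-in for what a VirtualQueryEx walk returns: [base, base + size) regions.
struct Region { uint64_t base, size; bool is_free; };

static const uint64_t GRANULARITY = 0x10000;  // VirtualAllocEx rounds a new reservation down to 64 KiB
static const uint64_t JMP_LEN = 5;            // E9 rel32 is 5 bytes

// Signed displacement for a rel32 jmp placed at `from` that lands on `to`; false if out of reach.
bool jmp_rel32(uint64_t from, uint64_t to, int32_t *rel) {
    int64_t d = (int64_t)(to - (from + JMP_LEN));
    if (d < INT32_MIN || d > INT32_MAX) return false;
    *rel = (int32_t)d;
    return true;
}

// Free, granularity-aligned slot of `size` bytes closest to `target` that a rel32 jmp reaches
// in both directions (hook -> cave and cave -> back past the hook). Unlike the answer's
// upward-only walk this looks below the hook as well. Returns 0 when nothing qualifies.
uint64_t find_cave(const Region *map, size_t n, uint64_t target, uint64_t size) {
    uint64_t best = 0, best_dist = UINT64_MAX;
    for (size_t i = 0; i < n; i++) {
        if (!map[i].is_free || map[i].size < size) continue;
        uint64_t lo = map[i].base, hi = lo + map[i].size, cand = 0;
        if (hi <= target)      cand = (hi - size) & ~(GRANULARITY - 1);            // below: top end
        else if (lo >= target) cand = (lo + GRANULARITY - 1) & ~(GRANULARITY - 1); // above: bottom end
        else continue;  // hook inside a free region would mean it is not mapped code
        if (cand < lo || cand + size > hi) continue;  // aligned slot no longer fits the gap
        int32_t r;
        if (!jmp_rel32(target, cand, &r) || !jmp_rel32(cand + size, target, &r)) continue;
        uint64_t dist = cand > target ? cand - target : target - cand;
        if (dist < best_dist) { best_dist = dist; best = cand; }
    }
    return best;
}

// Constructed map around the question's hook address 0x140548AE6 (region values are made up).
static const Region kMap[] = {
    {0x13FF00000,    0x100000,  true},   // free gap just below the module image
    {0x140000000,    0x1000000, false},  // the image that contains the hook
    {0x141000000,    0x800,     true},   // free but too small for a 0x1000 cave
    {0x141000800,    0x100000,  true},   // free gap above the image
    {0x7FF600000000, 0x100000,  true},   // free but far beyond rel32 reach
};

uint64_t demo_find_cave() {
    return find_cave(kMap, sizeof kMap / sizeof kMap[0], 0x140548AE6, 0x1000);
}
```

With this map the slot chosen is 0x13FFF0000, the 64 KiB-aligned top of the gap below the image, which is closer to the hook than the aligned start of the gap above it.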
https://stackoverflow.com/questions/24890451