How does one use VirtualAllocEx do make room for a code cave? I am currently in possession of a piece of software with very little "free space" and I read that VirtualAllocEx is used for making this space..
Viewed 4,881 times
3
- Please clarify your question. What do you mean when you say the software has very little "free space"--does it run on a device with limited RAM, is the executable itself small, or what? And what's a "code cave"? – JSBձոգչ Jun 09 '10 at 23:51
- @JSBangs: A code cave is an unused block of memory that you can use to inject custom programming code to modify the behaviour of a program. It is an obscure term; I never heard of it until today myself. – Dennis Jun 09 '10 at 23:55
- What do you have so far? Do you just need help with `VirtualAllocEx`, or do you also need help with prerequisite code? – Aaron Klotz Jun 10 '10 at 00:01
- I think a "code cave" is useful for doing the C or ASM equivalent of "monkey patching". – Gabe Jun 10 '10 at 00:34
- I just need help making room for a code cave in an exe file :-) – Jake Jun 10 '10 at 13:49
- Can I use VirtualAllocEx in Python? – Jake Jun 10 '10 at 13:50
2 Answers
3
After the question about "code cave" is cleared up, you may find the following code interesting: it enumerates the blocks allocated by VirtualAllocEx in the current process and finds all PE images (DLLs and the EXE itself).
    #include <windows.h>

    // Walks the virtual address space of the current process with VirtualQueryEx
    // and locates every executable region that belongs to a mapped PE image.
    void EnumerateLoadedModules(void)
    {
        SYSTEM_INFO si;
        MEMORY_BASIC_INFORMATION mbi;
        SIZE_T cbReturned;
        ULONG_PTR dwMem;   // ULONG_PTR rather than DWORD so the walk is also correct on 64-bit

        GetSystemInfo(&si);
        for (dwMem = 0; dwMem < (ULONG_PTR)si.lpMaximumApplicationAddress;
             dwMem += mbi.RegionSize) {
            cbReturned = VirtualQueryEx(GetCurrentProcess(), (LPCVOID)dwMem, &mbi,
                                        sizeof(mbi));
            if (!cbReturned)
                break;   // query failed: mbi.RegionSize would be stale, so stop instead of looping
            // Mapped images are allocated with PAGE_EXECUTE_WRITECOPY; for such a
            // region the allocation base is the module's DOS header.
            if ((mbi.AllocationProtect & PAGE_EXECUTE_WRITECOPY) &&
                (mbi.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))) {
                if (*(LPWORD)mbi.AllocationBase == IMAGE_DOS_SIGNATURE) {
                    IMAGE_DOS_HEADER *pDosHeader =
                        (IMAGE_DOS_HEADER *)mbi.AllocationBase;
                    if (pDosHeader->e_lfanew) {
                        IMAGE_NT_HEADERS32 *pNtHeader = (IMAGE_NT_HEADERS32 *)
                            ((PBYTE)pDosHeader + pDosHeader->e_lfanew);
                        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
                            continue;
                        // now you can examine the module loaded in the current process
                    }
                }
            }
        }
    }
The code could look like a large loop. In reality, in a typical application it makes about 200 iterations, so it goes very quickly through all the blocks allocated by VirtualAllocEx during loading of the EXE and all dependent DLLs.

Oleg
- @Abyx: I'm not sure what you mean. The question is mostly how the debugger works and how one can access memory of one's own or another process. The first problem is analyzing the virtual space and understanding who is the owner of the memory. One should do it in one's own process first of all. One can do similar things with another process; one just needs to have enough privileges or to activate the `SE_DEBUG_NAME` privilege. The most important thing is to find the `IMAGE_DOS_HEADER` (the beginning of the module); all other things are well known. – Oleg Jan 16 '16 at 18:50
- The question is "how do I do X". Your answer is "after you solve X, you can also do Y". This is not an answer. – Abyx Jan 16 '16 at 19:06
- @Abyx: I understand your opinion. Typically the person who asks the question writes comments that he wanted something else, or another person writes his own answer. **Jake**, who asked the question, wrote no comments and accepted the question. It was one of my first answers; I had very low reputation and could not express myself well enough in English. – Oleg Jan 16 '16 at 19:12
- Well, you can fix it now - for example, write a new question with a self-answer and post a link to it here. – Abyx Jan 16 '16 at 19:13
- @Abyx: Sorry, but I can't fully follow you. Somebody had a *real problem* which he had to solve, and he asked everybody to help him with any tips to go forward. Then others wrote their answers to help him. The answer is really old. It's easy to discuss *now* that the earth is round and not flat, but it was not so clear some time before. :-) I see no sense in writing now a new question with an answer to the old problem, which has held no interest for me for many years. Moreover, I see no real person to whom it could be helpful. I'm sure that one can find *now* enough information about the subject. – Oleg Jan 16 '16 at 20:45
2
    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>
    // listview is the HWND of a window owned by the target process; the function
    // name and wrapper are only there to make the snippet compile as a unit.
    int *AllocIntInWindowProcess(HWND listview)
    {
        unsigned long pid;
        HANDLE process;
        GetWindowThreadProcessId(listview, &pid);
        process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (process == NULL) return NULL;   // no access to the target process
        int *vptr = (int *)VirtualAllocEx(process, NULL, sizeof(int), MEM_COMMIT, PAGE_READWRITE);
        CloseHandle(process);   // the allocation outlives the handle
        return vptr;
    }
References
- MSDN VirtualAllocEx Function
- CodeProject Stealing Program's Memory
- Stack Overflow: What is a code cave...?
HTH,
- Thank you, by the way. I did not know what a 'code cave' was until seeing this question. I learnt the above from a quick Google search and asking a h@cker friend next to me at work. – Dennis Jun 10 '10 at 00:07
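Read together, the two answers describe both sides of the same picture: Oleg's VirtualQueryEx loop recognises image-backed executable regions by the DOS and NT headers at their allocation base, while Dennis's snippet shows the VirtualAllocEx call that produces a committed, private region with no image behind it. The C program below is an added example, not code from either answer, and it takes the defender's view of that picture: given region records of the kind VirtualQueryEx returns, it classifies each one and counts the executable private regions that no PE image accounts for, which is the first thing a memory-forensics tool or EDR scanner looks for. It redefines the handful of winnt.h constants it needs (guarded, so it also builds with windows.h) and runs offline on a constructed region list; the `region_t` struct, the `verdict_t` names, `sample_regions`, the fake PE header and the addresses are all constructed for this example and are not Win32 APIs or real data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* winnt.h constants (documented values), guarded so the file still builds with windows.h. */
#ifndef MEM_COMMIT
#define MEM_COMMIT  0x1000
#define MEM_FREE    0x10000
#define MEM_PRIVATE 0x20000
#define MEM_IMAGE   0x1000000
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define IMAGE_DOS_SIGNATURE 0x5A4D     /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550 /* "PE\0\0" */
#endif

/* Constructed stand-in for the MEMORY_BASIC_INFORMATION fields used here; alloc_bytes
   is what Oleg's loop reads at AllocationBase as a DOS header (NULL when unreadable). */
typedef struct {
    uintptr_t      base;
    size_t         region_size;
    uint32_t       state;       /* MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t       protect;     /* PAGE_* flags */
    uint32_t       type;        /* MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE */
    const uint8_t *alloc_bytes;
    size_t         alloc_len;
} region_t;

typedef enum {
    REGION_SKIP,         /* not committed: nothing to inspect */
    REGION_IMAGE_CODE,   /* executable pages backed by a valid PE image */
    REGION_PRIVATE_EXEC, /* executable private pages with no image behind them */
    REGION_OTHER         /* heaps, stacks, data sections, odd cases */
} verdict_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Any execute right in the low protection byte; PAGE_GUARD and the other
   modifiers sit above bit 7 and are masked away first. */
int is_executable(uint32_t protect) {
    const uint32_t exec = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    return (protect & 0xFF & exec) != 0;
}

/* Bounds-checked form of the header walk in Oleg's loop: MZ, e_lfanew at 0x3C, PE\0\0. */
int looks_like_pe(const uint8_t *p, size_t len) {
    if (p == NULL || len < 0x40 || rd16le(p) != IMAGE_DOS_SIGNATURE) return 0;
    uint32_t e_lfanew = rd32le(p + 0x3C);
    if (e_lfanew == 0 || e_lfanew > len - 4) return 0;
    return rd32le(p + e_lfanew) == IMAGE_NT_SIGNATURE;
}

verdict_t classify_region(const region_t *r) {
    if (r->state != MEM_COMMIT) return REGION_SKIP;
    if (!is_executable(r->protect)) return REGION_OTHER;
    if (r->type == MEM_IMAGE && looks_like_pe(r->alloc_bytes, r->alloc_len))
        return REGION_IMAGE_CODE;
    return r->type == MEM_PRIVATE ? REGION_PRIVATE_EXEC : REGION_OTHER;
}

/* Count committed executable regions that no PE image accounts for. */
size_t count_private_exec(const region_t *regs, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_region(&regs[i]) == REGION_PRIVATE_EXEC) hits++;
    return hits;
}

/* Constructed sample: a buffer shaped like a PE header, one that is not, and
   five region records standing in for one VirtualQueryEx walk. */
static uint8_t fake_pe[128];
static const uint8_t not_pe[64] = { 0 };
size_t sample_regions(region_t *out, size_t max) {
    memset(fake_pe, 0, sizeof fake_pe);
    fake_pe[0] = 'M'; fake_pe[1] = 'Z';        /* DOS signature */
    fake_pe[0x3C] = 0x40;                      /* e_lfanew      */
    fake_pe[0x40] = 'P'; fake_pe[0x41] = 'E';  /* NT signature  */
    const region_t s[] = {
        { 0x10001000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, fake_pe, sizeof fake_pe },    /* DLL .text     */
        { 0x001a0000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, NULL, 0 },                     /* heap          */
        { 0x002b0000, 0x01000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, NULL, 0 },             /* RWX, no image */
        { 0x00300000, 0x100000, MEM_FREE, 0, 0, NULL, 0 },                                             /* free space    */
        { 0x00400000, 0x01000, MEM_COMMIT, PAGE_EXECUTE_WRITECOPY, MEM_IMAGE, not_pe, sizeof not_pe }, /* bad headers   */
    };
    size_t n = sizeof s / sizeof s[0];
    if (n > max) n = max;
    memcpy(out, s, n * sizeof s[0]);
    return n;
}

/* Entry points over the constructed sample; out-of-range indexes report REGION_SKIP. */
verdict_t sample_verdict(size_t i) {
    region_t regs[8];
    size_t n = sample_regions(regs, 8);
    return i < n ? classify_region(&regs[i]) : REGION_SKIP;
}
size_t sample_private_exec_count(void) {
    region_t regs[8];
    return count_private_exec(regs, sample_regions(regs, 8));
}
```

On a real system the region list would come from looping VirtualQueryEx exactly as Oleg's answer does, feeding each MEMORY_BASIC_INFORMATION into `classify_region`; the sample data here reproduces the three cases that matter, an image-backed text section, a plain heap, and an RWX private region of the kind `VirtualAllocEx` with MEM_COMMIT produces, plus two edge cases (free space and an image-typed region whose headers fail the bounds-checked parse, which is why the check is bounds-checked rather than a raw pointer dereference).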