
Can someone explain to me why the author initializes a void pointer to a memory location like this? I am just a beginner and I have never seen notation like this before.

#include <windows.h>   /* VirtualAlloc */
#include <string.h>    /* memcpy */

/* someCode is assumed to be a byte array defined elsewhere; sizeof(someCode)
   only yields its byte count because it is an array, not a pointer. */

void executeCode(){

    /* one RWX page: writable and executable at the same time */
    char* MEMORY_BUFFER = (char*)VirtualAlloc(NULL, sizeof(someCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (MEMORY_BUFFER == NULL) return;   /* allocation failed */

    memcpy(MEMORY_BUFFER, someCode, sizeof(someCode));

    /* cast the buffer address to "pointer to function returning void", then call it */
    (*(void(*)())MEMORY_BUFFER)();
}

  • VirtualAlloc allocates virtual memory from the operating system in page tables. See [here](https://stackoverflow.com/questions/2782628/any-way-to-reserve-but-not-commit-memory-in-linux). memcpy copies from "someCode" to this buffer. Since this is a function pointer, you need to cast it accordingly. (void(*)()) is here the function pointer to MEMORY_BUFFER and (*fctptr)() evaluates it. You do void casts when you want to drop the return or call a function of another return value. – Jay-Pi Mar 01 '20 at 15:12
  • I have submitted an edit to the question to add the "windows" tag, because the function `VirtualAlloc` only applies to the Microsoft Windows platform. On second thought, maybe I shouldn't have done that, because that function is not relevant to the question. Is there a way to take back my suggested edit? – Andreas Wenzel Mar 01 '20 at 15:14
  • @AndreasWenzel -- leave it; this **really is** a Windows question, since the code in the question attempts to execute the code that's copied to the buffer. That's not legal in portable C++. – Pete Becker Mar 01 '20 at 17:31

2 Answers

1
char *MEMORY_BUFFER = /* whatever */;

MEMORY_BUFFER is a pointer to char. You cannot "execute a string".
You can execute a function if you have a pointer to it.

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* rand */

int (*fxptr)(void) = rand;    // function pointer initialized with the address of rand
printf("%d\n", fxptr());      // execute rand() through the function pointer
printf("%d\n", (*fxptr)());   // dereferencing the function pointer is redundant

The cast

(void(*)())MEMORY_BUFFER

"transforms" (if it were valid) MEMORY_BUFFER to a pointer to function taking an unspecified number of arguments and returning nothing.
You can call the function through that (assuming it's valid) pointer

    ((void(*)())MEMORY_BUFFER)();
    (*(void(*)())MEMORY_BUFFER)(); // no need to dereference function pointer
pmg
  • Is this a part of os kernel loader? Or a serial code keygen patch? Or maybe another code tampering tool? – Red.Wave Mar 01 '20 at 16:37
  • @Red.Wave: Why not post that comment as a comment to the question, instead of as a comment to the answer? By posting it as a comment to the answer, the answerer will get notified, instead of the person who posted the question. – Andreas Wenzel Mar 01 '20 at 17:20
  • You are right. But the answer is ok & accepted. So another notification on question may falsely imply an intention for a new answer. – Red.Wave Mar 01 '20 at 20:42
1

It looks like C-style casting of MEMORY_BUFFER to a pointer to function returning void (void(*)()) with dereference and function call. It would be nice to have it simplified as in

typedef void (*fn_ptr)();   // fn_ptr names "pointer to function returning void"

(*(fn_ptr)MEMORY_BUFFER)();
Eric
    Note that the dereference is absolutely superfluous, at least in C. Expressions of function type decay to function pointers in much the same way that expressions of array type decay to [array-element] pointers. – John Bollinger Mar 01 '20 at 18:09
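The following is an added example, not code from the question or from either answer. It puts the pieces of this thread together in one runnable program: a few hand-assembled bytes (a stand-in for the question's someCode, constructed here and returning the int 42) are copied into fresh memory and called through the object-pointer-to-function-pointer cast the first answer explains, written with a typedef as the second answer suggests. It departs from the question's code in one security-relevant way: the page is mapped read/write for the copy and only then switched to read/execute, so memory is never writable and executable at once, whereas PAGE_EXECUTE_READWRITE gives an RWX page for the whole lifetime of the buffer. Both a Windows path (VirtualAlloc/VirtualProtect) and a POSIX path (mmap/mprotect) are shown; the stub bytes are for x86-64 and AArch64 only, and the names map_rw, make_rx, run_stub and stub_fn are this example's own.

```c
/* Added example (not from the question or the answers): copy machine code
 * into memory and call it through a function-pointer cast, with W^X. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; glibc hides it under strict -std= modes */
#endif
#endif

/* Stand-in for the question's someCode, constructed by hand:
 * a function taking no arguments that returns the int 42. */
#if defined(__x86_64__) || defined(_M_X64)
static const unsigned char stub_code[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xC3                            /* ret         */
};
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char stub_code[] = {
    0x40, 0x05, 0x80, 0x52,         /* movz w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6          /* ret          */
};
#else
#error "stub bytes are provided for x86-64 and AArch64 only"
#endif

/* Name the function-pointer type once, as the second answer suggests
 * (its typedef must read  typedef void (*fn_ptr)();  to be valid). */
typedef int (*stub_fn)(void);

/* Map len bytes read/write (not executable). Returns NULL on failure. */
static void *map_rw(size_t len)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Flip the mapping to read/execute (no longer writable). Returns 1 on success. */
static int make_rx(void *p, size_t len)
{
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(p, len, PAGE_EXECUTE_READ, &old) != 0;
#else
    return mprotect(p, len, PROT_READ | PROT_EXEC) == 0;
#endif
}

static void unmap(void *p, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Copy stub_code into fresh memory and execute it.
 * Returns the stub's return value (42), or -1 if any step fails. */
int run_stub(void)
{
    size_t len = sizeof stub_code;    /* valid because stub_code is an array, not a pointer */
    unsigned char *buf = map_rw(len);
    if (buf == NULL)
        return -1;

    memcpy(buf, stub_code, len);      /* write phase: page is RW, not executable */

    if (!make_rx(buf, len)) {         /* execute phase: page is RX, not writable */
        unmap(buf, len);
        return -1;
    }
#if defined(__GNUC__)
    /* AArch64 needs the instruction cache synchronised after writing code; harmless on x86 */
    __builtin___clear_cache((char *)buf, (char *)buf + len);
#endif

    /* The cast from the question: object pointer -> pointer to function, then call.
     * The leading '*' in (*(void(*)())MEMORY_BUFFER)() is redundant, as the comments note. */
    int result = ((stub_fn)buf)();

    unmap(buf, len);
    return result;
}

int main(void)
{
    printf("stub returned %d\n", run_stub());   /* prints 42 on a supported platform */
    return 0;
}
```

Strictly, ISO C does not define converting an object pointer to a function pointer (GCC's -pedantic warns about it), but Windows and POSIX both guarantee it works for memory the OS has mapped executable, which is why the question's code runs at all. The separate RW and RX phases mean a bug that corrupts the buffer after make_rx cannot silently change the code that gets executed, and a leaked RWX page is not left lying around for an attacker to write into.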