Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VirtualAllocEx fails on large image size #3

Open
masoudr opened this issue Mar 17, 2018 · 8 comments
Open

VirtualAllocEx fails on large image size #3

masoudr opened this issue Mar 17, 2018 · 8 comments

Comments

@masoudr
Copy link

masoudr commented Mar 17, 2018

Hi,
I'm testing your code it works fine for small image size (like 200KB). But on large image arrays, I get ERROR_INVALID_PARAMETER on VirtualAllocEx because it is trying to access reserved memory.
So I search and ended up to this topic. But I can't figure it out because I think it is going too complicated. How can we just call VirtualAllocEx without specifying a specific address?
Thanks
@ghost
Copy link

ghost commented Apr 1, 2018
edited by ghost
Loading

the first parameter is NULL means Windows will determines where to allocate the region.

@ghost
Copy link

ghost commented Apr 1, 2018

try to increase the stack size

@masoudr
Copy link
Author

masoudr commented Apr 1, 2018

@whitehat84 Thanks for the answer. Can you be more specific,which parameter should I change in this function:

pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

@ehsanr1366
Copy link

@masoudr Hi. How do you solve this problem? I have this challenge. Thanks

@MatthMoestl
Copy link

Hi, I have the same issue - but I found at least something that made it much better:

// Allocate memory for the context.
CTX = (LPCONTEXT)(VirtualAlloc(NULL, sizeof(*CTX), MEM_COMMIT, PAGE_READWRITE));

this and the increased stack size to 8MB ... makes it work for about 85%

maybe this helps you to finally fix it, I am a newbe in this topics

@MatthMoestl
Copy link

Ok I FIXED IT ... works perfect for me :-)

replace
CTX = (LPCONTEXT)(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));

with

CTX = (LPCONTEXT)(VirtualAlloc(NULL, sizeof(*CTX), MEM_COMMIT, PAGE_READWRITE));

and replace :
pImageBase = VirtualAllocEx(PI.hProcess, (LPVOID)(NtHeader->OptionalHeader.ImageBase), NtHeader->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

with

pImageBase = VirtualAllocEx(PI.hProcess, NULL, NtHeader->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

and replace
WriteProcessMemory(PI.hProcess, (LPVOID)(CTX->Ebx + 8), (LPVOID)(&NtHeader->OptionalHeader.ImageBase), 4, 0);

with

WriteProcessMemory(PI.hProcess, (LPVOID)(CTX->Ebx + 8), (LPVOID)(&pImageBase), 4, 0);

@PoloNX
Copy link

PoloNX commented Apr 9, 2022

Hi, I have one error. It says this "E0135 class "_CONTEXT" has no member "Ebx"".
How can I resolve this error ?

@masoudr
Copy link
Author

masoudr commented Apr 12, 2022
edited
Loading

@PoloNX It is because Ebx register isn't available for the X64 platform. But anyway the project doesn't support X64. You need to compile the code for X86 architecture.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@masoudr @MatthMoestl @ehsanr1366 @PoloNX