How do I use VirtualAllocEx to make room for a code cave?

I currently have a piece of software that has very little "free space" in it, and I have read about VirtualAllocEx as a way to create that space.

Solutions collected from the web for "How do I use VirtualAllocEx to make room for a code cave?"

Once the question about the "code cave" has been cleared up, you may find the code below interesting: it enumerates the blocks allocated with VirtualAllocEx in the current process and finds all the PEs (the DLLs and the EXE itself).

    #include <windows.h>

    /* Walk the address space of the current process with VirtualQueryEx and
       stop at every region that holds the mapped image of a PE (EXE or DLL).
       ULONG_PTR is used for the address so the walk also works in a 64-bit
       process (the original DWORD only covered 32-bit addresses). */
    void EnumerateLoadedImages(void)
    {
        SYSTEM_INFO si;
        MEMORY_BASIC_INFORMATION mbi;
        ULONG_PTR dwMem;
        SIZE_T cbReturned;

        GetSystemInfo(&si);
        for (dwMem = 0; dwMem < (ULONG_PTR)si.lpMaximumApplicationAddress; dwMem += mbi.RegionSize)
        {
            cbReturned = VirtualQueryEx(GetCurrentProcess(), (LPCVOID)dwMem, &mbi, sizeof(mbi));
            if (!cbReturned)
                break;   /* query failed: stop instead of reusing a stale RegionSize */

            /* Mapped images are allocated PAGE_EXECUTE_WRITECOPY; only look at
               regions of that kind whose current protection is executable. */
            if ((mbi.AllocationProtect & PAGE_EXECUTE_WRITECOPY) &&
                (mbi.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)))
            {
                if (*(LPWORD)mbi.AllocationBase == IMAGE_DOS_SIGNATURE)
                {
                    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)mbi.AllocationBase;
                    if (pDosHeader->e_lfanew)
                    {
                        IMAGE_NT_HEADERS32 *pNtHeader =
                            (IMAGE_NT_HEADERS32 *)((PBYTE)pDosHeader + pDosHeader->e_lfanew);
                        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
                            continue;
                        /* now you can examine the module loaded in the current process */
                    }
                }
            }
        }
    }

That code may look like a big loop. In practice, for a typical application it makes about 200 iterations, because when the EXE is loaded all of its dependent DLLs pass through all the blocks allocated by VirtualAllocEx.

    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>

    /* Commit one readable/writable int inside the process that owns `listview`.
       Returns the address in that process, or NULL if the process could not be
       opened. The process handle is intentionally left open for the caller,
       who must CloseHandle it when done. */
    int *AllocIntInOwnerProcess(HWND listview)
    {
        unsigned long pid = 0;
        HANDLE process;

        GetWindowThreadProcessId(listview, &pid);
        process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ |
                              PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (process == NULL)
            return NULL;   /* the requested access rights were refused */

        /* PAGE_READWRITE: the block is readable and writable but not executable */
        return (int *)VirtualAllocEx(process, NULL, sizeof(int), MEM_COMMIT, PAGE_READWRITE);
    }

References
– MSDN: VirtualAllocEx function
– CodeProject: Stealing a program's memory
– StackOverflow: What is a code cave? …

HTH,
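Added example, not from either answer: the check a defender runs over the same kind of VirtualQueryEx walk to spot memory that was made room for with VirtualAllocEx rather than mapped from a module. The RegionInfo struct and the Windows constants are assumptions defined locally so the code compiles without <windows.h>; on Windows the fields come straight from MEMORY_BASIC_INFORMATION.

```c
#include <stdint.h>
#include <stddef.h>
/* Windows values, defined locally so this compiles without <windows.h>. */
#define MEM_COMMIT   0x1000u
#define MEM_RESERVE  0x2000u
#define MEM_PRIVATE  0x20000u
#define MEM_IMAGE    0x1000000u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define EXEC_MASK (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

typedef struct {                   /* subset of MEMORY_BASIC_INFORMATION (hypothetical struct) */
    uintptr_t base; size_t size;
    uint32_t state, protect, type; /* MEM_* state, PAGE_* protection, MEM_IMAGE/MAPPED/PRIVATE */
} RegionInfo;

enum { REGION_OK = 0, REGION_PRIVATE_EXEC = 1, REGION_PRIVATE_RWX = 2 };

/* Committed, executable memory with no image behind it is what a block from
   VirtualAllocEx(..., PAGE_EXECUTE_READWRITE) looks like in a region walk. */
int ClassifyRegion(const RegionInfo *r)
{
    if (r->state != MEM_COMMIT || !(r->protect & EXEC_MASK)) return REGION_OK;
    if (r->type == MEM_IMAGE) return REGION_OK;   /* code section of a loaded module */
    if (r->protect & PAGE_EXECUTE_READWRITE) return REGION_PRIVATE_RWX;
    return REGION_PRIVATE_EXEC;                   /* RX private: a JIT heap, or a cave made RX */
}

/* Walks a snapshot of regions and returns how many deserve a closer look. */
int CountSuspiciousRegions(const RegionInfo *regions, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (ClassifyRegion(&regions[i]) != REGION_OK) hits++;
    return hits;
}

/* Constructed snapshot of one process, not captured from a real one. */
static const RegionInfo sample[] = {
    { 0x00400000, 0x1000,  MEM_COMMIT,  PAGE_READONLY,          MEM_IMAGE   }, /* PE headers    */
    { 0x00401000, 0x20000, MEM_COMMIT,  PAGE_EXECUTE_READ,      MEM_IMAGE   }, /* .text         */
    { 0x00600000, 0x10000, MEM_COMMIT,  PAGE_READWRITE,         MEM_PRIVATE }, /* ordinary heap */
    { 0x00700000, 0x1000,  MEM_COMMIT,  PAGE_EXECUTE_READWRITE, MEM_PRIVATE }, /* the cave      */
    { 0x00800000, 0x1000,  MEM_RESERVE, 0,                      MEM_PRIVATE }, /* reserved only */
};
#define SAMPLE_COUNT (sizeof sample / sizeof sample[0])
```

A region keeps MEM_IMAGE when a cave is carved into the slack of an existing section, so this check does not see that case; comparing the mapped image against the file on disk does.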