views:

138

answers:

1

I want to write a small amount of memory inside of a specific address range of my process.

Example

  • amount of memory to allocate: 5 bytes
  • lower bound for address: 0x00400000
  • upper bound for address: 0x00A00000

The range in which I want to write is already allocated by the process. Therefore, I can't simply allocate new mem with VirtualAlloc.

However, since the pages in the desired address space are used for program code, they are not 100% used. There exists enough space somewhere to write my 5 bytes.

What do I have to do to ensure that I don't overwrite necessary memory?

+3  A: 

I don't think there's a nice, general way to do what you're wanting. Since it looks like you're talking about Windows and about where the default spot to load a PE is, I'll make some assumptions here that might help you.

If you're willing to parse the PE-header, you can generally find slack-space in there. Check out the areas between the sections and before the functions. Depending on how the application was built, you might find areas between functions to be filled with INT3's that would probably be sufficient for what you're looking for.

If you gave us more information on what you're trying to do specifically, we could probably help more. Can you just patch the binary before loading it or do you have to do everything at run-time?

mrduclaw
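To make the answer's two suggestions concrete, here is an added example (my own code, not from the answer or from any project) that parses a PE section table with nothing but the standard library and measures the slack it describes: the FileAlignment padding after each section's data, the SectionAlignment tail each section gets once loaded, and runs of INT3 (0xCC) inside code sections. The PE image it inspects is constructed in memory for the demonstration (hypothetical `build_sample_pe`, with an ImageBase of 0x00400000 to match the question); the helper names `parse_sections`, `find_slack` and `padding_is_untouched` are mine. The last function is the defender's side of the same measurement: after linking, alignment padding is all zero bytes, so a non-zero byte in that region is a simple sign that a binary was modified on disk.

```python
# Added example: measure PE section slack with the standard library only.
# The PE image is constructed in memory for illustration; it is not a runnable program.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020          # section Characteristics bit: contains code
SECTION_HEADER_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def round_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_sections(image):
    """Return (image_base, section_alignment, file_alignment, sections) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    # SectionAlignment / FileAlignment sit at +32 / +36 in both PE32 and PE32+
    section_align, file_align = struct.unpack_from("<II", image, opt + 32)
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return image_base, section_align, file_align, sections


def find_slack(image, min_run=5):
    """List (section, kind, location, length). 'file padding' and 'INT3 run' give
    file offsets; 'memory slack' gives a virtual address in the loaded process."""
    image_base, section_align, _file_align, sections = parse_sections(image)
    findings = []
    for s in sections:
        used = min(s["virtual_size"], s["raw_size"])
        # 1. SizeOfRawData is rounded up to FileAlignment; bytes past VirtualSize are padding.
        pad = s["raw_size"] - used
        if pad > 0:
            findings.append((s["name"], "file padding", s["raw_ptr"] + used, pad))
        # 2. In memory the section occupies a SectionAlignment-rounded block; the tail
        #    beyond VirtualSize is mapped but not described by the section's size.
        mem_slack = round_up(s["virtual_size"], section_align) - s["virtual_size"]
        if mem_slack > 0:
            va = image_base + s["virtual_address"] + s["virtual_size"]
            findings.append((s["name"], "memory slack", va, mem_slack))
        # 3. Compilers pad between functions in code sections with INT3 (0xCC).
        if s["characteristics"] & IMAGE_SCN_CNT_CODE:
            data = image[s["raw_ptr"]:s["raw_ptr"] + used] + b"\x00"  # sentinel ends a trailing run
            start = None
            for off, byte in enumerate(data):
                if byte == 0xCC:
                    start = off if start is None else start
                elif start is not None:
                    if off - start >= min_run:
                        findings.append((s["name"], "INT3 run", s["raw_ptr"] + start, off - start))
                    start = None
    return findings


def padding_is_untouched(image):
    """Defender's check: file-alignment padding should still be all zero bytes;
    anything else there means the file was changed after it was linked."""
    return not any(any(image[loc:loc + n])
                   for _, kind, loc, n in find_slack(image) if kind == "file padding")


def build_sample_pe():
    """Constructed sample: a minimal PE32 layout with a .text section whose code ends
    in five INT3 bytes and a tiny .data section, both padded to FileAlignment (0x200)."""
    file_align, section_align, size_opt, size_of_headers = 0x200, 0x1000, 224, 0x200
    text_code = b"\x55\x8B\xEC" + b"\x90" * 0x58 + b"\xCC" * 5      # 0x60 bytes
    data_bytes = b"\x01\x02\x03\x04"
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, len(text_code), len(data_bytes), 0,
                      0x1000, 0x1000, 0x2000, 0x00400000, section_align, file_align)
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)
    opt += struct.pack("<IIII", 0, 0x3000, size_of_headers, 0)       # SizeOfImage, SizeOfHeaders
    opt += struct.pack("<HH", 3, 0) + struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x1000)
    opt += struct.pack("<II", 0, 16) + bytes(128)                    # 16 empty data directories
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", len(text_code), 0x1000, file_align,
                           0x200, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack(SECTION_HEADER_FMT, b".data", len(data_bytes), 0x2000, file_align,
                           0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr).ljust(size_of_headers, b"\x00")
    return headers + text_code.ljust(file_align, b"\x00") + data_bytes.ljust(file_align, b"\x00")


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, kind, loc, length in find_slack(sample):
        print(f"{name:<6} {kind:<14} at 0x{loc:08X}, {length} bytes")
    print("padding untouched:", padding_is_untouched(sample))
```

Two caveats when running this against a real file: "file padding" and "INT3 run" locations are file offsets, so convert through the owning section's VirtualAddress and PointerToRawData before comparing them with an address range in the running process; and an INT3 run is only free space if nothing references it, which the parser cannot tell you, so treat it as a candidate to verify with a disassembler rather than a confirmed cave.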
I just want to learn the code caving method at some sample binary. I have found 5 INT3's in front of a function. Aren't they needed? Will inform myself about this opcode (seems to be for debugging)
Etan
IIRC, the INT3's are there so that if you accidentally point EIP there, the program will crash (think, out-of-bounds string or something). So, no, not really needed since you're going to violate the integrity of the program anyway.
mrduclaw
Not really crash - debug break.
sean e
If an INT3 falls in the forest without a debugger there to hear it...
bk1e
@sean e: It causes a soft break if there's a debugger to catch it, or it crashes with no such exception handling. Since I'm assuming his code-cave example will not always be run under a debugger, I'm guessing most of the time if he sets it up incorrectly the program will crash and not trigger the non-existent debugger.
mrduclaw