How does one use VirtualAllocEx do make room for a code cave?

Question

How does one use VirtualAllocEx do make room for a code cave? I am currently in possession of a piece of software with very little "free space" and I read that VirtualAllocEx is used for making this space..

Oleg · Accepted Answer

After the question about "code cave" is cleared, you can find interesting following code which enumerate blocks allocated by VirtualAllocEx in the current process and find all PE (DLLs and the EXE itself).

SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;

DWORD nOffset = 0, cbReturned, dwMem;
GetSystemInfo(&si);

for (dwMem = 0; dwMem<(DWORD)si.lpMaximumApplicationAddress;
                dwMem+=mbi.RegionSize) {
    cbReturned = VirtualQueryEx (GetCurrentProcess(),  (LPCVOID)dwMem, &mbi,
                                 sizeof(mbi));
    if (cbReturned) {
        if ((mbi.AllocationProtect & PAGE_EXECUTE_WRITECOPY) &&
            (mbi.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | 
                            PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))) {

            if (*(LPWORD)mbi.AllocationBase == IMAGE_DOS_SIGNATURE) {
                IMAGE_DOS_HEADER *pDosHeader =
                    (IMAGE_DOS_HEADER *)mbi.AllocationBase;

                if (pDosHeader->e_lfanew) {
                    IMAGE_NT_HEADERS32 *pNtHeader = (IMAGE_NT_HEADERS32 *)
                        ((PBYTE)pDosHeader + pDosHeader->e_lfanew);

                    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
                        continue;

                    // now you can examine of module loaded in current process
                }
            }
        }
    }
}

The code could looks like a large loop. In reality it is a typical application it makes about 200 loops, so it is very quickly to goes through all blocks allocated with respect of VirtualAllocEx during loading of EXE all all depended DLLs.

How does one use VirtualAllocEx do make room for a code cave?

Answers (2)

Related Questions