Stephen Torri wrote:
I am trying to create a custom Windows PE loader (binary & DLL) for the purpose of security research. I am having a difficult time finding how to allocate memory for a binary at the desired address in memory (especially if it's non-relocatable). I would like to see why I cannot get memory allocated at the exact address requested in the binary headers. Is there a program or system call that allows me to see a list of memory address ranges allocated to the running processes on a system?
In Wine, if you put the program in a sleep with kernel32.Sleep() or sleep(3), you can cat /proc/<pid>/maps to see which memory is allocated.
That, or cause the program to crash or enter winedbg with a breakpoint, then winedbg will give you a backtrace containing the list of modules loaded at each address.
I think the default load address of PE exes is 0x00400000, so it's possible that address is already taken by the first .exe you loaded.
Mike
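
Added example, not part of the original message: a small C routine that checks whether a PE image's preferred range is already occupied, given text in the `/proc/<pid>/maps` format mentioned in the reply. The function name `range_conflict`, the sample maps text and the `0x10000` image size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not captured from a real process). */
static const char SAMPLE_MAPS[] =
    "00110000-00120000 rw-p 00000000 00:00 0\n"
    "00400000-00401000 r--p 00000000 08:01 1234 /home/user/first.exe\n"
    "00401000-00420000 r-xp 00001000 08:01 1234 /home/user/first.exe\n"
    "7bc00000-7bc10000 r-xp 00000000 08:01 5678 /usr/lib/wine/ntdll.dll.so\n";

/* Scan maps text for the first mapping that overlaps [base, base+size).
 * Returns 1 and copies the offending line into hit (if non-NULL) on a
 * conflict, 0 if the whole range is free. Hypothetical helper. */
int range_conflict(const char *maps, unsigned long long base,
                   unsigned long long size, char *hit, size_t hitlen)
{
    const char *p = maps;
    while (*p) {
        size_t len = strcspn(p, "\n");
        unsigned long long start, end;
        /* Each line begins with "start-end" in hex; end is exclusive. */
        if (sscanf(p, "%llx-%llx", &start, &end) == 2 &&
            start < base + size && base < end) {
            if (hit && hitlen) {
                size_t n = len < hitlen - 1 ? len : hitlen - 1;
                memcpy(hit, p, n);
                hit[n] = '\0';
            }
            return 1;
        }
        p += len;
        if (*p == '\n') p++;
    }
    return 0;
}

int main(void)
{
    char hit[256];
    /* 0x00400000 is the default base named above; 0x10000 is an assumed SizeOfImage. */
    if (range_conflict(SAMPLE_MAPS, 0x00400000ULL, 0x10000ULL, hit, sizeof hit))
        printf("conflict: %s\n", hit);
    else
        printf("range is free\n");
    return 0;
}
```

To use it on a live process, read the contents of `/proc/<pid>/maps` into a buffer and pass that buffer in place of `SAMPLE_MAPS`.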