I am trying to create a custom Windows PE loader (binary & DLL) for the purpose of security research. I am having a difficult time finding how to allocate memory for a binary at the desired address in memory (especially if it's non-relocatable). I would like to see why I cannot get memory allocated at the exact address requested in the binary headers. Is there a program or system call that allows me to see a list of memory address ranges allocated to the running processes on a system?
Stephen
Stephen Torri wrote:
I am trying to create a custom Windows PE loader (binary & DLL) for the purpose of security research. I am having a difficult time finding how to allocate memory for a binary at the desired address in memory (especially if it's non-relocatable). I would like to see why I cannot get memory allocated at the exact address requested in the binary headers. Is there a program or system call that allows me to see a list of memory address ranges allocated to the running processes on a system?
In Wine, if you put the program in a sleep with kernel32.Sleep() or sleep(3), you can cat /proc/<pid>/maps to see which memory is allocated.
That, or cause the program to crash or enter winedbg with a breakpoint; then winedbg will give you a backtrace containing the list of modules loaded at each address.
I think the default load address of PE exes is 0x00400000, so it's possible that address is already taken by the first .exe you loaded.
Mike
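The /proc/<pid>/maps check suggested in the reply above can be scripted to show which existing mappings collide with an image's preferred base. This is an added example, not part of the original thread; the sample map, file names, and the ImageBase/SizeOfImage values passed in are constructed assumptions.

```python
import sys

# Constructed sample in /proc/<pid>/maps format (not captured from a real process).
SAMPLE_MAPS = """\
00110000-00120000 rw-p 00000000 00:00 0
00400000-00401000 r--p 00000000 08:01 131 /home/user/first.exe
00401000-00452000 r-xp 00001000 08:01 131 /home/user/first.exe
7bc00000-7bc9e000 r-xp 00000000 08:01 977 /usr/lib/wine/ntdll.dll.so
"""

def parse_maps(text):
    """Return (start, end, perms, path) tuples; end is exclusive."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # the path may contain spaces
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append((start, end, fields[1], path))
    return regions

def conflicts(regions, image_base, image_size):
    """Mappings overlapping [image_base, image_base + image_size)."""
    image_end = image_base + image_size
    return [r for r in regions if r[0] < image_end and image_base < r[1]]

def main(argv):
    # Usage: script.py [pid] [image_base_hex] [image_size_hex]
    # Without a pid, the constructed sample above is used.
    text = SAMPLE_MAPS
    if len(argv) > 1:
        with open("/proc/%s/maps" % argv[1]) as fh:
            text = fh.read()
    base = int(argv[2], 16) if len(argv) > 2 else 0x00400000
    size = int(argv[3], 16) if len(argv) > 3 else 0x10000
    hits = conflicts(parse_maps(text), base, size)
    for start, end, perms, path in hits:
        print("%08x-%08x %s %s" % (start, end, perms, path or "[anonymous]"))
    if not hits:
        print("range %08x-%08x is free" % (base, base + size))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take the base and size arguments from the ImageBase and SizeOfImage fields of the PE optional header of the image being loaded.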
* On Wed, 6 Dec 2006, Stephen Torri wrote:
I am trying to create a custom Windows PE loader (binary & DLL) for the purpose of security research.
Though my answer isn't directly related to your subject, on a side note I would mention Process Stalker [1], open source software which (unfortunately?) seems to use the IDA Pro disassembler and which can be used for researching the security of Win32 apps, e.g. OE Vulnerabilities: [2].
[1] http://www.openrce.org/downloads/details/171/Process%20Stalker
[2] https://www.openrce.org/articles/full_view/12