You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thanks for this superb tool.
I am using the examine_memcheck::exm_mc_run() as a dll injection mechanism for processes created in suspended mode. The code works flawlessly for 32 bit process but for 64 bit processes I am getting the following message: (487) Attempt to access invalid address.
I have checked this for calc.exe on 64 bit Windows 7 machine. The injection was performed from a 64 bit process and target was also 64 bit process. The complete message was: Can not protect page 0x000000010001B9B8 in process handle 0x0000000000000064 failed: ( 487) Attempt to access invalid address.
I have used the dumpbin utility to verify the entry point and it appears to be correctly calculated (see the part of dumpbin output below).
The code crashes in method exm_process_entry_point_patch() at the very first VirtualProtectEx. Any suggestion to correct it. Thanks.
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
6 number of sections
4A5BC9D4 time date stamp Tue Jul 14 05:27:08 2009
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses
OPTIONAL HEADER VALUES
20B magic # (PE32+)
9.00 linker version
60E00 size of code
7F200 size of initialized data
0 size of uninitialized data
1B9B8 entry point (000000010001B9B8)
1000 base of code
100000000 image base (0000000100000000 to 00000001000E2FFF)
1000 section alignment
200 file alignment
6.01 operating system version
6.01 image version
6.01 subsystem version
0 Win32 version
E3000 size of image
600 size of headers
The text was updated successfully, but these errors were encountered:
Never mind resolved the issue. The problem was due to address space layout randomization (ASLR) for calc.exe. The solution is to calculate the runtime process base address, then get the loaded images base address and add AddressOfEntryPoint to it. Tested it for 32 and 64 bit applications on Windows 7 64 bit.
Thanks for this superb tool.
I am using the
examine_memcheck::exm_mc_run()
as a dll injection mechanism for processes created in suspended mode. The code works flawlessly for 32 bit process but for 64 bit processes I am getting the following message:(487) Attempt to access invalid address.
I have checked this for calc.exe on 64 bit Windows 7 machine. The injection was performed from a 64 bit process and target was also 64 bit process. The complete message was:
Can not protect page 0x000000010001B9B8 in process handle 0x0000000000000064 failed: ( 487) Attempt to access invalid address.
I have used the dumpbin utility to verify the entry point and it appears to be correctly calculated (see the part of dumpbin output below).
The code crashes in method
exm_process_entry_point_patch()
at the very firstVirtualProtectEx
. Any suggestion to correct it. Thanks.The text was updated successfully, but these errors were encountered: