Getting error code 487 (Attempt to access invalid address) for 64 bit application #4

Closed
manishshukla opened this issue Nov 3, 2016 · 2 comments

manishshukla commented Nov 3, 2016

Thanks for this superb tool.
I am using examine_memcheck::exm_mc_run() as a DLL injection mechanism for processes created in suspended mode. The code works flawlessly for 32 bit processes, but for 64 bit processes I am getting the following message:
(487) Attempt to access invalid address.

I have checked this for calc.exe on a 64 bit Windows 7 machine. The injection was performed from a 64 bit process and the target was also a 64 bit process. The complete message was:
Can not protect page 0x000000010001B9B8 in process handle 0x0000000000000064 failed: ( 487) Attempt to access invalid address.

I have used the dumpbin utility to verify the entry point and it appears to be correctly calculated (see the part of dumpbin output below).

The code crashes in method exm_process_entry_point_patch() at the very first VirtualProtectEx. Any suggestions to correct it? Thanks.

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               6 number of sections
        4A5BC9D4 time date stamp Tue Jul 14 05:27:08 2009
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
            9.00 linker version
           60E00 size of code
           7F200 size of initialized data
               0 size of uninitialized data
           1B9B8 entry point (000000010001B9B8) 
            1000 base of code
       100000000 image base (0000000100000000 to 00000001000E2FFF)
            1000 section alignment
             200 file alignment
            6.01 operating system version
            6.01 image version
            6.01 subsystem version
               0 Win32 version
           E3000 size of image
             600 size of headers
@manishshukla
Author

Never mind, resolved the issue. The problem was due to address space layout randomization (ASLR) for calc.exe. The solution is to calculate the runtime process base address, then get the loaded image's base address and add AddressOfEntryPoint to it. Tested it for 32 and 64 bit applications on Windows 7 64 bit.
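
The calculation described in the comment above, as an added example (not code from this thread or from Examine): it parses the PE headers for AddressOfEntryPoint, the preferred ImageBase and the ASLR flag, then adds the entry-point RVA to the base the image is really mapped at. The names `pe_parse`, `entry_va` and `sample_header` are hypothetical; the header bytes are constructed from the dumpbin values in the report, and the DllCharacteristics value and the runtime base `0xFF2A0000` are assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DYNAMIC_BASE 0x0040 /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
typedef struct { uint32_t entry_rva; uint64_t preferred_base; int aslr; } pe_info;

/* Little-endian readers, so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Parse the PE headers in b[0..n); returns 0 on success, -1 if malformed. */
int pe_parse(const uint8_t *b, size_t n, pe_info *out) {
    if (n < 0x40 || rd16(b) != 0x5A4D) return -1;           /* "MZ" */
    uint32_t off = rd32(b + 0x3C);                           /* e_lfanew */
    if (off > n || n - off < 24 + 72) return -1;             /* sig + file hdr + fields used */
    if (rd32(b + off) != 0x00004550) return -1;              /* "PE\0\0" */
    const uint8_t *opt = b + off + 24;                       /* optional header */
    uint16_t magic = rd16(opt);
    if (magic != 0x20B && magic != 0x10B) return -1;         /* PE32+ or PE32 only */
    out->preferred_base = magic == 0x20B ? rd64(opt + 24) : rd32(opt + 28);
    out->entry_rva = rd32(opt + 16);                         /* AddressOfEntryPoint */
    out->aslr = (rd16(opt + 70) & DYNAMIC_BASE) != 0;        /* DllCharacteristics */
    return 0;
}

/* Entry point VA = base the image is actually mapped at + AddressOfEntryPoint. */
uint64_t entry_va(const pe_info *pe, uint64_t runtime_base) { return runtime_base + pe->entry_rva; }

/* Constructed sample: values from the dumpbin output; DllCharacteristics is assumed. */
size_t sample_header(uint8_t *b, size_t n) {
    if (n < 0x100) return 0;
    memset(b, 0, 0x100);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;                  /* e_lfanew = 0x80 */
    memcpy(b + 0x80, "PE\0\0", 4);
    uint8_t *opt = b + 0x80 + 24;
    opt[0] = 0x0B; opt[1] = 0x02;                            /* magic 20B */
    opt[16] = 0xB8; opt[17] = 0xB9; opt[18] = 0x01;          /* entry point 1B9B8 */
    opt[28] = 0x01;                                          /* image base 100000000 */
    opt[70] = 0x40;                                          /* DYNAMIC_BASE (assumed) */
    return 0x100;
}

int main(void) {
    uint8_t buf[0x100]; pe_info pe;
    if (!sample_header(buf, sizeof buf) || pe_parse(buf, sizeof buf, &pe)) return 1;
    printf("aslr=%d static=%#llx runtime=%#llx\n", pe.aslr,
           (unsigned long long)entry_va(&pe, pe.preferred_base),
           (unsigned long long)entry_va(&pe, 0xFF2A0000ULL)); /* constructed runtime base */
    return 0;
}
```

When the ASLR flag is set, the address derived from the file's ImageBase (0x10001B9B8 here) need not be mapped in the target at all, which is consistent with VirtualProtectEx failing with error 487.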

@vtorri
Owner

vtorri commented Nov 4, 2016

Thank you for your interest.
BTW, don't hesitate to propose patches. I have very little time these months.

Note also that there is the view tool in examine that should do something similar to dumpbin. It also displays ASLR, for example.
