I’ve updated wow64ext library, there are two new functions:
- VirtualAllocEx64
- VirtualFreeEx64
Those are equivalent of standard VirtualAllocEx and VirtualFreeEx, but works with 64-bits addresses. There is additional source code provided in \sample\main.cpp that shows how to use those new functions:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | printf("Alloc/Free test:\nRequesting 0x1000 bytes of memory at 0x70000020000 ...\n"); DWORD64 mem = VirtualAllocEx64(hProcess, 0x70000020000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (0 == mem) { printf("VirtualAllocEx64 failed.\n"); CloseHandle(hProcess); return 0; } printf("Memory allocated at: %016I64X\n", mem); VirtualQueryEx64(hProcess, mem, &mbi64, sizeof(mbi64)); printf("Query memory: %016I64X %016I64X %08X %08X %08X\n", mbi64.BaseAddress, mbi64.RegionSize, mbi64.Protect, mbi64.Type, mbi64.State); printf("Freeing memory: %s\n", VirtualFreeEx64(hProcess, mem, 0, MEM_RELEASE) ? "success" : "failure"); VirtualQueryEx64(hProcess, mem, &mbi64, sizeof(mbi64)); printf("Query memory: %016I64X %016I64X %08X %08X %08X\n", mbi64.BaseAddress, mbi64.RegionSize, mbi64.Protect, mbi64.Type, mbi64.State); |
After successful execution it will show that both new functions works perfectly:
Alloc/Free test:
Requesting 0x1000 bytes of memory at 0x70000020000 ...
Memory allocated at: 0000070000020000
Query memory: 0000070000020000 0000000000001000 00000004 00020000 00001000
Freeing memory: success
Query memory: 0000070000020000 000000FEF5050000 00000001 00000000 00010000
green values are memory protection flags:
- 00000004 – PAGE_READWRITE
- 00000001 – PAGE_NOACCESS
yellow values represents state of memory pages:
- 00001000 – MEM_COMMIT
- 00010000 – MEM_FREE
Link to library hosted on google code: http://code.google.com/p/rewolf-wow64ext/
Direct link to zip package: http://rewolf-wow64ext.googlecode.com/files/rewolf.wow64ext.zip
very good stuff!
ReWolf , you can add functions: NtMapViewOfSection,QueueUserAPC, ResumeThread\CreateThread ?