Allocating Memory below imagebase


Arcane
September 3rd, 2008, 14:23
Hi guys, I've encountered a little problem ... I'm trying to allocate some free memory below imagebase, but it doesn't seem to be doable. So I'm wondering, is this possible at all from ring3? (hacks? hehe), or will I have to go ring3 to get the power needed to perform this deed? Looking forward to your responses.

Just seems weird, since I can VirtualQuery them without a problem.

And yes, I did check my VirtualAlloc call: if I allocate an address above the image, it works.

Kayaker
September 4th, 2008, 01:15
I don't know why you're having problems. I did a little test, I used TopToBottomNt by Russell Osterlund to view the memory map of my test app.

Then I chose a region of uncommitted memory (0x200000), which is below image base, and used VirtualAlloc to allocate it. No problems.

Then I chose a region of previously committed memory (0x240000 - which happened to be ProcessHeap 1) and again used VirtualAlloc with that address. Surprisingly it didn't give any kind of error but simply returned the address, which was of course already in use. Points out why you need to check if the memory is already allocated before trying to allocate at the same address.

I didn't try it with VirtualAllocEx, allocating to a remote process.

So what's unusual about your situation?

And if you do happen to be allocating user memory in a process from kernel mode with something like IoAllocateMdl / MmMapLockedPagesSpecifyCache, I've only ever seen it allocate below image base.

Kayaker

Arcane
September 4th, 2008, 02:33
Hmm, that is indeed weird ... with VirtualAllocEx it continually refuses to allocate the memory. I'll try to play around with it a little more, but weird that you are able to; I guess I gotta do some more testing. I really tried a lot of stuff. Basically what I'm doing is to VirtualQuery from 0x10000, I believe it is (I am at work), and then check if the memory pages are MEM_FREE and then call VirtualAllocEx with the information from the MEM_INFO block. Anyway, I'll play around with it some more, as it seems possible, just me fucking up then. Thanks for the reply.

Update:

Yes, it does seem to work if you choose the right place, but the free memory between 0x10000 and 0x20000 seems completely inaccessible via VirtualAlloc. The examples you gave work fine, but still puzzling.

evaluator
September 4th, 2008, 06:33
You need to have appropriate access rights to the other process for VirtualAlloc/WriteProcMem etc.

Arcane
September 9th, 2008, 08:04
Problem Solved:

Okay, you CANNOT allocate the free space as a spare memory section using VirtualAlloc, BUT you can expand an already existing one so that it incorporates the free space into its region, thus allowing you to use the free space.
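
An added example, not from any poster in the thread: the sketch below models one likely reason the free pages between 0x10000 and 0x20000 could be queried but not allocated, assuming the usual 64 KB allocation granularity, under which VirtualAlloc rounds the base address of a new reservation down to a granularity boundary. The `region_t` struct, the function names and the sample map are constructed stand-ins for VirtualQuery output, so the code runs without the Windows API.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the MEMORY_BASIC_INFORMATION fields used here. */
enum { ST_FREE, ST_RESERVED, ST_COMMITTED };
typedef struct { uintptr_t base; size_t size; int state; } region_t;

/* Assumed value; on a real system read SYSTEM_INFO.dwAllocationGranularity. */
#define GRANULARITY 0x10000u

/* Round addr up to the next allocation-granularity boundary. */
static uintptr_t align_up(uintptr_t addr) {
    return (addr + GRANULARITY - 1) & ~(uintptr_t)(GRANULARITY - 1);
}

/* Return the first base inside a free region where a new reservation of
 * `want` bytes could start, or 0 if the region holds no aligned address
 * with enough room (free pages that are only the tail of a used granule). */
uintptr_t reservable_base(const region_t *r, size_t want) {
    if (r->state != ST_FREE || want == 0) return 0;
    uintptr_t start = align_up(r->base);
    uintptr_t end = r->base + r->size;
    if (start >= end || end - start < want) return 0;
    return start;
}

/* Walk a map and return the first usable base that fits below `limit`. */
uintptr_t first_reservable_below(const region_t *map, size_t n,
                                 uintptr_t limit, size_t want) {
    for (size_t i = 0; i < n; i++) {
        uintptr_t b = reservable_base(&map[i], want);
        if (b != 0 && b + want <= limit) return b;
    }
    return 0;
}

/* Constructed sample map, loosely following the addresses in the thread. */
const region_t sample_map[] = {
    { 0x010000, 0x001000, ST_COMMITTED }, /* one page in use              */
    { 0x011000, 0x00F000, ST_FREE },      /* rest of the same 64 KB block */
    { 0x020000, 0x1E0000, ST_COMMITTED },
    { 0x200000, 0x040000, ST_FREE },      /* aligned, uncommitted         */
    { 0x240000, 0x1C0000, ST_COMMITTED }, /* heap                         */
    { 0x400000, 0x010000, ST_COMMITTED }, /* image base                   */
};
const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];
```

In this model the 0x11000 region reports as free yet yields no usable base, while 0x200000 does, which matches both posters' observations.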