Joined: 09 Aug 2013
Posted: Fri Jul 08, 2016 8:36 pm    Post subject: 64 bit programs invalid AllocationBase ?
I'm trying to modify SEGnosis's SigMaker plugin (link in the notehub post below) to use the capstone disassembly library, since it supports x64 (and the ADE32 code SEGnosis used doesn't), but I've found that VirtualQueryEx is frequently returning 0 for the allocation base, or a value such that it + the size until the next region (found by SEGnosis by looking until a different allocation base is returned) does not include the address/bytes I'm searching for...
I noticed yesterday, when I got it working with x86 and started with the x64 tutorial program, that it was returning 0 for the AllocationBase; today it's returning a non-zero result, but I can't find a pattern of bytes that I know exist (48 8D 05 ED 4B 2E 00). Can anyone provide ideas as to why? For some x64 processes it does work, for others it returns 0, and others act like the x64 tutorial (it finds a non-zero AllocationBase but not the right bytes). All the x86 processes seem to simply work as expected lol
Also, since it's semi-related, what is the difference between the DISASSEMBLERCONTEXT callbackroutine's selectedAddress and the callbackroutineOnPopup's selectedAddress (as SEGnosis notes, the one in OnPopup is not the actual selected address, but the non-Popup one is only called on right click, not when the shortcut is used)? I've found good documentation on what everything is to be difficult to find...
dropbox link to modified code (Visual Studio 2015 community solution): notehub dot org / sz4s0 (can't post links yet)
Disclaimer: I'm a novice... but I have completed Harvard's CS50 (intro with C) course, so I understand the absolute basics. But I still don't understand everything, and I certainly couldn't have written the original code myself lol, I simply haven't had experience with it.
Oh, I guess I should mention the point of the plugin is to generate an AOB that doesn't use hard coded values... not 100% sure how useful that is during game updates since the registers could change too and this doesn't wildcard that info... but, regardless, that's the idea behind the plugin.
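The region walk the post describes (take the allocation base VirtualQueryEx returns, keep querying until the AllocationBase changes, then scan that span for the signature) is easy to get subtly wrong, so here is an added example of the logic, written for this thread and not taken from SigMaker or from SEGnosis. It simulates VirtualQueryEx and ReadProcessMemory with a constructed memory map of a fake 64-bit module (header, .text, a reserved gap, .data, then free space) so it compiles and runs off Windows; in a real plugin `query_region` would wrap VirtualQueryEx and `r.data` would come from ReadProcessMemory. Two things the example does that are worth checking in the plugin: it keeps every address as `uint64_t` (in a 32-bit build the BaseAddress/AllocationBase/RegionSize fields of MEMORY_BASIC_INFORMATION are only 32 bits wide, so a 64-bit target's addresses cannot be represented), and it refuses to report a scan as valid unless the target address actually falls inside the computed allocation bounds, which is the condition the post says is being violated. The module base, region layout and the second `lea` are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the MEMORY_BASIC_INFORMATION fields a signature scanner needs.
 * Addresses are uint64_t so a 64-bit target survives even in a 32-bit build. */
typedef struct {
    uint64_t base;         /* BaseAddress */
    uint64_t alloc_base;   /* AllocationBase (0 for free memory) */
    uint64_t size;         /* RegionSize */
    int committed;         /* State == MEM_COMMIT */
    const uint8_t *data;   /* constructed contents (NULL when not committed) */
} region_t;

/* Constructed backing storage for the committed regions of a fake module. */
static uint8_t g_hdr[0x1000];
static uint8_t g_text[0x3000];
static uint8_t g_data[0x1000];

#define MODULE_BASE 0x7ff600000000ULL   /* hypothetical 64-bit image base */

/* Constructed memory map: one allocation with a reserved gap, then free space. */
static region_t g_map[] = {
    { MODULE_BASE + 0x0000, MODULE_BASE, 0x1000,  1, g_hdr  },
    { MODULE_BASE + 0x1000, MODULE_BASE, 0x3000,  1, g_text },
    { MODULE_BASE + 0x4000, MODULE_BASE, 0x1000,  0, NULL   },  /* MEM_RESERVE */
    { MODULE_BASE + 0x5000, MODULE_BASE, 0x1000,  1, g_data },
    { MODULE_BASE + 0x6000, 0,           0x10000, 0, NULL   },  /* MEM_FREE */
};
#define MAP_LEN (sizeof g_map / sizeof g_map[0])

/* Fill .text with NOPs and plant two "lea rax,[rip+imm32]" instructions:
 * the exact bytes from the post at +0x1020 and a second one at +0x2500. */
void setup_memory(void) {
    static const uint8_t lea_a[] = { 0x48, 0x8D, 0x05, 0xED, 0x4B, 0x2E, 0x00 };
    static const uint8_t lea_b[] = { 0x48, 0x8D, 0x05, 0x10, 0x00, 0x00, 0x00 };
    memset(g_text, 0x90, sizeof g_text);
    memcpy(g_text + 0x0020, lea_a, sizeof lea_a);
    memcpy(g_text + 0x1500, lea_b, sizeof lea_b);
}

/* Simulated VirtualQueryEx: the region containing addr, 0 if none. */
int query_region(uint64_t addr, region_t *out) {
    for (size_t i = 0; i < MAP_LEN; i++)
        if (addr >= g_map[i].base && addr < g_map[i].base + g_map[i].size) {
            *out = g_map[i];
            return 1;
        }
    return 0;
}

/* [lo, hi) of the whole allocation containing addr: start at AllocationBase
 * and walk forward while the AllocationBase stays the same. Returns 1 only if
 * addr really lies inside the result, which is the check the post needs. */
int allocation_bounds(uint64_t addr, uint64_t *lo, uint64_t *hi) {
    region_t r;
    if (!query_region(addr, &r) || r.alloc_base == 0) return 0;
    uint64_t cur = r.alloc_base;
    *lo = cur;
    for (;;) {
        region_t n;
        if (!query_region(cur, &n) || n.alloc_base != r.alloc_base || n.size == 0) break;
        cur = n.base + n.size;
    }
    *hi = cur;
    return addr >= *lo && addr < *hi;
}

/* Parse "48 8D 05 ?? ?? ?? ??" into bytes + mask (mask 1 = byte must match). */
size_t parse_pattern(const char *s, uint8_t *bytes, uint8_t *mask, size_t max) {
    size_t n = 0;
    while (*s && n < max) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (*s == '?') { bytes[n] = 0; mask[n] = 0; }
        else {
            unsigned v;
            if (sscanf(s, "%2x", &v) != 1) return 0;
            bytes[n] = (uint8_t)v; mask[n] = 1;
        }
        n++;
        while (*s && *s != ' ') s++;
    }
    return n;
}

/* Scan only the committed regions of the allocation containing addr.
 * Returns the match count; *first receives the first match address. */
size_t scan_allocation(uint64_t addr, const char *pattern, uint64_t *first) {
    uint8_t bytes[64], mask[64];
    size_t plen = parse_pattern(pattern, bytes, mask, sizeof bytes);
    uint64_t lo, hi;
    if (plen == 0 || !allocation_bounds(addr, &lo, &hi)) return 0;

    size_t hits = 0;
    for (uint64_t cur = lo; cur < hi; ) {
        region_t r;
        if (!query_region(cur, &r) || r.size == 0) break;
        if (r.committed && r.data && r.size >= plen)   /* skip reserved gaps */
            for (uint64_t off = 0; off + plen <= r.size; off++) {
                size_t k = 0;
                while (k < plen && (!mask[k] || r.data[off + k] == bytes[k])) k++;
                if (k == plen) { if (hits++ == 0 && first) *first = r.base + off; }
            }
        cur = r.base + r.size;
    }
    return hits;
}

int main(void) {
    setup_memory();
    uint64_t first = 0;
    size_t exact = scan_allocation(MODULE_BASE + 0x1020, "48 8D 05 ED 4B 2E 00", &first);
    size_t wild  = scan_allocation(MODULE_BASE + 0x1020, "48 8D 05 ?? ?? ?? ??", &first);
    printf("exact signature: %zu hit(s)\nwildcarded rip-relative lea: %zu hit(s)\n", exact, wild);
    return 0;
}
```

The wildcarded form of the instruction matches twice in the constructed map while the exact bytes match once, which is exactly why a signature generator that wildcards the displacement has to rescan the allocation and confirm uniqueness before emitting the AOB. A match that straddles two adjacent committed regions is not found by this scanner; handle that by scanning a buffer that spans the whole allocation if it matters for the target.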