Hello,

I'm currently playing with VirtualAlloc and wrote a simple, small test program in ASM, the size of the image is just 16 kB. To further reduce the amount of memory being used I linked with params /HEAP:0x1000,1000 and /Stack:0x8000,1000. After that I thought it must be "absolutely sure" that memory address 600000h is free and can be used as first parameter for my VirtualAlloc call. This worked for Win98SE, but failed on WinXP.

The module list in XP when the app is running is:

VALLOCA.EXE   400000     16384 0 VALLOCA.EXE
USER32.dll 77D10000     589824 0 USER32.dll
GDI32.dll 77EF0000     286720 0 GDI32.dll
kernel32.dll 7C800000   1073152 0 kernel32.dll
ntdll.dll 7C910000     749568 0 ntdll.dll


And the info returned by VirtualQuery is:

00400000     1000 commit   400000 execute_writecopy readonly image
00401000     1000 commit   400000 execute_writecopy execute_read image
00402000     2000 commit   400000 execute_writecopy readonly image
00404000     C000 free
00410000   103000 commit   410000 readonly readonly mapped
00513000     D000 free
00520000   4B000 commit   520000 execute_read execute_read mapped
0056B000   2B5000 reserve   520000 execute_read mapped
00820000 774F0000 free
77D10000     1000 commit 77D10000 execute_writecopy readonly image


As one can see, there are some large regions (one starting at 410000, the other at 520000), which together occupy more than 4 MB of address space, both marked as mapped. Where do those regions come from (and - if possible - how can I prevent that)? Is there a tool which tells me who has allocated this memory?

Posted on 2005-09-11 05:50:52 by japheth
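One way to get the "who owns this region" answer without a separate tool is to walk the address space with VirtualQuery and ask GetMappedFileNameW for the backing file of every mapped or image region. The script below is an added example, not code from the thread; the Windows walker needs ctypes on Windows, while XP_REGIONS is transcribed from the VirtualQuery listing above so the two helpers can be run anywhere to check whether 600000h is actually free in that layout.

```python
import ctypes

# MEMORY_BASIC_INFORMATION.State and .Type values from winnt.h
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAME = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Natural alignment of RegionSize reproduces the x64 PartitionId padding, so this matches both bitnesses.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

def walk_regions():
    """Walk the current process with VirtualQuery (Windows only) and return
    (base, size, state, type, file) tuples. For image/mapped regions, file is the backing
    file from GetMappedFileNameW, i.e. the module or section that owns the region."""
    kernel32, psapi = ctypes.WinDLL("kernel32"), ctypes.WinDLL("psapi")
    kernel32.VirtualQuery.argtypes = [ctypes.c_void_p, ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    kernel32.VirtualQuery.restype = ctypes.c_size_t
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    psapi.GetMappedFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_ulong]
    mbi, addr, regions = MEMORY_BASIC_INFORMATION(), 0, []
    while kernel32.VirtualQuery(addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        name, buf = "", ctypes.create_unicode_buffer(260)
        if mbi.Type in (MEM_MAPPED, MEM_IMAGE) and \
                psapi.GetMappedFileNameW(kernel32.GetCurrentProcess(), addr, buf, 260):
            name = buf.value
        regions.append((addr, mbi.RegionSize, mbi.State, mbi.Type, name))
        addr += mbi.RegionSize  # the next region starts right after this one
    return regions

def bytes_by_type(regions):
    """Sum committed and reserved bytes per region type; free regions are skipped."""
    totals = {}
    for _, size, state, typ, *_ in regions:
        if state != MEM_FREE:
            totals[TYPE_NAME[typ]] = totals.get(TYPE_NAME[typ], 0) + size
    return totals

def is_range_free(regions, base, size):
    """True if [base, base+size) lies entirely inside one MEM_FREE region, i.e. a
    VirtualAlloc with that fixed lpAddress cannot collide with an existing region."""
    return any(state == MEM_FREE and b <= base and base + size <= b + n
               for b, n, state, *_ in regions)

# Constructed from the first VirtualQuery listing in the thread (XP, user32/gdi32 loaded).
XP_REGIONS = [
    (0x400000, 0x1000, MEM_COMMIT, MEM_IMAGE), (0x401000, 0x1000, MEM_COMMIT, MEM_IMAGE),
    (0x402000, 0x2000, MEM_COMMIT, MEM_IMAGE), (0x404000, 0xC000, MEM_FREE, 0),
    (0x410000, 0x103000, MEM_COMMIT, MEM_MAPPED), (0x513000, 0xD000, MEM_FREE, 0),
    (0x520000, 0x4B000, MEM_COMMIT, MEM_MAPPED), (0x56B000, 0x2B5000, MEM_RESERVE, MEM_MAPPED),
    (0x820000, 0x774F0000, MEM_FREE, 0),
]
```

On the XP layout the three mapped regions add up to 0x403000 bytes (just over 4 MB) and 600000h falls inside the reserved region that begins at 56B000h, so a fixed-address VirtualAlloc there must fail.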
410000 is your exe, I think.
Posted on 2005-09-11 18:33:38 by Qages

No, my exe is loaded at 400000h.
Posted on 2005-09-11 19:06:42 by japheth
Hm, this does look pretty damn weird to me.

Try making a loader app that loads your target process in SUSPENDED mode, since this gives you a chance to VirtualQueryEx *before* the loaded DLLs' init code is called - it might very well be some of the standard modules that allocate memory.
Posted on 2005-09-11 20:24:23 by f0dder

> Try making a loader app that loads your target process in SUSPENDED mode, since this gives you a chance to
> VirtualQueryEx *before* loaded DLLs init-code is called

I loaded it with WinDbg, and when WinDbg stops (ntdll.DbgBreakPoint) the regions aren't allocated:


00400000     1000 commit   400000 execute_writecopy readonly image
00401000     1000 commit   400000 execute_writecopy execute_read image
00402000     2000 commit   400000 execute_writecopy readonly image
00404000 7790C000 free
77D10000     1000 commit 77D10000 execute_writecopy readonly image
77D11000   5F000 commit 77D10000 execute_writecopy execute_read image
77D70000     2000 commit 77D10000 execute_writecopy writecopy image
77D72000   2E000 commit 77D10000 execute_writecopy readonly image
77DA0000   150000 free


But when I press F5 and reach my code, they are.


Posted on 2005-09-12 06:25:48 by japheth

The test app is a console app, but it used wsprintf (which caused user32.dll and gdi32.dll to be mapped into the process address space).
I just generated a slightly modified version which didn't use wsprintf; instead it used a very simple static CRT, thus avoiding loading user32.dll and gdi32.dll. Now these regions are gone!?


VALLOCBX.EXE   400000     20480 0 VALLOCBX.EXE
kernel32.dll 7C800000   1073152 0 kernel32.dll
ntdll.dll 7C910000     749568 0 ntdll.dll



00400000     1000 commit   400000 execute_writecopy readonly image
00401000     1000 commit   400000 execute_writecopy execute_read image
00402000     1000 commit   400000 execute_writecopy readonly image
00403000     1000 commit   400000 execute_writecopy readwrite image
00404000     1000 commit   400000 execute_writecopy readonly image
00405000   BFB000 free
01000000     2000 reserve 1000000 readwrite private
01002000 7B7FE000 free
7C800000     1000 commit 7C800000 execute_writecopy readonly image
7C801000   82000 commit 7C800000 execute_writecopy execute_read image


Now there are just 2 pages reserved at 01000000h (don't ask me why).

Very strange.

Posted on 2005-09-12 06:45:53 by japheth