// P/Invoke declaration for kernel32!VirtualAllocExNuma, which reserves and/or commits
// memory in the address space of the process identified by hProcess.
//
//   hProcess         - handle of the process to allocate in.
//   lpAddress        - requested base address, or IntPtr.Zero to let the system choose.
//   dwSize           - size of the region in bytes.
//   flAllocationType - allocation type flags (MEM_COMMIT, MEM_RESERVE, ...).
//   flProtect        - page protection for the region (PAGE_* constant).
//   nndPreferred     - preferred NUMA node for the physical memory.
//
// Returns the base address of the region, or IntPtr.Zero when the call fails.
// SetLastError = true preserves the Win32 error code, so it can be read with
// Marshal.GetLastWin32Error() immediately after a failed call.
// ExactSpelling = true binds to the export exactly as named (no A/W suffix lookup).
//
// NOTE(review): the native dwSize parameter is SIZE_T (pointer-sized). It is declared
// as uint here, so the declaration does not match the native width in a 64-bit process
// and cannot express sizes above 4 GiB; UIntPtr is the width-correct type. Changing it
// affects existing callers, so confirm before editing the signature.
// NOTE(review): pass the least-permissive flProtect the caller actually needs; regions
// that are both writable and executable are a common target of memory-scanning rules.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress,uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
// Environment check built on VirtualAllocExNuma: the call's result is used only to
// decide whether the process keeps running.
LPVOID mem;
// VirtualAllocExNuma is used here as a sandbox-evasion check. The author's premise is
// that the API is not available inside an AV sandbox environment.
// NOTE(review): that holds only for emulators that do not implement this API; an
// analysis environment that does implement it will return a valid address.
// Arguments: current process, system-chosen address, 1000 bytes, commit + reserve,
// protection 0x4 (PAGE_READWRITE), preferred NUMA node 0.
mem = VirtualAllocExNuma(GetCurrentProcess(), NULL, 1000, MEM_COMMIT | MEM_RESERVE, 0x4, 0);
// Inside such a sandbox the call is expected to fail and mem will be NULL. On a normal
// machine it returns an address within the current process's address space.
// The effect is that the rest of the program does not execute in the AV's sandbox.
// NOTE(review): in this fragment the region is never written to or freed; its only use
// is the NULL test below. An allocation that serves purely as an exit gate is the
// trait analysts and detection rules key on for this check.
if (!mem)
{
// Ends the process with status 0, so the early exit looks like a normal termination.
exit(0);
}