NTProtectVirtualMemory

Hi guys.
I'm trying to write code that I can hook ntdll
I was able to do that.
But there is a problem.
Does anyone have an idea?


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#include <iostream>
#include <Windows.h>
#include <winternl.h>

 

 
int main()
{
	ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
	//LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtReadVirtualMemory");
	LPVOID lpProcAddress = LoadLibrary(L"ntdll.dll");
	LPVOID lpBaseAddress = lpProcAddress;
	DWORD  OldProtection, NewProtection;
	SIZE_T uSize = 10;
	NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
 
 
	if (status != STATUS_SUCCESS) {
		wprintf(L"	[!] ZwProtectVirtualMemory failed.\n");
		return FALSE;
	}
 
	///////////////////////////////////
	 status = VirtualProtect(lpBaseAddress, uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
	//////////////////////////////////
 
	if (status = 0) {
		wprintf(L"	[!] ZwProtectVirtualMemory failed.\n");
		return FALSE;
	}
 
	////////////////////////////////////////////////////////////////////////////
 
	HANDLE process = GetCurrentProcess();
	MODULEINFO mi = {};
	HMODULE ntdllModule = GetModuleHandleA("kernel32.dll");
 
	GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));

	for (WORD i = 9; i <= hookedNtHeader->FileHeader.NumberOfSections; i++) {
	
			DWORD prms= 9;

		}
	}
 

 
	return 0;
}
Last edited on
When I try to use NtProtectVirtualMemory (syscall) instead of VirtualProtect, I get an error.

It would help if you tell what kind of an error you get?

Error code and stack trace would help, bellow is what you could try and verify:

HANDLE process = GetCurrentProcess();

you can try with OpenProcess() instead which gives you a real handle instead of pseudo handle, and specify PROCESS_VM_OPERATION

PAGE_EXECUTE_READWRITE
Protection attributes cannot be assigned to a portion of a page; they can only be assigned to a whole page.

Are you sure bellow address meets the above quote?
(LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress)
not really sure what you have going on bc not enough info or code posted but pretty sure you check a NTSTATUS var as follows...

1
2
3
4

if (NT_SUCCESS(status));



or in your case your checking for failure

 
if (!NT_SUCCESS(status));


that might be part of your problem.
Last edited on
Registered users can post here. Sign in or register to post.