
I have gotten very interested in Windows kernel mode development recently and I am trying to write a jmp instruction inside a program in user mode. It is important to note my driver is manual mapped to kernel space via drvmap. I can read/write easily with MmCopyVirtualMemory but unfortunately the part of memory I need to write to is protected. I tried multiple methods to no avail. The first method I tried was using ZwProtectVirtualMemory, which is an ntdll.dll undocumented function. I imported the function like so in my driver:

extern "C" {
    __declspec(dllimport) NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress,
        IN OUT PULONG NumberOfBytesToProtect,
        IN ULONG NewAccessProtection,
        OUT PULONG OldAccessProtection);
}

and I call the function like so:

KAPC_STATE apc;
KeStackAttachProcess(proc, &apc);
auto addy = (void*)in->addr;
unsigned long old_prot;
ZwProtectVirtualMemory(ZwCurrentProcess(), &addy, (PULONG)in->sz, PAGE_EXECUTE_READWRITE, &old_prot);
KeUnstackDetachProcess(&apc);

That BSODs me, giving me the unhandled kmode exception message. The second thing I tried was flipping the 16th bit of the cr0 register, but that BSODed me as well. I also tried mapping an MDL from physical memory, but that was way out of my league. Any ideas are appreciated. This issue has been bugging me for days.

  • C or C++? They're not the same, please use the correct tag. – Barmar Mar 02 '19 at 01:18
  • The driver is written in C++ BUT I am importing C functions so I decided to tag the two. – iZeusify Mar 02 '19 at 02:31
  • Begin by analyzing the BSOD: what exactly causes it? `ZwProtectVirtualMemory` is exported from the kernel only from Win 8.1 on. And why do you attach/detach the process? And `(PULONG)in->sz` is 100% wrong. It must be `&in->sz`, or `SIZE_T cb = in->sz` and then use `&cb`. – RbMm Mar 02 '19 at 09:14
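As an added example (it is not part of the question or the comments, and it is not the Windows kernel itself), the following is a user-space C model of the argument contract that RbMm's comment points at. The kernel prototype is `NTSTATUS ZwProtectVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect)`: BaseAddress and RegionSize are in/out pointers that the kernel rounds to page boundaries and writes back, so `(PULONG)in->sz` hands the kernel the numeric size as the address to write through. The 4 KiB page size, the 16-page address space with page 0 unmapped, the layout of the model process, the names `model_*` and `make_region_writable`, and the status returned for an out-of-range region are assumptions of this example; the PAGE_* values and STATUS_INVALID_PAGE_PROTECTION match Windows.

```c
/* Added example, not the asker's driver and not a Windows API: a user-space
 * model of the ZwProtectVirtualMemory argument contract. Assumptions: 4 KiB
 * pages, 16 pages with page 0 unmapped (like the null page), PAGE_* values as
 * on Windows, STATUS_INVALID_PARAMETER for an out-of-range region (model
 * choice). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u
#define MODEL_PAGES     16u

#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u

#define STATUS_SUCCESS                 ((int32_t)0x00000000)
#define STATUS_INVALID_PARAMETER       ((int32_t)0xC000000D)
#define STATUS_INVALID_PAGE_PROTECTION ((int32_t)0xC0000045)

struct model_process {
    uint32_t prot[MODEL_PAGES];     /* protection of each page */
};

/* Page 0 unmapped, page 1 an executable code page, the rest read-only. */
void model_process_init(struct model_process *p)
{
    for (unsigned i = 0; i < MODEL_PAGES; i++)
        p->prot[i] = PAGE_READONLY;
    p->prot[0] = PAGE_NOACCESS;
    p->prot[1] = PAGE_EXECUTE_READ;
}

/* The kernel dereferences whatever pointer it was handed; this reports
 * whether an address lands on a mapped page of the model. */
int model_is_mapped(const struct model_process *p, uintptr_t addr)
{
    uintptr_t page = addr / MODEL_PAGE_SIZE;
    return page < MODEL_PAGES && p->prot[page] != PAGE_NOACCESS;
}

static int model_valid_protection(uint32_t prot)
{
    switch (prot) {
    case PAGE_NOACCESS: case PAGE_READONLY: case PAGE_READWRITE:
    case PAGE_EXECUTE_READ: case PAGE_EXECUTE_READWRITE:
        return 1;
    default:
        return 0;               /* combined or unknown bits are rejected */
    }
}

/* Mirrors the contract: BaseAddress and RegionSize are IN OUT and come back
 * rounded to page boundaries; OldProtect receives the first page's previous
 * protection. The caller must pass real pointers to writable variables. */
int32_t model_protect_virtual_memory(struct model_process *p,
                                     uintptr_t *base, size_t *size,
                                     uint32_t new_prot, uint32_t *old_prot)
{
    const uintptr_t limit = (uintptr_t)MODEL_PAGES * MODEL_PAGE_SIZE;
    if (!model_valid_protection(new_prot))
        return STATUS_INVALID_PAGE_PROTECTION;
    if (*size == 0 || *base >= limit || *size > limit - *base)
        return STATUS_INVALID_PARAMETER;

    uintptr_t start = *base & ~(uintptr_t)(MODEL_PAGE_SIZE - 1);
    uintptr_t end   = (*base + *size + MODEL_PAGE_SIZE - 1)
                      & ~(uintptr_t)(MODEL_PAGE_SIZE - 1);
    size_t first = start / MODEL_PAGE_SIZE, last = end / MODEL_PAGE_SIZE;

    *old_prot = p->prot[first];
    for (size_t i = first; i < last; i++)
        p->prot[i] = new_prot;
    *base = start;              /* written back, page-aligned */
    *size = end - start;        /* written back, rounded up   */
    return STATUS_SUCCESS;
}

/* The call shape the comment asks for: a SIZE_T copy of the requested length
 * and the address of that copy, never the length's value cast to a pointer.
 * On success reports the old protection and how many bytes actually changed. */
int32_t make_region_writable(struct model_process *p, uintptr_t addr,
                             size_t len, uint32_t *old_prot, size_t *changed)
{
    uintptr_t base = addr;      /* PVOID BaseAddress = in->addr */
    size_t cb = len;            /* SIZE_T cb = in->sz           */
    uint32_t old = 0;
    int32_t st = model_protect_virtual_memory(p, &base, &cb,
                                              PAGE_EXECUTE_READWRITE, &old);
    if (st == STATUS_SUCCESS) {
        *old_prot = old;
        *changed = cb;
    }
    return st;
}

int main(void)
{
    struct model_process proc;
    model_process_init(&proc);

    /* A 5-byte jmp that straddles the page-1/page-2 boundary. */
    uintptr_t addr = 0x1FFE;
    size_t len = 5, changed = 0;
    uint32_t old = 0;
    int32_t st = make_region_writable(&proc, addr, len, &old, &changed);
    printf("status=0x%08x old=0x%02x changed=%zu bytes\n",
           (unsigned)st, old, changed);

    /* (PULONG)in->sz hands the kernel the number 5 as an address. */
    printf("address 0x%zx mapped: %d\n",
           len, model_is_mapped(&proc, (uintptr_t)len));
    return 0;
}
```

Declaring the size parameter as PULONG has a second effect on x64 even once a real pointer is passed: SIZE_T is 8 bytes there, so the write-back of the rounded size overruns a 4-byte slot. Keep `SIZE_T cb = in->sz;`, pass `&cb`, and check the returned NTSTATUS before writing the jmp.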

0 Answers