hfiref0x/KDU

a question please

matrixhax opened this issue · 3 comments

Hello friends,
and thank you for your hard work.

I have a question, please.
I compiled a driver using examples from this repo.
I want to use ZwProtectVirtualMemory,
but as described, only ntoskrnl symbols were resolved.

So I tried to find its address and use it directly
using MmGetSystemRoutineAddress,
but I get a BSOD, KMOD_UNHANDLED_EXCEPTION.
Shouldn't this code work? I only used ntoskrnl symbols to locate the function in the kernel and use it.

And if not,
is there any better way to solve this?
I want to change the protection of a user-mode process.
And __try / __except, are those not useful in a mapped driver?

ZwProtectVirtualMemory is in the exports of ntoskrnl on Win10.

For ancient systems, locate the pointer to NtProtectVirtualMemory from the SSDT and then call it; don't forget to patch the previous mode to be KernelMode. MmGetSystemRoutineAddress will not find it, as it is not exported by ntoskrnl on older Windows versions.

I'm closing this issue as it has nothing to do with this project.

Thank you for your reply,
but it didn't answer my other question.
Can I use __try / __except?
And why does ZwProtectVirtualMemory give a BSOD?
I thought it was from ntdll.