#pragma warning(disable: 4100)
#include "UnexDriver.h" // includes print() and GetKernelProcAddress()
/*
 * Patch target for the experiment in DriverEntry: returns 10 as compiled.
 * DriverEntry copies an 8-byte stub over the start of this function's machine
 * code and then prints what the function returns.
 *
 * NOTE(review): nothing here guarantees the compiled body is at least 8 bytes
 * long, or that the compiler does not inline or constant-fold the call in
 * DriverEntry. Either would make the experiment misleading; confirm against
 * the generated code.
 */
LONGLONG someFunction() {
return 10;
}
/*
 * Function-pointer type for ZwProtectVirtualMemory. DriverEntry resolves the
 * routine by name through GetKernelProcAddress() and calls it through this type.
 * The prototype is written by hand here, so it must match the real export.
 * BaseAddress and NumberOfBytesToProtect are passed by pointer.
 * NOTE(review): despite the IN annotation, the routine is expected to update
 * both (page rounding) - confirm.
 */
typedef NTSTATUS(_stdcall* ZwProtectVirtualMemory_t)(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
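/*
 * Driver entry point. Registers the unload routine, then tries to overwrite
 * the start of someFunction() with an 8-byte stub and prints the value the
 * function returns afterwards.
 *
 * pDriverObject  - driver object; only DriverUnload is set here.
 * pRegistryPath  - unused.
 *
 * Returns STATUS_SUCCESS when the stub was written and the old protection was
 * restored. Returns STATUS_PROCEDURE_NOT_FOUND when ZwProtectVirtualMemory
 * cannot be resolved, or the failing NTSTATUS from ZwProtectVirtualMemory.
 *
 * The original listing ignored both the resolved pointer and the NTSTATUS of
 * the protection change, so memcpy() ran even when the page was still
 * read-only. That unchecked write is where the reported
 * ATTEMPT_TO_WRITE_READONLY_MEMORY bug check comes from. Failing the load
 * instead keeps the machine up and exposes the real status code.
 *
 * NOTE(review): ZwProtectVirtualMemory presumably only manages user-mode
 * ranges of the target process, so it is expected to fail for an address
 * inside the driver image - confirm with the logged status. Kernel image code
 * pages are write-protected by design, and with HVCI enabled executable
 * kernel pages cannot be made writable at all.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {
    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = UnloadDriver;

    NTSTATUS status = STATUS_SUCCESS;

    /* The lookup can fail (routine not exported on this build); calling a
     * NULL function pointer in kernel mode is an immediate bug check. */
    ZwProtectVirtualMemory_t ZwProtectVirtualMemory =
        (ZwProtectVirtualMemory_t)GetKernelProcAddress(L"ZwProtectVirtualMemory");
    if (ZwProtectVirtualMemory == NULL) {
        status = STATUS_PROCEDURE_NOT_FOUND;
        print("ZwProtectVirtualMemory not resolved: 0x%08X", (ULONG)status);
        return status;
    }

    /* x64 stub from the original listing: mov rax, 1 ; ret.
     * UCHAR avoids squeezing values above 0x7f into a (possibly signed) char. */
    const UCHAR bytes[] = { 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0xc3 };
    ULONG cp = 0;
    SIZE_T sz = sizeof(bytes);
    PVOID baseAddr = (PVOID)&someFunction;

    /* Only write if the protection change is confirmed. */
    status = ZwProtectVirtualMemory(NtCurrentProcess(), &baseAddr, &sz, PAGE_EXECUTE_READWRITE, &cp);
    if (!NT_SUCCESS(status)) {
        print("ZwProtectVirtualMemory (make writable) failed: 0x%08X", (ULONG)status);
        return status;
    }

    /* NOTE(review): assumes someFunction's compiled body is at least
     * sizeof(bytes) long; otherwise this overruns into whatever follows it. */
    memcpy((void*)&someFunction, bytes, sizeof(bytes));

    /* Put the previous protection back so the page is not left writable and
     * executable at the same time. */
    status = ZwProtectVirtualMemory(NtCurrentProcess(), &baseAddr, &sz, cp, &cp);
    if (!NT_SUCCESS(status)) {
        print("ZwProtectVirtualMemory (restore) failed: 0x%08X", (ULONG)status);
        return status;
    }

    print("%lld", someFunction());
    return STATUS_SUCCESS;
}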
/*
 * Unload routine installed by DriverEntry. It does no cleanup and always
 * reports STATUS_SUCCESS.
 *
 * NOTE(review): the WDK DRIVER_UNLOAD callback type returns VOID; this routine
 * returns NTSTATUS, presumably to match its declaration in UnexDriver.h -
 * confirm the assignment to DriverUnload compiles without a cast warning.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject) {
    NTSTATUS result = STATUS_SUCCESS;

    /* The driver object is not needed; reference it to silence C4100. */
    (void)pDriverObject;

    return result;
}
I am trying to make a basic hook like the one above, but I always get a crash (bug check) named "ATTEMPT_TO_WRITE_READONLY_MEMORY", so I think there is a problem with how I change the protection of the memory address. I searched for a function to change memory protection in the kernel but couldn't find one. Does anybody know of one?
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…