Getting ZwProtectVirtualMemory function address

  • Question

  • On Windows 8+, the ZwProtectVirtualMemory is available through MmGetSystemRoutineAddress(). However, on Windows 7, the function is present but undocumented. Is there any way for me to find the function and call it in Windows 7, regardless of the merits of using an undocumented function? The fact that the function was made accessible in later Windows suggests the function really shouldn't have been hidden in Windows 7. Is there a better way for me to find the function than scanning the memory for the unique combination of machine code bytes that make up the function? Thanks.
    Tuesday, April 2, 2019 4:56 AM

Answers

  • No answer is good answer. I wasn't expecting one. I thought I'd ask in case someone somewhere has some titbits. If VirtualProtect and VirtualProtectEx have some connection with ZwProtectVirtualMemory, then those functions could contain the address. This gives me another avenue to explore.
    • Marked as answer by Dev10110110 Tuesday, April 2, 2019 7:08 PM
    • Edited by Dev10110110 Tuesday, April 2, 2019 7:09 PM
    Tuesday, April 2, 2019 7:08 PM

All replies

  • Why don't you use a helper application with VirtualProtectEx? This would also allow you to use FlushInstructionCache to make sure things are stable. Of course the bigger question is why do you think you need this in the first place?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 2, 2019 3:41 PM
  • I need it because I have already used it. I currently have a limp on Windows 7. That's not ideal as you can imagine. If a solution is not possible, I guess I will just have to hobble along.

    A helper app will be no go. I am using it for low-level memory manipulation; an app wouldn't have the privileges.

    The question is not so much why I need it, but why is the function there?

    Tuesday, April 2, 2019 4:45 PM
  • The function is there to provide support for VirtualProtect and VirtualProtectEx. The fact that you choose to use an undocumented function in your driver means that you have to expect it could not be in some systems both past and future.

    The real question is why do you think you need to do this on an application from the kernel? Most of the uses of VirtualProtectEx are from the application that is having its memory protection changed.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 2, 2019 4:54 PM
  • If MmGetSystemRoutineAddress returns it then it is there. It is also in Windows 7, I just don't have the address. I have no expectations it will disappear from Windows 7, or be changed, since the OS is coming to end of life.

    I have a use for the function is as much as I can say.

    Tuesday, April 2, 2019 5:14 PM