ZwProtectVirtualMemory

I have a driver that I need to make compatible with Windows 7. The only issue I’m running into now is the use of ZwProtectVirtualMemory. It is not exported in Windows 7 but is with Win 8.1 and 10 (didn’t test Windows 8).

I can’t move the protection code to a service because it may need to be called at boot before any service is loaded. So are there any options to get this same capability with Windows 7 without searching for code signatures or using hard coded offsets?

IIRC, the Zw… prefix in kernel mode implies that this function is invoked via the SSDT, while the Nt… one implies that it is exported directly via the IAT. It means that, as long as we are speaking about a Zw-style function, you may try to call it from the kernel simply via its service index, even if the stub that actually invokes it is not exported by the kernel. The most obvious problem that you may potentially run into is the scenario when the target function simply does not expect a KM caller and makes assumptions about a user-mode one. In such a case it may, at least in theory, unconditionally jump to the stub that makes a return to the userland, or do some other “funny” thing.

Therefore, try to call it via its service index, and see what happens…

Anton Bassov

I just built a driver for Win 7 x64 which calls this function and the function is available. The prototype is not, so you need to define it yourself, but the function is exported.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows System Software Devs Interest List”
Sent: 8/14/2017 11:07:24 AM
Subject: [ntdev] ZwProtectVirtualMemory

>I have a driver that I need to make compatible with Windows 7. The
>only issue I’m running into now is the use of ZwProtectVirtualMemory.
>It is not exported in Windows 7 but is with Win 8.1 and 10 (didn’t test
>Windows 8).
>
>I can’t move the protection code to a service because it may need to be
>called at boot before any service is loaded. So are there any options
>to get this same capability with Windows 7 without searching for code
>signatures or using hard coded offsets?
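The two replies disagree on whether Windows 7 exports ZwProtectVirtualMemory, and the original poster wants to avoid signature scanning and hard-coded offsets (including a hard-coded service index, which changes between builds). The sketch below is an added example, not code from either poster: it hand-declares the prototype as Pete describes and resolves the export by name with MmGetSystemRoutineAddress at DriverEntry, so a single driver binary loads on every kernel and simply reports the capability as unavailable where the export is missing, instead of failing to load with an unresolved import. The wrapper assumes it is called in the context of the process whose address space is being changed (hence ZwCurrentProcess); the function and variable names are my own.

```c
// Added example (not from the thread): resolve ZwProtectVirtualMemory at run time
// so one driver binary works whether or not the running kernel exports it.
// Builds with the WDK; the prototype is hand-declared because no public header has it.
#include <ntddk.h>

// Hand-declared prototype (matches the documented NtProtectVirtualMemory shape).
typedef NTSTATUS (NTAPI *PFN_ZwProtectVirtualMemory)(
    _In_    HANDLE  ProcessHandle,
    _Inout_ PVOID  *BaseAddress,
    _Inout_ PSIZE_T RegionSize,
    _In_    ULONG   NewProtect,
    _Out_   PULONG  OldProtect);

static PFN_ZwProtectVirtualMemory g_pfnZwProtectVirtualMemory = NULL;

// Look the routine up by name once, at load time. On a kernel that does not
// export it the pointer stays NULL and callers degrade instead of crashing.
static BOOLEAN ResolveZwProtectVirtualMemory(void)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"ZwProtectVirtualMemory");

    g_pfnZwProtectVirtualMemory =
        (PFN_ZwProtectVirtualMemory)MmGetSystemRoutineAddress(&name);
    return g_pfnZwProtectVirtualMemory != NULL;
}

// Change the protection of a range in the *current* process's address space.
// Returns STATUS_NOT_SUPPORTED when the export is unavailable on this OS, so the
// caller can log and continue rather than dereference a NULL function pointer.
static NTSTATUS ProtectRange(PVOID base, SIZE_T size,
                             ULONG newProtect, PULONG oldProtect)
{
    PVOID  regionBase = base;   // in/out: rounded down to a page boundary by the kernel
    SIZE_T regionSize = size;   // in/out: rounded up to cover whole pages

    if (g_pfnZwProtectVirtualMemory == NULL) {
        return STATUS_NOT_SUPPORTED;
    }
    return g_pfnZwProtectVirtualMemory(ZwCurrentProcess(), &regionBase, &regionSize,
                                       newProtect, oldProtect);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    if (!ResolveZwProtectVirtualMemory()) {
        // Windows 7 path if Pete's observation does not hold on a given build:
        // keep loading, but treat the protection feature as disabled.
        KdPrint(("ZwProtectVirtualMemory not exported on this kernel; "
                 "protection feature disabled\n"));
    }
    return STATUS_SUCCESS;
}
```

Because the lookup is by exported name rather than by service index or offset, nothing in the driver depends on a particular kernel build; the only thing that varies across versions is whether ResolveZwProtectVirtualMemory succeeds, which the driver handles explicitly.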