Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Image loaded with NoChange set

John-6John-6 Member Posts: 57
I'm injecting a dll (bad I know) using kernel APCs (undocumented I know) on a 64-bit system into a WOW64 process. The dll injects fine, as it does with straight 32 or 64-bit applications but for some reason with WOW64, NoChange is set in page protections. When I attempt to use ZwProtectVirtualMemory to change protections to READWRITE in order to provide some fixups, it fails with c0000045 (STATUS_INVALID_PAGE_PROTECTION).

I'm curious why NoChange would be set in WOW64 for this injected dll and more importantly, how I can prevent it from being set. Or, while it would defeat the purpose of the flag in the first place, if there is any way to remove it?

VAD @ ffffe000722ddbe0
Start VPN 742d0 End VPN 742dc Control Area ffffe0007453f650
FirstProtoPte ffffc0006cf6a790 LastPte ffffc0006cf6a7f0 Commit Charge 4 (0n4)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ImageMap ViewShare NoChange EXECUTE_WRITECOPY

0: kd> dt ffffe000722ddbe0 _MMVAD_SHORT
nt!_MMVAD_SHORT
+0x000 VadNode : _RTL_BALANCED_NODE
+0x000 NextVad : (null)
+0x018 StartingVpn : 0x742d0
+0x01c EndingVpn : 0x742dc
+0x020 StartingVpnHigh : 0 ''
+0x021 EndingVpnHigh : 0 ''
+0x022 CommitChargeHigh : 0 ''
+0x023 SpareNT64VadUChar : 0 ''
+0x024 ReferenceCount : 0n0
+0x028 PushLock : _EX_PUSH_LOCK
+0x030 u : <unnamed-tag>
+0x034 u1 : <unnamed-tag>
+0x038 EventList : 0xffffe000`72d15860 _MI_VAD_EVENT_BLOCK
0: kd> dt ffffe000722ddbe0+0x30 _MMVAD_FLAGS
nt!_MMVAD_FLAGS
+0x000 VadType : 0y010
+0x000 Protection : 0y00111 (0x7)
+0x000 PreferredNode : 0y000000 (0)
+0x000 NoChange : 0y1
+0x000 PrivateMemory : 0y0
+0x000 Teb : 0y0
+0x000 PrivateFixup : 0y0
+0x000 ManySubsections : 0y0
+0x000 Spare : 0y000000000000 (0)
+0x000 DeleteInProgress : 0y0
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!