ZwProtectVirtualMemory() returning NTSTATUS 0xC0000018

rax1337 Member Posts: 1

I am trying to call ZwProtectVirtualMemory() from my driver. When I call it with parameters I think are correct, nothing happens and NTSTATUS 0xC0000018 is returned (STATUS_CONFLICTING_ADDRESSES).

Here I grab the PEPROCESS pointer.

if (!NT_SUCCESS(PsLookupProcessByProcessId((void*)request->target_pid, &target_process)))

I know this is correct because I can use this to read and write with MmCopyVirtualMemory(). Then I attempt to call ZwProtectVirtualMemory() like so: first I context switch with KeStackAttachProcess(), then I attempt to call it.

KAPC_STATE apc;
KeStackAttachProcess(target_process, &apc); 
{
    auto protect_base = (void*)request->target_addr; // ZwProtectVirtualMemory writes to target_addr
    unsigned long old_prot = 0;
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "base : %p size : %i protection : %X" , protect_base, request->size, request->protection); // %p prints the full pointer width
    status = ZwProtectVirtualMemory(ZwCurrentProcess(), &protect_base, (unsigned long*)&request->size, request->protection, &old_prot);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "returned : %X", status);
}
KeUnstackDetachProcess(&apc);

The first DbgPrintEx() prints the parameters I expect and the second one returns 0xC0000018 like previously stated.

Comments

  • anton_bassov Member Posts: 5,158

    IIRC, Windows memory-protection functions work on a per-region basis, rather than a per-page one. Therefore, judging from the error that you get, the very first thought that gets into my head is that you are trying to change the protection of some particular page(s) in a region, which conflicts with the protection of other pages in the given range.

    In general, changing page protection in a random process from a driver does not really seem to be a great idea in itself. Taking into consideration that you are trying to do it by means of calling undocumented functions......well, I would not get too surprised to see a "funny" reaction from the usual suspects.....

    Anton Bassov
