Access violation writing to a memory mapped section

RsQUE · May 23, 2025, 4:38pm

I run this code in PASSIVE_LEVEL irql at DriverEntry.

	InitializeObjectAttributes(&ObjectAttributes, &KnownNtdll, OBJ_KERNEL_HANDLE, NULL, NULL);
	ZwOpenSection(&NtdllHandle, SECTION_ALL_ACCESS, &ObjectAttributes);

	ZwMapViewOfSection(NtdllHandle, ZwCurrentProcess(), (PVOID*)&NtdllBase,
0, 0, NULL, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);

It works very well, I can read from it. The object name is \KnownDlls\ntdll.dll. But whenever I try to write to it, I get an access violation bugcheck.

Tim_Roberts · May 23, 2025, 5:48pm

You can't change the page protection on an image section, for what I hope are obvious reasons. The protection parameter is ignored.

RsQUE · May 23, 2025, 6:42pm

Yeah, figured it out already. Thanks.