Hi, all.
I need to get the address of an unexported (not undocumented!) native API: ZwWriteProcessMemory. Is there any good way to address the issue?
Appreciate your reply!
> I need to get the address of an unexported (not undocumented!) native API: ZwWriteProcessMemory.
If you don’t mind, could you please explain to us why, in your opinion, you need it so badly…
> Is there any good way to address the issue?
Sure. The best thing to do here is to get familiar with the basics of kernel-mode development. At this point you will realize that there is no need for ZwWriteProcessMemory() in the kernel mode in the first place, because you can always attach your thread to the target process’s user address space by KeStackAttachProcess()…
PS. If you need the address of a function that is exported by ntdll.dll and not exported by ntoskrnl.exe, you can get its address via SSDT (this is just an info - in the vast majority of cases calling functions that are not exported by ntoskrnl.exe is a bad idea)…
Anton Bassov
Where is this documented? What is it you need to do - kernel mode driver, user mode application, or native application, or, perhaps, are you looking to do something like hook a system service?
mm
Thanks for both of your replies.
The reason I need to use this function is that, as far as I’m concerned, hooking this syscall may be a good way to monitor malicious remote thread injection, and I have tried a couple of ways (such as setting a thread creation callback and hooking ZwCreateThread) to monitor thread injection, but they yield lots of false alarms.
Perhaps there is a better way to solve the problem rather than hooking ZwWriteProcessMemory.
WriteProcessMemory exists in Win32, so does it also exist in the SSDT?
> Where is this documented?
Nowhere, apart from Gary Nebbett’s “Native API Reference”…
> What is it you need to do - kernel mode driver, user mode application, or native application,
Well, once the OP says it is *unexported*, it somehow implies that he wants to call it from the kernel mode - although this function is exported by ntdll.dll, it is not exported by ntoskrnl.exe.
Therefore, as far as drivers are concerned, this function is unexported…
> or, perhaps, are you looking to do something like hook a system service?
Very unlikely - after all, in order to start thinking about hooking system services, one needs to know at least how they are dispatched. However, judging from his post, the OP is unaware of the SSDT’s very existence…
Anton Bassov
You could also use the fact that NT has support for portable executables: map the dll, exe or sys that exports your desired function and then use IMAGE_EXPORT_DIRECTORY to get the address of the function.
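The export-directory walk suggested in the reply above, as an added example rather than code from this thread: it resolves an export name to its RVA in a flat (mapped) PE image, with the header structures defined inline so it compiles outside Windows. The sample image it runs against is a constructed toy PE32+ that exports two names; the function names and RVAs in it are made up.

```c
#include <stdint.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Resolve an export name to its RVA (add ImageBase for the address) on a flat image
 * where RVA == offset. Returns 0 if absent, forwarded, or the headers are malformed. */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || memcmp(img, "MZ", 2)) return 0;
    size_t nt = rd32(img + 0x3C);                                    /* e_lfanew */
    if (nt + 24 + 120 > len || memcmp(img + nt, "PE\0\0", 4)) return 0;
    const uint8_t *opt = img + nt + 24; uint16_t magic = rd16(opt); /* IMAGE_OPTIONAL_HEADER */
    size_t dd = magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0; if (!dd) return 0; /* DataDirectory[0] */
    size_t exp = rd32(opt + dd), exp_sz = rd32(opt + dd + 4);
    if (!exp || exp + 40 > len) return 0;
    const uint8_t *ed = img + exp;                                   /* IMAGE_EXPORT_DIRECTORY */
    size_t nfunc = rd32(ed + 20), nnames = rd32(ed + 24);
    size_t funcs = rd32(ed + 28), names = rd32(ed + 32), ords = rd32(ed + 36);
    for (size_t i = 0; i < nnames; i++) {
        if (names + i * 4 + 4 > len || ords + i * 2 + 2 > len) return 0;
        size_t nrva = rd32(img + names + i * 4);
        if (nrva >= len || strncmp((const char *)img + nrva, name, len - nrva)) continue;
        size_t o = rd16(img + ords + i * 2);                         /* index into AddressOfFunctions */
        if (o >= nfunc || funcs + o * 4 + 4 > len) return 0;
        uint32_t rva = rd32(img + funcs + o * 4);
        return (rva >= exp && rva < exp + exp_sz) ? 0 : rva;         /* in-directory RVA = forwarder */
    }
    return 0;
}

#define SAMPLE_LEN 0x300
/* Constructed toy PE32+ image exporting two names (not a real module). */
const uint8_t *sample_image(void)
{
    static uint8_t img[SAMPLE_LEN];
    uint8_t *opt = img + 0x40 + 24, *ed = img + 0x200;
    memset(img, 0, SAMPLE_LEN);
    memcpy(img, "MZ", 2); wr32(img + 0x3C, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    wr16(opt, 0x20B); wr32(opt + 112, 0x200); wr32(opt + 116, 0x80);  /* export dir RVA/size */
    wr32(ed + 20, 2); wr32(ed + 24, 2);                              /* NumberOfFunctions/Names */
    wr32(ed + 28, 0x228); wr32(ed + 32, 0x230); wr32(ed + 36, 0x238); /* AddressOf* tables */
    wr32(img + 0x228, 0x1000); wr32(img + 0x22C, 0x1040);            /* function RVAs */
    wr32(img + 0x230, 0x240); wr32(img + 0x234, 0x250);              /* name RVAs (sorted) */
    wr16(img + 0x238, 0); wr16(img + 0x23A, 1);                      /* name -> function index */
    strcpy((char *)img + 0x240, "ZwClose"); strcpy((char *)img + 0x250, "ZwWriteProcessMemory");
    return img;
}
```

Every table offset is bounds-checked against the image length before it is dereferenced, which is the part that matters when the image comes from disk rather than from a module you trust.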