i call NtProtectVirtualMemory in x64, but alway fail ,
retuan status is alway C00000F1 STATUS_INVALID_PARAMETER_3,
the base address has already PAGE_ALIGN ,
example is the protect address is 0x1`0000a000 ,the RegionSize is 0x2000?
what’s wrong?
It is an undocumented system service, you must use it. What do you want to do ?
because i want to modify the exe’s entry point function, but the function address protect attribute is can not to write, so i use NtProtectVirtualMemory , do you have any suggest?
This is an undocumented system service. You must not use this function.
In user-mode you can use the WIN32 APIs VirtualProtect/VirtualProtectEx to change the protection of a region of pages. Look at the MSDN pages for the details.
From kernel-mode, you can only change the protection of a system mapping of the original buffer. You obtain this system mapping with IoAllocateMdl/MmProbeAndLockPages/MmGetSystemAddressForMdlSafe. You change the protection of the new system mapping using MmProtectMdlSystemAddress.
This way you can obtain, for example, a read/write system mapping of a read-only user or system space mapping.
The MSDN documentation for Windows Drivers contains a section called “Using MDL”.