A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26484  by Vrtule
 Sun Aug 09, 2015 6:30 pm
breaker09 wrote: I am trying to modify the memory of the ntdll.dll .text section from kernel mode. This code worked fine for me in Windows 8.1, but it's causing a crash now in Windows 10:
Code:
_disable();                       // mask interrupts on this CPU while WP is cleared
ULONG64 cr0 = __readcr0();
__writecr0(cr0 & ~(1 << 16));     // clear CR0.WP (bit 16): supervisor writes to read-only pages no longer fault
memcpy(pntdll_addr, patch, sizeof(patch));   // pntdll_addr: kernel-accessible address of the target bytes in ntdll
__writecr0(cr0);                  // restore original CR0 (WP set again)
_enable();
I've also now tried adding KeSetAffinityThread, as suggested, so that my code looks like this:
Code:
KAFFINITY cpuBitMap = KeQueryActiveProcessors();   // save the current active-processor mask
PKTHREAD   pKThread = KeGetCurrentThread();
KeSetAffinityThread(pKThread, 0);                  // intended to pin the thread to a single CPU

_disable();
ULONG64 cr0 = __readcr0();
__writecr0(cr0 & ~(1 << 16));     // clear CR0.WP (bit 16)
memcpy(pntdll_addr, patch, sizeof(patch));
__writecr0(cr0);                  // restore CR0
_enable();

KeSetAffinityThread(pKThread, cpuBitMap);          // restore the saved affinity
But I am still not able to write to the code section without a crash. :(

Am I using KeSetAffinityThread correctly there?
Or did something change in Windows 10 now?
In case the target region inside ntdll.dll is under copy-on-write, you change the region in all processes sharing the same copy of that region. This behavior is usually not desired. So, are you aware of this? NtProtectVirtualMemory should do the job.
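The copy-on-write distinction Vrtule raises is easy to see with file mappings. The following is an added example, not code from either poster and not Windows code: it uses POSIX mmap as a stand-in for Windows image sections, with a constructed 64-byte file playing the part of a mapped .text section. A write through a private (copy-on-write) view gives that view its own copy of the page and leaves every other view and the backing file untouched, which is the per-process effect one gets by changing protection with NtProtectVirtualMemory first; a write through the shared view reaches the backing store that all views map, which is the everything-at-once effect the original poster describes wanting. The function names and the sample bytes are my own.

```python
"""Copy-on-write vs shared mappings, illustrated with POSIX mmap (added example)."""
import mmap
import os
import tempfile

ORIGINAL = b"\x90" * 64      # constructed stand-in for code bytes (NOPs)
PATCH = b"\xcc\xcc"          # constructed stand-in for a two-byte patch


def cow_demo() -> dict:
    """Map one file three times and patch it through different views.

    Returns a dict of booleans describing what each view and the file saw.
    """
    fd, path = tempfile.mkstemp()
    os.write(fd, ORIGINAL)
    os.close(fd)
    try:
        with open(path, "r+b") as f:
            rw = mmap.PROT_READ | mmap.PROT_WRITE
            # Two private views: like two processes that each mapped the same image
            # and then made their own copy writable (the NtProtectVirtualMemory route).
            priv_a = mmap.mmap(f.fileno(), 0, flags=mmap.MAP_PRIVATE, prot=rw)
            priv_b = mmap.mmap(f.fileno(), 0, flags=mmap.MAP_PRIVATE, prot=rw)
            # One shared view: writes go to the backing store every view maps.
            shared = mmap.mmap(f.fileno(), 0, flags=mmap.MAP_SHARED, prot=rw)
            try:
                # 1. Patch through the private view: the kernel copies the page
                #    for priv_a only; priv_b and the file still hold the original.
                priv_a[0:2] = PATCH
                with open(path, "rb") as chk:
                    file_after_private = chk.read()
                result = {
                    "priv_a_sees_patch": bytes(priv_a[0:2]) == PATCH,
                    "priv_b_untouched": bytes(priv_b[0:2]) == ORIGINAL[0:2],
                    "file_unchanged_after_private_write": file_after_private == ORIGINAL,
                }
                # 2. Patch a different offset through the shared view and flush:
                #    the backing file itself now carries the patch, i.e. every
                #    mapper of this region is affected, not just the writer.
                shared[2:4] = PATCH
                shared.flush()
                with open(path, "rb") as chk:
                    file_after_shared = chk.read()
                result["file_changed_after_shared_write"] = file_after_shared[2:4] == PATCH
                # priv_a's own copied page is unaffected by the shared write at offset 0:2.
                result["priv_a_keeps_own_copy"] = bytes(priv_a[0:2]) == PATCH
                return result
            finally:
                priv_a.close()
                priv_b.close()
                shared.close()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, ok in cow_demo().items():
        print(f"{name}: {ok}")
```

The point for anyone reviewing such a driver: a private, copy-on-write write is scoped to one address space and is what the per-process API gives you; a write that lands in the shared page is observed by every process that maps that image, which is why Vrtule asks whether that scope is really intended.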
 #26485  by breaker09
 Sun Aug 09, 2015 7:52 pm
Vrtule wrote: In case the target region inside ntdll.dll is under copy-on-write, you change the region in all processes sharing the same copy of that region. This behavior is usually not desired. So, are you aware of this? NtProtectVirtualMemory should do the job.
That is exactly the behavior I desire here. :) I want to change ntdll for all processes, and the strange thing is that the code worked perfectly fine in Windows 8.1. But now in Windows 10, any attempt to write to ntdll memory, even after disabling the WP bit, seems to make my code crash. I will try using NtProtectVirtualMemory and see if that does the job.