Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers

Issues related to VMProtect
Post Reply
paituo
Posts: 15
Joined: Thu Dec 03, 2020 12:44 am

Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers

Post by paituo »

"ZwProtectVirtualMemory" protection can be easily bypassed,
so it is easy to code patch the protected module memory.

Can this bypassed mechanism be improved to avoid being used by hackers.

By reloading the "ntdll. DLL" component and calling the copy function body
of "ZwProtectVirtualMemory", the "ZwProtectVirtualMemory" function of vmprotect hook is bypassed.
5E5EAF47-0094-4452-BE25-761DBC472D4A.png
5E5EAF47-0094-4452-BE25-761DBC472D4A.png (32.82 KiB) Viewed 2835 times
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers

Post by Admin »

Do you really think that you can protect Ntxxx APIs in user mode without own kernel driver? It's impossible.
Post Reply