"ZwProtectVirtualMemory" protection can be easily bypassed,
so it is easy to code-patch the protected module's memory.
Can this bypassed mechanism be improved to avoid being used by hackers?
By reloading the "ntdll.dll" component and calling the copied function body
of "ZwProtectVirtualMemory", the VMProtect hook on the "ZwProtectVirtualMemory" function is bypassed.
Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers?
Re: Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers?
Do you really think that you can protect Ntxxx APIs in user mode without your own kernel driver? It's impossible.