
Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers

Posted: Wed Nov 10, 2021 11:21 am
by paituo
"ZwProtectVirtualMemory" protection can be easily bypassed,
so it is easy to patch code in the protected module's memory.

Can this bypassed mechanism be improved to avoid being used by hackers?

By reloading the "ntdll.dll" component and calling the copied function body
of "ZwProtectVirtualMemory", the VMProtect hook on the "ZwProtectVirtualMemory" function is bypassed.

Re: Can "ZwProtectVirtualMemory" bypassed mechanism be improved to avoid being used by hackers

Posted: Thu Nov 11, 2021 4:10 pm
by Admin
Do you really think that you can protect Ntxxx APIs in user mode without your own kernel driver? It's impossible.