Any solution for protected ke memory by PG #13
Comments
Depends on what you are trying to hook really. ExHook works fine for me on 1903, could you check the crash dump?
Hello, for me there is no BSOD if I remove this line: https://github.com/can1357/ByePg/blob/master/ExHook/main.cpp#L126

"Depends on what you are trying to hook really": yes, I don't know what I need to hook to prevent a BSOD if I try to read/write the memory of the image win32kbase.sys. (I just try to read 8 bytes of ImageBase, to test whether it BSODs or not.)

This is my crash dump if I try to read memory [just a simple memcpy(buffer, (PVOID)module_base, 8);] for the win32kbase.sys image:
Attach to csrss.exe before reading, win32k is only mapped for processes that belong to a valid session.
Thx, this helped!

If I try to modify the win32k image (place a hook at some function) or disable DSE (via modification of CI.dll), I get a BSOD after some time with the error CRITICAL_STRUCTURE_CORRUPTION.

Is it possible to hook the exception for this code via ByePg? If in FixInfinityHook I change KERNEL_SECURITY_CHECK_FAILURE to CRITICAL_STRUCTURE_CORRUPTION, will it bring some positive result?
No, you cannot modify a protected RX page with only ByePg; you will have to add a little trick to PatchGuard pages to block PatchGuard execution.
Hello, is it possible to avoid a BSOD if you want to read/write protected (by PG) memory for loaded modules like ‘win32k.sys’ or ‘win32kbase.sys’ via hooking the exception table like in your solution ByePg?
If yes, can you tell me what ExceptionCode needs to be ‘hooked’? Or just share some code example for this.
Your example ‘ExHook’ looks closer to this solution, but it BSODs for me on 1903-1909.
Thx for your attention anyway.