m0rethan3
As far as I know, ZwMapViewOfSection maps memory into the usermode address space, and I tried it, but I'm searching for a way to map it into the system one so as not to leave traces in usermode.
MmMapIoSpace cannot map page tables such as PTE/PDE after the Windows 10 1803 build.
Because I'm using this library https://github.com/can1357/physical_mem_controller and don't want to rewrite code for the approach you described, but it sounds good.
OK, big thanks for the explanation. I think I'll try the way you described.
Oh, and you can just patch the vulnerable driver itself so as not to mess with Windows kernel images and probably PatchGuard cases.
And I forgot to say: according to this blog post https://blog.can.ac/2018/04/28/escape-smep-exploiting-capcom-safely/ you actually don't need to disable interrupts, because some NT kernel routines may not work at all.
Yeah, I know, but you can patch that vulnerable driver anyway (you just need to find some IOCTL that you don't use) instead of the ntoskrnl syscall and replace all the physmem scanning...
Any DLL can be injected with any LoadLibrary injector if the DLL is located in the SysWOW64 folder, and you can play on VAC-secured servers without problems.