OSR Online Lists > ntdev
30 Nov 17 03:27
John
Image loaded with NoChange set

I'm injecting a DLL (bad, I know) using kernel APCs (undocumented, I know) on a 64-bit system into a WOW64 process. The DLL injects fine, as it does with straight 32- or 64-bit applications, but for some reason with WOW64, NoChange is set in the page protections. When I attempt to use ZwProtectVirtualMemory to change protections to READWRITE in order to provide some fixups, it fails with c0000045 (STATUS_INVALID_PAGE_PROTECTION).

I'm curious why NoChange would be set in WOW64 for this injected DLL and, more importantly, how I can prevent it from being set. Or, while it would defeat the purpose of the flag in the first place, is there any way to remove it?

VAD @ ffffe000722ddbe0
  Start VPN 742d0  End VPN 742dc  Control Area ffffe0007453f650
  FirstProtoPte ffffc0006cf6a790  LastPte ffffc0006cf6a7f0  Commit Charge 4 (0n4)
  Secured.Flink 0  Blink 0  Banked/Extend 0
  File Offset 0
  ImageMap ViewShare NoChange EXECUTE_WRITECOPY

0: kd> dt ffffe000722ddbe0 _MMVAD_SHORT
nt!_MMVAD_SHORT
   +0x000 VadNode           : _RTL_BALANCED_NODE
   +0x000 NextVad           : (null)
   +0x018 StartingVpn       : 0x742d0
   +0x01c EndingVpn         : 0x742dc
   +0x020 StartingVpnHigh   : 0 ''
   +0x021 EndingVpnHigh     : 0 ''
   +0x022 CommitChargeHigh  : 0 ''
   +0x023 SpareNT64VadUChar : 0 ''
   +0x024 ReferenceCount    : 0n0
   +0x028 PushLock          : _EX_PUSH_LOCK
   +0x030 u                 : <unnamed-tag>
   +0x034 u1                : <unnamed-tag>
   +0x038 EventList         : 0xffffe000`72d15860 _MI_VAD_EVENT_BLOCK

0: kd> dt ffffe000722ddbe0+0x30 _MMVAD_FLAGS
nt!_MMVAD_FLAGS
   +0x000 VadType          : 0y010
   +0x000 Protection       : 0y00111 (0x7)
   +0x000 PreferredNode    : 0y000000 (0)
   +0x000 NoChange         : 0y1
   +0x000 PrivateMemory    : 0y0
   +0x000 Teb              : 0y0
   +0x000 PrivateFixup     : 0y0
   +0x000 ManySubsections  : 0y0
   +0x000 Spare            : 0y000000000000 (0)
   +0x000 DeleteInProgress : 0y0
All times are GMT -5.