can someone please help me with NtProtectVirtualMemory, I been trying to get to get it to work for over an hour, it says it works but definitely does not
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
.data
user32 db 'user32.dll',0
MessageBoxAptr db 'MessageBoxA',0
.data?
MsgBoxPtr dd ?
byteswritten dd ?
oldprotect dd ?
.code
start:
invoke LoadLibrary,addr user32
invoke GetProcAddress,eax,addr MessageBoxAptr
mov MsgBoxPtr,eax
invoke NtProtectVirtualMemory,-1, MsgBoxPtr,1,PAGE_EXECUTE_READWRITE,addr oldprotect
;invoke VirtualProtect, MsgBoxPtr,1,PAGE_EXECUTE_READWRITE, addr oldprotect ;this works fine
.if eax!=0
;write test
mov eax, MsgBoxPtr
mov byte ptr [eax], 0CCh ;int 3
.endif
invoke ExitProcess,0
end start
i'm not apihooking, I just used a api address as a quick test. If you run this it'll crash at where you try and modify its memory because you don't have write access.VirtualProtect works fine though :\ http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html examples its parameters, i've googled nonstop but it hasn't helped me. If anyone can shed some light, i'll be eternally greateful, thankyou.
why to use an undocumented Api ? -> VirtualProtect should work as expected
MsgBoxPtr - try addr MsgBoxPtr
bytes to protect is also a pointer - you have 1 ?
VirtualProtect is documented ,made the same thing and can be used without problem.