Skip to content

This x64dbg plugin sets the page protection for memory mapped views in scenarios which cause NtProtectVirtualMemory to fail.

License

Notifications You must be signed in to change notification settings

changeofpace/Force-Page-Protection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Force Page Protection

Summary

This x64dbg plugin sets the page protection for memory mapped views in scenarios which cause NtProtectVirtualMemory to fail.

Motivation

NtProtectVirtualMemory will fail for memory mapped views with valid arguments in these scenarios:

  1. The view is mapped with the undocumented allocation type: SEC_NO_CHANGE (0x00400000).

  2. The desired protection is incompatible with the view's initial protection. Example: trying to set the protection for a view with an initial protection of PAGE_READONLY to PAGE_EXECUTE_READWRITE.

  3. The view and/or backing section are created using large pages (unconfirmed / not currently supported).

A process can utilize these cases as an anti-patching mechanism. A demo of this can be found here.

This plugin defeats this technique by remapping the view with the desired protection.

Usage

Added Commands

  • ForcePageProtection
  • fpp

Syntax

ForcePageProtection [address, protection]

This command attempts to set the page protection for the memory region that contains address. The protection argument is interpretted as a hex value representing a PAGE_* constant.1 If no arguments are specified, the address is set to the active address in the disassembly view, and the protection is set to PAGE_EXECUTE_READWRITE (0x40).

Example

Given the following virtual address space for a process:

Address             Size                 Type   Protection
00000000`00010000   00000000`00010000    MAP    -RW--
00000000`00020000   00000000`0000C000    PRV    ERW--
00000000`00030000   00000000`00004000    MAP    -R---
00000000`00040000   00000000`00001000    MAP    -R---
...
ForcePageProtection 32000, 40

Will attempt to set all pages in the range 30000 - 33FFF to PAGE_EXECUTE_READWRITE.

Building

A post-build event require the "X96DBG_PATH" environment variable to be defined to the x64dbg installation directory.

Notes

The following protection values are currently not supported:

  • PAGE_TARGETS_INVALID
  • PAGE_TARGETS_NO_UPDATE
  • PAGE_ENCLAVE_THREAD_CONTROL
  • PAGE_ENCLAVE_UNVALIDATED
  • PAGE_REVERT_TO_FILE_MAP

References

demo: Self-Remapping-Code

1: MSDN: Memory Protection Constants

About

This x64dbg plugin sets the page protection for memory mapped views in scenarios which cause NtProtectVirtualMemory to fail.

Resources

License

Stars

Watchers

Forks

Packages

No packages published