This x64dbg plugin sets the page protection for memory mapped views in scenarios which cause NtProtectVirtualMemory to fail.
NtProtectVirtualMemory will fail for memory mapped views with valid arguments in these scenarios:
-
The view is mapped with the undocumented allocation type: SEC_NO_CHANGE (0x00400000).
-
The desired protection is incompatible with the view's initial protection. Example: trying to set the protection for a view with an initial protection of PAGE_READONLY to PAGE_EXECUTE_READWRITE.
-
The view and/or backing section are created using large pages (unconfirmed / not currently supported).
A process can utilize these cases as an anti-patching mechanism. A demo of this can be found here.
This plugin defeats this technique by remapping the view with the desired protection.
- ForcePageProtection
- fpp
ForcePageProtection [address, protection]
This command attempts to set the page protection for the memory region that contains address. The protection argument is interpretted as a hex value representing a PAGE_* constant.1 If no arguments are specified, the address is set to the active address in the disassembly view, and the protection is set to PAGE_EXECUTE_READWRITE (0x40).
Given the following virtual address space for a process:
Address Size Type Protection
00000000`00010000 00000000`00010000 MAP -RW--
00000000`00020000 00000000`0000C000 PRV ERW--
00000000`00030000 00000000`00004000 MAP -R---
00000000`00040000 00000000`00001000 MAP -R---
...
ForcePageProtection 32000, 40
Will attempt to set all pages in the range 30000 - 33FFF
to PAGE_EXECUTE_READWRITE.
A post-build event require the "X96DBG_PATH" environment variable to be defined to the x64dbg installation directory.
The following protection values are currently not supported:
- PAGE_TARGETS_INVALID
- PAGE_TARGETS_NO_UPDATE
- PAGE_ENCLAVE_THREAD_CONTROL
- PAGE_ENCLAVE_UNVALIDATED
- PAGE_REVERT_TO_FILE_MAP
demo: Self-Remapping-Code