Skip to content
/ ZwDetectMemoryRead Public

neat way to detect memory read using nt layer function.

License

MIT license
14 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vxcall/ZwDetectMemoryRead

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
NullifyZwDetectMemoryRead
NullifyZwDetectMemoryRead
 
 
ZwDetectMemoryRead
ZwDetectMemoryRead
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
CMakeLists.txt
CMakeLists.txt
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ZwDetectMemoryRead

This is based on this gist by @dkrutsko. all credit should off to him.

While this gist is approaching with QueryWorkingSetEx, this piece of code is using ZwQueryVirtualMemory. What got my attention is, official document says ZwQueryVirtualMemory solely support MEMORY_BASIC_INFORMATION, but actually supports PSAPI_WORKING_SET_EX_INFORMATION under the hood. I managed to figure it out by observing it with debugger.

It must not be something new technique but was cool for me anyways.

How to see this works in action

This program first allocates arbitrary 0x1000 size memory and print the address, so u read it with whatever way. either RPM or internally get the pointer of the address and dereference it. Then this program will detect the read operation.

About

neat way to detect memory read using nt layer function.

Resources

Readme

License

MIT license
Activity

Stars

14 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Languages