
bypass ProcessDynamicCodePolicy mitigation policy flagged processes. #12

Open
iradization opened this issue Aug 12, 2019 · 1 comment

iradization commented Aug 12, 2019

Unprotected processes may set the ProcessDynamicCodePolicy flag on, which prevents the driver from allocating new executable memory in their virtual memory space and causes injDrv to fail.

I guess that the intention was that no user-space program may alter this setting, but there must be a way from the driver to avoid this bit, since it has more privileges.

I know that there are methods to detect mitigation policy flags such as NtQueryInformationProcess and set them using SetProcessMitigationPolicy(), but they all use undocumented structures. I wonder if there's an alternative way to do so from a driver...

Is there any way to avert this bit from the driver once the process has started, or to allocate the memory for the injected code before this policy is enforced?

Thanks

wbenny (Owner) commented Aug 12, 2019

That's correct, it has been discussed in #6. Unprotecting such a process would require altering undocumented structures that change rapidly between Windows versions. For this reason I didn't include this functionality. Project Blackbone has this issue resolved; please consult its source code to get an idea of how it can be done.
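From the defender's side, the policy discussed in this thread is the one worth auditing and enforcing: a process that has it on is exactly the one a kernel injector like injDrv cannot place new executable memory into. The script below is an added example, not code from injDrv or from this thread; it assumes the ProcessMitigations module shipped with Windows 10 1709 and later, that `Get-ProcessMitigation -Id` exposes a `DynamicCode.BlockDynamicCode` property with values ON/OFF/NOTSET, and that `Set-ProcessMitigation` is run from an elevated shell.

```powershell
# Added example (not part of the injDrv project or this issue thread).
# Assumes the ProcessMitigations module that ships with Windows 10 1709+.

# For every running instance of an image, report whether the dynamic code
# policy (ACG) is enforced on the live process. A value of ON means
# VirtualAlloc/VirtualProtect with an executable protection is refused,
# which is the failure the issue above describes.
function Get-DynamicCodeStatus {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'notepad.exe'

    $baseName = $ImageName -replace '\.exe$', ''
    Get-Process -Name $baseName -ErrorAction SilentlyContinue | ForEach-Object {
        $policy = Get-ProcessMitigation -Id $_.Id
        [pscustomobject]@{
            ProcessName      = $_.ProcessName
            ProcessId        = $_.Id
            BlockDynamicCode = $policy.DynamicCode.BlockDynamicCode   # ON / OFF / NOTSET
        }
    }
}

# Opt an executable into ACG persistently. The setting is stored per image
# name and applied by Windows at process creation, so the policy is already
# in force before any foreign code could be placed into the process.
function Enable-DynamicCodePolicy {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'notepad.exe'

    Set-ProcessMitigation -Name $ImageName -Enable DynamicCode
    # Read the stored policy back so the change can be confirmed.
    (Get-ProcessMitigation -Name $ImageName).DynamicCode
}

# Usage: audit running instances first, then enforce the policy for the image.
Get-DynamicCodeStatus -ImageName 'notepad.exe' | Format-Table -AutoSize
# Enable-DynamicCodePolicy -ImageName 'notepad.exe'
```

Images that load unsigned or JIT-generating plugins may break once the policy is on, so test the enforced image before rolling the setting out.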
