reading/writing other process memory using KbExecuteShellCode #25
Labels
question
Further information is requested
Comments
|
Why are you want to deal with KbExecuteShellCode? There are much more convenient ways to do it. |
|
i made some shellcode that provides KbExecuteShellCode functionality and its more convenient for me to use it than to load or map the driver |
|
If it is a kernelmode shellcode, you could use traditional RW like KeStackAttachProcess -> memcpy -> KeUnstackDetachProcess. Or use an MDL (IoAllocateMdl -> MmProbeAndLockPages -> MmMapLockedPagesSpecifyCache -> MmProtectMdlSystemAddress -> memcpy -> MmUnmapLockedPages -> MmUnlockPages -> IoFreeMdl). But if it is a usermode shellcode, you're unable to switch address spaces, so the only way you could do it - use an MDL. |
|
many thanks very helpful |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
is there way that it can be done?
The text was updated successfully, but these errors were encountered: