
bypass ProcessDynamicCodePolicy mitigation policy flagged processes.  #12

@iradization

Description


Unprotected processes may set the ProcessDynamicCodePolicy flag on, which prevents the driver from allocating new executable memory in their virtual memory space and makes injDrv fail.

I guess that the intention was that no user-space program may alter these settings, but there must be a way from a driver to avoid this bit, since it has more privileges.

I know that there are methods to detect mitigation policy flags such as NtQueryInformationProcess and set them using SetProcessMitigationPolicy(), but they all use undocumented structures. I wonder if there's an alternative way to do so from a driver...

Is there any way to avert this bit from a driver once the process has started, or allocate the memory for injected code before this policy is being enforced?

Thanks
