I am trying to use direct NT system calls (low-level API calls). The "usual" code is (example):
.data
memInfo MEMORY_BASIC_INFORMATION <>
numBytes dd 16d
.data?
pMem dd ?
oldProtect dd ?
.code
start:
invoke GetModuleHandle,chr$("kernel32.dll")
mov pMem,eax
invoke VirtualQuery,pMem,addr memInfo,sizeof MEMORY_BASIC_INFORMATION
The 32-bit syscall version is:
push offset oldProtect
push PAGE_EXECUTE_READWRITE
push offset numBytes ;IN OUT PULONG NumberOfBytesToProtect
push offset pMem
push 0FFFFFFFFh ;current process handle
push offset @f ;don't know about this
push offset @f ;stack alignment???
mov eax,89h ;number of syscall
mov edx,esp
sysenter
@@: add esp,5*4
There are five parameters, because we use the Nt API function NtProtectVirtualMemory.
In 64-bit it is:
mov rcx,INVALID_HANDLE_VALUE ;first argument
lea rdx,pMem ;second argument: pointer to the base address (matches "push offset pMem" above)
lea r8,numBytes
mov r9,PAGE_EXECUTE_READWRITE
lea rax,oldProtect
mov qword ptr [rsp+32],rax ;fifth argument at [rsp+20h]
push rax ;don't know about this, stack alignment??
mov r10, rcx
mov eax, 50h ;syscall number
syscall
Syscall numbers can be found here:
https://j00ru.vexillium.org/syscalls/nt/32/ , or by parsing the NTDLL export table.
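The same three instructions that make up the 64-bit stub in the post (mov r10,rcx ; mov eax,imm32 ; syscall) are also what a defender looks for: a SYSCALL instruction sitting in executable memory that is not backed by the ntdll image is a strong indicator that something is issuing NT system calls directly instead of going through ntdll. The C program below is an added example and not code from the original post. It scans a constructed byte buffer (standing in for a dumped executable region) for the 0F 05 opcode and, when the ntdll-style prologue precedes it, recovers the syscall number from the mov eax immediate. The names find_syscalls, syscall_hit and scan_sample and the sample bytes are my own; the two stub shapes it recognises are the short form shown in the post and the Windows 10 form that inserts a test/jne pair between mov eax and syscall.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One finding: offset of a SYSCALL (0F 05) in the scanned buffer and the
   immediate of the "mov eax, imm32" feeding it, or -1 when no ntdll-style
   prologue was found in front of it. */
typedef struct {
    size_t offset;
    int32_t number;
} syscall_hit;

/* How far back from the SYSCALL we look for "mov r10,rcx ; mov eax,imm32".
   In the short stub it sits 8 bytes back; the Windows 10 stub inserts
   "test byte ptr [7FFE0308h],1 ; jne" and pushes it to 19 bytes back. */
#define PROLOGUE_WINDOW 20

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Scan x64 code bytes for SYSCALL instructions. Returns the number of hits
   written to out (at most max_out). */
size_t find_syscalls(const uint8_t *code, size_t len,
                     syscall_hit *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        if (code[i] != 0x0F || code[i + 1] != 0x05)
            continue;
        syscall_hit h = { i, -1 };
        size_t start = i > PROLOGUE_WINDOW ? i - PROLOGUE_WINDOW : 0;
        /* look for 4C 8B D1 B8 xx xx xx xx (mov r10,rcx ; mov eax,imm32) */
        for (size_t j = start; j + 8 <= i; j++) {
            if (code[j] == 0x4C && code[j + 1] == 0x8B &&
                code[j + 2] == 0xD1 && code[j + 3] == 0xB8) {
                h.number = read_le32(code + j + 4);
                break;
            }
        }
        out[n++] = h;
    }
    return n;
}

/* Constructed sample standing in for a dumped executable region. */
static const uint8_t sample_code[] = {
    /* offset 0: short stub with syscall number 50h, as in the post */
    0x4C, 0x8B, 0xD1,                   /* mov r10, rcx            */
    0xB8, 0x50, 0x00, 0x00, 0x00,       /* mov eax, 50h            */
    0x0F, 0x05,                         /* syscall   (offset 8)    */
    0xC3,                               /* ret                     */
    /* offset 11: filler */
    0x90, 0x90, 0x90, 0x90, 0x90,
    /* offset 16: Windows 10 style stub with syscall number 18h */
    0x4C, 0x8B, 0xD1,                   /* mov r10, rcx            */
    0xB8, 0x18, 0x00, 0x00, 0x00,       /* mov eax, 18h            */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h],1 */
    0x75, 0x03,                         /* jne +3                  */
    0x0F, 0x05,                         /* syscall   (offset 34)   */
    0xC3,                               /* ret                     */
    0xCD, 0x2E, 0xC3,                   /* int 2Eh ; ret           */
    /* offset 40: 32 bytes of filler, wider than PROLOGUE_WINDOW */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    /* offset 72: bare syscall with no recognisable prologue */
    0x0F, 0x05, 0xC3,
};

/* Run the scanner over the constructed sample. */
size_t scan_sample(syscall_hit *out, size_t max_out)
{
    return find_syscalls(sample_code, sizeof sample_code, out, max_out);
}

int main(void)
{
    syscall_hit hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t i = 0; i < n; i++) {
        if (hits[i].number >= 0)
            printf("syscall at offset %zu, number 0x%X\n", hits[i].offset,
                   (unsigned)hits[i].number);
        else
            printf("syscall at offset %zu, no stub prologue found\n",
                   hits[i].offset);
    }
    return 0;
}
```

This is a byte-pattern heuristic: 0F 05 can also occur inside data or as part of an unrelated instruction, so a production scanner disassembles the region rather than matching raw bytes, and it only raises an alert for hits in regions whose backing file is not ntdll.dll, since the stubs inside ntdll itself are the legitimate ones.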