Restoring VirtualProtection status?

c++ / delphi package - dll injection and api hooking
Azmodeus

Post by Azmodeus »

When you use HookAPI or HookCode and the code gets replaced, do you restore the VirtualProtection flags that VirtualAlloc originally set for the memory in question?

I.e., if the code being hooked was set with PAGE_READONLY, and (I'm guessing here) the HookAPI process changes the virtual status to something that can be edited, does it change it back to the original settings?

Next, if a page is guarded with PAGE_GUARD, do you take off the guard settings before you change the status? Or do you just let the process you are hooking get the guard alert message? I'm hoping here that you catch it yourself in the HookAPI, or turn it off and then back on when done.
madshi
Site Admin

Post by madshi »

If the code was write protected, madCodeHook unprotects the code, patches it and then sets the page attribute back to PAGE_EXECUTE_READ. However, the GUARD stuff is ignored right now. I never met a guarded page yet! Do you have an example where madCodeHook is supposed to write to a guarded page?
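
The save-and-restore bookkeeping asked about in this thread, as an added sketch that is not madCodeHook code and not written by either poster. `sim_page` and `sim_protect` are hypothetical stand-ins for a page and for `VirtualProtect` (modelled only as "store the new value, return the old one"), so the logic runs without Windows headers.

```c
#include <stdint.h>
#include <string.h>

/* Win32 page-protection values, defined here so the sketch builds anywhere. */
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_GUARD             0x100u

/* Hypothetical stand-in for one page and for VirtualProtect: it stores the
   new protection and hands back the previous one, modifiers included. */
typedef struct { uint32_t protect; uint8_t bytes[16]; } sim_page;

static int sim_protect(sim_page *p, uint32_t new_prot, uint32_t *old_prot) {
    *old_prot = p->protect;
    p->protect = new_prot;
    return 1;
}

/* Writable counterpart of a protection value: keep executability, drop
   modifiers such as PAGE_GUARD so the write itself raises no guard fault. */
static uint32_t writable_equivalent(uint32_t prot) {
    uint32_t base = prot & 0xFFu;
    return (base >= PAGE_EXECUTE) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
}

/* Patch len bytes at off, then put back exactly what was there before
   instead of a fixed PAGE_EXECUTE_READ. On Windows the current value read
   from p->protect would come from VirtualQuery. Returns 1 on success. */
static int patch_and_restore(sim_page *p, size_t off, const uint8_t *src, size_t len) {
    uint32_t old_prot, tmp;
    if (off > sizeof p->bytes || len > sizeof p->bytes - off) return 0;
    if (!sim_protect(p, writable_equivalent(p->protect), &old_prot)) return 0;
    memcpy(p->bytes + off, src, len);
    return sim_protect(p, old_prot, &tmp);   /* guard bit comes back too */
}

/* Constructed scenario: a read-only, guarded page gets a 2-byte patch. */
static uint32_t demo_final_protection(void) {
    sim_page page = { PAGE_READONLY | PAGE_GUARD, {0} };
    const uint8_t patch[2] = { 0xAA, 0xBB };
    if (!patch_and_restore(&page, 4, patch, sizeof patch)) return 0;
    return (page.bytes[4] == 0xAA && page.bytes[5] == 0xBB) ? page.protect : 0;
}

int main(void) { return demo_final_protection() == (PAGE_READONLY | PAGE_GUARD) ? 0 : 1; }
```

Restoring the saved value rather than a constant means a page that was `PAGE_READONLY` does not end up executable after the patch, and a guarded page is guarded again once the write is done.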