eb : edit memory as Byte values
ed : edit memory as Double-word values (4 bytes)
eq : edit memory as Quad-word values (8 bytes)
eb [address] [new value (hex)] pid [process id (hex)]
ed [address] [new value (hex)] pid [process id (hex)]
eq [address] [new value (hex)] pid [process id (hex)]
nt!Kd_DEFAULT_Mask in a hex byte form and change it to 0xff 0xff 0xff 0xff (modify four bytes).
fffff800`3ad6f010 in a hex byte form and change it to 0x90 0x90 0x90 (modify three bytes).
fffff800`3ad6f010 in Double-word values (4 bytes), change it to
fffff800`3ad6f010 in Quad-word values (8 bytes), change it to
IOCTL = IOCTL_DEBUGGER_EDIT_MEMORY; the request has to be sent in the following structure.
Result will be filled by the kernel-mode driver when it returns from the kernel and shows whether the editing was successful or not. The following results can come from the kernel:
Address is the location we want to modify; it can be either a physical address or a virtual address.
ProcessId is the process whose memory layout (cr3) is used for the modification; it can't be
MemoryType shows whether the Address is a physical address or a virtual address.
ByteSize shows whether we want to modify the target Address in a byte, dword, or qword format.
0x90 0x90 then you should provide an array of 0x0000000000000090 and append it to the end of the above structure. The count of these chunks is stored at CountOf64Chunks in the above structure, and the final buffer that will be sent into the kernel has a size of
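As an added illustration of how the request buffer described above is assembled, and of what a driver has to check before it trusts the announced chunk count, here is example code written for this page; it is not HyperDbg's own implementation. The field names follow the text above, but the field order, the integer widths, the enum values (EDIT_VIRTUAL_MEMORY, EDIT_PHYSICAL_MEMORY, EDIT_BYTE, EDIT_DWORD, EDIT_QWORD), the size field name TotalBufferSize and the sample process id are assumptions made here so that it compiles on its own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not HyperDbg's own code. Field names follow the page; field
 * order, integer widths and enum values are assumptions so it builds alone. */
enum { EDIT_VIRTUAL_MEMORY = 0, EDIT_PHYSICAL_MEMORY = 1 }; /* MemoryType */
enum { EDIT_BYTE = 0, EDIT_DWORD = 1, EDIT_QWORD = 2 };     /* ByteSize   */

typedef struct {
    uint32_t Result;          /* filled in by the driver on return */
    uint64_t Address;         /* virtual or physical address to modify */
    uint32_t ProcessId;       /* process whose memory layout (cr3) is used */
    uint32_t MemoryType;      /* EDIT_VIRTUAL_MEMORY / EDIT_PHYSICAL_MEMORY */
    uint32_t ByteSize;        /* EDIT_BYTE / EDIT_DWORD / EDIT_QWORD */
    uint32_t CountOf64Chunks; /* 64-bit chunks appended after this header */
    uint32_t TotalBufferSize; /* hypothetical name: header + chunks, in bytes */
} EDIT_MEMORY_REQUEST;

/* Width in bytes implied by ByteSize; 0 marks an unknown value. */
static size_t width_for(uint32_t byte_size)
{
    return byte_size == EDIT_BYTE ? 1 : byte_size == EDIT_DWORD ? 4
         : byte_size == EDIT_QWORD ? 8 : 0;
}

/* Does a value fit in the requested width? (8-byte values always do.) */
static int fits_width(uint64_t value, size_t width)
{
    return width == 8 || (value >> (8 * width)) == 0;
}

/* User-mode side: zero-extends every value into its own 64-bit chunk
 * (0x90 0x90 becomes two chunks of 0x0000000000000090), appends the chunks
 * to the header and records count and total size. Returns a malloc'ed
 * buffer and its length, or NULL when the input is malformed. */
static uint8_t *build_edit_request(uint64_t address, uint32_t pid,
                                   uint32_t memory_type, uint32_t byte_size,
                                   const uint64_t *values, uint32_t count,
                                   size_t *out_len)
{
    size_t width = width_for(byte_size);
    if (width == 0 || count == 0)
        return NULL;
    for (uint32_t i = 0; i < count; i++)
        if (!fits_width(values[i], width))
            return NULL;
    size_t total = sizeof(EDIT_MEMORY_REQUEST) + (size_t)count * sizeof(uint64_t);
    uint8_t *buf = calloc(1, total);
    if (buf == NULL)
        return NULL;
    EDIT_MEMORY_REQUEST *hdr = (EDIT_MEMORY_REQUEST *)buf;
    hdr->Address         = address;
    hdr->ProcessId       = pid;
    hdr->MemoryType      = memory_type;
    hdr->ByteSize        = byte_size;
    hdr->CountOf64Chunks = count;
    hdr->TotalBufferSize = (uint32_t)total;
    memcpy(buf + sizeof(*hdr), values, (size_t)count * sizeof(uint64_t));
    *out_len = total;
    return buf;
}

/* Driver-side check (example logic, not HyperDbg's handler): copy the header
 * out of the caller's buffer once, make sure the announced chunk count matches
 * the bytes actually supplied, and reject chunks that do not fit the width. */
static int validate_edit_request(const uint8_t *buf, size_t len)
{
    EDIT_MEMORY_REQUEST hdr;
    if (buf == NULL || len < sizeof hdr)
        return 0;
    memcpy(&hdr, buf, sizeof hdr);
    size_t width = width_for(hdr.ByteSize);
    if (width == 0 || hdr.CountOf64Chunks == 0)
        return 0;
    if (hdr.MemoryType != EDIT_VIRTUAL_MEMORY && hdr.MemoryType != EDIT_PHYSICAL_MEMORY)
        return 0;
    /* Overflow-safe: count * 8 must not wrap before the comparison. */
    if (hdr.CountOf64Chunks > (SIZE_MAX - sizeof hdr) / sizeof(uint64_t))
        return 0;
    size_t expected = sizeof hdr + (size_t)hdr.CountOf64Chunks * sizeof(uint64_t);
    if (expected != len || (size_t)hdr.TotalBufferSize != expected)
        return 0;
    for (uint32_t i = 0; i < hdr.CountOf64Chunks; i++) {
        uint64_t chunk;
        memcpy(&chunk, buf + sizeof hdr + (size_t)i * sizeof(uint64_t), sizeof chunk);
        if (!fits_width(chunk, width))
            return 0;
    }
    return 1;
}

/* The page's three-byte example (0x90 0x90 0x90 at fffff800`3ad6f010; the pid
 * 0x1234 is a constructed sample). Returns 1 when the built request passes the
 * check and the same buffer is refused once the header overstates the count. */
static int demo_three_byte_edit(void)
{
    const uint64_t nops[3] = { 0x90, 0x90, 0x90 };
    size_t len = 0;
    uint8_t *req = build_edit_request(0xfffff8003ad6f010ULL, 0x1234,
                                      EDIT_VIRTUAL_MEMORY, EDIT_BYTE, nops, 3, &len);
    if (req == NULL || len != sizeof(EDIT_MEMORY_REQUEST) + 3 * sizeof(uint64_t))
        return 0;
    int ok = validate_edit_request(req, len);
    ((EDIT_MEMORY_REQUEST *)req)->CountOf64Chunks = 1000; /* overstate the count */
    ok = ok && !validate_edit_request(req, len);
    free(req);
    return ok;
}
```

The builder zero-extends each value into one 64-bit chunk exactly as the text describes, so three bytes of 0x90 produce a buffer of header plus 24 bytes. The validator copies the header once and derives the expected length from CountOf64Chunks before touching any chunk; a handler that instead trusted the count field, or re-read it from the caller's buffer after checking it, would read past the supplied data.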