eb : edit memory as Byte values
ed : edit memory as Double-word values (4 bytes)
eq : edit memory as Quad-word values (8 bytes)

eb [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]
ed [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]
eq [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]

Examples:

Modify the memory at nt!Kd_DEFAULT_Mask in a hex byte form and change it to 0xff 0xff 0xff 0xff (modify four bytes).

Modify the memory at @rax+10 in a hex byte form and change it to 0xff 0xff 0xff 0xff (modify four bytes).

Modify the memory at fffff800`3ad6f010 in a hex byte form and change it to 0x90 0x90 0x90 (modify three bytes).

Modify the memory at fffff800`3ad6f010 in Double-word values (4 bytes), changing it to 245C8948.

Modify the memory at fffff800`3ad6f010 in Quad-word values (8 bytes), changing it to 88889898`85858686 and 92929393`97979898 (16 bytes).

To send an edit-memory request to the driver, use IOCTL = IOCTL_DEBUGGER_EDIT_MEMORY and pass the request in the following structure.

Result will be filled by the kernel-mode driver when it returns from the kernel and shows whether the editing was successful or not. The following results can come from the kernel:

Address is the location we want to modify; it can be either a physical address or a virtual address.

ProcessId is the process whose memory layout (cr3) the modification is applied in; it can't be null or zero.

MemoryType shows whether the Address is a physical address or a virtual address.

ByteSize shows whether we want to modify the target Address in a byte, dword, or qword format.

For example, to write 0x90 0x90 you should provide an array of 0x0000000000000090 and 0x0000000000000090 and append it to the end of the above structure. The count of these chunks is stored in CountOf64Chunks in the above structure, and the final buffer that is sent into the kernel has a size of FinalStructureSize bytes.

When sent as a remote packet, the request uses DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_EDIT_MEMORY as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
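As an added illustration (not HyperDbg's own code), the following C builds the user-mode request buffer described above: the header followed by one 64-bit chunk per value, with CountOf64Chunks and FinalStructureSize filled in and the checks the text implies (a non-zero ProcessId, values that fit the chosen width). The header layout, field types and the MEM_*/SIZE_* constants are assumptions made for this example, not the driver's real definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Placeholder constants: the real enum names and values are not on this page. */
enum { MEM_VIRTUAL = 0, MEM_PHYSICAL = 1 };
enum { SIZE_BYTE = 0, SIZE_DWORD = 1, SIZE_QWORD = 2 };

/* Assumed header layout for this example only; not the driver's definition. */
typedef struct {
    uint32_t Result;             /* filled by the driver on return */
    uint64_t Address;            /* virtual or physical target address */
    uint32_t ProcessId;          /* cr3 context; must be non-zero */
    uint32_t MemoryType;         /* MEM_VIRTUAL or MEM_PHYSICAL */
    uint32_t ByteSize;           /* SIZE_BYTE, SIZE_DWORD or SIZE_QWORD */
    uint32_t CountOf64Chunks;    /* number of 64-bit values appended */
    uint32_t FinalStructureSize; /* header + chunks, in bytes */
} EditMemoryRequest;

/* Build header + one 64-bit chunk per value in a single malloc'd buffer
   (caller frees). Returns NULL if ProcessId is zero, there are no values,
   or a value does not fit the selected width. */
uint8_t *build_edit_memory_request(uint64_t address, uint32_t pid,
                                   uint32_t mem_type, uint32_t byte_size,
                                   const uint64_t *values, uint32_t count,
                                   size_t *out_len)
{
    if (pid == 0 || count == 0 || values == NULL || byte_size > SIZE_QWORD)
        return NULL;
    uint64_t limit = byte_size == SIZE_BYTE ? 0xffULL
                   : byte_size == SIZE_DWORD ? 0xffffffffULL : UINT64_MAX;
    for (uint32_t i = 0; i < count; i++)
        if (values[i] > limit) return NULL;
    size_t len = sizeof(EditMemoryRequest) + (size_t)count * sizeof(uint64_t);
    uint8_t *buf = calloc(1, len);
    if (buf == NULL) return NULL;
    EditMemoryRequest *hdr = (EditMemoryRequest *)buf; /* Result stays 0 */
    hdr->Address = address;
    hdr->ProcessId = pid;
    hdr->MemoryType = mem_type;
    hdr->ByteSize = byte_size;
    hdr->CountOf64Chunks = count;
    hdr->FinalStructureSize = (uint32_t)len;
    memcpy(buf + sizeof(EditMemoryRequest), values, count * sizeof(uint64_t));
    *out_len = len;
    return buf;
}

/* Read back the i-th appended chunk (used to check the layout). */
uint64_t request_chunk(const uint8_t *b, uint32_t i)
{ uint64_t v; memcpy(&v, b + sizeof(EditMemoryRequest) + (size_t)i * 8, 8); return v; }
```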