Zero-Tang / NoirVisor

The Grimoire Hypervisor solution for x86 Processors with experimental nested virtualization support. Remastering with Rust in progress.
MIT License

(Question) wpm / rpm #4

Closed ghost closed 5 years ago

ghost commented 5 years ago

I was reading through the readme and saw that one of the features was "NtOpenProcess Hook", I simply wanted to know if the returned struct:

__kernel_entry NTSYSCALLAPI NTSTATUS NtOpenProcess(
  PHANDLE            ProcessHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PCLIENT_ID         ClientId
);

could be used for stealthily reading & writing to process memory.

Zero-Tang commented 5 years ago

I am not sure what you are asking about. There is no returned structure regarding this feature. I do not think this is relevant to stealthily read and write process memory.
Take a look at the NoirVisor/src/xpf_core/windows/msrhook64.asm code file and you will see. I wrote the detour function through Assembly.
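As an added illustration, not part of this thread and not NoirVisor's code (the reply above says the real detour lives in msrhook64.asm and is written in assembly), here is a C simulation of the decision a SYSCALL-entry detour of this kind makes once it has the guest register state: match the syscall index against NtOpenProcess, read DesiredAccess and ClientId out of the argument registers, apply a policy, and otherwise fall through to the original handler. The policy shown (refuse memory-access rights to one shielded PID) is only an assumed example, as are the syscall index 0x26, the stand-in original handler and the fake handle value it returns.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal NT-style definitions, local to this simulation. */
typedef int32_t   NTSTATUS;
typedef uint32_t  ACCESS_MASK;
typedef uintptr_t HANDLE;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022L)

/* Real NT access-right bits for process objects. */
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000

typedef struct { uintptr_t UniqueProcess; uintptr_t UniqueThread; } CLIENT_ID;

/* Register state a SYSCALL-entry detour sees on x64 Windows: rax = syscall
 * index, r10/rdx/r8/r9 = first four arguments (ntdll moves rcx into r10
 * before SYSCALL because SYSCALL itself overwrites rcx). */
typedef struct { uint64_t rax, r10, rdx, r8, r9; } SYSCALL_FRAME;

/* Assumed placeholder: the real index of NtOpenProcess differs per Windows
 * build and has to be resolved at runtime (e.g. from ntdll's stub bytes). */
#define SYSCALL_NTOPENPROCESS 0x26u

static uintptr_t g_protected_pid;      /* the process the policy shields */
static unsigned  g_passthrough_count;  /* calls that reached the original path */

/* Stand-in for the kernel's original syscall path: hands out a fake handle. */
static NTSTATUS original_handler(SYSCALL_FRAME *f)
{
    g_passthrough_count++;
    if (f->rax == SYSCALL_NTOPENPROCESS) {
        HANDLE *out = (HANDLE *)(uintptr_t)f->r10;   /* ProcessHandle */
        if (!out) return STATUS_INVALID_PARAMETER;
        *out = 0x1234;                               /* constructed handle value */
    }
    return STATUS_SUCCESS;
}

/* The detour: what the MSR-hooked entry point would branch into before
 * handing control back to the original handler. */
NTSTATUS syscall_detour(SYSCALL_FRAME *f)
{
    if (f->rax == SYSCALL_NTOPENPROCESS) {
        ACCESS_MASK desired = (ACCESS_MASK)f->rdx;                 /* DesiredAccess */
        const CLIENT_ID *cid = (const CLIENT_ID *)(uintptr_t)f->r9; /* ClientId */
        /* Caveat: in a real kernel ClientId is a user-mode pointer and must be
         * probed and copied under SEH before use; that step is skipped here. */
        if (cid && cid->UniqueProcess == g_protected_pid &&
            (desired & (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE)))
            return STATUS_ACCESS_DENIED;
    }
    return original_handler(f);
}

/* Build the frame that user-mode NtOpenProcess(&h, access, NULL, &cid) produces. */
NTSTATUS simulate_open(uintptr_t target_pid, ACCESS_MASK access, HANDLE *out_handle)
{
    CLIENT_ID cid = { target_pid, 0 };
    SYSCALL_FRAME f = {
        .rax = SYSCALL_NTOPENPROCESS,
        .r10 = (uint64_t)(uintptr_t)out_handle,
        .rdx = access,
        .r8  = 0,                          /* ObjectAttributes, unused here */
        .r9  = (uint64_t)(uintptr_t)&cid,
    };
    return syscall_detour(&f);
}

void set_protected_pid(uintptr_t pid) { g_protected_pid = pid; g_passthrough_count = 0; }
unsigned passthrough_count(void) { return g_passthrough_count; }

int main(void)
{
    HANDLE h = 0;
    set_protected_pid(4242);
    NTSTATUS s = simulate_open(4242, PROCESS_VM_READ, &h);
    printf("VM_READ on protected pid:      0x%08X handle=%#lx\n", (unsigned)s, (unsigned long)h);
    s = simulate_open(4242, PROCESS_QUERY_LIMITED_INFORMATION, &h);
    printf("QUERY_LIMITED on protected pid: 0x%08X handle=%#lx\n", (unsigned)s, (unsigned long)h);
    s = simulate_open(99, PROCESS_VM_READ | PROCESS_VM_WRITE, &h);
    printf("VM_READ|VM_WRITE on other pid: 0x%08X handle=%#lx\n", (unsigned)s, (unsigned long)h);
    return 0;
}
```

Two things the simulation makes visible that the thread only hints at: the detour never sees a "returned struct", only registers and a status it chooses to return or forward, and a hook at this layer is a gate on the open operation itself rather than a read/write primitive, which is why a denied call leaves the caller's handle untouched.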