Little-Ki · October 25, 2020 07:26
diff --git a/IRQL and memory protect b/IRQL and memory protect
 // To write other's memory in kernel, there has other rules, IRQL and memory protection.
 // If you try to write memory when memory protection is enabled, you will get BSOD. 

 // In order to write other's memory, we should disable memory protection first and upgrade IRQL to level 2 (normally is 0).
 // The sign of memory protection state is in CR0 register. So just modify it can change state.
 // To change IRQL level, use KeRaiseIrqlToDpcLevel and KeLowerIrql, in 64 bits system, IRQL state stored in CR8 register, in 32 bits mode, it's in KPCR.

 // Code:

 KIRQL WPOFFx64()
 {
 	KIRQL	irql	= KeRaiseIrqlToDpcLevel();
 	UINT64	cr0	= __readcr0();
 	cr0 &= 0xfffffffffffeffff;
 	__writecr0( cr0 );
 	_disable();
 	return(irql);
 }

 void WPONx64( KIRQL irql )
 {
 	UINT64 cr0 = __readcr0();
 	cr0 |= 0x10000;
 	_enable();
 	__writecr0( cr0 );
 	KeLowerIrql( irql );
 }
	// To write other's memory in kernel, there has other rules, IRQL and memory protection.
	// If you try to write memory when memory protection is enabled, you will get BSOD.

	// In order to write other's memory, we should disable memory protection first and upgrade IRQL to level 2 (normally is 0).
	// The sign of memory protection state is in CR0 register. So just modify it can change state.
	// To change IRQL level, use KeRaiseIrqlToDpcLevel and KeLowerIrql, in 64 bits system, IRQL state stored in CR8 register, in 32 bits mode, it's in KPCR.

	// Code:

	KIRQL WPOFFx64()
	{
	KIRQL irql = KeRaiseIrqlToDpcLevel();
	UINT64 cr0 = __readcr0();
	cr0 &= 0xfffffffffffeffff;
	__writecr0( cr0 );
	_disable();
	return(irql);
	}

	void WPONx64( KIRQL irql )
	{
	UINT64 cr0 = __readcr0();
	cr0 \|= 0x10000;
	_enable();
	__writecr0( cr0 );
	KeLowerIrql( irql );
	}