Memory Access protection

I’m curious regarding the memory access protection: how well does it work? For example, does it protect against reading an application’s memory by ring0 drivers and/or low-level APIs like NtReadVirtualMemory? If not, it would be pretty useless, as it would still be extremely easy to work around that… I couldn’t find a single thing about this in the documentation, so if someone can enlighten me, please do so :slight_smile:

(Also posted in a subforum, but I think this is more in place here)

Write a simple driver, then try to load it, hehe, and then check if it can access. What is the question about?

Seems an awful lot of trouble, as I’m pretty sure someone here knows the answer to it :slight_smile: I want to protect an application by not allowing its memory to be read from any other application.

There is a way, I am not sure though, but you’ll need to add the wanted application with customized settings, by going to D+ → Computer Security → add → 1) application path, 2) customize → which access → modify → allow/blocked application.

I hope this helps

Yeah, I already set it up like that, thanks :slight_smile: My question however is simple: how good is this protection? Does it protect against ring0 drivers and/or low-level APIs like NtReadVirtualMemory? Because if this is not the case, the whole memory access protection would be useless.

That I can’t say. I hope a mod or a developer can tell you.

Yeah, I hope so. Haven’t seen many developers/mods going around here lately though :frowning:

You could try to ask Melih and egemen for more info. Jackob might also know something.

I PMed Melih and egemen, couldn’t find Jackob. Still haven’t heard from them though.

Jacob - I added a k without seeing it.

PMed all of them, still no response. Any other person with insight into this? Thanks!

The following still stands as I wrote in your duplicate topic:

In short, CIS will prevent unknown programs from loading a driver (getting kernel access), or gives the user the ability to prevent it when using D+ with the sandbox disabled. But once a program has kernel access, it is the end of the exercise for each and every application if the program has malicious intent.

Thanks for the explanation, Eric :slight_smile: Didn’t know Ring 1 was the same as kernel mode access.