MmSecureVirtualMemoryEx function (ntddk.h)
This routine probes the requested address range and protects the specified address range from having its protection made more restrictive and being deleted.
Syntax
HANDLE MmSecureVirtualMemoryEx(
PVOID Address,
SIZE_T Size,
ULONG ProbeMode,
ULONG Flags
);
Parameters
Address
Pointer to the base address to probe and secure.
Size
Specifies the size, in bytes, of the range to secure.
ProbeMode
Specifies the most restrictive page protection that is allowed. Use PAGE_READWRITE to specify that the address range must remain both readable and writable, or use PAGE_READONLY to specify that the address range must only remain readable.
| ProbeMode | Meaning |
|---|---|
| PAGE_READWRITE | Protection cannot be changed to PAGE_NOACCESS or PAGE_READONLY. All other protection changes are allowed. |
| PAGE_READONLY | Protection cannot be changed to PAGE_NOACCESS. All other protection changes are allowed. |
Flags
Specifies one or more of the following flags:
| Flag | Description |
|---|---|
| MM_SECURE_EXCLUSIVE | Securing only succeeds if there are no other secures already pinned anywhere onto the VAD in question. |
| MM_SECURE_NO_CHANGE | Once applied, no protection changes are allowed for the supplied virtual address region. The region can still be deleted if the process is exiting. |
| MM_SECURE_USER_MODE_ONLY | The protection specified by this securing will only be applied to subsequent calls from user mode that are trying to change the protection (kernel mode callers will bypass this securing). |
| MM_SECURE_NO_INHERIT | If the process is cloned, then unlike the parent process, VAD of the child process will not be secured. |
Return value
Returns a value resembling a handle to be used only to unsecure the range.
If the range could not be locked because of protection problems, noncommitted memory or invalid parameters, this routine returns NULL.
Remarks
Use MmSecureVirtualMemoryEx instead of MmSecureVirtualMemory if you need to specify MM_SECURE_NO_CHANGE so that no protection change will be allowed on the supplied view.
The return value from this function can only be used with MmUnsecureVirtualMemory. The driver calls that routine to return the range to a normal state.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 10, version 1809 |
| Header | ntddk.h |
| IRQL | APC_LEVEL |