
ZwReadVirtualMemory and PatchGuard

I have a question about calling the routine ZwReadVirtualMemory from my driver. I noticed it is not exported by ntoskrnl after dumping the EAT. How and where can I find the virtual address for this routine?

Is it located in the SSDT? If so, doesn't PatchGuard prevent me from reading there anyway? Or is that only for writing?

Also, this is for Windows 7 x64.

Thanks!


ZwReadVirtualMemory is not exported from the kernel, but you can find it in the SSDT. Use the ntdll trick. Don't worry about PatchGuard: it only prevents code modification; reading is OK.

Also take into consideration that ZwReadVirtualMemory is not the only way to read virtual memory.


Bear in mind that the SSDT on Win64 doesn't hold pointers to functions. It holds offsets which are relative to the start of nt!KiServiceTable. Also, one of the viable ways of finding the SSDT is to perform some sort of pattern scan in order to locate it. Basically, for 64 bits just forget about tinkering freely with the SSDT. For more information read this

Furthermore, PatchGuard is just for modification of system-critical components.
