Skip to main content

Overview

SysWhispers4 provides direct syscall wrappers for Windows NT memory management functions. These bypass user-mode hooks on kernel32.dll and ntdll.dll functions like VirtualAllocEx, WriteProcessMemory, etc.

NtAllocateVirtualMemory

Allocates virtual memory within a process.

Parameters

ProcessHandle
HANDLE
required
Handle to the target process. Use GetCurrentProcess() for local allocation, or a handle from SW4_NtOpenProcess() for remote allocation.
BaseAddress
PVOID*
required
Pointer to a variable that receives the base address of the allocated region. Set to NULL to let the system choose the address.
ZeroBits
ULONG_PTR
required
Number of high-order address bits that must be zero. Use 0 for no restriction.
RegionSize
PSIZE_T
required
Pointer to the size (in bytes) of the region to allocate. Rounded up to page boundary. On success, receives the actual allocated size.
AllocationType
ULONG
required
Type of allocation. Common values:
  • MEM_COMMIT (0x1000) — Commit pages
  • MEM_RESERVE (0x2000) — Reserve address space
  • MEM_COMMIT | MEM_RESERVE (0x3000) — Allocate and commit
Protect
ULONG
required
Memory protection. Common values:
  • PAGE_READONLY (0x02)
  • PAGE_READWRITE (0x04)
  • PAGE_EXECUTE (0x10)
  • PAGE_EXECUTE_READ (0x20)
  • PAGE_EXECUTE_READWRITE (0x40)

Returns

  • STATUS_SUCCESS (0x00000000) on success
  • STATUS_ACCESS_DENIED (0xC0000022) if process handle lacks access
  • STATUS_INVALID_PARAMETER (0xC000000D) for invalid parameters

Example


NtAllocateVirtualMemoryEx

Extended version of NtAllocateVirtualMemory with additional parameters (Windows 10+).

Parameters

Similar to NtAllocateVirtualMemory, with added support for extended parameters (e.g., NUMA node affinity).
ExtendedParameters
PVOID
Pointer to array of MEM_EXTENDED_PARAMETER structures (or NULL).
ExtendedParameterCount
ULONG
Number of extended parameters (use 0 if none).

NtFreeVirtualMemory

Frees virtual memory allocated by NtAllocateVirtualMemory.

Parameters

ProcessHandle
HANDLE
required
Handle to the process.
BaseAddress
PVOID*
required
Pointer to the base address to free.
RegionSize
PSIZE_T
required
Pointer to size. For MEM_RELEASE, must be 0. For MEM_DECOMMIT, specifies size.
FreeType
ULONG
required
  • MEM_DECOMMIT (0x4000) — Decommit pages (keep reservation)
  • MEM_RELEASE (0x8000) — Release entire region

Example


NtWriteVirtualMemory

Writes data to virtual memory in a process.

Parameters

ProcessHandle
HANDLE
required
Handle to the target process with PROCESS_VM_WRITE access.
BaseAddress
PVOID
required
Starting address in the target process where data will be written.
Buffer
PVOID
required
Pointer to the data to write.
NumberOfBytesToWrite
SIZE_T
required
Number of bytes to write.
NumberOfBytesWritten
PSIZE_T
Optional pointer to receive the actual number of bytes written. Can be NULL.

Example: Remote Shellcode Injection


NtReadVirtualMemory

Reads data from virtual memory in a process.

Parameters

ProcessHandle
HANDLE
required
Handle with PROCESS_VM_READ access.
BaseAddress
PVOID
required
Starting address to read from.
Buffer
PVOID
required
Pointer to buffer that receives the data.
NumberOfBytesToRead
SIZE_T
required
Number of bytes to read.
NumberOfBytesRead
PSIZE_T
Optional pointer to receive actual bytes read. Can be NULL.

Example


NtProtectVirtualMemory

Changes memory protection on a region.

Parameters

ProcessHandle
HANDLE
required
Handle with PROCESS_VM_OPERATION access.
BaseAddress
PVOID*
required
Pointer to base address of the region.
RegionSize
PSIZE_T
required
Pointer to size of the region.
NewProtect
ULONG
required
New protection value (e.g., PAGE_EXECUTE_READ).
OldProtect
PULONG
required
Pointer to variable that receives the previous protection value.

Example: RWX → RX After Write


NtQueryVirtualMemory

Retrieves information about a memory region.

Parameters

MemoryInformationClass
MEMORY_INFORMATION_CLASS
required
Type of information:
  • MemoryBasicInformation (0) — Returns MEMORY_BASIC_INFORMATION
MemoryInformation
PVOID
required
Pointer to buffer that receives information.
MemoryInformationLength
SIZE_T
required
Size of the buffer.

Example


NtSetInformationVirtualMemory

Sets virtual memory information (Windows 10+).

Use Cases

  • Prefetch memoryVmPrefetchInformation
  • Set page priority — Performance optimization

Complete Injection Example

Combining memory functions for classic remote injection:

Next Steps

Process & Thread Functions

Open processes, create threads, suspend/resume

File Functions

NT file I/O via syscalls