NtWriteVirtualMemory
Ring -1
Detect cross-process memory writes used in injection techniques.
Overview
NtWriteVirtualMemory is the native syscall that writes to the virtual address space of the process named by its ProcessHandle argument, which may be a different process from the caller. A cross-process write is the key primitive for most injection techniques, including shellcode injection, DLL injection, and process hollowing.
Detection Logic
The hypervisor hooks NtWriteVirtualMemory, resolves the process behind the ProcessHandle argument, and checks whether that process differs from the calling process. Writes into the caller's own address space (JIT engines, loaders, the CLR) are normal and are not logged:
if (TargetProcessId != CurrentProcessId) {
    // Cross-process write detected
    LogEvent(source, target, address, size);
}
Captured Information
- Source process — Process making the write call
- Target process — Process being written to
- Target address — Memory address being written
- Write size — Number of bytes written
- Return address — Caller location in source process
Common Injection Patterns
| Technique | NtWriteVirtualMemory Usage |
|---|---|
| Shellcode Injection | Write shellcode to allocated memory |
| DLL Injection | Write DLL path string for LoadLibrary |
| Process Hollowing | Write new PE image over hollowed process |
| Thread Hijacking | Write shellcode before context change |
Why Hypervisor Level?
User-mode hooks on the ntdll syscall stubs are bypassed by direct and indirect syscalls. Kernel-mode inline hooks do catch those, but they patch kernel code, so they are visible to integrity checks and trip PatchGuard on x64. An EPT hook instead intercepts execution of the kernel function's code page from outside the guest, so the syscall is seen regardless of how it was invoked and the kernel's code bytes read back unmodified:
Kernel Hooks
- Patch kernel code or the SSDT, so integrity checks see the modification
- Trigger PatchGuard on x64 Windows
- User-mode stubs (ntdll) are bypassed by direct syscalls; kernel hooks are not, but carry the two costs above
EPT Hooks
- Not bypassed by direct or indirect syscalls, since the hook sits on the kernel function itself
- Invisible to integrity checks: reads of the hooked page return the original bytes
- PatchGuard safe
UI Features
- Hypervisor tab — View all cross-process write events
- Process filter — Focus on specific source/target
- Size filter — Filter by write size
- Timeline — See injection attempts over time
IPS Rule Examples
Rules match on the source and target image names. The first rule blocks any cross-process write into lsass.exe regardless of source; the second alerts on any cross-process write made by powershell.exe regardless of target.
Hypervisor: VmWrite | Target: lsass.exe | Action: Block
Hypervisor: VmWrite | Source: powershell.exe | Action: Alert
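The following is an added example, not the product's own code, showing the detection check from the Detection Logic section and the two IPS rules above evaluated over constructed VmWrite events. The event and rule structs, the field names, the image-name matching, the first-match rule ordering and the sample processes and PIDs are all assumptions for illustration; a real implementation would resolve the target process from the ProcessHandle argument inside the hook.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One captured NtWriteVirtualMemory event with the fields the page lists.
 * Field names and the image-name fields are assumptions for this example. */
typedef struct {
    uint32_t    source_pid;
    const char *source_image;    /* image name of the calling process */
    uint32_t    target_pid;      /* process resolved from the ProcessHandle argument */
    const char *target_image;
    uint64_t    target_address;
    uint64_t    size;
    uint64_t    return_address;  /* caller location inside the source process */
} vm_write_event_t;

typedef enum { ACTION_NONE = 0, ACTION_ALERT = 1, ACTION_BLOCK = 2 } action_t;

/* Hypothetical rule shape modelled on the page's "Hypervisor: VmWrite" rules.
 * NULL means "any image"; min_size 0 means "any size". */
typedef struct {
    const char *source_image;
    const char *target_image;
    uint64_t    min_size;
    action_t    action;
} vm_write_rule_t;

/* The hook's test: only writes into a different process are injection candidates.
 * Self-writes (JIT, loaders, CLR) are normal and are never logged or matched. */
int is_cross_process_write(const vm_write_event_t *ev)
{
    return ev->target_pid != ev->source_pid;
}

/* Case-insensitive exact match; Windows image names are not case-sensitive. */
static int image_matches(const char *pattern, const char *image)
{
    if (pattern == NULL) return 1;
    if (image == NULL)   return 0;
    while (*pattern && *image) {
        if (tolower((unsigned char)*pattern) != tolower((unsigned char)*image))
            return 0;
        pattern++;
        image++;
    }
    return *pattern == '\0' && *image == '\0';
}

/* Evaluate rules in order; the first matching rule decides. Returns ACTION_NONE
 * for intra-process writes and for cross-process writes that no rule covers. */
action_t evaluate_rules(const vm_write_event_t *ev,
                        const vm_write_rule_t *rules, size_t nrules)
{
    if (!is_cross_process_write(ev))
        return ACTION_NONE;
    for (size_t i = 0; i < nrules; i++) {
        const vm_write_rule_t *r = &rules[i];
        if (!image_matches(r->source_image, ev->source_image)) continue;
        if (!image_matches(r->target_image, ev->target_image)) continue;
        if (ev->size < r->min_size) continue;
        return r->action;
    }
    return ACTION_NONE;
}

/* The two rules from the page in the assumed struct form. The block rule is
 * listed first so that powershell.exe -> lsass.exe is blocked, not merely alerted. */
const vm_write_rule_t kRules[] = {
    { NULL,             "lsass.exe", 0, ACTION_BLOCK },
    { "powershell.exe", NULL,        0, ACTION_ALERT },
};
const size_t kRuleCount = sizeof(kRules) / sizeof(kRules[0]);

/* Constructed sample events (not real captures). */
const vm_write_event_t kSamples[] = {
    { 4120, "chrome.exe",     4120, "chrome.exe",  0x7ff6a0001000ULL,     4096, 0x7ff6a0123456ULL },
    { 6652, "powershell.exe", 1432, "notepad.exe", 0x000001d2c0000000ULL,  276, 0x7ffd12345678ULL },
    { 6652, "powershell.exe",  712, "lsass.exe",   0x000001a0f0000000ULL,  512, 0x7ffd12345678ULL },
    { 2204, "explorer.exe",   1432, "notepad.exe", 0x000001d2c0010000ULL,   64, 0x7ff6b0000000ULL },
};

int main(void)
{
    static const char *names[] = { "none", "alert", "block" };
    for (size_t i = 0; i < sizeof(kSamples) / sizeof(kSamples[0]); i++) {
        const vm_write_event_t *ev = &kSamples[i];
        action_t a = evaluate_rules(ev, kRules, kRuleCount);
        printf("VmWrite %s(%u) -> %s(%u) addr=0x%llx size=%llu ret=0x%llx cross=%d action=%s\n",
               ev->source_image, ev->source_pid, ev->target_image, ev->target_pid,
               (unsigned long long)ev->target_address, (unsigned long long)ev->size,
               (unsigned long long)ev->return_address, is_cross_process_write(ev), names[a]);
    }
    return 0;
}
```

Running it prints one line per sample: the chrome.exe self-write is not cross-process and gets no action, powershell.exe writing into notepad.exe alerts, powershell.exe writing into lsass.exe is blocked by the first rule, and explorer.exe writing into notepad.exe is logged as cross-process but matches no rule. Rule order matters when both rules match one event, which is why the block rule is placed first.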