Unprotected processes may set the ProcessDynamicCodePolicy flag on, which prevents the driver from allocating new executable memory in their virtual address space and makes injDrv fail.
I guess that the intention was that no user-space program may alter this setting, but there must be a way from the driver to avoid this bit, since it has more privileges.
I know that there are methods to detect mitigation policy flags such as NtQueryInformationProcess and to set them using SetProcessMitigationPolicy(), but they all use undocumented structures. I wonder if there's an alternative way to do so from the driver...
Is there any way to avert this bit from the driver once the process has started, or to allocate the memory for the injected code before this policy is enforced?
thanks
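Added example, not from the issue or the injDrv project: checking from the defender's side which running processes have this policy (Arbitrary Code Guard, the ProcessDynamicCodePolicy mitigation) enforced, and opting an executable into it before it starts, using the built-in ProcessMitigations cmdlets. Assumes Windows 10 1709 or later, an elevated session for Set-ProcessMitigation, and the property path DynamicCode.BlockDynamicCode as documented for that module; myapp.exe is a placeholder.

```powershell
# Added example (not injDrv code). Uses the documented ProcessMitigations
# module instead of the undocumented structures mentioned in the issue.
# Assumption: the output object exposes DynamicCode.BlockDynamicCode
# with the values ON / OFF / NOTSET, as the module documents.

function Get-AcgState {
    # Report whether a single running process has ACG enforced.
    param([Parameter(Mandatory)][int]$ProcessId)

    # -Id reads the live mitigation policy of the running process.
    $m = Get-ProcessMitigation -Id $ProcessId
    [pscustomobject]@{
        ProcessName      = $m.ProcessName
        Id               = $ProcessId
        BlockDynamicCode = $m.DynamicCode.BlockDynamicCode
        AcgEnforced      = ($m.DynamicCode.BlockDynamicCode -eq 'ON')
    }
}

function Get-AcgProtectedProcesses {
    # Every running process in which allocating new executable memory
    # (the operation the issue describes as failing) is blocked.
    Get-ProcessMitigation -RunningProcesses |
        Where-Object { $_.DynamicCode.BlockDynamicCode -eq 'ON' } |
        Select-Object ProcessName, Id
}

# Opt an application of your own into ACG at launch. The setting is
# persisted per image name, so the policy is already in force when the
# first instruction runs, not set later from user mode.
Set-ProcessMitigation -Name 'myapp.exe' -Enable DynamicCode

# Confirm the stored configuration and list what is protected right now.
Get-ProcessMitigation -Name 'myapp.exe' | Select-Object -ExpandProperty DynamicCode
Get-AcgProtectedProcesses
```

Get-AcgState (Get-Process -Id $PID).Id shows the state of the current PowerShell host itself, which is normally OFF.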
That's correct, it has been discussed in #6. Unprotecting such a process would require altering undocumented structures that change rapidly between Windows versions. For this reason I didn't include this functionality. Project Blackbone has this issue resolved; please consult its source code to get an idea of how it can be done.