RtlProtectMemory question

Apr 5, 2013 at 12:29 AM
I am wondering how overriding dll functions work with EasyHook. The page is probably marked copy on write. But EasyHook makes the page PAGE_EXECUTE_READWRITE and then changes it. Would this not mean the memory would be changed for all processes that are loading the dll? Should easyhook not use PAGE_EXECUTE_WRITECOPY?

I see that multiple processes can Hook and Run fine. I am not sure how.
Apr 5, 2013 at 11:37 PM
Edited Apr 5, 2013 at 11:42 PM
PAGE_EXECUTE_WRITECOPY is not supported by VirtualAlloc/VirtualAllocEx (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx)

The memory is only modified for the process that is being hooked.