NtWriteVirtualMemory

Prototype

NTSTATUS NtWriteVirtualMemory(
  HANDLE  ProcessHandle,
  PVOID   BaseAddress,
  PVOID   Buffer,
  SIZE_T  NumberOfBytesToWrite,
  PSIZE_T NumberOfBytesWritten
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 3A 00 00 00      mov eax, 0x3A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Implemented by `MmCopyVirtualMemory` inside ntoskrnl.exe with `PreviousMode = UserMode`, which forces full probe-and-lock of both buffers. The SSN `0x3A` has been unchanged across every shipped Win10/11 build — the table layout simply hasn't moved this entry. Note that the kernel performs the copy via a transient mapping; it does not require the page in the target to be writable from userland, only that the section permissions allow kernel writes. That is why injecting into read-only pages still succeeds in many cases.

Common malware usage

The `Write` step of the classic OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread chain. Used to land shellcode, an IAT-fixed PE, or a reflective loader stub into a remote process. Beyond shellcode injection it is also abused to overwrite function prologues for inline hooking, to patch `AMSI.dll!AmsiScanBuffer` or `clr.jit!compileMethod` for AMSI/ETW bypasses, and as the write primitive in PPID-spoofing and process-doppelgänging variants. Brute Ratel, Cobalt Strike, Sliver, Qakbot and IcedID all rely on it as part of their loader chain.

Detection opportunities

Cross-process writes are surfaced primarily through Sysmon Event ID 10 (`ProcessAccess`) when the requested access mask contains `PROCESS_VM_WRITE` (0x0020) or `PROCESS_VM_OPERATION` (0x0008). The ETW Threat Intelligence provider also emits write notifications on certain protected processes. EDRs hook `NtWriteVirtualMemory` in ntdll; direct syscalls bypass the hook but the kernel still updates target VAD reference counts and can be observed via `PsSetCreateProcessNotifyRoutineEx` callbacks if the write triggers a later thread creation. Writes targeting other-session processes, or processes with `lsass.exe`/browser binaries as the target, deserve elevated scoring.

Direct syscall examples

; Direct syscall stub for NtWriteVirtualMemory (SSN 0x3A, stable across all Win10/11)
NtWriteVirtualMemory PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 3Ah          ; SSN
    syscall
    ret
NtWriteVirtualMemory ENDP

// Write shellcode into a previously-allocated remote region.
SIZE_T written = 0;
NTSTATUS st = NtWriteVirtualMemory(hRemote, remote_base,
                                   shellcode, shellcode_len, &written);
if (!NT_SUCCESS(st) || written != shellcode_len) {
    // partial write: typically PAGE_NOACCESS encountered halfway
    return st;
}

// Cargo: ntapi = "0.4"
use std::arch::asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_write_virtual_memory_stub() {
    // SSN 0x3A across every supported build.
    asm!(
        "mov r10, rcx",
        "mov eax, 0x3A",
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

• T1055Process Injection
• T1055.002Portable Executable Injection
• T1055.012Process Hollowing
• T1106Native API