What is the point of VirtualProtect when any process, including malware, can use it?

I understand that the VirtualProtect function changes the permissions on a page in memory without question. Surely this ends up with no immediate purpose when any running process is able to use it?

For example, someone could easily write a piece of malware which uses the VirtualProtectEx function in order to detour instructions and cause havoc. On the other hand, a user may have a legitimate reason for allowing a process to modify memory (i.e. game cheats).

Timothy Hanes asked May 04 '15 14:05



2 Answers

Someone could easily write that piece of malware, but how would they get the target to execute it?

VirtualProtect allows me to make memory executable selectively. This means that I can mark the buffer where I store untrusted data as non-executable, and the security vulnerability that I have that allows the untrusted user to modify the return address of my function cannot jump to that buffer and execute code there, thus stopping an attacker from executing VirtualProtect himself.

It also allows me to make memory read-only. This means I can mark the area next to the untrusted buffer read-only, and a buffer overflow cannot overwrite more essential data. Thus, no remote code in my application, no VirtualProtect by the attacker.

Once the attacker somehow gains access to the system, he can use VirtualProtect to remove protections of processes at the same security level, but at this point you have already lost anyway.

Sebastian Redl answered Sep 21 '22 07:09


I have used VirtualProtect to help track down an improper memory access.

I allocated a page of memory, initialized it, then marked it unreadable/unwritable, and then another component in our mega-monolithic program improperly accessed my pointer. As soon as that component tried to write to an unwritable page, we saw the Access Violation, and we knew who the offending party was.

(Prior to this, we only knew that memory had been overwritten, but we did not know which component was doing it.)

abelenky answered Sep 18 '22 07:09
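The page-protection trick both answers rely on (a read-only or no-access region that turns a stray write into a fault you can catch), as an added example that is not code from either answer: it allocates a page, initialises it, flips it to no-access, performs one stray write and reports whether the write was trapped. On Windows it uses VirtualAlloc/VirtualProtect with PAGE_NOACCESS and SEH (assumes MSVC for __try/__except); on other platforms it uses the POSIX analogue mprotect/PROT_NONE with a signal handler, which goes beyond the Windows-only answers so the same check runs on Linux and macOS.

```c
#define _GNU_SOURCE                /* glibc: exposes MAP_ANONYMOUS and sigaction */
#ifdef _WIN32
#include <windows.h>               /* VirtualAlloc/VirtualProtect + SEH (MSVC) */
#else
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf trap_point;
static void on_fault(int sig) { (void)sig; siglongjmp(trap_point, 1); }
#endif

/* Returns 1 if the stray write was trapped by the no-access page,
   0 if it silently went through, -1 if the page could not be set up. */
int guard_page_catches_write(void) {
    int trapped = 0;
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    size_t page = si.dwPageSize;
    volatile unsigned char *p = VirtualAlloc(NULL, page, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p) return -1;
    for (size_t i = 0; i < page; i++) p[i] = 0;   /* initialise while still writable */
    DWORD old;
    if (!VirtualProtect((LPVOID)p, page, PAGE_NOACCESS, &old)) return -1;
    __try { p[0] = 0x41; }                        /* the "improper access" */
    __except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION
              ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) { trapped = 1; }
    VirtualProtect((LPVOID)p, page, old, &old);
    VirtualFree((LPVOID)p, 0, MEM_RELEASE);
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    volatile unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    for (size_t i = 0; i < page; i++) p[i] = 0;   /* initialise while still writable */
    if (mprotect((void *)p, page, PROT_NONE) != 0) return -1;
    struct sigaction sa = {0}, old_segv, old_bus;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);             /* macOS may report the fault as SIGBUS */
    if (sigsetjmp(trap_point, 1) == 0) p[0] = 0x41;   /* the "improper access" */
    else trapped = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap((void *)p, page);
#endif
    return trapped;
}
```

In a real debugging session you would leave the handler out and let the debugger stop on the access violation, which is exactly how the offending component is identified.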