Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Windows/C++: why are loaded module memory bytes changing at run-time?

Tags:

c++

memory

module

windows

patch

I'm trying to detect whether a loaded module is being patched at run-time by a malicious process. In this case the module is an EXE being run.

My detection scheme is as follows:

MODULEINFO mInfo;
GetModuleInformation(myProc, myInstance, &modInfo, sizeof(MODULEINFO));

//

char* hash1 = hashBytes(mInfo.lpBaseOfDll, mInfo.SizeOfImage);

//.....some time later

char* hash2 = hashBytes(mInfo.lpBaseOfDll, mInfo.SizeOfImage);

//

bool moduleIsModified = compareHashes(hash1, hash2); //false == we're patched!

This worked fine at first...hashes would be identical if no patches occurred, and I could detect my own patches (bytes within the module address space changed with VirtualProect/CopyMemory) successfully.

However, I discovered that if I put the following code between the generation of hash1/hash2, the hashes will no longer match:

//char* hash1 = ....

std::ifstream stream(pathToModule); //this causes hashes to no longer match???

//char* hash1 = ....

Why is the creation of a file stream to a module changing the pre-loaded bytes of the module? My assumption that the module would sit statically in memory after being loaded (assuming no malicious patches) is obviously incorrect...but why? Is there a specific area of a module's loaded bytes that are dynamic?

like image 672
Tyson Avatar asked Jul 26 '21 06:07

Tyson

People also ask

What is the memory layout of a running process?

A typical memory layout of a running process. 1. Text Segment: A text segment , also known as a code segment or simply as text, is one of the sections of a program in an object file or in memory, which contains executable instructions.

What is the memory layout of C program?

Memory Layout of C Programs. A typical memory representation of C program consists of following sections. 2. 3. 5. 1. Text Segment: A text segment , also known as a code segment or simply as text, is one of the sections of a program in an object file or in memory, which contains executable instructions.

What is compile time memory allocation?

Compile time memory allocation means reserving memory for variables, constants during the compilation process. So you must exactly know how many bytes you require? Many text also refer compile time memory allocation as static or stack memory allocation.

What is the memory usage of a variable?

In programming each variable, constant occupies space in memory, defined by their data type. The compiler reserves required memory (bytes) during compilation according to the specified data type. For example, there is a declaration statement int number; here, int is data type and number is variable (also referred as identifier).

Video Answer

1 Answers

Paul Sanders' question pointed me in the right direction.

The .data segment of the module was changing during runtime, so excluding that segment from my hash keeps the result the same.

like image 188
Tyson Avatar answered Oct 21 '22 13:10

Tyson
Sign in to Comment

Related questions

Why does this std::queue/list of pointers to structs not free memory until List.Size() == 0?
Undefined symbols for architecture arm64 after linking a static library in iOS app
Compilation time message (after preprocessor) to use with `if constexpr`
SIMD vector memory load in LLVM
Passing function into function with std::function and template argument
False sharing prevention with alignas is broken
How are conversions applied to bit-field types in conditional operators?
How do i assert, compile time, that the nth element of a tuple is an optional of some type?
Qt deploy cannot find Visual Studio installation directory
OpenCL ray tracer works fine on CPU but not (always) on GPU
Using a Data Converter to Display 3D Volume as Images
decltype(fun()) for consteval methods
Constructing (but not destucting) an object of a class with a deleted or non-user-provided private destructor
Disambiguating an overloaded function with a given pack of parameters
Access to own private constructors via derived class constructor inheritance
Compiler segfault during explicit template instantiation on clang 11
Simple std::any implementation based on function pointers
When mixing C and C++ code, does main() need to be in the C++ part?
Is there a sensible scenario, where the == operator is not the negation of the !=
Compiler variance for ambiguous copy-assignment from empty-braces

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!