> For the complete documentation index, see [llms.txt](https://codex-7.gitbook.io/codexs-terminal-window/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://codex-7.gitbook.io/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec/memory-permissions-and-allocation-types.md). # Memory Permissions and Allocation Types ## Memory Permission Values Memory permissions are often used by memory scanners to find memory regions to scan. memory regions permission values can be found here at MSDN: Memory scanners are more likely to scan memory regions that have the **EXECUTE** permission enabled, due to malicious code potentially being executed from them. Memory regions with the memory protection of `PAGE_EXECUTE_READWRITE` are very likely to be scanned by memory scanners, as it is abnormal for processes to use memory with this protection value. For executing shellcode, it is more OPSEC safe to set the memory region to `PAGE_READWRITE` to write shellcode to it, before setting it to `PAGE_EXECUTE_READ` to execute it. That way, the memory region never exists with the permission of `PAGE_EXECUTE_READWRITE`. Sleep protection may be used to set shellcode memory regions to other memory protection values during beacon's sleep phase, such as `PAGE_NOACCESS`. ## Memory Allocation Types More complete documentation of memory types: The main memory allocation types we use in malware development are: * Private Commit * Image ### Private Commit This memory type is allocated with VirtualAlloc. It normally contains program data etc. Putting shellcode here may be ok sometimes. ### Image This memory is allocated by the Windows PE loader when it loads a PE file from disk into memory to be executed. You should store any PE images in memory with this memory type to avoid suspicion. Take note of memory permission and allocation types when putting your malicious code in memory. Some techniques like traditional process hollowing have OPSEC implications, such as overwriting the PE image with memory of the Private Commit type (while PE images in memory should all be of the Image type). This is a huge red flag of in memory PE loading, so be careful. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://codex-7.gitbook.io/codexs-terminal-window/red-team/red-team-dev/loader-dev/in-memory-opsec/memory-permissions-and-allocation-types.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.