# Memory Permissions and Allocation Types ## Memory Permission Values Memory permissions are often used by memory scanners to find memory regions to scan. memory regions permission values can be found here at MSDN: Memory scanners are more likely to scan memory regions that have the **EXECUTE** permission enabled, due to malicious code potentially being executed from them. Memory regions with the memory protection of `PAGE_EXECUTE_READWRITE` are very likely to be scanned by memory scanners, as it is abnormal for processes to use memory with this protection value. For executing shellcode, it is more OPSEC safe to set the memory region to `PAGE_READWRITE` to write shellcode to it, before setting it to `PAGE_EXECUTE_READ` to execute it. That way, the memory region never exists with the permission of `PAGE_EXECUTE_READWRITE`. Sleep protection may be used to set shellcode memory regions to other memory protection values during beacon's sleep phase, such as `PAGE_NOACCESS`. ## Memory Allocation Types More complete documentation of memory types: The main memory allocation types we use in malware development are: * Private Commit * Image ### Private Commit This memory type is allocated with VirtualAlloc. It normally contains program data etc. Putting shellcode here may be ok sometimes. ### Image This memory is allocated by the Windows PE loader when it loads a PE file from disk into memory to be executed. You should store any PE images in memory with this memory type to avoid suspicion. Take note of memory permission and allocation types when putting your malicious code in memory. Some techniques like traditional process hollowing have OPSEC implications, such as overwriting the PE image with memory of the Private Commit type (while PE images in memory should all be of the Image type). This is a huge red flag of in memory PE loading, so be careful.