
Memory Permissions and Allocation Types


Last updated 3 years ago

Memory Permission Values

Memory scanners commonly use a region's page protection to decide which memory regions are worth scanning.

The memory protection constants are documented on MSDN: https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants

Memory scanners are more likely to scan memory regions that have the EXECUTE permission set, because malicious code could be executing from them.

Memory regions with the memory protection of PAGE_EXECUTE_READWRITE are very likely to be scanned by memory scanners, as it is abnormal for processes to use memory with this protection value. For executing shellcode, it is more OPSEC safe to set the memory region to PAGE_READWRITE to write shellcode to it, before setting it to PAGE_EXECUTE_READ to execute it. That way, the memory region never exists with the permission of PAGE_EXECUTE_READWRITE.

Sleep protection may be used to switch shellcode memory regions to other protection values, such as PAGE_NOACCESS, during Beacon's sleep phase.

Memory Allocation Types

More complete documentation of the memory types (from the VMMap help): https://documentation.help/VMMap/Memory_Types.htm

The main memory allocation types we use in malware development are:

  • Private Commit

  • Image

Private Commit

This memory type is allocated with VirtualAlloc. It normally holds program data such as heaps. Putting shellcode here is sometimes acceptable.

Image

This memory is allocated by the Windows PE loader when it loads a PE file from disk into memory to be executed. You should store any PE images in memory with this memory type to avoid suspicion.

Take note of both the memory permission and the allocation type when putting your malicious code in memory. Some techniques, such as traditional process hollowing, have OPSEC implications: the original PE image gets replaced with memory of the Private Commit type, whereas PE images in memory are normally of the Image type. This is a huge red flag for in-memory PE loading, so be careful.
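From the scanner's side, the rules above (executable regions first, RWX is abnormal, executable Private Commit memory is not image-backed, a module whose memory is not of the Image type has been hollowed, committed PAGE_NOACCESS private memory can be a masked region) can be applied to a snapshot of a process's regions. This is an added example, not code from the original page: the constants are the documented MSDN values, while the Region class, the triage rules, the snapshot and the module list are constructed for illustration (on Windows the regions would come from VirtualQueryEx and the module list from the loader's module table).

```python
from dataclasses import dataclass
# Page-protection and region-type constants from the MSDN page linked above.
PAGE_NOACCESS, PAGE_READWRITE = 0x01, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXECUTE_MASK = 0xF0                     # every PAGE_EXECUTE* value has a bit here
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

@dataclass
class Region:
    """One region as VirtualQueryEx reports it (subset of MEMORY_BASIC_INFORMATION)."""
    base: int
    size: int
    protect: int
    state: int
    type: int

def triage(regions, module_bases):
    """Return (base, reason) pairs for regions a scanner should look at first."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT:
            continue                        # reserved/free memory holds no code
        prot = r.protect & 0xFF             # strip PAGE_GUARD / PAGE_NOCACHE modifier bits
        if prot == PAGE_EXECUTE_READWRITE:
            findings.append((r.base, "RWX"))
        elif prot & EXECUTE_MASK and r.type == MEM_PRIVATE:
            findings.append((r.base, "exec-private"))    # executable but not image-backed
        elif prot == PAGE_NOACCESS and r.type == MEM_PRIVATE:
            findings.append((r.base, "noaccess-commit"))  # committed yet unreadable: masked?
        # A loaded module whose base sits in non-Image memory is the hollowing tell.
        if r.type != MEM_IMAGE and any(r.base <= m < r.base + r.size for m in module_bases):
            findings.append((r.base, "module-not-image"))
    return findings

# Constructed snapshot of one process; addresses, sizes and modules are made up.
SNAPSHOT = [
    Region(0x00400000, 0x10000, PAGE_EXECUTE_READ, MEM_COMMIT, MEM_IMAGE),        # EXE .text
    Region(0x00600000, 0x01000, PAGE_READWRITE, MEM_COMMIT, MEM_PRIVATE),         # heap
    Region(0x10000000, 0x05000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE), # RWX
    Region(0x20000000, 0x02000, PAGE_EXECUTE_READ, MEM_COMMIT, MEM_PRIVATE),      # RX, no image
    Region(0x30000000, 0x01000, PAGE_NOACCESS, MEM_COMMIT, MEM_PRIVATE),          # masked
    Region(0x40000000, 0x10000, 0, MEM_RESERVE, MEM_PRIVATE),                     # reserved
    Region(0x7FF00000, 0x30000, PAGE_EXECUTE_READ, MEM_COMMIT, MEM_PRIVATE),      # hollowed DLL
]
MODULE_BASES = [0x00400000, 0x7FF00000]   # constructed loaded-module bases for the process

if __name__ == "__main__":
    for base, reason in triage(SNAPSHOT, MODULE_BASES):
        print(f"{base:#010x} {reason}")
```

The image-backed .text, the heap and the reserved range produce no findings; the hollowed module is reported twice, once as executable private memory and once because a module base falls outside Image-type memory.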
