Memory Permissions and Allocation Types

Memory Permission Values

Memory permissions are often used by memory scanners to find memory regions to scan.

Memory region permission values are documented on MSDN: https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants

Memory scanners are more likely to scan memory regions that have the EXECUTE permission enabled, due to malicious code potentially being executed from them.

Memory regions with the memory protection of PAGE_EXECUTE_READWRITE are very likely to be scanned by memory scanners, as it is abnormal for processes to use memory with this protection value. For executing shellcode, it is more OPSEC safe to set the memory region to PAGE_READWRITE to write shellcode to it, before setting it to PAGE_EXECUTE_READ to execute it. That way, the memory region never exists with the permission of PAGE_EXECUTE_READWRITE.

Sleep protection may be used to set shellcode memory regions to other memory protection values during the beacon's sleep phase, such as PAGE_NOACCESS.

Memory Allocation Types

More complete documentation of memory types: https://documentation.help/VMMap/Memory_Types.htm

The main memory allocation types we use in malware development are:

  • Private Commit

  • Image

Private Commit

This memory type is allocated with VirtualAlloc. It normally contains program data and similar allocations. Putting shellcode here may be acceptable in some cases.

Image

This memory is allocated by the Windows PE loader when it loads a PE file from disk into memory to be executed. You should store any PE images in memory with this memory type to avoid suspicion.

Take note of memory permission and allocation types when putting your malicious code in memory. Some techniques, like traditional process hollowing, have OPSEC implications: the PE image is overwritten with memory of the Private Commit type, while PE images in memory should all be of the Image type. This is a huge red flag of in-memory PE loading, so be careful.
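The following is an added example, not code from the original page, showing the checks described in both the permission section and the allocation-type section from the scanner's side: it decodes the MSDN protection constants, flags committed regions that are PAGE_EXECUTE_READWRITE or executable-but-Private, and flags non-Image memory that sits inside a loaded module's address range (the hollowing indicator above). The region records and the module range are constructed sample data in the shape of MEMORY_BASIC_INFORMATION; on a live system they would come from VirtualQueryEx and the process module list, which is assumed here rather than implemented.

```python
"""Classify VirtualQueryEx-style memory regions the way a memory scanner would.

Constructed sample data stands in for MEMORY_BASIC_INFORMATION records and a
module list; nothing here touches a real process.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Base memory protection constants (MSDN memory-protection-constants page).
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD             = 0x100   # modifier bit, OR'd onto a base protection

# MEMORY_BASIC_INFORMATION.State and .Type values.
MEM_COMMIT  = 0x1000
MEM_PRIVATE = 0x20000   # "Private Commit" in VMMap terms
MEM_MAPPED  = 0x40000
MEM_IMAGE   = 0x1000000  # memory the PE loader mapped from an image on disk

EXEC_PROTECTIONS = (PAGE_EXECUTE, PAGE_EXECUTE_READ,
                    PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int


def base_protection(protect: int) -> int:
    """Strip modifier flags (PAGE_GUARD, PAGE_NOCACHE, ...) down to the base value."""
    return protect & 0xFF


def is_executable(protect: int) -> bool:
    return base_protection(protect) in EXEC_PROTECTIONS


def classify_region(region: Region) -> List[str]:
    """Permission- and type-based findings for one committed region."""
    findings: List[str] = []
    if region.state != MEM_COMMIT:
        return findings
    prot = base_protection(region.protect)
    if prot in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
        findings.append("RWX")                 # abnormal for ordinary processes
    if is_executable(prot) and region.type == MEM_PRIVATE:
        findings.append("EXEC_PRIVATE")        # executable code outside any image
    if is_executable(prot) and region.type == MEM_MAPPED:
        findings.append("EXEC_MAPPED")         # executable section-backed memory
    return findings


def scan(regions: List[Region], modules: List[Tuple[int, int]]) -> Dict[int, List[str]]:
    """Run classify_region over every region and add the hollowing indicator.

    `modules` is a list of (base, size) for loaded PE images; any committed
    non-Image memory inside such a range means an image was overwritten.
    """
    report: Dict[int, List[str]] = {}
    for r in regions:
        findings = classify_region(r)
        if r.state == MEM_COMMIT and r.type != MEM_IMAGE:
            if any(mb <= r.base < mb + ms for mb, ms in modules):
                findings.append("NON_IMAGE_IN_MODULE_RANGE")
        if findings:
            report[r.base] = findings
    return report


# Constructed sample: one loaded module at 0x400000 plus assorted private regions.
SAMPLE_MODULES: List[Tuple[int, int]] = [(0x00400000, 0x20000)]
SAMPLE_REGIONS: List[Region] = [
    Region(0x00400000, 0x1000,  MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),         # PE header
    Region(0x00401000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),     # .text
    Region(0x00411000, 0x4000,  MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),      # image range replaced by private commit
    Region(0x00600000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),      # ordinary heap
    Region(0x10000000, 0x1000,  MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),        # RWX private
    Region(0x20000000, 0x1000,  MEM_COMMIT, PAGE_EXECUTE_READ | PAGE_GUARD, MEM_PRIVATE),  # RX private, guard bit set
    Region(0x30000000, 0x1000,  MEM_COMMIT, PAGE_NOACCESS, MEM_PRIVATE),       # no findings from permissions alone
]

if __name__ == "__main__":
    for base, findings in sorted(scan(SAMPLE_REGIONS, SAMPLE_MODULES).items()):
        print(f"{base:#010x}: {', '.join(findings)}")
```

The PAGE_NOACCESS region produces no finding, which is exactly why a permission-only scanner is blind to a sleeping payload; the module-range check, by contrast, does not depend on permissions at all and catches the hollowed region at 0x411000 even though it is plain PAGE_READWRITE.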
