A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #23662  by rnd.usr
 Sun Aug 24, 2014 7:07 am
Hello.

Is it possible to change the protection of newly injected memory in a process? Let's say from RWX to RX. If it's possible, can you name malware that does this?

I know it's possible to strip the "MZ" header, but if you also change the protection, there should be no way to detect an injected process, am I right?

Thanks
 #23664  by Vrtule
 Sun Aug 24, 2014 9:20 am
Hello,

If you mean code (or a DLL) injected into a user-mode process, there is a function named VirtualProtect (or VirtualProtectEx) that is capable of changing memory protection (at page granularity). However, I am not sure how you want to use this function to make the malware undetectable. In theory, you can create an execute-only region, which makes it unreadable. AFAIR such a region cannot be created by using only paging (there is no bit in the page tables that restricts read access). Well, it is possible to achieve this via segmentation, but I am not sure how to use it for preventing malware detection.

And except for sections created with the SEC_NO_CHANGE flag, the memory protection can be changed back without any problem, so your execute-only region can be made readable again by simply calling VirtualProtect(Ex).
 #23665  by rnd.usr
 Sun Aug 24, 2014 12:40 pm
Vrtule wrote:Hello,

If you mean code (or a DLL) injected into a user-mode process, there is a function named VirtualProtect (or VirtualProtectEx) that is capable of changing memory protection (at page granularity). However, I am not sure how you want to use this function to make the malware undetectable. In theory, you can create an execute-only region, which makes it unreadable. AFAIR such a region cannot be created by using only paging (there is no bit in the page tables that restricts read access). Well, it is possible to achieve this via segmentation, but I am not sure how to use it for preventing malware detection.

And except for sections created with the SEC_NO_CHANGE flag, the memory protection can be changed back without any problem, so your execute-only region can be made readable again by simply calling VirtualProtect(Ex).
Yes, I'm talking about VirtualProtect and how to change memory protection, that's correct. If malware injects code into an already running process, the injected region will always be RWX, so that's why it's really easy to find injected code. Volatility does this with its plug-in 'malfind', which detects RWX regions, and if you see the "MZ" header you know that you have found the payload.

So is it possible to inject code into a process and then change the protection of the newly injected region?
 #23666  by Vrtule
 Sun Aug 24, 2014 12:57 pm
So is it possible to inject code into a process and then change the protection of the newly injected region?
I think so. Or does VirtualProtect(Ex) report an error when you try it? Why don't you wipe out the MZ signature (and probably other parts of the PE structure that are not relevant after its startup)?
 #23789  by rnd.usr
 Fri Sep 05, 2014 11:56 am
Vrtule wrote:I think so. Or does VirtualProtect(Ex) report an error when you try it? Why don't you wipe out the MZ signature (and probably other parts of the PE structure that are not relevant after its startup)?
Hi, sorry for the late answer.

No, I'm not coding anything yet; I was just thinking of a method to bypass some common detection methods. Yes, the malware family Conficker does delete the PE structure, but you can still find traces in memory like VAD tags and memory permissions, so that's why I thought changing RWX to something else would bypass detection.
 #23791  by Vrtule
 Fri Sep 05, 2014 12:46 pm
No, I'm not coding anything yet; I was just thinking of a method to bypass some common detection methods. Yes, the malware family Conficker does delete the PE structure, but you can still find traces in memory like VAD tags and memory permissions, so that's why I thought changing RWX to something else would bypass detection.
Well, you certainly can change the protection of a memory region, but if it contains executable code, PAGE_EXECUTE must be allowed. Windows XP may be the exception (IIRC I was able to execute code in memory protected by PAGE_READWRITE).

I do not understand what you mean by VAD tags. It is possible to remove the VAD(s) representing the area with your data and code from the VAD (AVL) tree, so VirtualQuery(Ex) will be bypassed. This won't help on 32-bit versions of Windows, where you can search the whole address space by manually trying to access individual 64 KB regions. But things might get more interesting on x64.
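Added example (editor's code, not part of the thread or of Volatility): a small Python model of the detection logic discussed in #23665 (malfind-style "RWX region starting with MZ") and of what the sequence in #23666/#23791 (wipe the PE signatures, then VirtualProtectEx to RX) leaves behind. The VAD-like records, addresses and byte stubs are constructed here; the "private executable memory" heuristic is an assumed, broader rule that is not taken from the thread, and the real malfind plugin contains more logic than the one-line rule modelled below.

```python
from dataclasses import dataclass, replace

# Win32 page-protection constants (values from winnt.h).
PAGE_READWRITE         = 0x04
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}

# Constructed addresses for the sample regions (assumption, not real data).
INJECTED_BASE = 0x7FF6_0000_0000
IMAGE_BASE    = 0x7FF7_0000_0000
HEAP_BASE     = 0x0000_0001_0000_0000


@dataclass(frozen=True)
class Region:
    """One VAD-like record as a memory-forensics tool would see it: range,
    page protection, whether it maps a PE image file, and its first bytes."""
    start: int
    end: int
    protection: int
    image_backed: bool
    head: bytes


def naive_rwx_mz(r: Region) -> bool:
    """The check rnd.usr describes: an RWX region whose bytes start with 'MZ'."""
    return r.protection == PAGE_EXECUTE_READWRITE and r.head[:2] == b"MZ"


def private_executable(r: Region) -> bool:
    """Broader heuristic (assumed here, not taken from the thread): executable
    memory that is not backed by an image file is suspicious whatever its
    read/write bits, because legitimate code normally lives in mapped images."""
    return r.protection in EXECUTABLE and not r.image_backed


def scan(regions, rule):
    """Return the base addresses of every region the given rule flags."""
    return [r.start for r in regions if rule(r)]


# Constructed minimal DOS header: 'MZ', e_lfanew at offset 0x3C pointing to
# the 'PE\0\0' signature at offset 64, followed by a tiny x64 code stub.
DOS_HEADER = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
CODE_STUB  = b"\x48\x31\xc0\xc3"  # xor rax, rax ; ret


def wipe_pe_signatures(buf: bytes) -> bytes:
    """Zero the 'MZ' e_magic and the 'PE\\0\\0' signature (found via e_lfanew),
    the two strings a byte scan looks for first. In a real injector this must
    happen while the page is still writable, i.e. before VirtualProtectEx RX."""
    b = bytearray(buf)
    e_lfanew = int.from_bytes(b[0x3C:0x40], "little")
    b[0:2] = b"\x00\x00"
    b[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    return bytes(b)


def injection_timeline():
    """Model of the sequence discussed in the thread:
    VirtualAllocEx RWX + WriteProcessMemory, then wipe the PE signatures,
    then VirtualProtectEx to RX. Returns (label, region) after each step."""
    rwx = Region(INJECTED_BASE, INJECTED_BASE + 0x10000,
                 PAGE_EXECUTE_READWRITE, False, DOS_HEADER + CODE_STUB)
    wiped = replace(rwx, head=wipe_pe_signatures(rwx.head))
    rx = replace(wiped, protection=PAGE_EXECUTE_READ)
    return [("rwx_mz", rwx), ("rwx_wiped", wiped), ("rx_wiped", rx)]


def demo():
    """Run both rules over a legitimate mapped image, a heap region and the
    injected region at each step; returns {step: (naive hits, heuristic hits)}."""
    image = Region(IMAGE_BASE, IMAGE_BASE + 0x100000,
                   PAGE_EXECUTE_READ, True, DOS_HEADER)
    heap = Region(HEAP_BASE, HEAP_BASE + 0x100000,
                  PAGE_READWRITE, False, b"\x00" * 8)
    results = {}
    for label, injected in injection_timeline():
        regions = [image, heap, injected]
        results[label] = (scan(regions, naive_rwx_mz),
                          scan(regions, private_executable))
    return results


if __name__ == "__main__":
    for step, (naive, heuristic) in demo().items():
        print(f"{step:10s} naive RWX+MZ: {[hex(a) for a in naive]}  "
              f"private-executable: {[hex(a) for a in heuristic]}")
```

Running it shows the point both posters circle around: wiping the signatures already defeats the naive "RWX plus MZ" rule, and dropping to RX afterwards changes nothing for it; but because the code still has to stay executable (Vrtule's point about PAGE_EXECUTE), the region remains private executable memory outside any mapped image, which is exactly the kind of trace in the VAD that rnd.usr mentions and that the second rule still flags.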