
Most tutorials about crypters assume that popular antiviruses don't scan programs executed directly from memory. However, from what I've seen, some of them (e.g. Nod32) are able to scan RAM in search of known patterns. This makes me wonder... here's what I know:

[Malicious file] --> [Encrypter] --> [Stub + encrypted malicious file] --> [final executable]

If we run the final executable file, the Stub decrypts the malicious code, loads it to RAM and then executes it. I think that an antivirus program should detect the malicious code while it resides in RAM in an already decrypted form, waiting to be executed. Am I wrong?

user3125731

1 Answer


You're right; it's possible for an antivirus to pause the proceedings and scan executable code that was loaded into memory. The kernel function to hook would be NtProtectVirtualMemory, which changes the protection on a chunk of memory (whether it can be read, written, or executed). If a process suddenly changed a writable chunk of memory to executable, that would be a perfect opportunity to see what might now be run.

If a process set a page to simultaneously writable and executable (so it could write and then immediately jump), that's already cause for concern before anything is even written, because the existence of such a page helps open the door for exploits even in legitimate programs. Alternatively, the antivirus could just take note of such pages and spring into action on the next kernel call the process makes from code residing there.

Ben N
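The two detection strategies the answer sketches (scan on a writable-to-executable transition; note W+X pages and react on the next system call made from them), simulated in user space as an added example that is not code from the original post or from any antivirus product. The protection values are the real winnt.h constants; the hook callbacks, the `ProtectionMonitor` class, the PIDs and the addresses are constructed for illustration.

```python
# Real Win32 page-protection constants (winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY,
            PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def base_protection(prot):
    # Strip modifier bits such as PAGE_GUARD (0x100) or PAGE_NOCACHE (0x200).
    return prot & 0xFF


def is_writable(prot):
    return base_protection(prot) in WRITABLE


def is_executable(prot):
    return base_protection(prot) in EXECUTABLE


class ProtectionMonitor:
    """Constructed stand-in for what a NtProtectVirtualMemory hook would decide."""

    def __init__(self):
        # pid -> list of (start, end) regions that were made writable+executable
        self.wx_regions = {}

    def on_protect(self, pid, base, size, old_prot, new_prot):
        """Return the verdicts for one protection change: 'scan-now' when a
        writable region becomes execute-only (a good moment to scan its
        contents), 'note-wx' when the region ends up both writable and
        executable (remembered for later)."""
        verdicts = []
        if is_writable(old_prot) and is_executable(new_prot) and not is_writable(new_prot):
            verdicts.append("scan-now")
        if is_writable(new_prot) and is_executable(new_prot):
            verdicts.append("note-wx")
            self.wx_regions.setdefault(pid, []).append((base, base + size))
        return verdicts

    def on_syscall(self, pid, return_address):
        """True if the code issuing this system call lives in a noted W+X region."""
        return any(lo <= return_address < hi for lo, hi in self.wx_regions.get(pid, []))
```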