What is the point of VirtualProtect when any process, including malware, can use it?

c++ c memory hook detours
12,675

Solution 1

Someone could easily write that piece of malware, but how would they get the target to execute it?

VirtualProtect allows me to make memory executable selectively. This means that I can mark the buffer where I store untrusted data as non-executable, and the security vulnerability that I have that allows the untrusted user to modify the return address of my function cannot jump to that buffer and execute code there, thus stopping an attacker from executing VirtualProtect himself.

It also allows me to make memory read-only. This means I can mark the area next to the untrusted buffer read-only, and a buffer overflow cannot overwrite more essential data. Thus, no remote code in my application, no VirtualProtect by the attacker.

Once the attacker somehow gains access to the system, he can use VirtualProtect to remove protections of processes at the same security level, but at this point you have already lost anyway.

Solution 2

I have used VirtualProtect to help track down an improper memory access.

I allocated a page of memory, initialized it, then marked it Unreadable/Unwriteable, and then another component in our mega-monolithic program improperly accessed my pointer. As soon as that component tried to write to an unwritable page, we saw the Access Violation, and we knew who the offending party was.

(prior to this, we only knew that memory had been overwritten... but we did not know which component was doing it).

Solution 3

Mostly to prevent attacks and to allow for JITs and the like. Without VirtualProtect you have no way to mark the page as non-writable and executable or vice versa. That said if the system already has malware on it then the issue is so to speak already past the airtight door. In the ideal case a process can also use ACLs to prevent another process from inspecting its memory or changing it's memory protections. This is how secure playback works.

If malware is already on the system then nothing you do will work because the malware may be in kernel mode. In which case it already can do whatever it likes.

Share:
12,675
Timothy Hanes
Author by

Timothy Hanes

Updated on June 04, 2022

Comments

  • Timothy Hanes
    Timothy Hanes almost 2 years

    I understand that the VirtualProtect function changes the permissions on a page in memory without question. Surely this ends up with no immediate purpose when any running process is able to use it?

    For example, someone could easily write a piece of malware which uses the VirtualProtectEx function in order to detour instructions and cause havoc. On the other hand, a user may have a legitimate reason for allowing a process to modify memory (ie. game cheats).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

When are variables removed from memory in C++?
C/C++ fill struct array with one value
C++ - Detours WinSock Hooking
Memory Allocation for Recursive Functions
C++ Function Hook (memory address only)
How to initialize a pointer to a specific memory address in C++
What is a glibc free/malloc/realloc invalid next size/invalid pointer error and how to fix it?
How to determine the hardware (CPU and RAM) on a machine?
Aligned and unaligned memory accesses?
How can I hook Windows functions in C/C++?