Guard Pages

From ema
Jump to navigation Jump to search
EMA ID: ema-1270
Description: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish.
Associated Behavior: memory dump obstruction

Supporting Details:
*Mitigation*:

Modify binary to touch all pages then pause; take memory snapshot.


References:
Date Malware Family URL
April 5, 2010 https://gironsec.com/code/packers.pdf


Retrieved from "https://collaborate.mitre.org/ema/index.php?title=Ema-1270&oldid=6355"