Guard Pages

From ema
Jump to navigation Jump to search
EMA ID: ema-1270
Description: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish.
Associated Behavior: memory dump obstruction

Supporting Details:
*Mitigation*:

Modify binary to touch all pages then pause; take memory snapshot.


References:
Date Malware Family URL
April 5, 2010 https://gironsec.com/code/packers.pdf