Guard Pages

From ema
Jump to navigation Jump to search
EMA ID: ema-1270
Description: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish.
Associated Behavior: memory dump obstruction

Supporting Details:

Modify binary to touch all pages then pause; take memory snapshot.

Date Malware Family URL
April 5, 2010