Bangeter 01-basic_malware_techniques_4.2.pdf

Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf

File details

Flashcards 45
Language English
Category Computer science
Level Other
Created / Updated 18.06.2019 / 29.06.2021
License Not specified
Web link
https://card2brain.ch/box/20190618_bangeter_malware_analysis

What is a Process

A process is an instance of a running program

  • Code
  • Data
  • a process is code loaded and running in memory (by OS loader)
  • Process is an abstraction provided by the OS

What is a DLL, and what does it stand for?

DLL = Dynamic Link Library

  • A DLL is a library that contains code and data that can be used by more than one program at the same time.
  • By using a DLL, a program can be modularized into separate components.
  • Additionally, updates are easier to apply to each module without affecting other parts of the program.
  • DLLs can often be related to functionalities of a process.
    • E.g. crypto functionality, networking, etc.

What types of information / data structures are contained inside the virtual memory?

  • Code of main program
  • Static / global data
  • DLLs of processes including static & global data
  • Heap
  • Stack

What is contained inside the userspace in virtual memory?

  • Executable: Main module -> PE file mapped into memory (e.g. Chrome.exe)
  • DLLs imported by main module
  • One stack per thread. Used for storing local variables.

What attributes are used in the user space of the virtual memory?

  • Protection attributes:
    • PAGE_EXECUTE
    • PAGE_EXECUTE_READ
    • PAGE_EXECUTE_READWRITE
  • Type
    • MEM_IMAGE: Indicates that the memory pages within the region are mapped into the view of an image section.
    • MEM_MAPPED: Indicates that the memory pages within the region are mapped into the view of a section.
    • MEM_PRIVATE: Indicates that the memory pages within the region are private (that is, not shared by other processes).
  • States:
    • Committed
    • Reserved

"Virtual memory - Contents of user space"

In this context what is an Image?

Image:

The memory represents an executable file, such as an EXE or DLL, that has been loaded into a process by the image loader.

  • Does not include executable files loaded as data files.
  • Executable code regions are typically read/execute only and shareable.
  • Data regions, such as initialized data, are typically read/write or copy-on-write.

"Virtual memory - Contents of user space"

In this context what is a mapped file?

Mapped File:

The memory is shareable and represents a file on disk. Mapped files are often resource DLLs and typically contain application data.

"Virtual memory - Contents of user space"

What is meant by shareable memory?

Shareable memory is memory that can be shared with other processes and is backed by RAM or by the paging file.