Modern operating systems have memory protections such as Data Execution Prevention, No Execute bit for Data, Read-only bit for text/code sections etc. I don't understand how packers work when these memory protections are in place. Where do the packers unpack the compressed/encrypted binaries when the code pages are marked Read-Only and data pages are marked for No Execute?
Viewed 327 times
1 Answer (score 10)
The unpacker will request a page of memory from the OS that is marked write and unpack the code into there. Once the unpacking is done, it will use VirtualProtect on Windows or mprotect on POSIX-compliant systems to change the protection bits to read-only and execute (or allocate the page as read-write+execute in the first place and skip making it read+execute-only).
In other words the application gets enough control over the protection bits to do run-time code generation.
– ratchet freak
Or (for Windows), unpack into an existing PE section whose characteristics are marked as RWX, thus having the PE loader do the page protection work. – Jason Geffner Jan 07 '16 at 14:33
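The sequence the answer describes (writable page, write the unpacked code, flip the page to read+execute, call it) as an added, runnable example. This is not code from the original post; it assumes Linux on x86-64, since the stand-in payload is x86-64 machine code and the permission check reads `/proc/self/maps`. The `w_xor_x` switch selects between the answer's two paths, and the returned permission strings are the check a defender would make: the page is never writable and executable at the same time on the first path, and is `rwxp` throughout on the shortcut.

```python
"""Runtime code generation the way the answer describes it: get a writable
page, write the "unpacked" code into it, flip it to read+execute, call it.

Added example, not code from the original post. Assumes Linux on x86-64:
the payload bytes are x86-64 machine code and the permission check reads
/proc/self/maps.
"""
import ctypes
import mmap
import platform

PAGE = mmap.PAGESIZE
MAP_ANON = getattr(mmap, "MAP_ANONYMOUS", getattr(mmap, "MAP_ANON", 0x20))
MAP_FAILED = ctypes.c_void_p(-1).value

libc = ctypes.CDLL(None, use_errno=True)
libc.mmap.restype = ctypes.c_void_p
libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                      ctypes.c_int, ctypes.c_int, ctypes.c_long]
libc.mprotect.restype = ctypes.c_int
libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
libc.munmap.restype = ctypes.c_int
libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]

# Constructed stand-in for "unpacked" code: x86-64 `mov eax, 42 ; ret`.
UNPACKED_CODE = bytes.fromhex("b82a000000c3")


def page_perms(addr):
    """Permission string ('rw-p', 'r-xp', 'rwxp', ...) of the mapping holding addr."""
    with open("/proc/self/maps") as maps:
        for line in maps:
            rng, perms = line.split()[:2]
            lo, hi = (int(x, 16) for x in rng.split("-"))
            if lo <= addr < hi:
                return perms
    return None


def run_unpacked(code, w_xor_x=True):
    """Allocate a page for `code`, make it executable, call it.

    w_xor_x=True  is the answer's first path: RW while writing, then
                  mprotect() to R+X before the call.
    w_xor_x=False is the shortcut it mentions: RWX from the start, which is
                  exactly the mapping state that memory scanners flag.
    Returns (value the code returned, perms while writing, perms while running).
    """
    if platform.machine() not in ("x86_64", "AMD64"):
        raise RuntimeError("payload bytes are x86-64 only")
    prot = mmap.PROT_READ | mmap.PROT_WRITE
    if not w_xor_x:
        prot |= mmap.PROT_EXEC
    addr = libc.mmap(None, PAGE, prot, mmap.MAP_PRIVATE | MAP_ANON, -1, 0)
    if addr in (None, MAP_FAILED):
        raise OSError(ctypes.get_errno(), "mmap failed")
    perms_writing = page_perms(addr)
    ctypes.memmove(addr, code, len(code))
    if w_xor_x:
        # Drop write before adding execute: the page is never W and X together.
        if libc.mprotect(addr, PAGE, mmap.PROT_READ | mmap.PROT_EXEC) != 0:
            raise OSError(ctypes.get_errno(), "mprotect failed")
    perms_running = page_perms(addr)
    result = ctypes.CFUNCTYPE(ctypes.c_int)(addr)()
    libc.munmap(addr, PAGE)
    return result, perms_writing, perms_running


if __name__ == "__main__":
    print(run_unpacked(UNPACKED_CODE))                 # (42, 'rw-p', 'r-xp')
    print(run_unpacked(UNPACKED_CODE, w_xor_x=False))  # (42, 'rwxp', 'rwxp')
```

The `mprotect` call from RW to RX is the same transition a Windows unpacker makes with `VirtualProtect`, and on either platform it is the point where a user-mode hook or a memory scan can see a freshly written region becoming executable; the RWX shortcut never makes that call, which is why a scan of mappings for `rwxp` (or `PAGE_EXECUTE_READWRITE` on Windows) is the usual complementary check.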
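The static counterpart to Jason Geffner's comment, as an added example that is not part of the original thread: a section whose characteristics already request write and execute gets its RWX pages from the PE loader, so the flag combination is visible in the section table before anything runs. The parser below walks only the COFF and section headers with the standard library; the image it scans is constructed here (section name `.unpack` and all offsets are made up) and is not a real binary.

```python
"""Static check for the comment's shortcut: a PE section whose characteristics
already ask for writable + executable pages.

Added example, not from the original post. Parses only the COFF and section
headers, so it needs nothing beyond the standard library; the sample image it
scans is constructed here and is not a real binary.
"""
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def pe_sections(data):
    """Yield (name, virtual_size, characteristics) for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        yield name, fields[1], fields[9]


def rwx_sections(data):
    """Names of sections the loader would map both writable and executable."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, _, chars in pe_sections(data) if chars & wx == wx]


def build_sample_pe(sections):
    """Constructed PE32+ skeleton: DOS header, PE signature, COFF header, an
    all-zero optional header and the given (name, characteristics) sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x20B) + b"\0" * 238          # PE32+ magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample: a normal code section, a normal data section, and the
# pattern from the comment, a pre-declared RWX section for the unpacked code.
SAMPLE_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".unpack", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for name, vsize, chars in pe_sections(SAMPLE_PE):
        print(f"{name:8s} vsize=0x{vsize:x} chars=0x{chars:08x}")
    print("RWX sections:", rwx_sections(SAMPLE_PE))   # ['.unpack']
```

To run it against a file on disk, pass `open(path, "rb").read()` to `rwx_sections`. An RWX section is not proof of packing on its own (some compilers and runtimes emit one legitimately), but a writable section that is also flagged as code, or a section with a large virtual size and a tiny raw size, is the kind of header-level signal worth a second look.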