
I want to learn more
#1
I knew about DLL Injection & Reflective DLL Injection, Fileless. It uses a fixed memory address.
As for me, I want to change the memory address of my malware in real time. It means "float" or "flow" like a river in memory. If memory was a river, the malware is a small ship. It has no fixed memory address. Of course it is fileless.
Totally, it is fileless malware and it has no fixed memory. Are you OK?..
Could you help me?
#2
Simye Wrote: I knew about DLL Injection & Reflective DLL Injection, Fileless. It uses a fixed memory address.
As for me, I want to change the memory address of my malware in real time. It means "float" or "flow" like a river in memory. If memory was a river, the malware is a small ship. It has no fixed memory address. Of course it is fileless.
Totally, it is fileless malware and it has no fixed memory. Are you OK?..
Could you help me?

You could try Process Hollowing
Link: https://attack.mitre.org/techniques/T1055/012/
#3
Take a look at my answer on CryptBB. Let me know if I got the question right and also if you need further assistance or concrete code examples.
#4
NexusNoctis Wrote: take a look at my answer on CryptBB. Let me know if I got the question right and also if you need further assistance or concrete code examples.

Please don't post answers like this, this does not help anyone and only complicates matters when you reference a different post in a different forum.
It's wiser to either copy-paste the post, or, to write a new one.
If you have any questions, please PM dkota
#5
prince97 Wrote:
NexusNoctis Wrote: take a look at my answer on CryptBB. Let me know if I got the question right and also if you need further assistance or concrete code examples.

Please don't post answers like this, this does not help anyone and only complicates matters when you reference a different post in a different forum.
It's wiser to either copy-paste the post, or, to write a new one.

Yes, very true. Sorry about that. I'm often just very lazy. Essentially what I was saying is that to truly float in memory you need to have kernel-level access so you can allocate memory everywhere you want and so on. However, you can easily do things like that in virtual memory by making your program essentially a looping linked list and have each node allocate new executable memory pages for the next node and continue execution there. It has, of course, some challenges to it, but I'm sure one can figure that out with that initial idea.
#6
NexusNoctis Wrote:
prince97 Wrote:
NexusNoctis Wrote: take a look at my answer on CryptBB. Let me know if I got the question right and also if you need further assistance or concrete code examples.

Please don't post answers like this, this does not help anyone and only complicates matters when you reference a different post in a different forum.
It's wiser to either copy-paste the post, or, to write a new one.

Yes, very true. Sorry about that. I'm often just very lazy. Essentially what I was saying is that to truly float in memory you need to have kernel-level access so you can allocate memory everywhere you want and so on. However, you can easily do things like that in virtual memory by making your program essentially a looping linked list and have each node allocate new executable memory pages for the next node and continue execution there. It has, of course, some challenges to it, but I'm sure one can figure that out with that initial idea.


I think the kernel can't just do that, right? It would crash the system if it overrides memory addresses at random.
#7
Simye Wrote: As for me, I want to change the memory address of my malware in real time. It means "float" or "flow" like a river in memory. If memory was a river, the malware is a small ship. It has no fixed memory

Very beautiful analogy.