11 April 2011

VirtualProtect

In Immunity Debugger -> Memory Map

Original
Memory map, item 13
 Address=00401000
 Size=0000F000 (61440.)
 Owner=setup279 00400000
 Section=.text
 Contains=code
 Type=Imag 01001002
 Access=R E
 Initial access=RWE



Call to the VirtualProtect API
0040F253  |. 50             PUSH EAX                                          ; /pOldProtect
0040F254  |. 6A 40          PUSH 40                                           ; |NewProtect = PAGE_EXECUTE_READWRITE
0040F256  |. 52             PUSH EDX                                          ; |Size
0040F257  |. 68 00104000    PUSH setup279.00401000                            ; |Address = setup279.00401000
0040F25C  |. E8 1F000000    CALL <JMP.&kernel32.VirtualProtect>               ; \VirtualProtect


Result

Memory map, item 13
 Address=00401000
 Size=0000F000 (61440.)
 Owner=setup279 00400000
 Section=.text
 Contains=code
 Type=Imag 01001002
 Access=RWE CopyOnWr
 Initial access=RWE


The Access field changes from [R E] to [RWE CopyOnWr]: the .text section is now writable as well as executable.
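The comparison above can be automated when reviewing many regions. The following is an added example, not part of the original post: it parses Memory Map entries in the text format shown here, diffs the before and after state, and reports code regions that became both writable and executable. The function names are hypothetical, and the sample input is constructed from the two entries in this post.

```python
import re

# Constructed sample input: the two Memory Map entries from this post.
BEFORE = """Memory map, item 13
 Address=00401000
 Size=0000F000 (61440.)
 Owner=setup279 00400000
 Section=.text
 Contains=code
 Type=Imag 01001002
 Access=R E
 Initial access=RWE
"""
AFTER = BEFORE.replace("Access=R E", "Access=RWE CopyOnWr")

# Win32 protection constants (winnt.h) that allow both write and execute.
WX_PROTECT = {0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def parse_entries(text):
    """Parse 'Memory map, item N' blocks into {address: {field: value}}."""
    entries = {}
    for block in re.split(r"(?m)^Memory map, item \d+\s*$", text):
        fields = dict(re.findall(r"(?m)^\s*([A-Za-z ]+?)=(.*?)\s*$", block))
        if "Address" in fields:
            entries[int(fields["Address"], 16)] = fields
    return entries

def rights(access):
    """Reduce an Access value ('R E', 'RWE CopyOnWr') to its R/W/E letters."""
    letters = "".join(t for t in access.split() if set(t) <= set("RWE"))
    return "".join(c for c in "RWE" if c in letters)

def newly_writable_code(before, after):
    """Return regions that are writable+executable now but were not before."""
    old, new = parse_entries(before), parse_entries(after)
    hits = []
    for addr, entry in new.items():
        was = rights(old.get(addr, {}).get("Access", ""))
        now = rights(entry.get("Access", ""))
        if {"W", "E"} <= set(now) and not {"W", "E"} <= set(was):
            hits.append((addr, entry.get("Section", "?"), was, now))
    return hits

if __name__ == "__main__":
    print("NewProtect 0x40 ->", WX_PROTECT.get(0x40, "not write+execute"))
    for addr, section, was, now in newly_writable_code(BEFORE, AFTER):
        print(f"{addr:08X} {section}: {was} -> {now} (code is now writable)")
```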
