Malware and Memory Execution

How Software Runs on a Computer

• All software must run inside of memory to execute.
• It is loaded from disk → into memory → processed by the CPU.
• Malware, like any other software, must reside in memory to function.

Memory Structure and Processes

A variety of components exist in memory, such as:

• Processes
• Threads
• Buffers
• Memory management functions
• DLLs (Dynamic-Link Libraries)

Malware Execution Strategies

Two Main Approaches:

1. Run as a separate process
   Malware creates its own identifiable process in memory.
2. Process Injection
   Malware injects itself into an existing process.
   Benefits:
   • Avoids detection (malicious process not directly visible).
   • Inherits rights and permissions of the host process (can lead to privilege escalation).

Understanding Process Memory

• Each running process has a defined memory space (start to end address).
• Malware injection occurs between these addresses.
• Allows malware to blend into legitimate memory usage.

DLL Injection (A Common Technique)

• DLL: Dynamic-Link Library (shared library used by multiple applications).

Steps for DLL Injection:

1. Attacker places a malicious DLL on a storage device accessible to the system.
2. Attacker modifies the target process to include a path to the DLL.
3. During execution, the process loads the DLL from disk into memory.
4. The malicious code is now active, operating as part of the legitimate process.

Why it's effective:

• It hides malware inside a trusted process.
• Malware gains the same execution context as the target process.