mantvydasb / RedTeaming-Tactics-and-Techniques

Red Teaming Tactics and Techniques
http://ired.team
4.06k stars 1.06k forks

AddressOfEntryPoint Injection still uses RWX #36

Closed GuyPerson7018 closed 1 year ago

GuyPerson7018 commented 1 year ago

At the page on AddressOfEntryPoint Code Injection without VirtualAllocEx RWX, this is not really done without using RWX. As shown in the first picture, the entrypoint memory page is already under RX permissions, and as shown here, the only reason this method works is because WriteProcessMemory is being nice and trying to change RX to RWX temporarily, which would end up creating an RWX page anyway, essentially making this technique still easily detectable by EDRs that look for RWX regions.
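
The detection angle raised in the comment above, as an added example that is not part of the issue, the ired.team page, or the repository's code: a small region scanner in C that classifies page protections the way an RWX-hunting EDR would, and diffs two snapshots to catch a region that was RX in one and RWX in the other. The `region_t` record type and the `snapshot_process` helper are assumptions for illustration; the `PAGE_*` constant values are the real Windows ones, defined locally so the classification logic also compiles off Windows, where it is exercised only against constructed snapshots (the addresses and protections in `demo_constructed` are made up, not captured from a real process).

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Off Windows, define the page-protection constants (real Windows values) so
   the classification logic still compiles and runs against constructed data. */
typedef uint32_t DWORD;
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#endif

/* Hypothetical record of one committed region, as a scanner would keep it. */
typedef struct {
    uintptr_t base;
    size_t    size;
    DWORD     protect;
} region_t;

/* Writable and executable at once: the condition RWX-hunting EDRs flag. */
int is_rwx(DWORD protect) {
    DWORD p = protect & 0xFF;            /* drop PAGE_GUARD / PAGE_NOCACHE bits */
    return p == PAGE_EXECUTE_READWRITE || p == PAGE_EXECUTE_WRITECOPY;
}

/* Executable but not writable, e.g. a module's .text page holding the entry point. */
int is_rx(DWORD protect) {
    DWORD p = protect & 0xFF;
    return p == PAGE_EXECUTE || p == PAGE_EXECUTE_READ;
}

/* Number of RWX regions in one snapshot. */
size_t count_rwx(const region_t *snap, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_rwx(snap[i].protect)) hits++;
    return hits;
}

/* Number of regions (matched by base address) that were RX in `before` and
   RWX in `after`: the transient change the issue describes shows up here
   if a snapshot lands inside the write window. */
size_t count_rx_to_rwx(const region_t *before, const region_t *after, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (before[i].base == after[i].base &&
            is_rx(before[i].protect) && is_rwx(after[i].protect))
            hits++;
    return hits;
}

#ifdef _WIN32
/* Real snapshot of a process's committed regions via VirtualQueryEx; only
   built on Windows. Returns the number of regions stored. */
size_t snapshot_process(HANDLE proc, region_t *out, size_t max_regions) {
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0;
    size_t n = 0;
    while (n < max_regions &&
           VirtualQueryEx(proc, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT) {
            out[n].base    = (uintptr_t)mbi.BaseAddress;
            out[n].size    = mbi.RegionSize;
            out[n].protect = mbi.Protect;
            n++;
        }
        addr = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
    }
    return n;
}
#endif

/* Constructed snapshots (not captured from a real process): the entry-point
   page is RX before the write and RWX during it; a heap region stays RW; a
   third region is RWX in both. Returns the RX->RWX transition count. */
size_t demo_constructed(void) {
    region_t before[] = {
        { 0x00401000, 0x1000, PAGE_EXECUTE_READ },
        { 0x00600000, 0x4000, PAGE_READWRITE },
        { 0x00700000, 0x1000, PAGE_EXECUTE_READWRITE },
    };
    region_t after[] = {
        { 0x00401000, 0x1000, PAGE_EXECUTE_READWRITE },
        { 0x00600000, 0x4000, PAGE_READWRITE },
        { 0x00700000, 0x1000, PAGE_EXECUTE_READWRITE },
    };
    size_t n = sizeof before / sizeof before[0];
    printf("RWX regions before: %zu, during write: %zu, RX->RWX transitions: %zu\n",
           count_rwx(before, n), count_rwx(after, n), count_rx_to_rwx(before, after, n));
    return count_rx_to_rwx(before, after, n);
}

int main(void) {
    return demo_constructed() == 1 ? 0 : 1;
}
```

A periodic scan like this only catches the RX-to-RWX change if a snapshot happens to fall inside the short window that the write keeps open, which is why endpoint products generally also observe protection changes as they occur rather than relying on polling alone; the point of the issue stands either way, since the page does become RWX.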

mantvydasb commented 1 year ago

Thanks, updated the page by including your comment.