Sign in with
Sign up | Sign in
Your question

Code injection prevention

Last response: in Antivirus / Security / Privacy
October 9, 2012 1:11:24 AM

Hi, i wanna ask, how does anti-virus prevent injection code from infected exe/sys/com files?
how the software reveals them?
i realised that there is some PE-view process that related, if someone will be able to explain in to me in more details i'll be glad :) 

Best solution

October 9, 2012 4:53:06 AM

Basically, a program is an instruction set, which is held in memory (it is loaded there when you open .exe file). When you do that, some memory gets allocated to that program. Let's say you have 1 KB of memory. 0-99 is reserved for OS, so when you launch the program, 100-199 gets assigned to that program. It starts execution reading memory linearly from 100, then 101, etc. Then, if you launch a malicious program, it will get 200-299 memory space. Code injection is changing the code in memory reserved for other programs.

Let's say 250-299 is the malicious code that's gonna get injected. When you launch the virus, it starts executing from 200, and it will do something like: find memory address, which is currently executed in program 1, and then "Write "GO TO 250" on the following address. Basically it accesses memory space that doesn't belong to it and changes it, forcing the program execution to run unexpectedly.

Anti virus software can easily see this behaviour: invalid memory access is a serious threat if done correctly (which usually changes execution of the program instead of crashing it).

Of course, realistically you will have much more running programs, and the memory layout is a bit more complicated, but I hope you get the idea :) .
October 9, 2012 6:02:25 AM

Well, i sure got the idea
thank you very much
October 18, 2012 1:14:28 PM

Best answer selected by iso421.