Detecting (un)Intentionally Hidden Injected Code by Examining Page Table Entries

Presented at Black Hat Europe 2019, Dec. 5, 2019, 10 a.m. (25 minutes).

Malware uses code injection techniques either to manipulate other processes (as banking trojans do) or to hide its own presence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU, at least at some point in time.

In this talk, we will cover hiding techniques that prevent executable pages (containing injected code) from being reported by current memory forensic plugins. These techniques can either be implemented deliberately by malware to hide its injected code (as already observed in the wild) or, in one case, arise unintentionally from the operating system's own paging mechanism. In a second step, we present an approach that reveals such pages despite these hiding techniques by examining Page Table Entries. This approach has been implemented as a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages.
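The core of the approach above is to decide from the Page Table Entry itself, rather than from OS bookkeeping, whether a page can be executed. The following is an added illustration, not the talk's Rekall plugin, of that check for the x86-64 PTE format (Present bit 0, R/W bit 1, U/S bit 2, PFN bits 12-51, NX bit 63); the page table contents are constructed sample values.

```python
# Added example (not from the talk): decode x86-64 page table entries (PTEs)
# and flag those that map executable pages. Bit layout per the Intel SDM:
# bit 0 = Present, bit 1 = R/W, bit 2 = User/Supervisor, bits 12..51 = PFN,
# bit 63 = XD/NX (execute-disable). A present page with NX clear is executable.

PTE_PRESENT = 1 << 0
PTE_RW = 1 << 1
PTE_USER = 1 << 2
PTE_NX = 1 << 63
PFN_MASK = ((1 << 40) - 1) << 12
PAGE_SIZE = 0x1000
PTES_PER_TABLE = 512

def decode_pte(pte: int) -> dict:
    """Split a raw 64-bit PTE into the fields relevant for execution checks."""
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_RW),
        "user": bool(pte & PTE_USER),
        "nx": bool(pte & PTE_NX),
        "pfn": (pte & PFN_MASK) >> 12,
    }

def is_executable(pte: int) -> bool:
    """Executable only if the CPU will actually fetch from it: present and NX clear."""
    f = decode_pte(pte)
    return f["present"] and not f["nx"]

def scan_page_table(table_base_va: int, entries: list[int]) -> list[dict]:
    """Walk one last-level page table (512 PTEs covering 2 MiB of VA) and return
    every executable page with its virtual address and permission bits."""
    hits = []
    for idx, pte in enumerate(entries):
        if is_executable(pte):
            f = decode_pte(pte)
            hits.append({
                "va": table_base_va + idx * PAGE_SIZE,
                "pfn": f["pfn"],
                "writable": f["writable"],
                "user": f["user"],
            })
    return hits

# Constructed sample table: mostly empty, a few present pages with varied bits.
SAMPLE_TABLE = [0] * PTES_PER_TABLE
SAMPLE_TABLE[0] = 0x1A2B3000 | PTE_PRESENT | PTE_USER                    # RX user page
SAMPLE_TABLE[1] = 0x1A2B4000 | PTE_PRESENT | PTE_USER | PTE_RW           # RWX user page
SAMPLE_TABLE[2] = 0x1A2B5000 | PTE_PRESENT | PTE_USER | PTE_RW | PTE_NX  # RW, not executable
SAMPLE_TABLE[3] = 0x1A2B6000 | PTE_USER                                  # not present

if __name__ == "__main__":
    for hit in scan_page_table(0x7FF600000000, SAMPLE_TABLE):
        print(hit)
```

Entries that are not present (like the fourth sample entry) are skipped by this check on purpose: what they mean depends on OS-specific software bits, which is exactly the territory where forensic tools can miss pages.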

The talk will also contain several live demonstrations, showing the successful hiding from current memory forensic plugins and the detection with our plugin.

Presenters:

  • Frank Block - Security Researcher, ERNW Research GmbH
    Frank Block is a security researcher working for ERNW Research GmbH with more than 10 years of experience, and an external PhD student at the University of Erlangen-Nuremberg (Department Informatik) with a focus on memory forensics. His main expertise lies in incident analysis and the penetration testing of enterprise networks and web applications. When not involved in customer projects, he enjoys doing research in all kinds of areas (e.g. wireless technologies) and gives training courses on topics such as hacking and incident analysis.
