Skip to content
/ QueryWorkingSetExample Public

Just an example of a well-known technique to detect memory tampering via Windows Working Sets.

License

MIT license
11 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Midi12/QueryWorkingSetExample

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
doc/images
doc/images
 
 
.gitignore
.gitignore
 
 
CMakeLists.txt
CMakeLists.txt
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.c
main.c
 
 

Repository files navigation

QueryWorkingSet AntiTamper Example

Just an example of a well-known technique to detect memory tampering via Windows Working Sets.

Non-writable pages are being shared among processes that need them. Each process reads the same copy. Once one process modifies the protection of a page to write to it, the system will copy the page and serve the process its own copy. Once in this state, the Shared member of the PSAPI_WORKING_SET_INFORMATION (returned by QueryWorkingSet(Ex) API(s)) will be FALSE (0).

A process can check his .text section (or any non-writable section) by querying his Working Set (using QueryWorkingSet(Ex) API(s)) and checking the Shared member (and may have use of the ShareCount member).

  • Running without a debugger img.png

  • Running under a debugger (you need to place a breakpoint somewhere in main.c main() routine) img.png

The page RVA in the screenshot above would be 0x5000, once you load the built sample into your favorite disassembler you can notice that the page at RVA 0x5000 is where you put the breakpoint.

Have fun 🏴‍☠️

About

Just an example of a well-known technique to detect memory tampering via Windows Working Sets.

Topics

anti-tampering win-api

Resources

Readme

License

MIT license
Activity

Stars

11 stars

Watchers

3 watching

Forks

6 forks
Report repository

Languages