|
the packer change the code section permission with VirtualProtect and put W for unpack the code and write, but when finish the unpacking forget change the permision to RE only and quit W, and jump to execute the code.
All code of the process will be writable if are NOT executable (RE only o viceversa RW only), but the code section will be writable and executable REW, the DEP is bypassed by the packer using VirtualProtect for write the code section, and let the code easy for copy and execute.
ricnar
|