A third protection technique I implemented in HeapLocker is string detection.
When you enable string monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable. When a specific string (configured in the registry) is detected inside these pages, HeapLocker will suspend all threads (except this monitoring thread used by HeapLocker) and warn the user that the string was detected.
I’ve had very good results with this technique searching for the string “unescape” in Adobe Reader (the string “unescape” must be preceded by an equal sign or followed by a left parenthesis). Almost all malicious PDF documents in my collection were detected by this. But like NOP-sled detection, it’s not 100% reliable. Sometimes HeapLocker will scan a page before the string “unescape” has been written to that page.
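A small model of the monitoring loop and the “unescape” rule described above, as an added example (Python, not HeapLocker’s own C code; the page size, addresses, sample page contents and the optional whitespace around the needle are assumptions). It also reproduces the timing miss: a page that is scanned while still empty and only later receives the string is never flagged.

```python
import re
from typing import Dict, List, Tuple

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, as on x86 Windows

def build_pattern(needle: bytes) -> "re.Pattern[bytes]":
    """Match the needle only when it is preceded by '=' or followed by '('.
    Allowing optional whitespace around the needle is an assumption."""
    esc = re.escape(needle)
    return re.compile(rb"=\s*" + esc + rb"|" + esc + rb"\s*\(")

def scan_page(data: bytes, pattern: "re.Pattern[bytes]") -> List[int]:
    """Return the offsets of every match inside one page's contents."""
    return [m.start() for m in pattern.finditer(data)]

class StringMonitor:
    """Models the monitoring thread: each tick scans only pages not seen before."""
    def __init__(self, needle: bytes) -> None:
        self.pattern = build_pattern(needle)
        self.seen: set = set()  # base addresses already scanned

    def tick(self, committed_rw: Dict[int, bytes]) -> List[Tuple[int, int]]:
        """One pass over the RW committed pages; returns (page base, offset) hits.
        In HeapLocker a hit suspends every other thread and warns the user."""
        hits: List[Tuple[int, int]] = []
        for base, data in sorted(committed_rw.items()):
            if base in self.seen:
                continue
            self.seen.add(base)
            hits.extend((base, off) for off in scan_page(data, self.pattern))
        return hits

def page(content: bytes) -> bytes:
    """Pad constructed sample content to a full page."""
    return content.ljust(PAGE_SIZE, b"\x00")

# Constructed sample pages (addresses are made up).
PAGES = {
    0x00C10000: page(b'var x = unescape("%u9090%u9090");'),    # flagged: '= unescape'
    0x00C20000: page(b"// the unescape helper is never called"),  # not flagged
    0x00C30000: page(b""),  # committed but still empty on the first pass
}

def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    mon = StringMonitor(b"unescape")
    first = mon.tick(PAGES)  # catches the page that was already filled in
    late = dict(PAGES)
    late[0x00C30000] = page(b'p=unescape("%u0c0c%u0c0c");')  # written after first scan
    second = mon.tick(late)  # missed: that page was already marked as seen
    return first, second

if __name__ == "__main__":
    print(demo())
```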
[…] https://blog.didierstevens.com/2011/02/18/heaplocker-string-detection/ […]
Pingback by HeapLocker: heap spray detection tool — Saturday 19 February 2011 @ 2:18
good, thanks
Comment by youstar — Saturday 19 February 2011 @ 2:21
[…] HeapLocker: String Detection – blog.didierstevens.com When you enable string monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable. […]
Pingback by Week 7 In Review – 2011 | Portable Digital Video Recorder — Monday 21 February 2011 @ 12:10
[…] will attempt to detect nop sleds and strings in […]
Pingback by Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team — Sunday 1 January 2012 @ 15:09