Does the subject bring a feeling of mystery to the reader? People who like pop music may have heard of a famous Pink Floyd album, The Dark Side of the Moon. Rumours say that the far side of the Moon hosts another civilisation. Is that true?
In the computer world, memory leaks are not a new topic, and attackers can build on such flaws to implant malware. The Google Chrome browser was found to have a memory leak issue in November 2014: users found that some elements of the DOM (Document Object Model), or their handlers, were not being released properly. The three conditions below give an idea of when a memory leak becomes a serious problem:
- The application stays resident in memory for a long time (a service, a daemon, a browser tab) rather than exiting and giving its memory back
- The system is expected to run indefinitely, without a restart that would clear the leaked memory
- The system has little total memory to spare (embedded or low-end devices), so a small leak exhausts it quickly
The hottest target that lures attackers
Svchost.exe (Service Host) is an important process of Windows 7/8/8.1/10 that hosts groups of individual services, which Windows uses for various system functions. There can be multiple svchost.exe instances, and one instance may host several services. A common complaint is an svchost.exe instance (often the netsvcs group) showing high CPU and memory usage. That symptom can be caused by a virus or other malware, although it also has benign causes, so treat it as a prompt to investigate rather than as proof of infection.
How does malware do this job?
Malware abuses the way Windows creates processes rather than any particular bug: it starts a genuine svchost.exe, then replaces the executable image inside that process with its own, so the malicious code runs under a trusted name and path (though not under services.exe as its parent, which is one way to spot it). The steps are described below.
This is the so-called process hollowing (also known as RunPE):
- The malware creates the svchost.exe process in a suspended state (CreateProcess with CREATE_SUSPENDED), so the legitimate image is mapped into the new address space but its main thread has not yet run.
- The malware reads the base address of the legitimate image from the PEB (PEB.ImageBaseAddress, at PEB+8 on 32-bit Windows and PEB+0x10 on 64-bit), unmaps that executable section from the target process (NtUnmapViewOfSection), and then allocates memory in the target with read, write and execute permissions (VirtualAllocEx), usually at a different address.
- It copies its own executable, headers and sections, into the allocated region (WriteProcessMemory).
- It overwrites PEB.ImageBaseAddress in the target process with the address of the newly allocated region.
- It changes the start address of the suspended thread to the entry point of the injected executable by setting CONTEXT.Eax (on x86, EAX of a freshly created thread holds the entry point) with SetThreadContext, then resumes the thread with ResumeThread.
The scenario above is one example of malware abusing process memory. Strictly speaking it is a code-injection technique rather than a memory leak, but it leaves the same kind of trace: memory in a process that is not what the system believes it to be. If you are interested in this topic, it is not difficult to explore further yourself!
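As an added example (not code from the original post, and not Microsoft's tooling), the hypothetical detector below checks for exactly the artefacts the five steps leave behind: it reads PEB.ImageBaseAddress from a live process, compares the PE headers mapped there with the headers of the svchost.exe file on disk, and also checks that the image path is the real System32 one. The live part uses NtQueryInformationProcess and ReadProcessMemory via ctypes and assumes 64-bit Python on 64-bit Windows inspecting 64-bit targets; the comparison logic is pure Python and is exercised offline on constructed PE headers by `demo()`.

```python
"""hollow_check.py: flag svchost.exe processes whose mapped image no longer matches the file on
disk. Hypothetical detector written for this article (not the author's or Microsoft's code). The
comparison is pure Python; the live read assumes 64-bit Python on 64-bit Windows inspecting
64-bit targets, where PEB.ImageBaseAddress sits at PEB+0x10 (PEB+0x8 on 32-bit, as in step 2)."""
import ctypes
import os
import struct
import sys


def parse_pe(image: bytes) -> dict:
    """Pull out the header fields a swapped-in image is unlikely to keep identical."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 24                    # IMAGE_OPTIONAL_HEADER follows the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return {"magic": magic, "timestamp": struct.unpack_from("<I", image, e_lfanew + 8)[0],   # TimeDateStamp
            "entry_point": struct.unpack_from("<I", image, opt + 16)[0],                     # AddressOfEntryPoint
            "size_of_image": struct.unpack_from("<I", image, opt + 56)[0]}                   # SizeOfImage


def hollowing_indicators(disk_image: bytes, mapped_image: bytes, exe_path: str, expected_path: str) -> list:
    """Compare the headers found at PEB.ImageBaseAddress with the on-disk file; [] means healthy."""
    reasons = [] if exe_path.lower() == expected_path.lower() else [f"image path {exe_path!r} is not {expected_path!r}"]
    disk = parse_pe(disk_image)
    try:
        mapped = parse_pe(mapped_image)
    except (ValueError, struct.error) as exc:   # headers wiped, or the region is not a PE image at all
        return reasons + [f"no valid PE header at PEB.ImageBaseAddress ({exc})"]
    for field in ("magic", "timestamp", "entry_point", "size_of_image"):
        if disk[field] != mapped[field]:
            reasons.append(f"{field} differs: disk 0x{disk[field]:x}, mapped 0x{mapped[field]:x}")
    return reasons


def windows_process_headers(pid: int, nbytes: int = 0x1000):
    """Windows only: return (exe path, PEB.ImageBaseAddress, first nbytes mapped there)."""
    from ctypes import wintypes
    k32, ntdll = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.WinDLL("ntdll")
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    ntdll.NtQueryInformationProcess.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, wintypes.ULONG, ctypes.POINTER(wintypes.ULONG)]
    class PBI(ctypes.Structure):             # PROCESS_BASIC_INFORMATION, 64-bit layout
        _fields_ = [("Reserved1", ctypes.c_void_p), ("PebBaseAddress", ctypes.c_void_p), ("Reserved2", ctypes.c_void_p * 2),
                    ("UniqueProcessId", ctypes.c_void_p), ("Reserved3", ctypes.c_void_p)]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        pbi = PBI()
        status = ntdll.NtQueryInformationProcess(h, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), None)  # 0 = ProcessBasicInformation
        if status:
            raise OSError(f"NtQueryInformationProcess failed: 0x{status & 0xFFFFFFFF:08x}")
        def rpm(addr, size):
            buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t()
            if not k32.ReadProcessMemory(h, addr, buf, size, ctypes.byref(got)):
                raise ctypes.WinError(ctypes.get_last_error())
            return buf.raw[:got.value]
        image_base = struct.unpack("<Q", rpm(pbi.PebBaseAddress + 0x10, 8))[0]   # PEB.ImageBaseAddress (step 4 rewrites it)
        path = ctypes.create_unicode_buffer(32768)
        size = wintypes.DWORD(len(path))
        if not k32.QueryFullProcessImageNameW(h, 0, path, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        return path.value, image_base, rpm(image_base, nbytes)
    finally:
        k32.CloseHandle(h)


def check_pid(pid: int) -> list:
    path, _, mapped = windows_process_headers(pid)   # Windows only: compare a live process with its file
    expected = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "svchost.exe")
    with open(path, "rb") as f:
        return hollowing_indicators(f.read(0x1000), mapped, path, expected)


def build_min_pe(entry_point: int, size_of_image: int, timestamp: int = 0x5A5A5A5A) -> bytes:
    """Constructed minimal PE32+ header (not loadable) so the demo runs offline on any OS."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                         # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x8664, 1, timestamp, 0, 0, 240, 0x22)  # IMAGE_FILE_HEADER
    struct.pack_into("<H14xI", hdr, 0x98, 0x20B, entry_point)                       # PE32+ magic, AddressOfEntryPoint
    struct.pack_into("<I", hdr, 0x98 + 56, size_of_image)                           # SizeOfImage
    return bytes(hdr)


def demo():
    """Offline demo on constructed headers: a healthy process, then one hollowed as in the steps above."""
    disk = build_min_pe(entry_point=0x5A20, size_of_image=0x14000)
    implant = build_min_pe(entry_point=0x1300, size_of_image=0x9000, timestamp=0x61F0C0DE)
    svchost = r"C:\Windows\System32\svchost.exe"
    return hollowing_indicators(disk, disk, svchost, svchost), hollowing_indicators(disk, implant, svchost, svchost)


if __name__ == "__main__":   # on Windows: python hollow_check.py <pid> [<pid> ...]; elsewhere it runs the demo
    print([check_pid(int(p)) for p in sys.argv[1:]] if sys.platform == "win32" and sys.argv[1:] else demo())
```

On Windows, feed it the PIDs of every svchost.exe (for example from `tasklist /FI "IMAGENAME eq svchost.exe"`) from an elevated prompt; a healthy instance returns an empty list, a hollowed one reports the differing entry point, SizeOfImage or timestamp, and one whose headers were wiped reports that no PE image sits at PEB.ImageBaseAddress. The check deliberately does not compare the optional header's ImageBase field, which the loader may change under ASLR, and it would miss a stealthier variant that copies the original headers over its own, so pair it with the parent-process check mentioned above.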