Attack Method: Code Modification.
Description: Code modification attacks work simply by modifying existing code in memory, usually to change the behaviour of a particular part of a program (for example, to make a firewall always allow traffic, or to make an anti-virus program never detect viruses). To do this, the attacking process must have write access to the memory space of the target process (which DiamondCS Process Guard can easily prevent).
Example: This is a very simple but real-world example of a code modification attack. The following picture shows a disassembly of code from an actual firewall:

This section of code determines whether the triggered event has matched a blocking rule. For example, if the event was a connection to TCP port 25 and there was a rule that said "block all connections to TCP port 25" then the packet would be dropped and the connection attempt wouldn't occur - this is the fundamental nature of firewalls, to permit or deny packets from getting through.
The Attack: A trojan or other malicious program can easily patch the code, and in this example it could modify the code so that it always jumps to the "permitted" section of code:

In this case the patch is only two bytes (EB 1A, written to address 0x004016C8).
Attack Result: In this example, all traffic will be permitted after the code patch has been applied - even if there is a blocking rule for that event - thus bypassing the security of the firewall altogether. This attack is relatively easy for a trojan to execute.
Solution: DiamondCS Process Guard is easily able to protect against all code manipulation attacks by preventing write access to the target process(es).
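The following is an added illustration of how a program can detect (rather than prevent) the kind of two-byte patch described above; it is example code written for this page, not Process Guard's code and not the firewall's code. It hashes a region of code bytes at startup and re-checks it later, reporting the first offset that differs. The SAMPLE_CODE bytes are constructed for the demonstration: a conditional short branch (74 1A, JE) that the page's patch turns into an unconditional one (EB 1A, JMP). A real implementation would hash the process's own executable section (found from the PE headers on Windows) instead of a fixed array; note also that a self-check lives in the same writable address space, so a trojan with write access could patch the check as well, which is why denying write access to the process is the stronger control.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* FNV-1a 32-bit hash over an arbitrary byte region (a baseline fingerprint). */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the region still matches the baseline hash, 0 if it was modified. */
int code_region_intact(const uint8_t *region, size_t len, uint32_t baseline)
{
    return fnv1a32(region, len) == baseline;
}

/* Compares a live region against a saved copy; returns the first differing
 * offset, or -1 if the two are identical. Used to locate a detected patch. */
long first_patched_offset(const uint8_t *live, const uint8_t *saved, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != saved[i])
            return (long)i;
    return -1;
}

/* Constructed stand-in for a rule-check routine. These are sample bytes for
 * this example only, not the real firewall's code. */
#define REGION_LEN 8
static const uint8_t SAMPLE_CODE[REGION_LEN] = {
    0x3B, 0xC1,             /* cmp eax, ecx      : compare event against rule  */
    0x74, 0x1A,             /* je  +0x1A         : conditional branch to "permitted" */
    0x90, 0x90, 0x90, 0x90  /* nop padding */
};

/* Simulates the lifecycle: take a baseline, apply the page's two-byte patch
 * (74 1A -> EB 1A, JE -> JMP short) to a copy, and re-check.
 * Returns 1 if the patch was detected, 0 if it was missed, -1 on a false positive. */
int demo_detect_patch(void)
{
    uint8_t live[REGION_LEN];
    memcpy(live, SAMPLE_CODE, REGION_LEN);

    uint32_t baseline = fnv1a32(live, REGION_LEN);
    if (!code_region_intact(live, REGION_LEN, baseline))
        return -1;  /* unmodified code must never be flagged */

    live[2] = 0xEB; /* the patch: opcode 0x74 (JE) becomes 0xEB (JMP); 0x1A is unchanged */

    return code_region_intact(live, REGION_LEN, baseline) ? 0 : 1;
}

int main(void)
{
    uint8_t live[REGION_LEN];
    memcpy(live, SAMPLE_CODE, REGION_LEN);
    live[2] = 0xEB;

    printf("patch detected: %d\n", demo_detect_patch());
    printf("first modified offset: %ld\n", first_patched_offset(live, SAMPLE_CODE, REGION_LEN));
    return 0;
}
```

Re-running the check periodically (or just before the decision routine executes) turns a silent bypass into an alert; in the sample above the modified offset reported is 2, the opcode byte of the branch.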
Related websites:
MSDN: WriteProcessMemory
MSDN: VirtualProtectEx
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.