Open Advanced Windows Exploitation
  • Introduction
    • Welcome
      • Subscribe
      • Contents
      • Intended Audience
      • Required Software and Tools
      • Thank You and Support
  • Custom Shellcode
    • 64-bit Architecture
      • 64-bit Enhancements
      • Calling Conventions
    • Shellcode Workflow
      • Visual Studio Code
      • Netwide Assembler
      • Windbg Preview
      • Workflow
    • Writing Shellcode
      • NULL-Free Position-Independent Shellcode
      • Finding kernel32.dll
      • Resolving Symbols
      • Finding VMAs
      • MessageBox Shellcode
      • Avoiding NULL
      • GetLastError
    • Reverse Shell
      • Exercise
      • Solution
  • Exploit Mitigations
    • Understanding the Battlefield
      • Memory Corruption
      • Vulnerability Primitives
      • Overview of Mitigations
    • Our Old Foes
      • DEP
      • ASLR
  • Memory Management
    • Memory Basics
      • Pages
      • Shared Memory
    • Memory Management
      • The Stack
      • The Heap
        • Heap Grooming and Overflow
        • Virtual Functions in C++
        • The Heap Continued
        • Kernel Mode Heap
      • Managed Memory
  • The Kernel
    • Kernel Basics
      • Kernel Structures
      • Kernel Debugging Options
      • Navigating the Kernel
      • Analysing the Kernel
    • Access Tokens
      • Access Token Basics
      • Token Theft
  • Drivers
    • Driver Basics
      • Implementing a Driver
      • Reversing Our Driver
      • A Basic User Mode Application
  • First Kernel Exploit
    • A Kernel Exploit
      • CVE 2020-17382
      • IDA Free
      • Writing A Basic Fuzzer
      • Controlling RIP
      • Meet SMEP
      • ROP to the Rescue
      • kASLR
      • Priv Esc Shellcode
    • Exploit Code
  • References
    • References
Powered by GitBook
On this page
  1. Memory Management
  2. Memory Basics

Shared Memory

Shared memory is a mechanism that allows multiple processes or components, such as DLLs, to access and exchange data in a shared region of memory.

PreviousPagesNextMemory Management

Last updated 1 year ago

Shared memory is important for System DLLs (Dynamic-Link Libraries) in Windows because it allows multiple processes to load and share the same DLL in memory. This eliminates the need for redundant copies of the DLL and reduces memory consumption. By sharing the DLL, processes can save memory resources and benefit from improved performance and efficiency. Additionally, shared memory enables efficient communication and coordination between processes using the DLL, facilitating seamless integration and collaboration within the system.

The diagram below shows this feature:

The modules loaded in to a process are loaded in to virtual addresses which are mapped in to RAM when the code is executed. The System DLLs are mapped to the same physical RAM in all processes.

Given this feature we may be forgiven for wondering how DLL patching can occur if DLLs are shared between processes.

AMSI (Antimalware Scan Interface) patching refers to the technique used by adversaries to modify the AMSI DLL code in order to evade or disable antivirus and antimalware scans. By patching or altering the AMSI implementation, adversaries can prevent their malicious code or scripts from being detected or blocked by security software, thereby increasing their chances of successful exploitation or intrusion.

Windows implements a feature called Copy on Write. This is a memory management technique in Windows where multiple processes or threads can share the same memory pages until a write operation occurs. When a process modifies a shared memory page, instead of making a physical copy of the entire page, a new private copy is created for that process, ensuring that changes made by one process do not affect others:

Once the patched process is terminated, the modified copy of the AMSI DLL is freed from memory but the original DLL remains.

Shared Memory
Copy on Write Operation