Shared Memory

Shared memory is a mechanism that allows multiple processes or components, such as DLLs, to access and exchange data in a shared region of memory.

Shared memory matters for system DLLs (Dynamic-Link Libraries) on Windows because it lets every process that loads the same DLL share a single copy of that DLL's code pages in physical memory instead of each process holding its own. This removes redundant copies of ntdll.dll, kernel32.dll, amsi.dll and the rest, lowers overall memory consumption, and means the code is already resident when a new process loads the library. Note that only the read-only code and resource pages are shared; each process receives its own copy of the DLL's writable data as soon as it writes to it, so sharing the image does not by itself provide a channel for processes to exchange data.

The diagram below shows this feature:

The modules loaded into a process occupy ranges of that process's virtual address space, and those virtual pages are backed by physical RAM when the code is executed. For system DLLs the code pages are backed by the same physical pages in every process: each process has its own virtual mapping, but all of the mappings point at one shared copy in RAM.

Given this, it is fair to ask how in-memory DLL patching can work at all if the DLL's pages are shared between processes: would a patch written in one process not change the code for every process on the system?

AMSI (Antimalware Scan Interface) patching is the technique adversaries use to overwrite code in the loaded copy of amsi.dll inside their own process (commonly the AmsiScanBuffer routine) so that scans are never performed or always report a clean result. With the AMSI implementation patched, the adversary's scripts and in-memory payloads are no longer passed to the registered antimalware provider, which raises the chance that the intrusion goes undetected.

The answer is a feature called Copy on Write. This is a memory management technique in which multiple processes can keep sharing the same physical pages for as long as they only read them. The first write to a shared page is what triggers the copy: rather than copying the whole DLL up front, the operating system copies just the page being written into the writing process's private memory and redirects that process's virtual mapping to the new copy. The write then lands in the private page, so changes made by one process never reach the shared copy seen by the others. This is exactly what happens when a process changes the protection of a page in amsi.dll and overwrites bytes in it.

Once the patched process terminates, its private copy of the modified page is freed, while the shared pages of amsi.dll used by every other process and the file on disk were never touched. Two practical consequences follow: the patch must be reapplied in each new process the adversary wants to protect, and a defender can detect it by comparing the bytes of amsi.dll in a running process with the on-disk image, because any page that differs is a private, modified copy.
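The following C program is an added example, not code from the original page, that reproduces the copy-on-write behaviour described above and the integrity check that follows from it. It is written against POSIX rather than Win32 so that it runs anywhere: a temporary file stands in for a DLL image on disk, and two MAP_PRIVATE mappings of it stand in for two processes that share the image's pages. Writing one byte through the first mapping (0xC3, the x86 RET opcode, chosen only to mimic a code patch) gives that mapping a private copy of the affected page, while the second mapping and the file keep the original bytes. The helper `compare_to_original` is the in-process "compare memory with the on-disk image" check and reports how many pages have been modified. The file name template, the page fill pattern and the page index that is patched are all choices made for this demonstration.

```c
/* Added example: copy-on-write on file-backed private mappings, plus a page
 * integrity check. Two MAP_PRIVATE views of one file model two processes
 * sharing a DLL image; POSIX, not Win32, so it runs outside Windows. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGES 4            /* size of the fake "image" in pages (assumption) */
#define PATCHED_PAGE 2     /* page the demonstration patches (assumption) */

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Build an unlinked temp file of PAGES pages; page p is filled with 0xA0 + p.
 * Returns the open fd, or -1 on error. The file plays the role of the DLL on disk. */
static int make_image_file(void) {
    char path[] = "/tmp/cow-demo-XXXXXX";   /* template chosen for this demo */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* file exists only while fd is open */
    size_t ps = page_size();
    unsigned char *buf = malloc(ps);
    if (!buf) { close(fd); return -1; }
    for (int p = 0; p < PAGES; p++) {
        memset(buf, 0xA0 + p, ps);
        if (write(fd, buf, ps) != (ssize_t)ps) { free(buf); close(fd); return -1; }
    }
    free(buf);
    return fd;
}

/* Integrity check: count pages of `view` whose bytes differ from the file.
 * Returns the number of modified pages, or -1 on a read error. */
int compare_to_original(const unsigned char *view, int fd) {
    size_t ps = page_size();
    unsigned char *orig = malloc(ps);
    if (!orig) return -1;
    int modified = 0;
    for (int p = 0; p < PAGES; p++) {
        if (pread(fd, orig, ps, (off_t)(p * ps)) != (ssize_t)ps) { modified = -1; break; }
        if (memcmp(view + p * ps, orig, ps) != 0) modified++;
    }
    free(orig);
    return modified;
}

struct cow_result {
    int modified_before_patch;      /* pages differing in view A before the write */
    int modified_in_patched_view;   /* pages differing in view A after the write */
    int modified_in_other_view;     /* pages differing in view B after the write */
    int other_view_sees_patch;      /* 1 if view B observes the patched byte */
};

/* Map the image twice as MAP_PRIVATE, patch one byte through view A, inspect both.
 * Returns 0 on success, -1 on error. */
int run_cow_demo(struct cow_result *r) {
    size_t ps = page_size(), len = PAGES * ps;
    int fd = make_image_file();
    if (fd < 0) return -1;

    /* Private (copy-on-write) mappings: writes never reach the file. */
    unsigned char *view_a = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    unsigned char *view_b = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (view_a == MAP_FAILED || view_b == MAP_FAILED) { close(fd); return -1; }

    r->modified_before_patch = compare_to_original(view_a, fd);

    /* The "patch": one byte in one page of view A. This first write is what
     * makes the kernel give view A a private copy of PATCHED_PAGE. */
    view_a[PATCHED_PAGE * ps] = 0xC3;       /* x86 RET opcode, for illustration */

    r->modified_in_patched_view = compare_to_original(view_a, fd);
    r->modified_in_other_view   = compare_to_original(view_b, fd);
    r->other_view_sees_patch    = (view_b[PATCHED_PAGE * ps] == 0xC3);

    munmap(view_a, len);
    munmap(view_b, len);
    close(fd);                              /* private copy dies with the mapping */
    return 0;
}

int main(void) {
    struct cow_result r;
    if (run_cow_demo(&r) != 0) { perror("run_cow_demo"); return 1; }
    printf("modified pages before patch:     %d\n", r.modified_before_patch);
    printf("modified pages in patched view:  %d\n", r.modified_in_patched_view);
    printf("modified pages in other view:    %d\n", r.modified_in_other_view);
    printf("other view sees the patch:       %s\n", r.other_view_sees_patch ? "yes" : "no");
    return 0;
}
```

The same comparison is the basis of a real check against amsi.dll: read the bytes of the routine from the running process, read the corresponding bytes from the file on disk, and treat any difference as a private, patched page. On Windows the in-process write would be preceded by a VirtualProtect call on the target page, but the copy-on-write outcome is the one the program above shows.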
