Permissions Flashcards
PAGE_EXECUTE
The memory can be executed, but not written. This protection cannot be used for mapped files.
PAGE_EXECUTE_READ
The memory can be executed or read, but not written.
PAGE_EXECUTE_READWRITE
The memory can be executed, read, or written. Injected code regions almost always have this protection.
PAGE_EXECUTE_WRITECOPY
Enables execute, read-only, or copy-on-write access to a mapped view of a file. It cannot be set by calling VirtualAlloc or VirtualAllocEx. DLLs almost always have this protection.
PAGE_NOACCESS
Disables all access to the memory. This protection cannot be used for mapped files. Applications can prevent accidental reads or writes to data by setting this protection.
PAGE_READONLY
The memory can be read, but not executed or written.
PAGE_READWRITE
The memory can be read or written, but not executed.
PAGE_WRITECOPY
Enables read-only or copy-on-write access to a mapped view of a file. It cannot be set by calling VirtualAlloc or VirtualAllocEx.
Process Environment Block (PEB)
Every _EPROCESS structure contains a member called _PEB. The PEB contains the full path to the process’ executable, the full command line that starts the process, the current working directory, pointers to the process’ heaps, standard handles, and three doubly linked lists that contain the full path to DLLs loaded by the process.