Can Comodo HIPS detect this malware technique?

A PoC is available. Can anyone compile this and test it?


Let me first say that the PoC only launches a message box, so no alert by a HIPS would be shown. However, if it were modified to, say, execute another process or make changes to the file system, etc., then it would be picked up. This technique just dynamically changes the memory page permissions of where the code resides from being executable to non-executable and back again. Where executable code is located in memory makes no difference for a HIPS or sandbox because the code still resides in the address space of the application, and thus any actions carried out will be shown as coming from the application.

The only way to evade a HIPS, sandbox, or other type of security software is to get code execution in the kernel. Once you're in kernel land, it's game over.
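The reply above describes code flipping its own pages between executable and non-executable. From a defender's side, the observable is the process's memory map: a region whose executable bit changes between two snapshots, or an executable region backed by no file at all. The script below is an added example written for this thread, not the PoC or anything the poster provided. It assumes a Linux `/proc/<pid>/maps`-style listing as the input format (a stand-in for whatever the monitoring tool on the platform in question exposes), and both snapshots are constructed for illustration rather than captured from a real process.

```python
"""Added example: flag executable-permission flips in a process memory map.

Compares two /proc/<pid>/maps-style snapshots and reports regions whose
executable bit changed, plus any executable region not backed by a file.
All input below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed snapshots of the same (hypothetical) process before and after
# it toggles page permissions on two anonymous regions.
SNAPSHOT_BEFORE = """\
00400000-00401000 r-xp 00000000 08:01 1234 /home/user/app
00600000-00601000 rw-p 00000000 08:01 1234 /home/user/app
7f0000000000-7f0000021000 rw-p 00000000 00:00 0
7f0000100000-7f0000101000 r-xp 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

SNAPSHOT_AFTER = """\
00400000-00401000 r-xp 00000000 08:01 1234 /home/user/app
00600000-00601000 rw-p 00000000 08:01 1234 /home/user/app
7f0000000000-7f0000021000 rwxp 00000000 00:00 0
7f0000100000-7f0000101000 r--p 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def anonymous(self) -> bool:
        # No backing file: empty path or a kernel pseudo-name like [stack].
        return self.path == "" or self.path.startswith("[")


def parse_maps(text: str) -> dict[tuple[int, int], Region]:
    """Parse a maps listing into regions keyed by (start, end)."""
    regions: dict[tuple[int, int], Region] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        r = Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        regions[(r.start, r.end)] = r
    return regions


def executable_flips(before: str, after: str) -> list[dict]:
    """Regions present in both snapshots whose executable bit changed."""
    old, new = parse_maps(before), parse_maps(after)
    findings = []
    for key in sorted(old.keys() & new.keys()):
        a, b = old[key], new[key]
        if a.executable != b.executable:
            findings.append({
                "start": a.start,
                "end": a.end,
                "before": a.perms,
                "after": b.perms,
                "gained_exec": b.executable,
                "anonymous": b.anonymous,
            })
    return findings


def anonymous_executable(text: str) -> list[Region]:
    """Executable regions with no backing file in a single snapshot."""
    return [r for r in parse_maps(text).values() if r.executable and r.anonymous]


if __name__ == "__main__":
    for f in executable_flips(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{f['start']:x}-{f['end']:x}: {f['before']} -> {f['after']}"
              f" (gained exec: {f['gained_exec']}, anonymous: {f['anonymous']})")
```

Run on the constructed snapshots it reports two flips: one anonymous region gained execute (and is now writable and executable at once), another lost it. Note that this only surfaces the permission changes themselves; as the reply says, the actions the code then takes are still attributed to the hosting process, so this kind of check complements rather than replaces behaviour-based monitoring.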