On Wed, Apr 3, 2019 at 10:31 AM Igor Zhbanov <i.zhbanov@xxxxxxxxxxxx> wrote:
> I'm trying to reduce attacker's possibilities to inject any new unauthorized
> code. Currently it could be:
(snip)
> 4) Anonymous executable pages (either new or existing changing to writable).
> ^ This is what I'm talking about. Because it's relatively easy to create
> anonymous executable page to stay below the radar. Because even if you
> enable signature checking for all opened files it would be possible to
> simply download the code and execute it directly from the anonymous pages.

There are two possible cases here:

1) The application is legitimate but can be convinced to open and
execute malicious code. There should be no such applications that
download code from the internet and execute it directly, so this can
be prevented by requiring that files be signed (which has to be done
to protect against attackers just using an interpreted language
instead).

2) The application is actively malicious. In this case this approach
is insufficient - an actively malicious application can interpret code
rather than executing it directly. This can only be prevented by not
signing malicious applications.

When you talk about "staying below the radar" it implies that you're
talking about case 2, but the proposed solution is only a speed bump
rather than a blocker.
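
Added example, not part of the original message or of any patch in this thread: a defender-side check that lists the anonymous executable mappings of item 4 from text in `/proc/<pid>/maps` format. The function name, the exclusion set and the sample lines are assumptions made for illustration; the sample is constructed, not captured from a real process.

```python
# Constructed sample in /proc/<pid>/maps layout:
#   address-range perms offset dev inode [pathname]
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 fd:01 1310757    /usr/bin/example
55d0c8c21000-55d0c8c22000 rw-p 00021000 fd:01 1310757    /usr/bin/example
55d0c9f3a000-55d0c9f5b000 rw-p 00000000 00:00 0          [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a14200000-7f3a14201000 r-xp 00000000 00:00 0
7f3a1c5e2000-7f3a1c797000 r-xp 00000000 fd:01 1312001    /usr/lib/libexample.so
7ffd2a1f0000-7ffd2a211000 rw-p 00000000 00:00 0          [stack]
7ffd2a3c5000-7ffd2a3c7000 r-xp 00000000 00:00 0          [vdso]
"""

# Executable regions the kernel itself maps into every process (assumed set).
KERNEL_PROVIDED = {"[vdso]", "[vsyscall]"}


def anon_exec_regions(maps_text):
    """Return (start, end, perms, label) for executable mappings with no backing file."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # blank or malformed line
        addr, perms, _offset, _dev, inode = fields[:5]
        path = fields[5].strip() if len(fields) == 6 else ""
        if "x" not in perms or path in KERNEL_PROVIDED:
            continue
        # Anonymous memory: inode 0 and either no name or a pseudo-name
        # such as [heap] or [stack].
        if inode == "0" and (path == "" or path.startswith("[")):
            start, end = (int(part, 16) for part in addr.split("-"))
            hits.append((start, end, perms, path or "<anonymous>"))
    return hits


if __name__ == "__main__":
    for start, end, perms, label in anon_exec_regions(SAMPLE_MAPS):
        note = "writable and executable" if "w" in perms else "executable"
        print(f"{start:#x}-{end:#x} {perms} {label}: {note}, {end - start} bytes")
```

A check like this only sees code that is executed directly from anonymous pages; an application that interprets downloaded code, as in case 2 of the reply, never creates such a mapping. JIT-compiling runtimes create these mappings legitimately, so hits need a per-application baseline.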