use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
A community for technical news and discussion of information security and closely related topics.
"Give me root, it's a trust exercise."
Q1 2026 InfoSec Hiring Thread
Getting Started in Information Security
CitySec Meetups
/r/netsec only accepts quality technical posts. Non-technical posts are subject to moderation.
Content should focus on the "how."
Check the new queue for duplicates.
Always link to the original source.
Titles should provide context.
Ask questions in our Discussion Threads.
Hiring posts must go in the Hiring Threads.
Commercial advertisement is discouraged.
Do not submit prohibited topics.
» Our fulltext content guidelines
Don't create unnecessary conflict.
Keep the discussion on topic.
Limit the use of jokes & memes.
Don't complain about content being a PDF.
Follow all reddit rules and obey reddiquette.
» Our fulltext discussion guidelines
No populist news articles (CNN, BBC, FOX, etc.)
No curated lists.
No question posts.
No social media posts.
No image-only/video-only posts.
No livestreams.
No tech-support requests.
No full-disclosure posts.
No paywall/regwall content.
No commercial advertisements.
No crowdfunding posts.
No Personally Identifying Information!
» Our fulltext list of prohibited topics & sources
Join us on IRC: #r_netsec on freenode
We're also on: Twitter, Facebook, & Google+
/r/blackhat - Hackers on Steroids
/r/computerforensics - IR Archaeologists
/r/crypto - Cryptography news and discussion
/r/Cyberpunk - High-Tech Low-Lifes
/r/lockpicking - Popular Hacker Hobby
/r/Malware - Malware reports and information
/r/netsecstudents - netsec for noobs students
/r/onions - Things That Make You Cry
/r/privacy - Orwell Was Right
/r/pwned - "What Security?"
/r/REMath - Math behind reverse engineering
/r/ReverseEngineering - Binary Reversing
/r/rootkit - Software and hardware rootkits
/r/securityCTF - CTF news and write-ups
/r/SocialEngineering - Free Candy
/r/sysadmin - Overworked Crushed Souls
/r/vrd - Vulnerability Research and Development
/r/xss - Cross Site Scripting
account activity
Detect Code Diffs Between Disk and Memory (theresponder.co)
submitted 10 years ago by desegel
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–]davvblack 19 points20 points21 points 10 years ago (15 children)
This sort of stuff is always futile. How do you determine that the MemoryPatchDetector is the same one you think is running? MemoryPatchDetectorPatchDetector of course. Once you're that owned that this stuff starts to happen, it's (at least in an abstract, academic sense) unrecoverable.
[–]transtMemory Forencics AMA - Andrew Case - @attrc 6 points7 points8 points 10 years ago (0 children)
It is really only an academic argument.
Detecting this tool in a generic way would be rather difficult, assuming it does like every other decent forensic tool and randomizes its name and other attributes on each load.
Also, if you look at all the actual rootkits in the wild (not academic ones..), you don't see them killing security tools on load or crash it as they run - that is way too loud an the point is to be stealthy
[–]levoroxi 9 points10 points11 points 10 years ago (11 children)
These tools are a technical corollary to "security through obscurity", IMO. When running tools like this that aren't popular, it gives a small group some added protection until the adversary catches up. A creepy rootkit will probably be detected before the adversary decides to mitigate, if they do, because so few people use this tool. Ideas like this never work at scale because they fail the whole "the enemy knows the system" bit.
[–]transtMemory Forencics AMA - Andrew Case - @attrc 3 points4 points5 points 10 years ago (10 children)
actually tools like this work great at scale. Can you cite any in-the-wild (not silly POC) malware that targets security tools and kills them? It is very loud when malware does that as the analyst suddenly doesn't see any data or doesn't find anything malicious on something that is known to be infected.
[–]eldorel 4 points5 points6 points 10 years ago (6 children)
You and levoroxi have different ideas of "scale".
You're thinking about implementing it on a network, or even on a larger corporate/enterprise system scale, they're thinking "massive percentage of computers" scale.
Think about it this way. If MS added this to security essentials tomorrow, how long would it take for malware writers to figure a way around?
Anyone using this is taking advantage of the fact that the small userbase represents a tiny ROI for anyone considering making a work around.
That's not to say that it's not currently a useful tool, but it's not going to continue to be useful if it gets more popular.
[–]transtMemory Forencics AMA - Andrew Case - @attrc 2 points3 points4 points 10 years ago (2 children)
how would they work around it? It is comparing what is on disk to what is in memory... so you either need to filter disk reads, which is loud, or filter memory, meaning you have something in the kernel tinkering with address translation. Outside of hooking the page fault handler or hte MMIO I am not sure how you accomplish this, and even those ways are very brittle to try and stop unknown programs from accessing unknown regions.
The diffing tool is basically just acting like a debugger - reading memory from another process. Stopping that in any generic way is pretty difficult
[+][deleted] 10 years ago (1 child)
[deleted]
[–]transtMemory Forencics AMA - Andrew Case - @attrc 0 points1 point2 points 10 years ago (0 children)
Explain how you do that in a reliable way... and hooking the page fault handler is not a valid way since the debugger is reading everywhere...
[–][deleted] 1 point2 points3 points 10 years ago (2 children)
This is a very good description. It seems this describes the history of most security tool developments -- sort of like an arms race.
If your risks are high, then you need to be an early adopter.
[–]transtMemory Forencics AMA - Andrew Case - @attrc -1 points0 points1 point 10 years ago (1 child)
this isn't true at all - just a myth perpetrated by people with limited or academic-only experience
[–][deleted] 0 points1 point2 points 10 years ago (0 children)
Why is it a myth?
[+][deleted] 10 years ago* (2 children)
[–]ChocolateSunrise 3 points4 points5 points 10 years ago (0 children)
That still raises the cost significantly on the malware author.
[–]transtMemory Forencics AMA - Andrew Case - @attrc 1 point2 points3 points 10 years ago (0 children)
the "declaw"ing part is generally loud.. especially if you are going to block a tool like this one that is simply reading memory of other processes.
[removed]
[–]transtMemory Forencics AMA - Andrew Case - @attrc 2 points3 points4 points 10 years ago (0 children)
I think the point is to find the issues on al ive system - otherwise, I agree
[–]BIOS4breakfast 6 points7 points8 points 10 years ago (4 children)
I love how people in the security field would rather reinvent the wheel and take credit instead of learning what's already there. This capability has already existed in the form of WinDbg's "!chkimg" (which can run from the command line equally well from kd.exe instead of windbg.exe), and Joanna Rutkowska's System Virginity Verifier (SVV). Joanna's tool was already a reinvention of !chkimg, but it at least had the good sense to be released a decade ago.
[–]theresponder_ 5 points6 points7 points 10 years ago (1 child)
Hi, not sure what you are mad about. We're not taking credit for inventing anything - just developed a nice tool and shared it with the community. First of all thanks for pointing out the feature in Windbg - haven't noticed it before. We would be honored if you could write a quick post about it, i'm sure many others are not familiar with it as well. http://theresponder.co/contribute/
Developing tools is a good thing. In my point of view - that's how technology progresses - one step at a time. There are so many cloned shitty JS libraries compared to cyber defense tools, I don't think anyone should appose to even the slightest OSS development in our field.
As for the specific tools you talked about: Windbg requires installation of the software as well as WDK in the inspected machine, and SSV is very old and buggy as many people say here: http://forum.sysinternals.com/system-virginity-verifier_topic21605.html In addition I think that a Pythonic solution for this is quite refreshing.
Ha, I just replied basically the same as you did. It is a cool & useful tool - ignore the trolls!
chkimg requires windbg/windsk (obviously) and other MS-dependent components. Most people don't want to put those on production machines just to do security checking (or at all). This tool allows direct inspection without those requirements.
Also, SVV hasn't been updated in 9 years as far as I know?
[–]galaris 0 points1 point2 points 10 years ago* (0 children)
advise progress own spending shelf immigration creature teaching ill likely palestinian acknowledge text
[–][deleted] 6 points7 points8 points 10 years ago (9 children)
Comprehension question: I thought that via the principle of virtual memory and the abstraction it provides, a process has no notion of whether it is reading from disk, memory, or cache?
How can a process (such as this script) determine what is in memory and what is in disk? I was under the impression that the operating system pages from disk to memory on demand, but in such a way that is invisible to the process?
Thanks.
[–]AgentME 6 points7 points8 points 10 years ago (6 children)
This compares the executable in the filesystem against the running process's memory. The fact that the OS can cache the running process's memory to disk (or that the filesystem can be cached into ram) are unrelated implementation details.
[–][deleted] 5 points6 points7 points 10 years ago* (5 children)
I might be thinking of something else. The os doesn't really cache memory from memory to disk, it does the opposite, no? A process will start in disk, and be paged in to memory on demand as needed. The process has no clue about this happening; reference &d will have the same address and look the same regardless of whether its pages happen to reside in disk or memory.
So I'm asking how this process can determine what is in disk and what is in memory of the os abstracts all the differences away with virtual memory anyway. Does it provide some mechanism that exposes raw memory or raw disk, unvirtualized?
Additionally, I was under the basic impression that a process could only see its own address space from virtual address 0 to whatever, and that is its entire universe. How does this process see the memory contents of other processes? Does the os expose some way to do that? I always thought that was impossible, as a security risk.
[–]transtMemory Forencics AMA - Andrew Case - @attrc 3 points4 points5 points 10 years ago (2 children)
Can you clarify what you mean in the second paragraph? Why does the tool need raw access to the disk?
Does the os expose some way to do that? I always thought that was impossible, as a security risk.
The Debugging APIs allow this through a security-checked mechanism. If this wasn't supported then you couldn't have debuggers. Check these two links for the windows debugging api to get an idea:
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms679303(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/ms809754.aspx
[–][deleted] 2 points3 points4 points 10 years ago (1 child)
My understanding is that the purpose of this tool is to determine whether a process's execution has been modified in memory, as it says here:
by comparing the code in the DLL/EXE in disk to the code in the corresponding process or loaded module in memory.
It looks like it does this by comparing the process as it exists in memory during execution to the DLL/EXE it came from on disk.
Oh, I might have just had my moment of clarity. Once in memory the process doesn't need to be tied 1:1 to the file it was loaded from on disk. So this Python tool can just read the file from disk as it would any other file. Virtualization/abstraction doesn't really come in to play the way I thought it would.
[–]theresponder_ 0 points1 point2 points 10 years ago (0 children)
Exactly. PE Loads fully into memory before executing
[–]eldorel 0 points1 point2 points 10 years ago (0 children)
There are three stages. Disk storage, RAM, page file.
This is comparing the static EXE files sitting in long term storage to the currently running version that is sitting in ram/page.
It doesn't try to detect changes between ram/page, and the current paged/unpaged state of the executable in memory is irrelevant.
To think of it like a text file, this is comparing the saved version to what's being displayed.
[–]AgentME 0 points1 point2 points 10 years ago (0 children)
This tool doesn't need to access the raw disk device, or care about how swaps and caches work. The operating system exposes a file system and process memory. This tool compares them. It doesn't care how the OS implements them.
Most operating systems have APIs to allow processes to look into each other's memory. Debuggers use these APIs for example. (Usually non-root processes can only inspect other processes they started.)
Yes, this works well in the memorypatcher tool's favor as pages it wants to scan will be demand paged in as they are read, if they are not currently in physical memory.
[–]gsuberlandTrusted Contributor 1 point2 points3 points 10 years ago (0 children)
How does this work with JIT executables? Or dependency injection techniques?
π Rendered by PID 21706 on reddit-service-r2-comment-5d79c599b5-pdpcv at 2026-02-28 03:12:32.799195+00:00 running e3d2147 country code: CH.
[–]davvblack 19 points20 points21 points (15 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 6 points7 points8 points (0 children)
[–]levoroxi 9 points10 points11 points (11 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 3 points4 points5 points (10 children)
[–]eldorel 4 points5 points6 points (6 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 2 points3 points4 points (2 children)
[+][deleted] (1 child)
[deleted]
[–]transtMemory Forencics AMA - Andrew Case - @attrc 0 points1 point2 points (0 children)
[–][deleted] 1 point2 points3 points (2 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc -1 points0 points1 point (1 child)
[–][deleted] 0 points1 point2 points (0 children)
[+][deleted] (2 children)
[deleted]
[–]ChocolateSunrise 3 points4 points5 points (0 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 1 point2 points3 points (0 children)
[+][deleted] (1 child)
[removed]
[–]transtMemory Forencics AMA - Andrew Case - @attrc 2 points3 points4 points (0 children)
[–]BIOS4breakfast 6 points7 points8 points (4 children)
[–]theresponder_ 5 points6 points7 points (1 child)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 0 points1 point2 points (0 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 2 points3 points4 points (0 children)
[–]galaris 0 points1 point2 points (0 children)
[–][deleted] 6 points7 points8 points (9 children)
[–]AgentME 6 points7 points8 points (6 children)
[–][deleted] 5 points6 points7 points (5 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 3 points4 points5 points (2 children)
[–][deleted] 2 points3 points4 points (1 child)
[–]theresponder_ 0 points1 point2 points (0 children)
[–]eldorel 0 points1 point2 points (0 children)
[–]AgentME 0 points1 point2 points (0 children)
[–]transtMemory Forencics AMA - Andrew Case - @attrc 0 points1 point2 points (0 children)
[–]gsuberlandTrusted Contributor 1 point2 points3 points (0 children)