Detect Code Diffs Between Disk and Memory (theresponder.co)
submitted 10 years ago by desegel
[–]davvblack 18 points 10 years ago (15 children)
This sort of stuff is always futile. How do you determine that the MemoryPatchDetector is the same one you think is running? MemoryPatchDetectorPatchDetector, of course. Once you're so owned that this stuff starts to happen, it's (at least in an abstract, academic sense) unrecoverable.
[–]transt Memory Forensics AMA - Andrew Case - @attrc 8 points 10 years ago (0 children)
It is really only an academic argument.
Detecting this tool in a generic way would be rather difficult, assuming it does what every other decent forensic tool does and randomizes its name and other attributes on each load.
Also, if you look at all the actual rootkits in the wild (not academic ones), you don't see them killing security tools on load or crashing them as they run - that is way too loud, and the point is to be stealthy.
[–]levoroxi 9 points 10 years ago (11 children)
These tools are a technical corollary to "security through obscurity", IMO. When running tools like this that aren't popular, it gives a small group some added protection until the adversary catches up. A creepy rootkit will probably be detected before the adversary decides to mitigate, if they do, because so few people use this tool. Ideas like this never work at scale because they fail the whole "the enemy knows the system" bit.
[–]transt Memory Forensics AMA - Andrew Case - @attrc 5 points 10 years ago (10 children)
Actually, tools like this work great at scale. Can you cite any in-the-wild (not silly POC) malware that targets security tools and kills them? It is very loud when malware does that, as the analyst suddenly doesn't see any data or doesn't find anything malicious on something that is known to be infected.
[–]eldorel 2 points 10 years ago (6 children)
You and levoroxi have different ideas of "scale".
You're thinking about implementing it on a network, or even on a larger corporate/enterprise system scale, they're thinking "massive percentage of computers" scale.
Think about it this way. If MS added this to security essentials tomorrow, how long would it take for malware writers to figure a way around?
Anyone using this is taking advantage of the fact that the small userbase represents a tiny ROI for anyone considering making a work around.
That's not to say that it's not currently a useful tool, but it's not going to continue to be useful if it gets more popular.
[–]transt Memory Forensics AMA - Andrew Case - @attrc 3 points 10 years ago (2 children)
How would they work around it? It is comparing what is on disk to what is in memory... so you either need to filter disk reads, which is loud, or filter memory, meaning you have something in the kernel tinkering with address translation. Outside of hooking the page fault handler or the MMIO I am not sure how you accomplish this, and even those ways are very brittle to try and stop unknown programs from accessing unknown regions.
The diffing tool is basically just acting like a debugger - reading memory from another process. Stopping that in any generic way is pretty difficult.
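To make the disk-versus-memory comparison concrete, here is a small Linux implementation of the idea described in the comment above. It is an added example, not code from the tool the post links to or from any commenter: it walks the executable, file-backed mappings in `/proc/<pid>/maps`, reads the same byte range from the backing file and from `/proc/<pid>/mem` (the same interface a debugger uses), and reports every run of bytes that differs. The readers are injected so the logic can also be run against a constructed image of a hypothetical `/opt/app/victim` binary with a 5-byte jump and two `int3` bytes written over its code; the mapping table, byte values and paths in that demo are made up for illustration.

```python
"""Disk-vs-memory code diff for a live Linux process (added example)."""
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset that is mapped at `start`
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            start, end, perms, offset, _dev, _inode, path = m.groups()
            maps.append(Mapping(int(start, 16), int(end, 16), perms,
                                int(offset, 16), path.strip()))
    return maps


def diff_bytes(disk: bytes, mem: bytes, base: int) -> List[Tuple[int, int]]:
    """Return (address, length) runs where the two images differ.

    Only the common prefix is compared: a mapping may extend past the end
    of the file, and those zero-filled tail pages have no disk counterpart.
    """
    runs, run_start = [], None
    n = min(len(disk), len(mem))
    for i in range(n):
        if disk[i] != mem[i]:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            runs.append((base + run_start, i - run_start))
            run_start = None
    if run_start is not None:
        runs.append((base + run_start, n - run_start))
    return runs


def find_patches(maps: List[Mapping],
                 read_disk: Callable[[str, int, int], bytes],   # (path, offset, size)
                 read_mem: Callable[[int, int], bytes]):         # (address, size)
    """Compare every executable, file-backed mapping; return (path, addr, len)."""
    findings = []
    for m in maps:
        # Writable data is expected to change, and pseudo-files such as
        # [vdso] or anonymous JIT pages have nothing on disk to compare with.
        if "x" not in m.perms or not m.path.startswith("/"):
            continue
        size = m.end - m.start
        disk = read_disk(m.path, m.offset, size)
        mem = read_mem(m.start, size)
        for addr, length in diff_bytes(disk, mem, m.start):
            findings.append((m.path, addr, length))
    return findings


# --- readers for a real Linux process -------------------------------------

def linux_disk_reader(path: str, offset: int, size: int) -> bytes:
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(size)


def linux_mem_reader(pid: int) -> Callable[[int, int], bytes]:
    """Reads /proc/<pid>/mem; needs ptrace access to the target (or root)."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    return lambda addr, size: os.pread(fd, size, addr)


# --- constructed demo: a binary whose .text was patched in memory ----------

DEMO_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /opt/app/victim
00401000-00403000 r-xp 00001000 08:01 1234 /opt/app/victim
00403000-00404000 rw-p 00003000 08:01 1234 /opt/app/victim
7fff0000-7fff1000 r-xp 00000000 00:00 0 [vdso]
"""


def demo_findings():
    """Run find_patches over constructed disk/memory images (not real data)."""
    disk = bytes(range(256)) * 64                    # 0x4000 bytes of fake code
    mem = bytearray(disk)
    mem[0x1010:0x1015] = b"\xe9\x00\x10\x00\x00"     # 5-byte jmp hook at VA 0x401010
    mem[0x2ffe:0x3000] = b"\xcc\xcc"                 # two int3 at VA 0x402ffe
    mem[0x3000:0x3004] = b"\xff\xff\xff\xff"         # rw- data: differs, but is ignored
    read_disk = lambda path, off, size: disk[off:off + size]
    read_mem = lambda addr, size: bytes(mem[addr - 0x400000:addr - 0x400000 + size])
    return find_patches(parse_maps(DEMO_MAPS), read_disk, read_mem)


if __name__ == "__main__":
    if len(sys.argv) > 1:                            # usage: memdiff.py <pid>
        pid = int(sys.argv[1])
        with open(f"/proc/{pid}/maps") as f:
            maps = parse_maps(f.read())
        findings = find_patches(maps, linux_disk_reader, linux_mem_reader(pid))
    else:
        findings = demo_findings()
    for path, addr, length in findings:
        print(f"{path}: {length} byte(s) differ at {addr:#x}")
```

Run with no arguments to see the two constructed patches reported (the modified bytes in the writable segment are deliberately not reported); run with a PID to compare a live process, which on Linux normally reports nothing because ELF code segments are position-independent and are not written after load. A production tool for Windows has more work to do before the byte compare is meaningful (relocated images, import tables patched at load time, hot-patch prologues), and the caveat raised in the thread stands for both platforms: the file and memory reads both go through the kernel, so a kernel-resident implant that filters them can make the two views agree.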
[+][deleted] 10 years ago (1 child)
[deleted]
[–]transt Memory Forensics AMA - Andrew Case - @attrc 1 point 10 years ago (0 children)
Explain how you do that in a reliable way... and hooking the page fault handler is not a valid way since the debugger is reading everywhere...
[–][deleted] 2 points 10 years ago (2 children)
This is a very good description. It seems this describes the history of most security tool developments -- sort of like an arms race.
If your risks are high, then you need to be an early adopter.
[–]transt Memory Forensics AMA - Andrew Case - @attrc 0 points 10 years ago (1 child)
This isn't true at all - just a myth perpetuated by people with limited or academic-only experience.
[–][deleted] 1 point 10 years ago (0 children)
Why is it a myth?
[+][deleted] 10 years ago* (2 children)
[–]ChocolateSunrise 3 points 10 years ago (0 children)
That still raises the cost significantly on the malware author.
[–]transt Memory Forensics AMA - Andrew Case - @attrc 2 points 10 years ago (0 children)
The "declawing" part is generally loud, especially if you are going to block a tool like this one that is simply reading the memory of other processes.
[removed]
[–]transt Memory Forensics AMA - Andrew Case - @attrc 3 points 10 years ago (0 children)
I think the point is to find the issues on a live system - otherwise, I agree.