http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspxHi All, my name is Ron Riddle and I&rsquo;m an Escalation Engineer on the core Windows team. I worked an issue recently wherein a svchost.exe was crashing due to heap corruption; so, after enabling Page Heap and breaking out the services as needed, Ien-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspx#10322710Thu, 21 Jun 2012 18:51:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:10322710Dave Black<p>Hi Ron,</p> <p>Thanks for the post. Could you please clarify your statement in #3 - &quot;By now, I am suspicious of a rogue module&quot;.</p> <p>What did you discover in #1 and #2 that would lead you to have this suspicion?</p> <p>Thanks for your time.</p> <p>[My suspicion was based on the following facts:&nbsp;</p> <ol> <li>Malware authors often conceal rogue modules by removing them from the Loaded Modules list.</li> <li>The debugger could not map the virtual address to any module within the Loaded<br />Modules list.</li> <li>The page was marked as PAGE_EXECUTE_READWRITE, which means it&rsquo;s a code address.&nbsp;</li> </ol> <p>Of course I realize that virtual machines environments also store executable code on one of the heaps, so the above observations are certainly not a dead giveaway, but they are enough to start formulating theories.]</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10322710" width="1" height="1">http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspx#10113426Sun, 09 Jan 2011 08:35:47 GMT91d46819-8472-40ad-a661-2c78acb4018c:10113426Miro<p>Nice article Ron, thanks for this! An for the rest of GES guys, please post more frequently! :)</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10113426" width="1" height="1">http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspx#10113296Sat, 08 Jan 2011 14:18:29 GMT91d46819-8472-40ad-a661-2c78acb4018c:10113296Paulo Oliveira<p>Great stuff Ron!! Thanks for sharing!!</p> <p>Regards,</p> <p>Paulo Oliveira.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10113296" width="1" height="1">http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspx#10113249Sat, 08 Jan 2011 05:48:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:10113249Bob Dobbs<p>That was totally intuitive. I&#39;m so glad Microsoft Windows is easy to use.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10113249" width="1" height="1">http://blogs.msdn.com/b/ntdebugging/archive/2011/01/07/hunting-for-bugs-but-found-a-worm.aspx#10113230Sat, 08 Jan 2011 02:50:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:10113230Felix<p>Thanks for the post! Very interesting stuff.</p> <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10113230" width="1" height="1">