When analyzing malware, what you see on disk is oftentimes not an accurate representation of what’s actually happening in memory.
Today’s malware has a unique way of hiding and likes to bend the rules that most computer programs follow. No matter what it is, there is always something special that makes a malicious program unique and sets it apart from a normal program.
As a Malware reverse engineer, it’s not only my job to discover what that special “thing” is, but to attempt to understand what the malicious program is really doing, and do my best to explain how and why.
The purpose of this article is to provide our readers with an understanding of how malware operates within memory. Since you need to know some basic memory terms before trying to understand how they relate to malware, we’re going to explain some concepts first.