Memory violation types
The following table gives, for each violation type, its description, the operating systems to which it applies, and the violation type number returned by the User API.
# | Violation Type | Description | Applies To |
---|---|---|---|
1 | Stack pivot | The stack for a thread has been replaced with a different stack. Generally the system will only allocate a single stack for a thread. An attacker would use a different stack to control execution in a way that is not blocked by data execution prevention (DEP). | Windows macOS Linux |
2 | Stack protect | The memory protection of a thread's stack has been modified to enable execution permissions. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by data execution prevention (DEP). | Windows macOS Linux |
3 | Overwrite code | Code residing in a process's memory has been modified using a technique that may indicate an attempt to bypass data execution prevention (DEP). | Windows |
4 | Remote allocation of memory | A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. | macOS |
5 | Remote mapping of memory | A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence. | macOS |
6 | Remote write to memory | A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation) but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose. | Windows macOS |
7 | Remote write PE to memory | A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence. | Windows |
8 | Remote overwrite code | A process has modified executable memory in another process. Under normal conditions executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process. | Windows |
9 | Remote unmap of memory | A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution. | Windows |
10 | Remote thread creation | A process has created a new thread in another process. A process's threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process. | Windows macOS |
11 | Remote APC scheduled | A process has diverted the execution of another process's thread. This is generally used by an attacker to activate a malicious presence that has been injected into another process. | Windows |
12 | LSASS read | Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords. | Windows |
13 | RAM scraping | A process is trying to read valid magnetic stripe track data from another process. Typically related to point-of-sale (POS) systems. | Windows |
22 | Zero allocate | A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to set up privilege escalation by taking advantage of a known null-dereference exploit, typically in the kernel. | Windows macOS |
23 | DYLD injection | An environment variable has been set that will cause a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari, or replace applications with bash scripts, so that their modules are loaded automatically when the application starts. | macOS Linux |
24 | Malicious payload | A generic shellcode and payload detection associated with exploitation has been detected. | Windows |
25 | Dangerous VBA macro | A dangerous action by an Office Visual Basic for Applications (VBA) macro. This includes starting a shell, deleting files, calling certain COM objects, and referencing functions from external libraries. | Windows |
26 | Doppelganger | A process using a portable executable (PE) file that exists in an unfinalized state so the file can be manipulated to look like a different PE. | Windows |
27 | Memory permission changes in other processes | A process modifying memory permissions in another process that it did not create (not a child process). | Windows |
28 | Memory permission changes in child processes | A process modifying memory permissions in another process that it created (a child process). | Windows |
30 | System call monitoring | An attempt to set up the monitoring of system calls done by another process. | Windows |
31 | Direct system calls | An attempt to use undocumented and unstable system calls directly without going through the documented system interfaces. | Windows |
32 | System DLL overwrite | An overwrite of the system library (ntdll). | Windows |
34 | Stolen system token | A privilege escalation by stealing an authentication token of a system process with the highest privileges. | Windows |
35 | Dangerous environment variable | A process is reading an environment variable that has high abuse potential and may have been set by an attacker. | Windows |
36 | Low integrity process start | An executable file that is dropped and subsequently loaded by a low integrity process in a temp directory. | Windows |
37 | Dangerous COM object | A potentially dangerous COM object is being created. | Windows |
38 | Injection via APC | A process is using an Asynchronous Procedure Call (APC) or remote thread creation to call LoadLibrary or a similar function in order to inject arbitrary code into a target process. | Windows |
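Three of the conditions in the table (rows 2, 22 and 23) can be checked from a process's memory map and environment without any vendor tooling. The Python below is an added example, not code from the original page or from the product it documents: it parses the Linux /proc/<pid>/maps format and flags an executable stack mapping ("Stack protect"), a mapping at the null page ("Zero allocate") and a library-injection environment variable ("DYLD injection"). The variable names LD_PRELOAD, LD_AUDIT and DYLD_INSERT_LIBRARIES are my assumption of what the "DYLD injection" row refers to, since the page does not name them, and the sample maps text is constructed.

```python
"""Audit a process's memory map and environment for three violation types
from the table: 2 (Stack protect), 22 (Zero allocate), 23 (DYLD injection).

Added example; the maps format is Linux /proc/<pid>/maps. The environment
variable list is an assumption, not something the page states."""
import os
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumed (not from the page): loader variables that inject a shared library
# into every process they reach.
INJECTION_ENV_VARS = {
    "LD_PRELOAD",             # glibc dynamic loader (Linux)
    "LD_AUDIT",               # glibc auditing hook, also loads a library
    "DYLD_INSERT_LIBRARIES",  # dyld (macOS)
}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps text; raises ValueError on a malformed line."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def find_violations(mappings: list[Mapping], environ: dict) -> list[tuple[int, str]]:
    """Return (violation type number, detail) pairs, numbered as in the table."""
    hits = []
    for m in mappings:
        # Row 2: the stack should never carry execute permission.
        if m.path == "[stack]" and "x" in m.perms:
            hits.append((2, f"stack {m.start:#x}-{m.end:#x} is executable ({m.perms})"))
        # Row 22: a mapping that starts at address zero is the null page.
        if m.start == 0:
            hits.append((22, f"null page mapped at {m.start:#x}-{m.end:#x} ({m.perms})"))
    # Row 23: an injection variable present with a non-empty value.
    for var in sorted(INJECTION_ENV_VARS):
        if environ.get(var):
            hits.append((23, f"{var} is set to {environ[var]!r}"))
    return hits


# Constructed sample input: a clean process and one showing all three conditions.
CLEAN_MAPS = """\
55d0c8a00000-55d0c8a01000 r--p 00000000 08:01 1234 /usr/bin/example
55d0c8a01000-55d0c8a02000 r-xp 00001000 08:01 1234 /usr/bin/example
7ffc1d2e0000-7ffc1d301000 rw-p 00000000 00:00 0    [stack]
"""

SUSPECT_MAPS = """\
00000000-00001000 rw-p 00000000 00:00 0
55d0c8a00000-55d0c8a01000 r--p 00000000 08:01 1234 /usr/bin/example
7ffc1d2e0000-7ffc1d301000 rwxp 00000000 00:00 0    [stack]
"""


def audit_self() -> list[tuple[int, str]]:
    """Run the same checks on the current process (Linux only)."""
    with open("/proc/self/maps") as f:
        return find_violations(parse_maps(f.read()), dict(os.environ))


if __name__ == "__main__":
    for label, text, env in (("clean", CLEAN_MAPS, {}),
                             ("suspect", SUSPECT_MAPS, {"LD_PRELOAD": "/tmp/x.so"})):
        print(label, find_violations(parse_maps(text), env))
    if os.path.exists("/proc/self/maps"):
        print("self", audit_self())
```

The checks are deliberately narrow: a stack that is executable, a mapping at address zero, or a loader variable set in the environment each correspond to exactly one row of the table, so a hit can be reported with that row's number and then correlated with the User API's own event for the same process.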