by ndh2
2868 days ago
Hi Bruce. This is a fantastic article, but I needed to read it twice to understand everything. Very dense in information, and sometimes the order of things makes it hard to follow. Sometimes you tell us what you did (e.g. modified the virtual memory scanner) before telling us why (what CFG is, how it works), which was confusing.

> It turns out that reproducing the slow scanning from the sampling data was quite easy.

This was the first thing that went over my head. Going from one stack trace to reproducing it is quite the jump. Maybe add a sentence: "The interesting part of this trace is NtQueryVirtualMemory, which is used to scan process memory." Might be obvious to you, but for me that trace was "just a bunch of Windows stuff" at first.
The full investigation covered about two weeks and I was having trouble condensing the story into a single post. I appreciate having a particular problematic transition pointed out. Fixed.