@zimnyaa
Last active August 9, 2023 13:40
A simple dynamic RWX allocation scanner. Used to find system libraries that allocate RWX regions on load.
import winim
import std/strutils, os
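proc lpwstrc(bytes: array[MAX_PATH, WCHAR]): string =
  ## Converts a fixed-size, NUL-terminated wide-character buffer into a Nim
  ## string.
  ##
  ## Conversion stops at the first NUL code unit, so anything left in the
  ## buffer after the terminator (for example the tail of an earlier, longer
  ## path) is not copied into the result. An all-zero buffer yields "".
  ##
  ## Each 16-bit code unit is narrowed to a single `char`. That is lossless
  ## only for ASCII; non-ASCII characters in a path come out garbled.
  result = newStringOfCap(bytes.len)
  for unit in bytes:
    if unit == 0:
      # End of the string; the rest of the buffer is padding or stale data.
      break
    result.add(cast[char](unit))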
# Base addresses of RWX regions that have already been reported. showrwx
# consults and extends this list so each region is printed only once across
# all scans.
var pages: seq[int] = @[]
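proc showrwx(trustedDll: string) =
  ## Walks the address space of the current process with VirtualQueryEx and
  ## prints every committed, private region whose allocation protection is
  ## PAGE_EXECUTE_READWRITE and whose base address is not yet in `pages`.
  ## Each reported base address is appended to `pages`.
  ##
  ## `trustedDll` is accepted for the caller's convenience but is not read
  ## here; the caller prints the DLL path before invoking this proc.
  ##
  ## The filter tests `AllocationProtect`, i.e. the protection requested when
  ## the region was first allocated, not the current `Protect` value.
  let process: HANDLE = GetCurrentProcess()
  var mbi: MEMORY_BASIC_INFORMATION
  var offset: LPVOID
  var module_base: LPVOID
  var module_name: array[MAX_PATH, WCHAR]
  while VirtualQueryEx(process, offset, addr(mbi), sizeof(mbi)) != 0:
    # Advance to the region that follows the one just described.
    offset = cast[LPVOID](cast[DWORD_PTR](mbi.BaseAddress) + mbi.RegionSize)
    if mbi.AllocationProtect != PAGE_EXECUTE_READWRITE or
        mbi.State != MEM_COMMIT or mbi.Type != MEM_PRIVATE:
      continue
    let base = cast[int](mbi.BaseAddress)
    if base in pages:
      continue
    # Start from a clean state so a failed lookup prints an empty name
    # instead of whatever the previous iteration left behind.
    zeroMem(&module_name[0], sizeof(module_name))
    module_base = nil
    # NOTE(review): a MEM_PRIVATE region is not part of a mapped image, so
    # RtlPcToFileHeader is expected to leave module_base nil here; with a nil
    # module GetModuleFileNameEx reports the process executable, not the DLL
    # that made the allocation. Attribute findings with the caller's
    # "with <dll>" line rather than with this name - confirm on a test run.
    RtlPcToFileHeader(mbi.BaseAddress, &module_base)
    # nSize is a count of characters, not bytes: passing sizeof() here would
    # claim twice the real capacity of a WCHAR buffer.
    GetModuleFileNameEx(process, cast[HMODULE](module_base), &module_name[0],
                        DWORD(module_name.len))
    echo " ! RWX: 0x", toHex(base), " ", lpwstrc(module_name), " | size: ", mbi.RegionSize
    pages.add(base)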
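# DLLs that the scan loop never loads.
# NOTE(review): the page does not say why these three are excluded;
# presumably loading them hangs or crashes the scanner - confirm before
# editing the list.
let blacklist = [
  "C:\\Windows\\System32\\edgeangle.dll",
  "C:\\Windows\\System32\\AppVTerminator.dll",
  "C:\\Windows\\System32\\YamahaAE2.dll",
]

# Load every DLL under System32 in turn, scan this process for newly
# allocated RWX regions, then unload it again.
#
# LoadLibraryA runs each library's initialisation code inside this process,
# so the scan changes the state of the machine it runs on; use a disposable
# analysis VM. The resulting list is a baseline of system libraries that
# create private RWX memory on load, which is the set a memory-protection
# detection has to account for when alerting on RWX regions.
for trustedDll in walkDirRec("C:\\Windows\\System32", yieldFilter = {pcFile}):
  # Match the extension without regard to case so ".DLL" files are covered.
  if not endsWith(toLowerAscii(trustedDll), ".dll"):
    continue
  echo "with ", trustedDll
  # Compare case-insensitively: Windows paths are, and the on-disk casing
  # need not match the literals above.
  var skip = false
  for entry in blacklist:
    if cmpIgnoreCase(entry, trustedDll) == 0:
      skip = true
      break
  if skip:
    echo "skipping..."
    continue
  let hanDll = LoadLibraryA(trustedDll)
  if hanDll == 0:
    # Nothing was mapped, so there is nothing to scan or to free.
    echo "load failed, skipping..."
    continue
  showrwx(trustedDll)
  FreeLibrary(hanDll)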