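# --- Make one page RWX through mprotect, then run the payload (Linux x64, GDB) ---
# Register setup for the syscall:
#   rax = 10 -> sys_mprotect
#   rdi = address (MUST be page-aligned)
#   rsi = size (usually 0x1000 = 1 page)
#   rdx = protection flags (7 = PROT_READ | PROT_WRITE | PROT_EXEC)
# Comments are kept on their own lines: GDB hands a trailing "# ..." to the
# command as part of its argument instead of ignoring it.

# TARGET REGION (ensure it's page-aligned, e.g. ends with 000).
# Held in one convenience variable so mprotect and jump cannot disagree.
set $target = 0x402000

# --- Save everything the injected syscall overwrites ---
# Three code bytes at RIP are patched below; the kernel clobbers rcx and r11
# on `syscall`, and rax receives the return value.
set $saved_rip = $rip
set $saved_b0 = {unsigned char}($rip)
set $saved_b1 = {unsigned char}($rip+1)
set $saved_b2 = {unsigned char}($rip+2)
set $saved_rax = $rax
set $saved_rdi = $rdi
set $saved_rsi = $rsi
set $saved_rdx = $rdx
set $saved_rcx = $rcx
set $saved_r11 = $r11

# --- Setup mprotect arguments ---
set $rax = 10
set $rdi = $target
# Size to change (1 memory page)
set $rsi = 0x1000
# PROT_READ | PROT_WRITE | PROT_EXEC
set $rdx = 7

# --- Inject raw syscall instruction at current RIP ---
# 0x0f 0x05 -> syscall
# 0xcc      -> int3 (trap to regain control right after the syscall)
set {unsigned char}($rip) = 0x0f
set {unsigned char}($rip+1) = 0x05
set {unsigned char}($rip+2) = 0xcc

# --- Execute syscall ---
# Runs the patched instruction; the int3 stops the process again.
# NOTE: `continue` resumes every thread of the debuggee; in a multi-threaded
# sample consider `set scheduler-locking on` first so only this thread runs.
continue

# --- Capture the result before restoring state ---
# 0 = success, otherwise a negative errno value.
set $mp_ret = $rax

# --- Undo the patch so the original code and registers are intact ---
set {unsigned char}($saved_rip) = $saved_b0
set {unsigned char}($saved_rip+1) = $saved_b1
set {unsigned char}($saved_rip+2) = $saved_b2
set $rax = $saved_rax
set $rdi = $saved_rdi
set $rsi = $saved_rsi
set $rdx = $saved_rdx
set $rcx = $saved_rcx
set $r11 = $saved_r11
set $rip = $saved_rip

# --- Verify result ---
# vmmap should now show 'rwx' for the region.
# vmmap is provided by pwndbg/GEF; on stock GDB use `info proc mappings`.
vmmap

# --- Transfer execution to shellcode (only if mprotect succeeded) ---
# `jump` resumes the process at $target and lets it run; set any breakpoints
# or catchpoints needed for the analysis before this point.
if $mp_ret == 0
  jump *$target
else
  printf "mprotect failed, rax = %ld (negative errno); payload not started\n", $mp_ret
end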
BLUE TEAM / MALWARE REVERSE / LINUX