CoRIIN 2026 - Memory Fluctuation: An Advanced Evasion Technique

English only. 


Memory fluctuation is an in-memory evasion technique used by adversaries to evade the memory scanners deployed by defensive solutions such as antivirus, EPP and EDR products. The technique cyclically encrypts and decrypts the shellcode in place while toggling the protection of its pages between RW (or PAGE_NOACCESS) and RX. Scanners such as Moneta or pe-sieve key on private, unbacked memory that is executable or that contains recognisable code: while the shellcode sits encrypted in RW pages there is nothing executable to flag and no plaintext to match, and while it sits in PAGE_NOACCESS pages a read of the region simply fails, so the payload can be neither detected nor dumped for analysis.

The process typically involves hooking kernel32!Sleep to intercept the moment the payload goes dormant. The hook encrypts the shellcode, flips the memory protection to RW or PAGE_NOACCESS, and only then calls the original Sleep. On wake-up the shellcode is decrypted and RX protection is restored, so execution resumes while leaving a minimal window for memory scanners. Note that the hook stub and the encryption routine cannot live inside the encrypted region themselves: they must remain readable and executable throughout the sleep, which is one of the artifacts a scanner can look for.

For security professionals, understanding this technique is crucial for both offensive and defensive purposes. From a Blue Team perspective, recognizing the artifacts left by memory fluctuation can help improve detection capabilities. From a Red Team perspective, it demonstrates the importance of considering memory-based evasion in adversary simulation exercises.

The slides from our CoRIIN 2026 presentation are now available on this site. They cover a technical deep-dive into the technique on Windows, detection heuristics and the artifacts it leaves behind, our research extending it to Linux and macOS, and practical implementation examples. We have also released loaders and detection scripts on our GitHub repository for the community to explore and build upon.
