Common Windows Memory API (Malware)

Hi Guys,

I would like to share the common Windows APIs that malware imports in order to carry out its activities, as listed below.

Memory Operation

VirtualAlloc
Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero.

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

VirtualProtect
Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL VirtualProtect(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flNewProtect,
  PDWORD lpflOldProtect
);

VirtualFree
Releases, decommits, or releases and decommits a region of pages within the virtual address space of the calling process.

BOOL VirtualFree(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  dwFreeType
);

During static analysis of a sample, if we find the above APIs imported and called, we must keep in mind that the application is able to load code into memory at run time.
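The run-time side of the same signal, as an added example that is not part of the original post: a small Python checker that reads API-trace lines (a constructed line format assumed here, as a hook or sandbox log might emit) and reports regions that end up writable and executable, either allocated with PAGE_EXECUTE_READWRITE outright or allocated non-executable and later changed with VirtualProtect, while dropping regions released by VirtualFree so a stale address does not produce a false hit.

```python
import re

# Memory-protection constants from winnt.h; any bit in EXEC_MASK means executable
PAGE_EXECUTE_READWRITE, MEM_RELEASE = 0x40, 0x8000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# Assumed (constructed) trace format: "<pid> <api>(<hex args, comma separated>) = <ret>"
LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>[^)]*)\) = (?P<ret>\S+)$")

def find_code_loading(lines):
    """Return [(reason, pid, base, size)] for regions that become writable+executable:
    allocated RWX outright, or allocated non-executable and later made executable."""
    allocs = {}  # (pid, base) -> [size, current_protect]
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an API call line
        pid, api, ret = m["pid"], m["api"], m["ret"]
        args = [int(a, 16) for a in m["args"].split(",") if a.strip()]
        if api == "VirtualAlloc" and ret != "NULL":
            # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) -> base address
            base, size, protect = int(ret, 16), args[1], args[3]
            allocs[(pid, base)] = [size, protect]
            if protect == PAGE_EXECUTE_READWRITE:
                findings.append(("rwx_alloc", pid, base, size))
        elif api == "VirtualProtect" and ret == "TRUE":
            # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
            addr, new_protect = args[0], args[2]
            for (p, base), rec in allocs.items():
                if p == pid and base <= addr < base + rec[0]:
                    if not rec[1] & EXEC_MASK and new_protect & EXEC_MASK:
                        findings.append(("rw_to_rx", pid, base, rec[0]))
                    rec[1] = new_protect  # track the region's current protection
                    break
        elif api == "VirtualFree" and args[2] == MEM_RELEASE:
            # VirtualFree(lpAddress, dwSize, dwFreeType): MEM_RELEASE drops the region
            allocs.pop((pid, args[0]), None)
    return findings

# Constructed sample trace (not real telemetry): pid 1234 allocates RW then flips to RX,
# frees a second region before touching it; pid 5678 allocates RWX outright, then fails once.
SAMPLE_TRACE = """\
1234 VirtualAlloc(0x0, 0x1000, 0x3000, 0x4) = 0x1a0000
1234 VirtualProtect(0x1a0000, 0x1000, 0x20, 0x7ffde0) = TRUE
1234 VirtualAlloc(0x0, 0x2000, 0x3000, 0x4) = 0x2b0000
1234 VirtualFree(0x2b0000, 0x0, 0x8000) = TRUE
1234 VirtualProtect(0x2b0000, 0x2000, 0x40, 0x7ffde0) = TRUE
5678 VirtualAlloc(0x0, 0x3000, 0x3000, 0x40) = 0x3c0000
5678 VirtualAlloc(0x0, 0x1000, 0x3000, 0x4) = NULL
""".splitlines()
```

On the sample the checker reports one rw_to_rx region for pid 1234 and one rwx_alloc region for pid 5678; the VirtualProtect on the region already released with MEM_RELEASE and the failed (NULL) allocation produce nothing.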
