Common Windows Memory API (Malware)

Hi Guys,

I would like to share the common Windows APIs that malware imports to carry out its activities, as listed below.

Memory Operation

VirtualAlloc
Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero.

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

VirtualProtect
Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL VirtualProtect(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flNewProtect,
  PDWORD lpflOldProtect
);

VirtualFree
Releases, decommits, or releases and decommits a region of pages within the virtual address space of the calling process.

BOOL VirtualFree(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  dwFreeType
);

During the static analysis of any malware sample, if we find the above APIs imported and called, we must take into account that the application is able to load code into memory.
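As an added example (my code, not part of the original post), here is a small Python walker that performs that static check: it parses a PE32 file's import directory and reports which of the three APIs above the binary imports. The function names and the `MEMORY_APIS` watchlist are my own choices; `build_sample_pe` constructs a minimal, non-loadable PE header purely as offline test input, and PE32+ (64-bit) binaries are outside what this snippet handles.

```python
import struct
MEMORY_APIS = {"VirtualAlloc", "VirtualProtect", "VirtualFree"}  # the post's watchlist

def _rva_to_off(rva, sections):  # map an RVA to a file offset through the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies outside every section")
def _cstr(buf, off):  # NUL-terminated ASCII string starting at a file offset
    return buf[off:buf.index(b"\x00", off)].decode("ascii")

def parse_imports(pe):
    """Walk a PE32 (32-bit) import directory and return {dll: [imported names]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[:2] == b"MZ" and pe[e_lfanew:e_lfanew + 4] == b"PE\x00\x00", "not a PE file"
    opt = e_lfanew + 24  # optional header: after the 4-byte signature and 20-byte COFF header
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    assert struct.unpack_from("<H", pe, opt)[0] == 0x10B, "only PE32 is handled in this example"
    imp_rva = struct.unpack_from("<I", pe, opt + 0x68)[0]  # DataDirectory[1] = import table
    sections = [(va, max(vs, rs), raw) for vs, va, rs, raw in
                (struct.unpack_from("<8xIIII", pe, opt + opt_size + i * 40) for i in range(nsec))]
    imports, desc = {}, _rva_to_off(imp_rva, sections)
    while name_rva := struct.unpack_from("<I", pe, desc + 12)[0]:  # zero Name ends the table
        oft, ft = struct.unpack_from("<I12xI", pe, desc)  # IMAGE_IMPORT_DESCRIPTOR thunk RVAs
        names, thunk = [], _rva_to_off(oft or ft, sections)
        while entry := struct.unpack_from("<I", pe, thunk)[0]:
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000  # import by ordinal
                         else _cstr(pe, _rva_to_off(entry, sections) + 2))  # or by hint/name
            thunk += 4
        imports[_cstr(pe, _rva_to_off(name_rva, sections))] = names
        desc += 20
    return imports
def memory_api_hits(pe):  # watchlist APIs the file imports; any hit means it can stage code in memory
    return sorted({n for fns in parse_imports(pe).values() for n in fns} & MEMORY_APIS)

def build_sample_pe(funcs=("VirtualAlloc", "VirtualProtect", "ExitProcess")):
    """Constructed, non-loadable PE32 with one .idata section importing from KERNEL32 (test input)."""
    rva, raw, ilt, hints = 0x1000, 0x200, b"", b""
    for f in funcs:  # hint/name entries follow the two descriptors and the ILT
        ilt += struct.pack("<I", rva + 40 + 4 * (len(funcs) + 2) + len(hints))
        hints += b"\x00\x00" + f.encode() + b"\x00"
    ilt += struct.pack("<II", 0x80000000 | 7, 0)  # one import by ordinal, then the terminator
    body = struct.pack("<I8xII", rva + 40, rva + 40 + len(ilt) + len(hints), rva + 40)
    body += bytes(20) + ilt + hints + b"KERNEL32.dll\x00"
    opt = struct.pack("<H", 0x10B) + bytes(0x66) + struct.pack("<II", rva, 40) + bytes(112)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\x00\x00"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt + b".idata\x00\x00"
    hdr += struct.pack("<IIIIIIHHI", len(body), rva, len(body), raw, 0, 0, 0, 0, 0x40000040)
    return hdr + bytes(raw - len(hdr)) + body
```

A hit is a triage signal, not a verdict: plenty of legitimate software imports these APIs, so the result should feed further analysis rather than a block decision.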
