Common Windows Memory API (Malware)

Hi Guys,

I would like to share about the commond windows API that is imported by malware to execute its activities as below

Memory Operation

VirtualAlloc
Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

VirtualProtect
Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL VirtualProtect(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flNewProtect,
  PDWORD lpflOldProtect
);

VirtualFree
Releases, decommits, or releases and decommits a region of pages within the virtual address space of the calling process

BOOL VirtualFree(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  dwFreeType
);

During the static analyses of any malware, If we found the above API being called and imported then We must take precaution that the application will be able to load code into memory.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s