Enter Sandbox part 23: Some new virtual memory & mapping APIs

January 6, 2019 in Batch Analysis, Sandboxing

Today I realized that the number of virtual memory and mapping APIs available to malware has grown in newer Windows versions/builds… See this link.

There used to be VirtualAlloc and VirtualAllocEx and perhaps VirtualAllocExNuma only, now there is also VirtualAlloc2, VirtualAlloc2FromApp, VirtualAllocFromApp.

There used to be VirtualProtect, VirtualProtectEx. Now there is additionally VirtualProtectFromApp.

There used to be MapViewOfFile, MapViewOfFileEx, MapViewOfFileExNuma, UnmapViewOfFile, UnmapViewOfFileEx. Now there is additionally MapViewOfFileFromApp, MapViewOfFile2 (it’s not exported in 17134 though?), MapViewOfFile3, MapViewOfFile3FromApp, MapViewOfFileNuma2, UnmapViewOfFile2.

Most of them still call the same underlying NT functions as their predecessors, but it’s sometimes handy to monitor the API calls on a kernel32.dll level. Even if just to detect newer malware families or their variants relying on these new features …
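One practical consequence for sandbox signatures keyed on the classic kernel32 names is that a sample calling VirtualAlloc2 or MapViewOfFile3 slips past an exact-name match. The added example below (not code from the original post) normalises the API names listed above to their legacy family so existing rules still fire and the newer variants a sample relied on are reported; the hook-log line format and the sample trace are constructed.

```python
import re
from collections import defaultdict
# kernel32-level virtual memory / mapping APIs as listed in the post, grouped by
# family; the key is the legacy name that older sandbox signatures key on.
API_FAMILIES = {
    "VirtualAlloc": {"VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma",
                     "VirtualAlloc2", "VirtualAlloc2FromApp", "VirtualAllocFromApp"},
    "VirtualProtect": {"VirtualProtect", "VirtualProtectEx", "VirtualProtectFromApp"},
    "MapViewOfFile": {"MapViewOfFile", "MapViewOfFileEx", "MapViewOfFileExNuma",
                      "MapViewOfFileFromApp", "MapViewOfFile2", "MapViewOfFile3",
                      "MapViewOfFile3FromApp", "MapViewOfFileNuma2"},
    "UnmapViewOfFile": {"UnmapViewOfFile", "UnmapViewOfFileEx", "UnmapViewOfFile2"},
}
# Names that existed before the newer builds; everything else above is a newer
# variant (the post notes MapViewOfFile2 is not exported in build 17134).
LEGACY = {"VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma", "VirtualProtect",
          "VirtualProtectEx", "MapViewOfFile", "MapViewOfFileEx", "MapViewOfFileExNuma",
          "UnmapViewOfFile", "UnmapViewOfFileEx"}
FAMILY_OF = {api: fam for fam, apis in API_FAMILIES.items() for api in apis}

# Hypothetical hook-log line format (constructed): "<pid> <module>!<api>(<args>)".
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<module>\w+)!(?P<api>\w+)\(")
def classify(api):
    """Return (family, is_newer) for an export name, or (None, False) if untracked."""
    fam = FAMILY_OF.get(api)
    return (fam, api not in LEGACY) if fam else (None, False)

def scan_trace(lines):
    """Per pid: hit count per legacy family plus the newer variants actually used."""
    report = defaultdict(lambda: {"families": defaultdict(int), "newer": set()})
    for line in lines:
        m = LINE_RE.match(line)
        fam, newer = classify(m["api"]) if m else (None, False)
        if fam is None:
            continue  # malformed line, or an API outside the tracked families
        entry = report[int(m["pid"])]
        entry["families"][fam] += 1
        if newer:
            entry["newer"].add(m["api"])
    return {pid: {"families": dict(v["families"]), "newer": sorted(v["newer"])}
            for pid, v in report.items()}

# Constructed sample trace, not real sandbox output.
SAMPLE_TRACE = [
    "1001 kernel32!VirtualAlloc2(...)",
    "1001 kernel32!VirtualProtectFromApp(...)",
    "1001 kernel32!CreateFileW(...)",       # untracked API, ignored
    "2002 kernel32!MapViewOfFile3(...)",
    "3003 kernel32!VirtualAlloc(...)",      # legacy name only
]
```

A rule written against the family key (for example "VirtualAlloc" followed by "VirtualProtect" in one pid) now matches whichever variant the sample actually imported.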
