Enter Sandbox part 23: Some new virtual memory & mapping APIs

Today I realized that the number of APIs related to virtual memory and mapping that can be used by malware has increased in newer Windows versions/builds… See this link.

There used to be only VirtualAlloc and VirtualAllocEx (and perhaps VirtualAllocExNuma); now there are also VirtualAlloc2, VirtualAlloc2FromApp and VirtualAllocFromApp.

There used to be VirtualProtect, VirtualProtectEx. Now there is additionally VirtualProtectFromApp.

There used to be MapViewOfFile, MapViewOfFileEx, MapViewOfFileExNuma, UnmapViewOfFile and UnmapViewOfFileEx. Now there are additionally MapViewOfFileFromApp, MapViewOfFile2 (not exported from kernel32.dll in 17134; in the SDK headers it is an inline wrapper that calls MapViewOfFileNuma2, so you will never see it by that name at runtime), MapViewOfFile3, MapViewOfFile3FromApp, MapViewOfFileNuma2 and UnmapViewOfFile2.

The *FromApp variants are thin wrappers that end up in the same NT functions as their predecessors, but the *2/*3 variants (VirtualAlloc2, MapViewOfFile3, MapViewOfFileNuma2) go through the newer extended syscalls NtAllocateVirtualMemoryEx and NtMapViewOfSectionEx, so a monitor that only hooks the classic NtAllocateVirtualMemory/NtMapViewOfSection will miss them entirely. Either way, it is handy to monitor these calls at the kernel32.dll level as well, even if just to detect newer malware families or variants that rely on the new functions…
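As an added check (not part of the original post), the script below asks the running build which of the names listed above actually resolve, and from which module. It is useful before you hook anything: a name that does not resolve on your target build cannot be monitored there, and a name that resolves only from kernelbase.dll tells you where the real code lives. The module list and the API list are the only inputs; both are assumptions you can extend.

```powershell
# Added example: probe which virtual-memory / mapping APIs this build exports.
# Not from the original post. Assumes kernel32.dll and kernelbase.dll are the
# modules of interest; extend $apis/$modules as needed.

$code = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryW(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string name);
}
'@
Add-Type -TypeDefinition $code

$apis = @(
    'VirtualAlloc', 'VirtualAllocEx', 'VirtualAllocExNuma',
    'VirtualAlloc2', 'VirtualAlloc2FromApp', 'VirtualAllocFromApp',
    'VirtualProtect', 'VirtualProtectEx', 'VirtualProtectFromApp',
    'MapViewOfFile', 'MapViewOfFileEx', 'MapViewOfFileExNuma', 'MapViewOfFileFromApp',
    'MapViewOfFile2', 'MapViewOfFile3', 'MapViewOfFile3FromApp', 'MapViewOfFileNuma2',
    'UnmapViewOfFile', 'UnmapViewOfFileEx', 'UnmapViewOfFile2'
)
$modules = 'kernel32.dll', 'kernelbase.dll'

# Load (or just bump the refcount of) each module once.
$handles = @{}
foreach ($m in $modules) {
    $handles[$m] = [Native]::LoadLibraryW($m)
    if ($handles[$m] -eq [IntPtr]::Zero) { throw "LoadLibrary($m) failed" }
}

# Build number straight from the registry, independent of the host's manifest.
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

$results = foreach ($api in $apis) {
    $row = [ordered]@{ Api = $api }
    foreach ($m in $modules) {
        # GetProcAddress follows export forwarders, so "present in kernel32"
        # means resolvable through kernel32, not necessarily implemented there.
        $addr = [Native]::GetProcAddress($handles[$m], $api)
        $row[$m] = ($addr -ne [IntPtr]::Zero)
    }
    [pscustomobject]$row
}

"Windows build $build"
$results | Format-Table -AutoSize

# Names that resolve nowhere: either an inline SDK wrapper (e.g. MapViewOfFile2)
# or an API that simply does not exist on this build.
$results |
    Where-Object { -not $_.'kernel32.dll' -and -not $_.'kernelbase.dll' } |
    ForEach-Object { "$($_.Api): not exported on build $build" }
```

Run it on each build you intend to monitor; the set of resolvable names differs between 1703, 1803 and later releases, and an API-monitor rule written against a name that is absent on the target produces nothing rather than an error.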


Beyond good ol’ Run key, Part 100

It’s actually 99th, because I forgot one part on the way 🙂

This is one more persistence method based on a built-in set of features. This time the culprit is the Policy Manager.

Browsing through the PolicyManager key located here:

  • HKLM\Software\Microsoft\PolicyManager\

we can spot many interesting entries, often several levels deep.

Some of these keys carry values that are of interest to us:

  • PreCheckDLLPath
  • transportDllPath

Not all keys have them, i.e. they are optional. When present, they point to additional helper libraries that the Policy Manager component (policymanager.dll) loads when that DLL itself is in use. Since the key lives under HKLM, planting or changing such a value needs administrative rights, which makes this a persistence mechanism rather than an escalation, and it also means any value present there that points outside the expected system locations deserves a closer look.
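As an added check (not part of the original post), the script below walks the PolicyManager key, collects every PreCheckDLLPath and transportDllPath value, and flags the ones that point to a file that does not exist, lies outside %SystemRoot%\System32, or is not signed. The "expected location is System32" rule and the handling of relative values (resolved against System32) are assumptions for the sake of the check, not something the post or Microsoft documents; adjust them to your baseline.

```powershell
# Added example: hunt for DLL-path values under the PolicyManager key.
# Not from the original post. Assumptions: the two value names below are the
# ones of interest; a value is expected to resolve to a signed file under
# %SystemRoot%\System32; a relative value is resolved against System32.

$root       = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
$valueNames = 'PreCheckDLLPath', 'transportDllPath'
$system32   = Join-Path $env:SystemRoot 'System32'

# Root key plus every subkey, however deep.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    foreach ($name in $valueNames) {
        $raw = $key.GetValue($name, $null)          # $null when the value is absent
        if ($null -eq $raw) { continue }

        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $resolved = if ([IO.Path]::IsPathRooted($expanded)) { $expanded }
                    else { Join-Path $system32 $expanded }   # assumption, see lead-in

        $exists = Test-Path -LiteralPath $resolved -PathType Leaf
        $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status } else { 'n/a' }
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash } else { 'n/a' }

        [pscustomobject]@{
            Key        = $key.Name
            ValueName  = $name
            Value      = $raw
            Resolved   = $resolved
            Exists     = $exists
            InSystem32 = $resolved.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            Signature  = $sig
            SHA256     = $hash
        }
    }
}

"All DLL-path values under $root"
$findings | Format-Table Key, ValueName, Value, Exists, InSystem32, Signature -AutoSize

"Suspicious entries (missing file, outside System32, or not validly signed)"
$findings |
    Where-Object { -not $_.Exists -or -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Format-List
```

A missing target file is itself worth noting: the loader will look for it at that path, so a defender can pre-create (and lock down) the location, while an attacker with admin rights only needs to drop the file there. Store the first run's output as a baseline and diff against it; the values rarely change on a healthy system.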

I couldn’t come up with a quick & dirty way to load the test DLL, so I cheated by starting procmon, setting up the filters, and letting it run for some time. After a while I caught the first process accessing these entries:

Harvesting may be easier on a domain-joined system, where policy deployment and access happen more frequently.