{"id":5787,"date":"2019-01-06T02:12:52","date_gmt":"2019-01-06T02:12:52","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5787"},"modified":"2019-01-06T02:12:54","modified_gmt":"2019-01-06T02:12:54","slug":"enter-sandbox-part-23-some-new-virtual-memory-mapping-apis","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/01\/06\/enter-sandbox-part-23-some-new-virtual-memory-mapping-apis\/","title":{"rendered":"Enter Sandbox part 23: Some new virtual memory &#038; mapping APIs"},"content":{"rendered":"\n<p>Today I realized that a number of additional APIs related to virtual memory and mapping that can be used by malware has increased in newer Windows versions\/builds&#8230; See this <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/memoryapi\/\">link<\/a>.<\/p>\n\n\n\n<p>There used to be VirtualAlloc and VirtualAllocEx and perhaps VirtualAllocExNuma only, now there is also VirtualAlloc2, VirtualAlloc2FromApp, VirtualAllocFromApp.<\/p>\n\n\n\n<p>There used to be VirtualProtect, VirtualProtectEx. Now there is additionally VirtualProtectFromApp.<\/p>\n\n\n\n<p>There used to be MapViewOfFile, MapViewOfFileEx, MapViewOfFileExNuma, UnmapViewOfFile, UnmapViewOfFileEx . Now there is additionally MapViewOfFileFromApp, MapViewOfFile2 (it&#8217;s not exported in 17134 though?), MapViewOfFile3, MapViewOfFile3FromApp, MapViewOfFileNuma2, UnmapViewOfFile2. <\/p>\n\n\n\n<p>Most of them still call the underlying NT functions same as their predecessors, but it&#8217;s sometimes handy to monitor the API calls on a kernel32.dll level. Even if just to detect newer malware families or their variants relying on these new features &#8230;<\/p>\n\n\n\n<p><br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I realized that a number of additional APIs related to virtual memory and mapping that can be used by malware has increased in newer Windows versions\/builds&#8230; See this link. There used to be VirtualAlloc and VirtualAllocEx and perhaps VirtualAllocExNuma &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/01\/06\/enter-sandbox-part-23-some-new-virtual-memory-mapping-apis\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5787"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5787"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5787\/revisions"}],"predecessor-version":[{"id":5788,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5787\/revisions\/5788"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}