
Wrong specifications [reloaded]

01 Jun 2011

I can confirm that we at the Virus Lab “love” product specifications and documentation. My recent experience shows a discrepancy between MSDN and the real behavior of VirtualAlloc.

I’m currently revising and tweaking the memory management inside one of the emulators used in the avast! antivirus engine. The goal of this effort is to bring the emulated environment closer to the real one, so I decided to make the memory management conform precisely to MSDN. But after doing that, suddenly about a sixth of my test set (around 400 malware families in total) refused to emulate as deep as usual. The problem was in the VirtualAlloc emulation:

[Screenshot: MSDN documentation of VirtualAlloc]

Let me use a well known worm – Allaple – as an example, and let me be a bit sarcastic :-) . The picture above states that a region of memory must be reserved before it can be committed. But Allaple directly commits memory that has never been reserved. Hmmm, would Allaple have been a successful ITW (in-the-wild) worm if this method didn’t work? I don’t think so. And we can give it a try.

[Screenshots: Allaple’s VirtualAlloc call in the debugger, shown step by step]

Here we go. The function call that is supposed to fail actually does not: it returns a valid pointer to allocated memory. The testing system is Win XP, but I gave it a shot under Win7 x64 SP1 as well, and guess what – it works there too:

[Screenshot: the same call under Win7 x64 SP1 – just call this "proof of concept" :-)]

Thanks again for such precise documentation. But now what are we to rely on? This is such a “sad” experience :D.
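For readers who have to model this inside their own sandbox or emulator, here is an added example that is not part of the original post and not the avast! engine’s code: a small, hypothetical model of VirtualAlloc’s reserve/commit state machine for a 32-bit guest. It encodes what the screenshots above actually show, namely that MEM_COMMIT with a NULL base address is treated by the kernel as an implicit MEM_RESERVE | MEM_COMMIT, which is why Allaple’s call succeeds. The MSDN sentence is only true for the other case, an explicit lpAddress inside a range nobody reserved, which fails with ERROR_INVALID_ADDRESS (487); the model reproduces that too, together with the documented rounding (reservations to the 64 KB allocation granularity, commits to a 4 KB page). The guest layout (a 16 MB range at 0x00400000) and all emu_* names are assumptions made for the example. On Windows the program also runs the real VirtualAlloc for side-by-side comparison.

```c
/* Hypothetical emulator model of VirtualAlloc (not avast! code). Assumed guest
 * layout: 16 MB at 0x00400000 in 4 KB pages, new regions on 64 KB boundaries. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* real API, only for the side-by-side comparison in main() */
#endif

#ifndef MEM_COMMIT
#define MEM_COMMIT  0x1000u
#define MEM_RESERVE 0x2000u
#define ERROR_NOT_ENOUGH_MEMORY   8u
#define ERROR_INVALID_PARAMETER  87u
#define ERROR_INVALID_ADDRESS   487u
#endif

#define EMU_BASE        0x00400000u
#define EMU_PAGE        0x1000u
#define EMU_GRANULARITY 0x10000u
#define EMU_PAGES       4096u        /* 16 MB of modelled guest address space */

enum { STATE_FREE = 0, STATE_RESERVED = 1, STATE_COMMITTED = 2 };
static unsigned char g_pages[EMU_PAGES];
static uint32_t g_last_error;

void emu_reset(void) { memset(g_pages, STATE_FREE, sizeof g_pages); g_last_error = 0; }
uint32_t emu_GetLastError(void) { return g_last_error; }

/* State of the page containing addr, or -1 when addr is outside the modelled range. */
int emu_page_state(uint32_t addr)
{
    if (addr < EMU_BASE || (addr - EMU_BASE) / EMU_PAGE >= EMU_PAGES) return -1;
    return g_pages[(addr - EMU_BASE) / EMU_PAGE];
}

uint32_t emu_VirtualAlloc(uint32_t addr, uint32_t size, uint32_t type)
{
    int commit = (type & MEM_COMMIT) != 0, reserve = (type & MEM_RESERVE) != 0;
    uint32_t first, count, i, start, end, align;

    if (size == 0 || !(commit || reserve) || (type & ~(MEM_COMMIT | MEM_RESERVE))) {
        g_last_error = ERROR_INVALID_PARAMETER;
        return 0;
    }
    if (addr == 0) {
        /* Observed kernel behaviour: with no base address, MEM_COMMIT alone acts as
         * MEM_RESERVE | MEM_COMMIT. The region goes to the first 64 KB-aligned free run. */
        count = (size + EMU_PAGE - 1) / EMU_PAGE;
        for (first = 0; first + count <= EMU_PAGES; first += EMU_GRANULARITY / EMU_PAGE) {
            for (i = 0; i < count && g_pages[first + i] == STATE_FREE; i++)
                ;
            if (i == count) {
                memset(&g_pages[first], commit ? STATE_COMMITTED : STATE_RESERVED, count);
                return EMU_BASE + first * EMU_PAGE;
            }
        }
        g_last_error = ERROR_NOT_ENOUGH_MEMORY;
        return 0;
    }
    /* Explicit base: a reservation rounds down to the allocation granularity, a commit
     * to a page; the end rounds up to a page. */
    align = reserve ? EMU_GRANULARITY : EMU_PAGE;
    start = addr / align * align;
    end = (addr + size + EMU_PAGE - 1) / EMU_PAGE * EMU_PAGE;
    if (addr + size < addr || start < EMU_BASE || end > EMU_BASE + EMU_PAGES * EMU_PAGE) {
        g_last_error = ERROR_INVALID_ADDRESS;
        return 0;
    }
    first = (start - EMU_BASE) / EMU_PAGE;
    count = (end - start) / EMU_PAGE;
    for (i = 0; i < count; i++) {
        /* Reserving needs every page free; committing at an explicit address needs every
         * page already reserved or committed. This is the documented 487 case. */
        int free_page = g_pages[first + i] == STATE_FREE;
        if (reserve ? !free_page : free_page) {
            g_last_error = ERROR_INVALID_ADDRESS;
            return 0;
        }
    }
    memset(&g_pages[first], commit ? STATE_COMMITTED : STATE_RESERVED, count);
    return start;
}

int main(void)
{
    uint32_t p;
    emu_reset();
    p = emu_VirtualAlloc(0, 0x5000, MEM_COMMIT);           /* Allaple-style call */
    printf("model: MEM_COMMIT, NULL base       -> %#lx (error %lu)\n",
           (unsigned long)p, (unsigned long)emu_GetLastError());
    p = emu_VirtualAlloc(0x00800000, 0x1000, MEM_COMMIT);  /* the case MSDN describes */
    printf("model: MEM_COMMIT, unreserved base -> %#lx (error %lu)\n",
           (unsigned long)p, (unsigned long)emu_GetLastError());
#ifdef _WIN32
    {
        void *q = VirtualAlloc(NULL, 0x5000, MEM_COMMIT, PAGE_READWRITE);
        printf("real : MEM_COMMIT, NULL base       -> %p (error %lu)\n",
               q, q ? 0ul : (unsigned long)GetLastError());
        if (q) VirtualFree(q, 0, MEM_RELEASE);
    }
#endif
    return 0;
}
```

The emulator lesson is the one the post draws: the model has to match what the kernel does, not what the documentation says, or every sample that allocates its unpacking buffer this way stops emulating at its first VirtualAlloc.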
