Malware Journey Day 6
I was trying to figure out how to trace VirtualAlloc. I realized this eventually leads to the call NtAllocateVirtualMemory. I decided to simulate this by creating a custom VirtualAlloc function and debugging it. My goal is to debug this function down to NtAllocateVirtualMemory, where I should find the 2nd parameter (Base Addr).
In x64dbg I set a breakpoint on VirtualAlloc. Normally I would set a breakpoint at IsDebuggerPresent to defeat the anti-debug check. In this case I don't have to, since I created the function. But in normal circumstances I would set EAX to 0, which would make IsDebuggerPresent report false.
Once the above function is about to return, in this scenario it would normally show 1; simply changing it to 0 is all that would be needed.
Anyway, as expected, I hit my first BP in x64dbg.
Stepping through the program, I find NtAllocateVirtualMemory.
The 2nd parameter is going to be my base address.
After going through this call I see the return value is 0.
This means STATUS_SUCCESS, according to Microsoft's documentation.