Malware Journey Day 7

Nick Mckenney
Dec 15, 2023


When looking at memory allocation, the overall goal is to find the base address that gets returned, because the allocated memory resides where that base address points. Memory can be allocated with WinAPI functions such as HeapAlloc(), but first I want to go back into VirtualAlloc and finding the base address.

Running the sample to a breakpoint at main shows the beginning of my VirtualAlloc call.

So let's try to watch the memory being allocated.

First, from the symbols view, I go to the ntdll library and set a breakpoint on NtAllocateVirtualMemory. I want to look at the 2nd argument, since that is the pointer through which the base address is written back.

In the screenshot below, I have dumped the memory pointed to by the 2nd parameter of the NtAllocateVirtualMemory syscall. The function itself has not finished yet, so the field still reads all 0's; once it returns, that field will change to the address of the allocated memory.

0000017045D10000 is my base address

Looking at the memory map also confirms that this is the base address returned by NtAllocateVirtualMemory.
