Malware Journey Day 8

Nick Mckenney
2 min read · Dec 16, 2023


Another very brief update. At the beginning of my day I was working more with filling memory and analyzing it in a debugger. I wanted to work with RtlFillMemory.

The Microsoft docs were rather disappointing and didn't give much detail on this function. Anyway, time to put it in the debugger.

    #include <windows.h>

    int main(void)
    {
        // Commit 50 bytes of read/write memory at an address the OS chooses
        PVOID pMemory = VirtualAlloc(NULL, 50, MEM_COMMIT, PAGE_READWRITE);
        if (pMemory == NULL)
            return 1;

        // Fill all 50 bytes with 0x41 ('A')
        RtlFillMemory(pMemory, 50, 0x41);

        // Release the whole region; the address must not be used after this
        VirtualFree(pMemory, 0, MEM_RELEASE);
        return 0;
    }

Above is a very simple sample to get started with my understanding. In the previous posts I went over VirtualAlloc briefly. In short, I am allocating memory at an address of the OS's choosing.

At the very beginning of my program, no memory has been allocated yet for my 50 A's. To see a change in the dump I need to get to VirtualAlloc.

Stepping into VirtualAlloc and running to the end of the function is the first step I will take.

Now that I am at the end of VirtualAlloc, I will follow the RAX register (which holds the returned pointer) in Dump 1. The bytes there show as all 0's, since freshly committed memory is zero-initialized.

Next I reach memset (RtlFillMemory is a macro over memset in the user-mode headers), which takes the destination pointer in RCX and writes all my A's.

Finally, to avoid leaving the buffer, and any vulnerabilities that come with it, lying around, I call VirtualFree, and the data in the dump goes back to 0's.
