Threat Research

Wrong specifications [reloaded]

Michal Krejdl, 1 June 2011

I can confirm that we at the Virus Lab "love" product specifications and documentation. My recent experience shows a discrepancy between MSDN and the real behavior of VirtualAlloc.

I'm currently revising and tweaking the memory management inside one of the emulators used in the avast! antivirus engine. The goal is to bring this emulated environment closer to the real-world environment, so I decided to make the memory management conform precisely to MSDN. But after doing that, suddenly about a sixth of my test set (around 400 malware families in total) refused to emulate as deeply as usual. The problem was in the VirtualAlloc emulation:

Let me use a well-known worm, Allaple, as an example, and let me be a bit sarcastic :-). The MSDN text pictured above states that a region of memory must be reserved before it can be committed. But Allaple directly commits memory that has never been reserved. Hmm, would Allaple have been a successful in-the-wild (ITW) worm if this method did not work? I don't think so. So let's give it a try.

Here we go. The function call that is supposed to fail actually does not: it returns a valid pointer to the allocated memory. The test system is Windows XP, but I also gave it a shot under Windows 7 x64 SP1 and, guess what, it works there as well:
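
To make the discrepancy concrete, here is a page-state model of an emulated VirtualAlloc that can be switched between the rule MSDN states and the behaviour observed above. It is an added example, not the avast emulator's code; MEM_COMMIT and MEM_RESERVE are the winnt.h values, while the 32-bit layout, page-granular placement for a NULL address (real Windows aligns reservations to 64 KiB) and the Allaple-style address and size are assumptions.

```python
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000   # allocation types from winnt.h
PAGE_SIZE = 0x1000

class EmuMemory:
    """One emulated address space: page number -> 'reserved' | 'committed'."""
    def __init__(self, strict_msdn):
        self.strict = strict_msdn   # True: reject MEM_COMMIT of never-reserved pages
        self.pages = {}             # pages absent from the dict are free

    def _span(self, addr, size):
        return list(range(addr // PAGE_SIZE, (addr + size - 1) // PAGE_SIZE + 1))

    def _find_free(self, size):
        # lpAddress == NULL: first free run below 2 GiB (assumed 32-bit layout, page-granular)
        n = (size + PAGE_SIZE - 1) // PAGE_SIZE
        for p in range(0x10, 0x7FFF0 - n):
            if all(q not in self.pages for q in range(p, p + n)):
                return p * PAGE_SIZE
        return 0

    def virtual_alloc(self, addr, size, alloc_type):
        """Return the region base, or 0 (NULL) on failure, like the real API."""
        if size == 0 or not alloc_type & (MEM_COMMIT | MEM_RESERVE):
            return 0
        if addr == 0:
            addr = self._find_free(size)
            if addr == 0: return 0
            alloc_type |= MEM_RESERVE        # a NULL address always reserves too
        span = self._span(addr, size)
        free = [p for p in span if p not in self.pages]
        if alloc_type & MEM_RESERVE:
            if len(free) != len(span):
                return 0                     # reserving over an existing region fails
            for p in span: self.pages[p] = 'reserved'
        elif free:
            # MEM_COMMIT alone on pages nobody reserved: MSDN says this fails, but the
            # post observed XP and Win7 x64 SP1 committing it anyway (implicit reserve).
            if self.strict: return 0
            for p in free: self.pages[p] = 'reserved'
        if alloc_type & MEM_COMMIT:
            for p in span: self.pages[p] = 'committed'
        return span[0] * PAGE_SIZE

    def state(self, addr):
        return self.pages.get(addr // PAGE_SIZE, 'free')

def allaple_style_commit(strict_msdn, addr=0x00900000, size=0x4000):
    """Direct MEM_COMMIT of a never-reserved range, the pattern the post describes."""
    mem = EmuMemory(strict_msdn)
    return mem.virtual_alloc(addr, size, MEM_COMMIT), mem.state(addr)
```

With `strict_msdn=True` the sample's call returns NULL and emulation stops early, exactly the symptom seen in the test set; with `strict_msdn=False` it gets a committed region back, as on the real systems.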

Thanks again for such precise documentation. But now, what are we to rely on? This is such a "sad" experience :D.