Monday, January 15, 2018

msvbvm60.DllFunctionCall with kernel32.VirtualAlloc windows api

So I was reviewing an executable in x32dbg and came across this call


Now I'm just learning, so I can't claim to fully understand this, but here is my interpretation. I think it's possible that all the lines using the floating point registers (xmm, mm, etc.) are just obfuscation and an attempt by the attacker to distract the security analyst. I think the relevant information is the pushes and the call statement at the end. Now when we get to that call, here is what is in the registers and on the stack.

What this looks like to me is an attempt for a VB6 program to utilize the DllFunctionCall windows api to execute the kernel32.VirtualAlloc windows api, which is used typically by attackers to allocate more memory in the current process in order to inject their malicious code inside.
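As an added example (not from the post, and not the disassembly the author was looking at), here is a small triage script that does mechanically what the interpretation above does by eye: it walks an x32dbg-style instruction listing, ignores everything that is not a `push` or `call` (so the xmm/mm noise drops out), and when it reaches a call that resolves to VirtualAlloc it reconstructs the four stdcall arguments from the most recent pushes and flags any allocation that asks for an executable page protection (PAGE_EXECUTE_READWRITE, 0x40, being the classic sign of a buffer being prepared for injected code). The trace below is constructed in x32dbg's default bare-hex display; it assumes immediate pushes (register or memory pushes are recorded as unknown) and, for the DllFunctionCall case, that the analyst has annotated the call line with the resolved import name in a `;` comment, which is an assumption about the trace, not a feature of x32dbg.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Page protection constants from the Windows SDK (winnt.h).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# One instruction per line: optional 8-hex-digit address, mnemonic, operands.
INSN_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]{8}\s+)?(?P<mnem>\w+)\s*(?P<ops>.*?)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class VirtualAllocCall:
    line_no: int                 # 1-based line of the call within the trace
    lp_address: Optional[int]    # None when the push was a register/memory operand
    dw_size: Optional[int]
    alloc_type: Optional[int]
    protect: Optional[int]

    @property
    def executable(self) -> bool:
        """True when flProtect requests an executable page."""
        return self.protect in EXECUTABLE_PROTECTIONS


def _immediate(operand: str) -> Optional[int]:
    """x32dbg prints immediates as bare hex; anything else yields None."""
    return int(operand, 16) if HEX_RE.match(operand) else None


def scan(lines: List[str]) -> List[VirtualAllocCall]:
    """Return every VirtualAlloc call in the listing with its reconstructed arguments."""
    calls: List[VirtualAllocCall] = []
    pushes: List[Optional[int]] = []      # pending pushes, oldest first
    for no, raw in enumerate(lines, 1):
        code, _, comment = raw.partition(";")
        m = INSN_RE.match(code)
        if not m:
            continue
        mnem, ops = m.group("mnem").lower(), m.group("ops")
        if mnem == "push":
            pushes.append(_immediate(ops))
        elif mnem == "call":
            # The target may be the import itself or a resolver such as
            # msvbvm60.DllFunctionCall annotated with the resolved name.
            if "virtualalloc" in (ops + comment).lower():
                # stdcall pushes right-to-left: the four most recent pushes are
                # flProtect, flAllocationType, dwSize, lpAddress (oldest first).
                recent = pushes[-4:]
                recent = [None] * (4 - len(recent)) + recent
                protect, alloc_type, dw_size, lp_address = recent
                calls.append(VirtualAllocCall(no, lp_address, dw_size, alloc_type, protect))
            pushes.clear()                # callee consumed its arguments
        # Every other mnemonic (movaps, pxor, ...) is ignored as noise.
    return calls


def flag_executable(lines: List[str]) -> List[VirtualAllocCall]:
    """Only the allocations that request executable memory."""
    return [c for c in scan(lines) if c.executable]


# Constructed sample trace (not from the post); the xmm/mm lines are the kind of
# noise the scanner skips. Second call models a VB6 Declare resolved via DllFunctionCall.
SAMPLE_TRACE = """
00401000 push 40                  ; flProtect = PAGE_EXECUTE_READWRITE
00401002 movaps xmm0,xmm1
00401005 push 3000                ; MEM_COMMIT|MEM_RESERVE
0040100A pxor mm0,mm0
0040100D push 1000                ; dwSize
00401012 push 0                   ; lpAddress
00401014 call <kernel32.VirtualAlloc>
00401019 push 4                   ; PAGE_READWRITE: an ordinary data buffer
0040101B push 1000
00401020 push 100
00401025 push 0
00401027 call <msvbvm60.DllFunctionCall> ; resolved: kernel32.VirtualAlloc
""".strip().splitlines()


if __name__ == "__main__":
    for c in scan(SAMPLE_TRACE):
        verdict = "EXECUTABLE (review)" if c.executable else "data page"
        print(f"line {c.line_no}: size={c.dw_size} protect={c.protect} -> {verdict}")
```

The heuristic deliberately keys on the protection argument rather than on the mere presence of VirtualAlloc, since VB6 and its runtime allocate ordinary buffers all the time; an executable protection, or a later VirtualProtect that upgrades a buffer to one, is what warrants a closer look at the code written into that region. Arguments passed via `mov [esp+..]` or register pushes are not reconstructed, which is why unknown values are kept as `None` instead of being guessed.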
