22Şub
Very frequent calls to same Windows API function by malware
Here I have a malware sample that calls RegQueryValueEx quite frequently, without any time interruption. And as we can see, the result is quite often "BUFFER OVERFLOW". In another topic I read that this means that the allocated buffer is not big enough, e.g. the buffer is 12 bytes, but the returned value, i.e. string, is 33 bytes (null terminated). But even that would be strange, because the MachineGUID in the registry has a fixed length, so the author of the malware could simply hardcode the size of the buffer. But my main question is, why so many calls to the same Windows API function, the result is always the same (same GUID)...?