Merge pull request #836 from mandiant/update-alloc-rules
Update and refactor memory allocation/permission rules
Showing 17 changed files with 97 additions and 64 deletions.
25 changes: 25 additions & 0 deletions
host-interaction/process/inject/allocate-or-change-rwx-memory.yml
@@ -0,0 +1,25 @@ | ||
rule: | ||
meta: | ||
name: allocate or change RWX memory | ||
namespace: host-interaction/process/inject | ||
authors: | ||
- "@mr-tz" | ||
scope: basic block | ||
mbc: | ||
- Memory::Allocate Memory [C0007] | ||
examples: | ||
- Practical Malware Analysis Lab 03-03.exe_:0x4010EA | ||
# ntdll | ||
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA | ||
features: | ||
- and: | ||
- or: | ||
- match: allocate memory | ||
- match: change memory protection | ||
- or: | ||
- number: 0x40 = PAGE_EXECUTE_READWRITE | ||
# lea r9d, [rcx+40h] ; flProtect | ||
# call cs:VirtualAlloc | ||
- instruction: | ||
- mnemonic: lea | ||
- offset: 0x40 = PAGE_EXECUTE_READWRITE |
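Review bot: the `number: 0x40 = PAGE_EXECUTE_READWRITE` feature is matched anywhere in the basic block rather than bound to the flProtect argument of the allocation or protection call, so an unrelated 0x40 immediate in the same block (a stack displacement, a buffer length) satisfies the rule, and the `instruction:` alternative (`mnemonic: lea` plus `offset: 0x40`) is just as loose because it does not say which operand carries the displacement. Consider binding the value to the argument with capa's instruction-scope `operand[1].offset: 0x40` (matching the `lea r9d, [rcx+40h] ; flProtect` pattern the comment documents) and adding a `description:` to `meta:` stating that the protection value is inferred from a nearby constant, so an analyst reading an "allocate or change RWX memory" hit knows it is a heuristic rather than an argument-level check.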
This file was deleted.
@@ -3,24 +3,30 @@ rule: | |
name: allocate memory | ||
authors: | ||
- [email protected] | ||
- "@mr-tz" | ||
lib: true | ||
scope: basic block | ||
mbc: | ||
- Memory::Allocate Memory [C0007] | ||
examples: | ||
- Practical Malware Analysis Lab 03-03.exe_:0x4010EA | ||
# ntdll | ||
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA | ||
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory | ||
features: | ||
- or: | ||
- api: kernel32.VirtualAlloc | ||
- api: kernel32.VirtualAllocEx | ||
- api: kernel32.VirtualAllocExNuma | ||
- api: kernel32.VirtualProtect | ||
- api: kernel32.VirtualProtectEx | ||
- api: NtAllocateVirtualMemory | ||
- api: ZwAllocateVirtualMemory | ||
- api: NtMapViewOfSection | ||
- api: ZwMapViewOfSection | ||
- api: NtProtectVirtualMemory | ||
- api: ZwProtectVirtualMemory | ||
- and: | ||
- match: link function at runtime on Windows | ||
- or: | ||
- string: "VirtualAlloc" | ||
- string: "VirtualAllocEx" | ||
- string: "VirtualAllocExNuma" | ||
- string: "NtAllocateVirtualMemory" | ||
- string: "ZwAllocateVirtualMemory" | ||
- string: "NtMapViewOfSection" | ||
- string: "ZwMapViewOfSection" |
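Review bot: the rendered diff dropped its +/- markers, so it is ambiguous whether `api: kernel32.VirtualProtect`, `api: kernel32.VirtualProtectEx`, `api: NtProtectVirtualMemory` and `api: ZwProtectVirtualMemory` survive in "allocate memory"; this same commit introduces a dedicated "change memory protection" lib rule carrying exactly those four APIs, so they should be the removed lines here, otherwise the two lib rules overlap and the `or:` of them in the new RW/RWX rules is redundant. The ntdll example address is also listed twice, once under a bare `# ntdll` comment and once with the inline `# ntdll.NtAllocateVirtualMemory`; keep only the inline form, which names the function the offset actually points at. The `string:` list mirroring the `api:` list for the runtime-linked branch is good; keep the two lists in step if `NtMapViewOfSection`/`ZwMapViewOfSection` are extended again later.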
@@ -0,0 +1,24 @@ | ||
rule: | ||
meta: | ||
name: allocate or change RW memory | ||
authors: | ||
- [email protected] | ||
- "@mr-tz" | ||
lib: true | ||
scope: basic block | ||
mbc: | ||
- Memory::Allocate Memory [C0007] | ||
examples: | ||
- Practical Malware Analysis Lab 17-02.dll_:0x1000D10D | ||
features: | ||
- and: | ||
- or: | ||
- match: allocate memory | ||
- match: change memory protection | ||
- or: | ||
- number: 0x4 = PAGE_READWRITE | ||
# lea r9d, [rcx+4] ; flProtect | ||
# call cs:VirtualAlloc | ||
- instruction: | ||
- mnemonic: lea | ||
- offset: 0x4 = PAGE_READWRITE |
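Review bot: `number: 0x4 = PAGE_READWRITE` is a far weaker signal than 0x40 in the RWX rule: the immediate 4 appears constantly as a pointer size, array stride or stack adjustment, so at basic block scope almost any block containing a matched allocation call will also contain a 4 and the constant adds little discrimination; `offset: 0x4` on an arbitrary `lea` has the same problem. Because this is a `lib: true` rule, the false-positive cost is paid by whichever rule references it; if precision matters there, bind the value to the argument with `operand[1].offset: 0x4` under `instruction:` (per the `lea r9d, [rcx+4] ; flProtect` comment) or state in `meta:` that the constant is only a hint.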
This file was deleted.
@@ -0,0 +1,24 @@ | ||
rule: | ||
meta: | ||
name: change memory protection | ||
authors: | ||
- "@mr-tz" | ||
lib: true | ||
scope: basic block | ||
mbc: | ||
- Memory::Change Memory Protection [C0008] | ||
examples: | ||
- Practical Malware Analysis Lab 11-02.dll_:0x10001203 | ||
features: | ||
- or: | ||
- api: kernel32.VirtualProtect | ||
- api: kernel32.VirtualProtectEx | ||
- api: NtProtectVirtualMemory | ||
- api: ZwProtectVirtualMemory | ||
- and: | ||
- match: link function at runtime on Windows | ||
- or: | ||
- string: "VirtualProtect" | ||
- string: "VirtualProtectEx" | ||
- string: "NtProtectVirtualMemory" | ||
- string: "ZwProtectVirtualMemory" |
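Review bot: this rule is `lib: true` and, in this commit, is only consumed in combination with the PAGE_READWRITE and PAGE_EXECUTE_READWRITE constants, so a protection change to any other value (for example PAGE_EXECUTE_READ after a write-then-execute unpacking sequence) matches here but never surfaces as a reported capability; a `description:` in `meta:` saying so, or a follow-up non-lib rule, would make that gap visible to rule consumers. Minor: the allocation rule was extended with `VirtualAllocExNuma`; for parity the `api:`/`string:` lists here could include `VirtualProtectFromApp`, the newer entry point on the protection side.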