Merge pull request #836 from mandiant/update-alloc-rules
Update and refactor memory allocation/permission rules
mr-tz authored Oct 16, 2023
2 parents c67c2ff + b778d25 commit 210b86f
Showing 17 changed files with 97 additions and 64 deletions.
25 changes: 25 additions & 0 deletions host-interaction/process/inject/allocate-or-change-rwx-memory.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
rule:
meta:
name: allocate or change RWX memory
namespace: host-interaction/process/inject
authors:
- "@mr-tz"
scope: basic block
mbc:
- Memory::Allocate Memory [C0007]
examples:
- Practical Malware Analysis Lab 03-03.exe_:0x4010EA
# ntdll
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
features:
- and:
- or:
- match: allocate memory
- match: change memory protection
- or:
- number: 0x40 = PAGE_EXECUTE_READWRITE
# lea r9d, [rcx+40h] ; flProtect
# call cs:VirtualAlloc
- instruction:
- mnemonic: lea
- offset: 0x40 = PAGE_EXECUTE_READWRITE
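Review bot: the mbc block of this new rule lists only Memory::Allocate Memory [C0007], but the first or: branch also fires on "match: change memory protection", so a hit produced by a VirtualProtect-style call would be labelled as an allocation; add Memory::Change Memory Protection [C0008] (the identifier the new lib/change-memory-protection.yml in this PR uses) so the behaviour label is accurate for both branches. Both examples entries exercise the allocation path; an example where the 0x40 constant sits next to a protection-change call would give the second branch regression coverage.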
17 changes: 0 additions & 17 deletions host-interaction/process/inject/allocate-rwx-memory.yml

This file was deleted.

@@ -12,7 +12,7 @@ rule:
features:
- and:
- match: attach user process memory
- match: allocate RWX memory
- match: allocate or change RWX memory
- number: 0xFFFFFFFF = NtCurrentProcess()
- optional:
- match: find process by PID
@@ -20,7 +20,7 @@ rule:
- match: suspend thread
- api: kernel32.GetThreadContext
- optional:
- match: allocate RWX memory
- match: allocate or change RWX memory
- match: write process memory
- api: kernel32.SetThreadContext
- match: resume thread
2 changes: 1 addition & 1 deletion host-interaction/process/inject/inject-dll.yml
@@ -23,7 +23,7 @@ rule:
- or:
- match: open process
- match: host-interaction/process/create
- match: allocate RW memory
- match: allocate or change RW memory
- match: write process memory
- and:
- or:
2 changes: 1 addition & 1 deletion host-interaction/process/inject/inject-pe.yml
@@ -19,7 +19,7 @@ rule:
- or:
- match: open process
- match: host-interaction/process/create
- match: allocate RWX memory
- match: allocate or change RWX memory
- basic block:
- description: virtual address offset calculation
- and:
4 changes: 2 additions & 2 deletions host-interaction/process/inject/inject-thread.yml
@@ -15,8 +15,8 @@ rule:
features:
- and:
- or:
- match: allocate RWX memory
- match: allocate RW memory
- match: allocate or change RWX memory
- match: allocate or change RW memory
- match: write process memory
- match: create thread
- optional:
18 changes: 12 additions & 6 deletions lib/allocate-memory.yml
@@ -3,24 +3,30 @@ rule:
name: allocate memory
authors:
- [email protected]
- "@mr-tz"
lib: true
scope: basic block
mbc:
- Memory::Allocate Memory [C0007]
examples:
- Practical Malware Analysis Lab 03-03.exe_:0x4010EA
# ntdll
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory
features:
- or:
- api: kernel32.VirtualAlloc
- api: kernel32.VirtualAllocEx
- api: kernel32.VirtualAllocExNuma
- api: kernel32.VirtualProtect
- api: kernel32.VirtualProtectEx
- api: NtAllocateVirtualMemory
- api: ZwAllocateVirtualMemory
- api: NtMapViewOfSection
- api: ZwMapViewOfSection
- api: NtProtectVirtualMemory
- api: ZwProtectVirtualMemory
- and:
- match: link function at runtime on Windows
- or:
- string: "VirtualAlloc"
- string: "VirtualAllocEx"
- string: "VirtualAllocExNuma"
- string: "NtAllocateVirtualMemory"
- string: "ZwAllocateVirtualMemory"
- string: "NtMapViewOfSection"
- string: "ZwMapViewOfSection"
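Review bot: the VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory and ZwProtectVirtualMemory entries leave this rule's api: list, and the added "link function at runtime on Windows" branch lists allocation names only, so a dynamically resolved protection call is no longer matched by "allocate memory"; that is only correct because lib/change-memory-protection.yml in this PR carries its own runtime-link branch with those four strings, so please keep the two lists in step. Each name has to stay spelled out separately ("VirtualAlloc" and "VirtualAllocEx" both listed) because a plain string: feature in capa is an exact match, not a substring match.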
24 changes: 24 additions & 0 deletions lib/allocate-or-change-rw-memory.yml
@@ -0,0 +1,24 @@
rule:
meta:
name: allocate or change RW memory
authors:
- [email protected]
- "@mr-tz"
lib: true
scope: basic block
mbc:
- Memory::Allocate Memory [C0007]
examples:
- Practical Malware Analysis Lab 17-02.dll_:0x1000D10D
features:
- and:
- or:
- match: allocate memory
- match: change memory protection
- or:
- number: 0x4 = PAGE_READWRITE
# lea r9d, [rcx+4] ; flProtect
# call cs:VirtualAlloc
- instruction:
- mnemonic: lea
- offset: 0x4 = PAGE_READWRITE
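Review bot: the "number: 0x4" and "offset: 0x4" anchors are much weaker than the 0x40 ones in the RWX sibling rule. Inside a basic block that calls VirtualAlloc or VirtualProtect, a 4 turns up routinely as a size, a structure offset or an unrelated flag, so "allocate or change RW memory" can trigger on blocks that never pass PAGE_READWRITE; a description: entry noting that limitation would help maintainers, and a second example would be welcome since the single Lab 17-02.dll example covers only the allocation branch. As with the RWX rule, mbc lists only C0007 although the change-protection branch is part of the match.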
15 changes: 0 additions & 15 deletions lib/allocate-rw-memory.yml

This file was deleted.

24 changes: 24 additions & 0 deletions lib/change-memory-protection.yml
@@ -0,0 +1,24 @@
rule:
meta:
name: change memory protection
authors:
- "@mr-tz"
lib: true
scope: basic block
mbc:
- Memory::Change Memory Protection [C0008]
examples:
- Practical Malware Analysis Lab 11-02.dll_:0x10001203
features:
- or:
- api: kernel32.VirtualProtect
- api: kernel32.VirtualProtectEx
- api: NtProtectVirtualMemory
- api: ZwProtectVirtualMemory
- and:
- match: link function at runtime on Windows
- or:
- string: "VirtualProtect"
- string: "VirtualProtectEx"
- string: "NtProtectVirtualMemory"
- string: "ZwProtectVirtualMemory"
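Review bot: the rule covers the Nt/Zw protection APIs, but its only example is a Win32 VirtualProtect site (Lab 11-02.dll); the sibling "allocate memory" rule in this PR pairs its Nt entry with an ntdll example, and an NtProtectVirtualMemory example here would give the native path the same regression coverage. The mbc value Memory::Change Memory Protection [C0008] and lib: true look right for a rule that is only reached through match:.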
16 changes: 1 addition & 15 deletions load-code/shellcode/execute-shellcode-via-copyfile2.yml
@@ -11,21 +11,7 @@ rule:
- c2bb17c12975ea61ff43a71afd9c3ff111d018af161859abae0bdb0b3dae98f9:0x140001010
features:
- and:
- or:
- match: allocate RWX memory
- basic block:
- and:
# xor ecx, ecx ; lpAddress
# mov edx, 31Fh ; dwSize
# mov r8d, 1000h ; flAllocationType
# lea r9d, [rcx+40h] ; flProtect
# call cs:VirtualAlloc
- match: allocate memory
- or:
- number: 0x40
- instruction:
- mnemonic: lea
- offset: 0x40
- match: allocate or change RWX memory
- api: CopyFile2
- api: DeleteFileW
- number: 0x00000001 = COPY_FILE_FAIL_IF_EXISTS
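Review bot: replacing the inline basic block with "match: allocate or change RWX memory" is the right consolidation, but the annotated disassembly that justified the lea pattern (xor ecx, ecx ; lpAddress / mov edx, 31Fh ; dwSize / mov r8d, 1000h ; flAllocationType) is dropped here, and the new lib rule keeps only the last two lines of it; carry the full snippet over to allocate-or-change-rwx-memory.yml so the reason for the "offset: 0x40" branch stays documented in one place.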
@@ -11,7 +11,7 @@ rule:
- a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf:0x10001010
features:
- and:
- match: allocate RWX memory
- match: allocate or change RWX memory
- api: CreateEvent
- api: CreateThreadpoolWait
- api: SetThreadpoolWait
@@ -23,7 +23,7 @@ rule:
- 43db867967c71bd3aaba9a9a3084e7fa:0x140001000
features:
- and:
- match: allocate RWX memory
- match: allocate or change RWX memory
- or:
- api: EnumDateFormats
- api: GrayString
@@ -14,7 +14,7 @@ rule:
- f03bdb9fa52f7b61ef03141fefff1498ad2612740b1fdbf6941f1c5af5eee70a:0x4026E0
features:
- and:
- match: allocate RWX memory
- match: allocate or change RWX memory
- api: ConvertThreadToFiber
- api: CreateFiber
- api: SwitchToFiber
2 changes: 1 addition & 1 deletion load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
@@ -12,5 +12,5 @@ rule:
- Practical Malware Analysis Lab 19-02.exe_:0x401230
features:
- and:
- match: allocate RWX memory
- match: allocate or change RWX memory
- match: create thread
2 changes: 1 addition & 1 deletion nursery/execute-shellcode-via-indirect-call.yml
@@ -9,7 +9,7 @@ rule:
- Memory::Allocate Memory [C0007]
features:
- and:
- match: allocate RWX memory
- match: allocate or change RWX memory
- or:
- characteristic: indirect call
- characteristic: cross section flow
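Review bot: mbc here still lists only Memory::Allocate Memory [C0007] while the rule now depends on "allocate or change RWX memory", which also matches protection changes; add Memory::Change Memory Protection [C0008] so a shellcode launch that goes through VirtualProtect rather than VirtualAlloc is labelled correctly.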