From 1adcf13e061b2e15aaa4b3f9aa910d46a362aef2 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 3 Dec 2024 14:12:04 +0100
Subject: [PATCH] extend rule features and rename (#969)

* extend rule features

---
 ...emory-pages-using-arbitrary-code-guard.yml | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
index 3d19579e..d0bfaeb3 100644
--- a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
+++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -17,10 +17,16 @@ rule:
     examples:
       - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
   features:
-    - and:
-      - api: SetProcessMitigationPolicy
-      - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
-      - number: 1 = ProhibitDynamicCode
-      - or:
-        - number: 8 = ProcessDynamicCodePolicy
-        - offset: 4
+    - or:
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
+        - number: 1 = set policy.ProhibitDynamicCode to 1
+        - number: 2 = ProcessDynamicCodePolicy
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
+        - number: 1 = set policy.MicrosoftSignedOnly to 1
+        - or:
+          - number: 8 = ProcessSignaturePolicy
+          - offset: 4 = lea ecx, [r8+4] ; with r8 equal to 4
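Review bot: The second `and` branch is weakly discriminating: `number: 4`, `number: 1` and `offset: 4` occur in almost any function, so the `or` that accepts `offset: 4 = lea ecx, [r8+4]` in place of `number: 8 = ProcessSignaturePolicy` reduces that branch to `api: SetProcessMitigationPolicy` plus three near-ubiquitous constants, whereas the first branch now requires the actual policy id `number: 2`. The `lea` alternative appears to be tied to the code generation of the single listed example (0x140002120); if it is kept, a comment recording that, e.g. `# offset alternative: policy id is computed (r8+4) rather than passed as an immediate in the example`, would stop a later cleanup from dropping or generalising it, and a second example hash (PLACEHOLDER_EXAMPLE_HASH:0xADDR) exercising the immediate form would justify keeping both. The new branch matches the Microsoft-signed-only binary signature policy rather than the dynamic-code (ACG) policy the file name describes, so the rule's `name`/`description` in `meta` should state that it now covers both process mitigation policies; those lines lie above the hunk, so whether the rename mentioned in the commit subject reaches them cannot be seen here.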