Commit

fix logic after dynamic update (#857)
* fix logic after dynamic update

---------

Co-authored-by: Yacine <[email protected]>
mr-tz and yelhamer authored Dec 8, 2023
1 parent 6661755 commit 4e72563
Showing 3 changed files with 58 additions and 54 deletions.
Expand Up @@ -16,20 +16,22 @@ rule:
examples:
- 773290480d5445f11d3dc1b800728966:0x140001140
features:
- and:
# static
- basic block:
- and:
- api: SLIsGenuineLocal
- basic block:
- and:
- api: UuidFromString
- string: "55c92734-d682-4d71-983e-d6ec3f16059f"
# dynamic
- call:
- and:
- api: SLIsGenuineLocal
- call:
- and:
- api: UuidFromString
- string: "55c92734-d682-4d71-983e-d6ec3f16059f"
- or:
- and:
# static
- basic block:
- and:
- api: SLIsGenuineLocal
- basic block:
- and:
- api: UuidFromString
- string: "55c92734-d682-4d71-983e-d6ec3f16059f"
- and:
# dynamic
- call:
- and:
- api: SLIsGenuineLocal
- call:
- and:
- api: UuidFromString
- string: "55c92734-d682-4d71-983e-d6ec3f16059f"
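Review bot: the old top-level `and:` required the `basic block:` subtrees (static-only features) and the `call:` subtrees (dynamic-only features) to match at the same time, which no single analysis flavor can satisfy, so the rule could never fire; wrapping each group in its own `and:` under a new `- or:` is the right fix and keeps the `# static` / `# dynamic` comments with the branch they describe. Two minor points: each `basic block:` and `call:` still carries a single-child `- and:` (harmless, but it can be dropped), and since the same bug pattern is corrected in the other two files of this commit, a lint check that flags a top-level `and:` mixing static-only and dynamic-only subscopes would catch regressions.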
16 changes: 8 additions & 8 deletions communication/socket/create-vmci-socket.yml
Expand Up @@ -5,25 +5,25 @@ rule:
authors:
- [email protected]
scopes:
static: function
static: basic block
dynamic: thread
mbc:
- Communication::Socket Communication::Create Socket [C0001.003]
references:
- https://www.vmware.com/products/beta/ws/VMCIsockets.pdf
examples:
- 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x180001241
- 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x1800011D0
features:
- or:
- and:
- os: windows
- api: DeviceIoControl
- number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE
- optional:
- or:
- api: socket
- api: DeviceIoControl
- number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE
- and:
- os: linux
- api: ioctl
- number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE
- optional:
- or:
- api: ioctl
- api: socket
- number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE
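Review bot: with the static scope narrowed from `function` to `basic block`, the `optional:` wrapper around `api: socket` is gone and `socket` now sits in an `or:` beside `DeviceIoControl` (Windows) and `ioctl` (Linux), so a block containing only `socket` plus the `0x81032068 = VMCI_SOCKETS_GET_AF_VALUE` (or `0x7B8`) constant now matches without the control call that actually consumes it. If the intent was to tighten the match to the block that issues the ioctl, keep `DeviceIoControl` / `ioctl` required and leave `socket` optional. Also confirm the updated example offset `0x1800011D0` is the start of the basic block the tests resolve, since the old `0x180001241` was a function-scope address and the dynamic `thread` scope is unchanged.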
60 changes: 31 additions & 29 deletions host-interaction/file-system/read/read-file-via-mapping.yml
Expand Up @@ -12,38 +12,40 @@ rule:
examples:
- Practical Malware Analysis Lab 01-01.exe_:0x401440
features:
- and:
# static
- basic block:
- and:
- api: kernel32.MapViewOfFile
- or:
- number: 4 = FILE_MAP_READ
- number: 6 = FILE_MAP_WRITE | FILE_MAP_READ
- optional:
- api: kernel32.UnmapViewOfFile
- and:
- match: get file size
- or:
- and:
# static
- basic block:
- and:
- api: kernel32.CreateFileMapping
- api: kernel32.MapViewOfFile
- or:
- number: 2 = PAGE_READONLY
- number: 4 = PAGE_READWRITE
# dynamic
- call:
- and:
- api: kernel32.MapViewOfFile
- or:
- number: 4 = FILE_MAP_READ
- number: 6 = FILE_MAP_WRITE | FILE_MAP_READ
- optional:
- api: kernel32.UnmapViewOfFile
- and:
- match: get file size
- number: 4 = FILE_MAP_READ
- number: 6 = FILE_MAP_WRITE | FILE_MAP_READ
- optional:
- api: kernel32.UnmapViewOfFile
- and:
- match: get file size
- basic block:
- and:
- api: kernel32.CreateFileMapping
- or:
- number: 2 = PAGE_READONLY
- number: 4 = PAGE_READWRITE
- and:
# dynamic
- call:
- and:
- api: kernel32.CreateFileMapping
- api: kernel32.MapViewOfFile
- or:
- number: 2 = PAGE_READONLY
- number: 4 = PAGE_READWRITE
- number: 4 = FILE_MAP_READ
- number: 6 = FILE_MAP_WRITE | FILE_MAP_READ
- optional:
- api: kernel32.UnmapViewOfFile
- and:
- match: get file size
- call:
- and:
- api: kernel32.CreateFileMapping
- or:
- number: 2 = PAGE_READONLY
- number: 4 = PAGE_READWRITE
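Review bot: same fix as the other rules in this commit, and the split into a static `and:` (two `basic block:` groups) and a dynamic `and:` (two `call:` groups) under `- or:` is correct; the interleaved rendering here makes that hard to see, so reviewing with whitespace-insensitive diff output is worthwhile. One thing to check: `match: get file size` appears in both branches, so the dynamic branch can only fire if the referenced rule itself defines a dynamic scope; if it is static-only, the dynamic `and:` is dead. The `- optional:` / `api: kernel32.UnmapViewOfFile` leaf is fine in both branches.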
