Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add patch-antimalware-scan-interface-function.yml and updated patch-e… #798

Merged
merged 3 commits into from
Nov 20, 2023
Merged

Add patch-antimalware-scan-interface-function.yml and updated patch-e… #798

merged 3 commits into from
Nov 20, 2023

Conversation

jtothej
Copy link
Contributor

@jtothej jtothej commented Jul 13, 2023

Add patch-antimalware-scan-interface-function.yml and updated patch-event-tracing-for-windows-function.yml

@jtothej jtothej mentioned this pull request Jul 13, 2023
Merged
williballenthin
williballenthin reviewed Jul 13, 2023
View reviewed changes
anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml Outdated
Comment on lines 20 to 27
- api: kernel32.VirtualProtect
- api: kernel32.VirtualProtectEx
- api: ntdll.NtProtectVirtualMemory
- api: ZwProtectVirtualMemory
- string: "VirtualProtect"
- string: "VirtualProtectEx"
- string: "NtProtectVirtualMemory"
- string: "ZwProtectVirtualMemory"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we should factor this logic out into a library rule, like patch read-only memory at runtime or something

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then we can have a rule like hook function at runtime and then the rules in this PR boil down to:

    - match: hook function at runtime
    - or:
      - string: AmsiScanBuffer
      - string: AmsiScanString

and

    - match: hook function at runtime
    - or:
      - string: EventWrite
      - ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was initially thinking about using allocate RWX memory (which in turn depends on allocate memory) but allocate memory matches on both memory allocation functions and functions that change of protection of already allocated memory.
So maybe we could split allocate memory to actual allocate memory and something like change memory protection (including VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory, ZwProtectVirtualMemory). The we could have change memory protection to RWX and use it in rules in this PR. The problem with this approach would be figuring out which rules currently using allocate memory rule depend on memory allocation functions, which depend on change of memory functions and which on both.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, that sounds like a great refactor!

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refactoring this in #836

@mr-tz mr-tz mentioned this pull request Oct 11, 2023
Merged
mr-tz
mr-tz reviewed Oct 11, 2023
View reviewed changes
Copy link
Collaborator

@mr-tz mr-tz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update once #836 was merged

anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml Outdated Show resolved Hide resolved
anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml Outdated Show resolved Hide resolved
@mr-tz mr-tz merged commit 131cf44 into mandiant:master Nov 20, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mr-tz mr-tz mr-tz left review comments

@williballenthin williballenthin williballenthin left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jtothej @williballenthin @mr-tz