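# capa library rule: matches code that allocates (or maps) virtual memory.
# `lib: true` marks it as a helper rule that other rules pull in via `match:`;
# it is not intended to be reported as a standalone capability.
rule:
  meta:
    name: allocate memory
    authors:
      - "@mr-tz"
    lib: true
    # static matching is evaluated per basic block, dynamic matching per API call
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Memory::Allocate Memory [C0007]
    examples:
      - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory
  features:
    - or:
      # direct use of the allocation APIs (resolved import or observed call)
      - api: kernel32.VirtualAlloc
      - api: kernel32.VirtualAllocEx
      - api: kernel32.VirtualAllocExNuma
      - api: NtAllocateVirtualMemory
      - api: ZwAllocateVirtualMemory
      # mapping a section view also places memory into the target address space
      - api: NtMapViewOfSection
      - api: ZwMapViewOfSection
      # no direct call is visible: the API name appears only as a string next to
      # runtime-linking code, so the allocation is inferred from that pairing
      - and:
        - match: link function at runtime on Windows
        - or:
          - string: "VirtualAlloc"
          - string: "VirtualAllocEx"
          - string: "VirtualAllocExNuma"
          - string: "NtAllocateVirtualMemory"
          - string: "ZwAllocateVirtualMemory"
          - string: "NtMapViewOfSection"
          - string: "ZwMapViewOfSection"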