Merge pull request #836 from mandiant/update-alloc-rules

Update and refactor memory allocation/permission rules

host-interaction/process/inject/allocate-or-change-rwx-memory.yml

@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: allocate or change RWX memory
+    namespace: host-interaction/process/inject
+    authors:
+      - "@mr-tz"
+    scope: basic block
+    mbc:
+      - Memory::Allocate Memory [C0007]
+    examples:
+      - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
+      # ntdll
+      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
+  features:
+    - and:
+      - or:
+        - match: allocate memory
+        - match: change memory protection
+      - or:
+        - number: 0x40 = PAGE_EXECUTE_READWRITE
+        # lea     r9d, [rcx+40h]  ; flProtect
+        # call    cs:VirtualAlloc
+        - instruction:
+          - mnemonic: lea
+          - offset: 0x40 = PAGE_EXECUTE_READWRITE

host-interaction/process/inject/allocate-user-process-rwx-memory.yml

@@ -12,7 +12,7 @@ rule:
   features:
     - and:
       - match: attach user process memory
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - number: 0xFFFFFFFF = NtCurrentProcess()
       - optional:
         - match: find process by PID

host-interaction/process/inject/hijack-thread-execution.yml

@@ -20,7 +20,7 @@ rule:
       - match: suspend thread
       - api: kernel32.GetThreadContext
       - optional:
-        - match: allocate RWX memory
+        - match: allocate or change RWX memory
         - match: write process memory
       - api: kernel32.SetThreadContext
       - match: resume thread

host-interaction/process/inject/inject-dll.yml

@@ -23,7 +23,7 @@ rule:
         - or:
           - match: open process
           - match: host-interaction/process/create
-      - match: allocate RW memory
+      - match: allocate or change RW memory
       - match: write process memory
       - and:
         - or:

host-interaction/process/inject/inject-pe.yml

@@ -19,7 +19,7 @@ rule:
         - or:
           - match: open process
           - match: host-interaction/process/create
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - basic block:
         - description: virtual address offset calculation
         - and:

host-interaction/process/inject/inject-thread.yml

@@ -15,8 +15,8 @@ rule:
   features:
     - and:
       - or:
-        - match: allocate RWX memory
-        - match: allocate RW memory
+        - match: allocate or change RWX memory
+        - match: allocate or change RW memory
       - match: write process memory
       - match: create thread
       - optional:

lib/allocate-memory.yml

@@ -3,24 +3,30 @@ rule:
     name: allocate memory
     authors:
       - [email protected]
+      - "@mr-tz"
     lib: true
     scope: basic block
     mbc:
       - Memory::Allocate Memory [C0007]
     examples:
       - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
-      # ntdll
-      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
+      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA  # ntdll.NtAllocateVirtualMemory
   features:
     - or:
       - api: kernel32.VirtualAlloc
       - api: kernel32.VirtualAllocEx
       - api: kernel32.VirtualAllocExNuma
-      - api: kernel32.VirtualProtect
-      - api: kernel32.VirtualProtectEx
       - api: NtAllocateVirtualMemory
       - api: ZwAllocateVirtualMemory
       - api: NtMapViewOfSection
       - api: ZwMapViewOfSection
-      - api: NtProtectVirtualMemory
-      - api: ZwProtectVirtualMemory
+      - and:
+        - match: link function at runtime on Windows
+        - or:
+          - string: "VirtualAlloc"
+          - string: "VirtualAllocEx"
+          - string: "VirtualAllocExNuma"
+          - string: "NtAllocateVirtualMemory"
+          - string: "ZwAllocateVirtualMemory"
+          - string: "NtMapViewOfSection"
+          - string: "ZwMapViewOfSection"

lib/allocate-or-change-rw-memory.yml

@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: allocate or change RW memory
+    authors:
+      - [email protected]
+      - "@mr-tz"
+    lib: true
+    scope: basic block
+    mbc:
+      - Memory::Allocate Memory [C0007]
+    examples:
+      - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D
+  features:
+    - and:
+      - or:
+        - match: allocate memory
+        - match: change memory protection
+      - or:
+        - number: 0x4 = PAGE_READWRITE
+        # lea     r9d, [rcx+4]  ; flProtect
+        # call    cs:VirtualAlloc
+        - instruction:
+          - mnemonic: lea
+          - offset: 0x4 = PAGE_READWRITE

lib/change-memory-protection.yml

@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: change memory protection
+    authors:
+      - "@mr-tz"
+    lib: true
+    scope: basic block
+    mbc:
+      - Memory::Change Memory Protection [C0008]
+    examples:
+      - Practical Malware Analysis Lab 11-02.dll_:0x10001203
+  features:
+    - or:
+      - api: kernel32.VirtualProtect
+      - api: kernel32.VirtualProtectEx
+      - api: NtProtectVirtualMemory
+      - api: ZwProtectVirtualMemory
+      - and:
+        - match: link function at runtime on Windows
+        - or:
+          - string: "VirtualProtect"
+          - string: "VirtualProtectEx"
+          - string: "NtProtectVirtualMemory"
+          - string: "ZwProtectVirtualMemory"

load-code/shellcode/execute-shellcode-via-copyfile2.yml

@@ -11,21 +11,7 @@ rule:
       - c2bb17c12975ea61ff43a71afd9c3ff111d018af161859abae0bdb0b3dae98f9:0x140001010
   features:
     - and:
-      - or:
-        - match: allocate RWX memory
-        - basic block:
-          - and:
-            # xor     ecx, ecx        ; lpAddress
-            # mov     edx, 31Fh       ; dwSize
-            # mov     r8d, 1000h      ; flAllocationType
-            # lea     r9d, [rcx+40h]  ; flProtect
-            # call    cs:VirtualAlloc
-            - match: allocate memory
-            - or:
-              - number: 0x40
-              - instruction:
-                - mnemonic: lea
-                - offset: 0x40
+      - match: allocate or change RWX memory
       - api: CopyFile2
       - api: DeleteFileW
       - number: 0x00000001 = COPY_FILE_FAIL_IF_EXISTS

load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml

@@ -11,7 +11,7 @@ rule:
       - a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf:0x10001010
   features:
     - and:
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - api: CreateEvent
       - api: CreateThreadpoolWait
       - api: SetThreadpoolWait

load-code/shellcode/execute-shellcode-via-windows-callback-function.yml

@@ -23,7 +23,7 @@ rule:
       - 43db867967c71bd3aaba9a9a3084e7fa:0x140001000
   features:
     - and:
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - or:
         - api: EnumDateFormats
         - api: GrayString

load-code/shellcode/execute-shellcode-via-windows-fibers.yml

@@ -14,7 +14,7 @@ rule:
       - f03bdb9fa52f7b61ef03141fefff1498ad2612740b1fdbf6941f1c5af5eee70a:0x4026E0
   features:
     - and:
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - api: ConvertThreadToFiber
       - api: CreateFiber
       - api: SwitchToFiber

load-code/shellcode/spawn-thread-to-rwx-shellcode.yml

@@ -12,5 +12,5 @@ rule:
       - Practical Malware Analysis Lab 19-02.exe_:0x401230
   features:
     - and:
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - match: create thread

nursery/execute-shellcode-via-indirect-call.yml

@@ -9,7 +9,7 @@ rule:
       - Memory::Allocate Memory [C0007]
   features:
     - and:
-      - match: allocate RWX memory
+      - match: allocate or change RWX memory
       - or:
         - characteristic: indirect call
         - characteristic: cross section flow