From ed791c9b172dd032585b77bfe4794567a7c3df00 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 11 Oct 2023 11:14:14 +0200 Subject: [PATCH 1/6] separate allocate and change memory protection --- .../process/inject/allocate-rwx-memory.yml | 16 ++++++++++++---- lib/allocate-memory.yml | 5 +---- lib/allocate-rw-memory.yml | 15 ++++++++++++--- lib/change-memory-protection.yml | 18 ++++++++++++++++++ .../execute-shellcode-via-copyfile2.yml | 16 +--------------- .../execute-shellcode-via-indirect-call.yml | 2 +- 6 files changed, 45 insertions(+), 27 deletions(-) create mode 100644 lib/change-memory-protection.yml diff --git a/host-interaction/process/inject/allocate-rwx-memory.yml b/host-interaction/process/inject/allocate-rwx-memory.yml index d8587e00a..6e5d06848 100644 --- a/host-interaction/process/inject/allocate-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-rwx-memory.yml @@ -1,9 +1,9 @@ rule: meta: - name: allocate RWX memory + name: allocate or change RWX memory namespace: host-interaction/process/inject authors: - - moritz.raabe@mandiant.com + - "@mr-tz" scope: basic block mbc: - Memory::Allocate Memory [C0007] @@ -13,5 +13,13 @@ rule: - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA features: - and: - - match: allocate memory - - number: 0x40 = PAGE_EXECUTE_READWRITE + - or: + - match: allocate memory + - match: change memory protection + - or: + - number: 0x40 = PAGE_EXECUTE_READWRITE + # lea r9d, [rcx+40h] ; flProtect + # call cs:VirtualAlloc + - instruction: + - mnemonic: lea + - offset: 0x40 = PAGE_EXECUTE_READWRITE diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index e1840dd54..2450fb887 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml 
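Review bot: The rule now also fires on memory-protection changes, but the `mbc:` list visible in the first hunk of host-interaction/process/inject/allocate-rwx-memory.yml still carries only `Memory::Allocate Memory [C0007]`; it should also list `- Memory::Change Memory Protection [C0008]`, as the new lib/change-memory-protection.yml does, unless an entry already sits on the lines between the two hunks. The same applies to lib/allocate-rw-memory.yml, whose `mbc:` entries lie outside its first hunk. These tags are what a reader of a capa report sees for a match, so leaving them as-is would label a VirtualProtect-only basic block as an allocation.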
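Review bot: The comment above the new `instruction:` feature in the second hunk of allocate-rwx-memory.yml documents only the VirtualAlloc path (`lea r9d, [rcx+40h] ; flProtect`), although the `or:` just above it now admits `change memory protection` as well; for VirtualProtect the protection constant is the third argument, so the corresponding pattern would load r8d, and the feature matches either form because it constrains only the mnemonic and the offset. Extend the comment to `# lea r9d, [rcx+40h] ; flProtect (VirtualAlloc)` followed by `# lea r8d, [rcx+40h] ; flNewProtect (VirtualProtect)` so the next reader does not take the feature to be allocation-specific. The same comment appears in lib/allocate-rw-memory.yml with offset 4.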
@@ -9,15 +9,12 @@ rule: - Memory::Allocate Memory [C0007] examples: - Practical Malware Analysis Lab 03-03.exe_:0x4010EA - # ntdll - - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA + - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory features: - or: - api: kernel32.VirtualAlloc - api: kernel32.VirtualAllocEx - api: kernel32.VirtualAllocExNuma - - api: kernel32.VirtualProtect - - api: kernel32.VirtualProtectEx - api: NtAllocateVirtualMemory - api: ZwAllocateVirtualMemory - api: NtMapViewOfSection diff --git a/lib/allocate-rw-memory.yml b/lib/allocate-rw-memory.yml index 25c085299..b67f25c3f 100644 --- a/lib/allocate-rw-memory.yml +++ b/lib/allocate-rw-memory.yml @@ -1,8 +1,9 @@ rule: meta: - name: allocate RW memory + name: allocate or change RW memory authors: - 0x534a@mailbox.org + - "@mr-tz" lib: true scope: basic block mbc: @@ -11,5 +12,13 @@ rule: - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D features: - and: - - match: allocate memory - - number: 0x4 = PAGE_READWRITE + - or: + - match: allocate memory + - match: change memory protection + - or: + - number: 0x4 = PAGE_READWRITE + # lea r9d, [rcx+4] ; flProtect + # call cs:VirtualAlloc + - instruction: + - mnemonic: lea + - offset: 0x4 = PAGE_READWRITE diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml new file mode 100644 index 000000000..8def6a247 --- /dev/null +++ b/lib/change-memory-protection.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: change memory protection + authors: + - "@mr-tz" + lib: true + scope: basic block + mbc: + - Memory::Change Memory Protection [C0008] + examples: + # ntdll + - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA + features: + - or: + - api: kernel32.VirtualProtect + - api: kernel32.VirtualProtectEx + - api: NtProtectVirtualMemory + - api: ZwProtectVirtualMemory 
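Review bot: The new lib/change-memory-protection.yml lists the classic Win32 and native protection APIs but not VirtualProtectFromApp, the memoryapi.h variant used by packaged processes; if the rule set intends parity with the allocate rule it is worth adding `- api: VirtualProtectFromApp` (module-less like the Nt*/Zw* entries, since it is not necessarily a kernel32 export) and `- api: VirtualAllocFromApp` in lib/allocate-memory.yml, or a one-line comment stating that the *FromApp variants are deliberately left out. Whether these are already covered by another rule outside this patch cannot be seen from here.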
diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml index 98b81bee6..ffd16299c 100644 --- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml +++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml @@ -11,21 +11,7 @@ rule: - c2bb17c12975ea61ff43a71afd9c3ff111d018af161859abae0bdb0b3dae98f9:0x140001010 features: - and: - - or: - - match: allocate RWX memory - - basic block: - - and: - # xor ecx, ecx ; lpAddress - # mov edx, 31Fh ; dwSize - # mov r8d, 1000h ; flAllocationType - # lea r9d, [rcx+40h] ; flProtect - # call cs:VirtualAlloc - - match: allocate memory - - or: - - number: 0x40 - - instruction: - - mnemonic: lea - - offset: 0x40 + - match: allocate or change RWX memory - api: CopyFile2 - api: DeleteFileW - number: 0x00000001 = COPY_FILE_FAIL_IF_EXISTS diff --git a/nursery/execute-shellcode-via-indirect-call.yml b/nursery/execute-shellcode-via-indirect-call.yml index 9d48eb518..b2a39fe2c 100644 --- a/nursery/execute-shellcode-via-indirect-call.yml +++ b/nursery/execute-shellcode-via-indirect-call.yml @@ -9,7 +9,7 @@ rule: - Memory::Allocate Memory [C0007] features: - and: - - match: allocate RWX memory + - match: allocate or change RWX memory - or: - characteristic: indirect call - characteristic: cross section flow From 5f223ea5ce5e61c9353a5e35f45b7b159239aeab Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 11 Oct 2023 11:17:13 +0200 Subject: [PATCH 2/6] rename rules --- ...{allocate-rwx-memory.yml => allocate-or-change-rwx-memory.yml} | 0 lib/{allocate-rw-memory.yml => allocate-or-change-rw-memory.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename host-interaction/process/inject/{allocate-rwx-memory.yml => allocate-or-change-rwx-memory.yml} (100%) rename lib/{allocate-rw-memory.yml => allocate-or-change-rw-memory.yml} (100%) 
diff --git a/host-interaction/process/inject/allocate-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml similarity index 100% rename from host-interaction/process/inject/allocate-rwx-memory.yml rename to host-interaction/process/inject/allocate-or-change-rwx-memory.yml diff --git a/lib/allocate-rw-memory.yml b/lib/allocate-or-change-rw-memory.yml similarity index 100% rename from lib/allocate-rw-memory.yml rename to lib/allocate-or-change-rw-memory.yml From 66f58dffa02decfd6227e5852995ebf8e0627abc Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 11 Oct 2023 11:20:23 +0200 Subject: [PATCH 3/6] update match rule name --- .../process/inject/allocate-user-process-rwx-memory.yml | 2 +- host-interaction/process/inject/hijack-thread-execution.yml | 2 +- host-interaction/process/inject/inject-dll.yml | 2 +- host-interaction/process/inject/inject-pe.yml | 2 +- host-interaction/process/inject/inject-thread.yml | 4 ++-- .../shellcode/execute-shellcode-via-createthreadpoolwait.yml | 2 +- .../execute-shellcode-via-windows-callback-function.yml | 2 +- load-code/shellcode/execute-shellcode-via-windows-fibers.yml | 2 +- load-code/shellcode/spawn-thread-to-rwx-shellcode.yml | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml index d2f4b40ab..cd2c3bda9 100644 --- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml @@ -12,7 +12,7 @@ rule: features: - and: - match: attach user process memory - - match: allocate RWX memory + - match: allocate or change RWX memory - number: 0xFFFFFFFF = NtCurrentProcess() - optional: - match: find process by PID 
diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml index 6ecbae26a..d60daa4bb 100644 --- a/host-interaction/process/inject/hijack-thread-execution.yml +++ b/host-interaction/process/inject/hijack-thread-execution.yml @@ -20,7 +20,7 @@ rule: - match: suspend thread - api: kernel32.GetThreadContext - optional: - - match: allocate RWX memory + - match: allocate or change RWX memory - match: write process memory - api: kernel32.SetThreadContext - match: resume thread diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml index a9276aa1f..d1ceb6b81 100644 --- a/host-interaction/process/inject/inject-dll.yml +++ b/host-interaction/process/inject/inject-dll.yml @@ -23,7 +23,7 @@ rule: - or: - match: open process - match: host-interaction/process/create - - match: allocate RW memory + - match: allocate or change RW memory - match: write process memory - and: - or: diff --git a/host-interaction/process/inject/inject-pe.yml b/host-interaction/process/inject/inject-pe.yml index 3ce5e81b2..333f831ed 100644 --- a/host-interaction/process/inject/inject-pe.yml +++ b/host-interaction/process/inject/inject-pe.yml @@ -19,7 +19,7 @@ rule: - or: - match: open process - match: host-interaction/process/create - - match: allocate RWX memory + - match: allocate or change RWX memory - basic block: - description: virtual address offset calculation - and: diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml index 97a66feb5..f6e25e16e 100644 --- a/host-interaction/process/inject/inject-thread.yml +++ b/host-interaction/process/inject/inject-thread.yml 
@@ -15,8 +15,8 @@ rule: features: - and: - or: - - match: allocate RWX memory - - match: allocate RW memory + - match: allocate or change RWX memory + - match: allocate or change RW memory - match: write process memory - match: create thread - optional: diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml index 6f8379bfe..063c5249e 100644 --- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml +++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml @@ -11,7 +11,7 @@ rule: - a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf:0x10001010 features: - and: - - match: allocate RWX memory + - match: allocate or change RWX memory - api: CreateEvent - api: CreateThreadpoolWait - api: SetThreadpoolWait diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml index a95f9d2dc..bd012419e 100644 --- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml +++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml @@ -23,7 +23,7 @@ rule: - 43db867967c71bd3aaba9a9a3084e7fa:0x140001000 features: - and: - - match: allocate RWX memory + - match: allocate or change RWX memory - or: - api: EnumDateFormats - api: GrayString diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml index 7524d1867..7ff68d7d2 100644 --- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml +++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml @@ -14,7 +14,7 @@ rule: - f03bdb9fa52f7b61ef03141fefff1498ad2612740b1fdbf6941f1c5af5eee70a:0x4026E0 features: - and: - - match: allocate RWX memory + - match: allocate or change RWX memory - api: ConvertThreadToFiber - api: CreateFiber - api: SwitchToFiber 
diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml index 7920143b6..3bdd878b3 100644 --- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml +++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml @@ -12,5 +12,5 @@ rule: - Practical Malware Analysis Lab 19-02.exe_:0x401230 features: - and: - - match: allocate RWX memory + - match: allocate or change RWX memory - match: create thread From 7ddf609ebc944832b6ecd6d8d3a0baab84af3e41 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 11 Oct 2023 11:33:20 +0200 Subject: [PATCH 4/6] update example --- lib/change-memory-protection.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml index 8def6a247..16139a27c 100644 --- a/lib/change-memory-protection.yml +++ b/lib/change-memory-protection.yml @@ -8,8 +8,7 @@ rule: mbc: - Memory::Change Memory Protection [C0008] examples: - # ntdll - - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA + - Practical Malware Analysis Lab 11-02.dll_:0x10001203 features: - or: - api: kernel32.VirtualProtect From 1be6720131a13a31a4fbe627763463597352fcf8 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 11 Oct 2023 11:54:50 +0200 Subject: [PATCH 5/6] add runtime resolved functions --- lib/allocate-memory.yml | 10 ++++++++++ lib/change-memory-protection.yml | 7 +++++++ 2 files changed, 17 insertions(+) diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index 2450fb887..03b7f3dee 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml 
@@ -19,3 +19,13 @@ rule: - api: ZwAllocateVirtualMemory - api: NtMapViewOfSection - api: ZwMapViewOfSection + - and: + - match: link function at runtime on Windows + - or: + - string: "VirtualAlloc" + - string: "VirtualAllocEx" + - string: "VirtualAllocExNuma" + - string: "NtAllocateVirtualMemory" + - string: "ZwAllocateVirtualMemory" + - string: "NtMapViewOfSection" + - string: "ZwMapViewOfSection" diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml index 16139a27c..05301e1ad 100644 --- a/lib/change-memory-protection.yml +++ b/lib/change-memory-protection.yml @@ -15,3 +15,10 @@ rule: - api: kernel32.VirtualProtectEx - api: NtProtectVirtualMemory - api: ZwProtectVirtualMemory + - and: + - match: link function at runtime on Windows + - or: + - string: "VirtualProtect" + - string: "VirtualProtectEx" + - string: "NtProtectVirtualMemory" + - string: "ZwProtectVirtualMemory" From b778d2529254de76f68813dd3676d4cf9fed311c Mon Sep 17 00:00:00 2001 From: Moritz Date: Wed, 11 Oct 2023 12:08:01 +0200 Subject: [PATCH 6/6] Update allocate-memory.yml --- lib/allocate-memory.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index 432b2b070..13c2dde10 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml @@ -3,6 +3,7 @@ rule: name: allocate memory authors: - 0x534a@mailbox.org + - "@mr-tz" lib: true scope: basic block mbc: @@ -29,4 +30,3 @@ rule: - string: "ZwAllocateVirtualMemory" - string: "NtMapViewOfSection" - string: "ZwMapViewOfSection" -
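Review bot: The new `and:` branch in lib/allocate-memory.yml requires the `link function at runtime on Windows` match and the API-name string to occur together, which the rule's `scope: basic block` (visible in the last patch's hunk) restricts to a single basic block, but nothing in the hunk says so and a reader may expect the rule to fire on any binary that merely contains the string. A comment above the branch, `# dynamically resolved import: the name string must be referenced in the same basic block as the resolver call`, would make the intent clear; the same applies to the matching branch added to lib/change-memory-protection.yml in this patch. The enclosing `or:` opens outside the hunk, and whether capa attributes a string reference to the referencing instruction's basic block is inferred from the scope rather than shown here, so it is worth confirming against the rule's example.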