Add check-for-av-emulation-using-virtualallocexnuma.yml

mandiant · Aug 8, 2023 · 28c0331 · 28c0331
1 parent 149cf2d
commit 28c0331
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/anti-analysis/anti-av/check-for-av-emulation-using-virtualallocexnuma.yml b/anti-analysis/anti-av/check-for-av-emulation-using-virtualallocexnuma.yml
@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: check for AV emulation using VirtualAllocExNuma
+    namespace: anti-analysis/anti-av
+    authors:
+      - [email protected]
+    scope: basic block
+    mbc:
+      - Anti-Behavioral Analysis::Emulator Evasion [B0005]
+    references:
+      - https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html
+    examples:
+      - 23604a06b0720a430f8d6f6b14b589d850e4cfd291a47f22f199324f21169c1a:0x10084520
+  features:
+    - and:
+      - api: kernel32.VirtualAllocExNuma
+      - api: kernel32.GetCurrentProcess