Merge branch 'master' of github.com:fireeye/capa-rules

.github/ISSUE_TEMPLATE/false_negative.md

@@ -0,0 +1,28 @@
+---
+name: False negative
+about: Report a sample that should have matched but didn't (false negative)
+title: "[RULE NAME]"
+labels: false negative
+
+---
+
+<!--
+
+Have you read capa's Code of Conduct? By filing an Issue, you are expected to comply with it, including treating everyone with respect: https://github.com/fireeye/capa/blob/master/CODE_OF_CONDUCT.md
+-->
+
+## Summary
+
+<!-- Rule name and one paragraph explanation of the false negative. -->
+
+## Examples
+
+<!-- If you can, please include a hash for the sample you'd expect capa to match. If you've reverse engineered the sample please also include offsets or any additional information. -->
+
+## Possible improvements
+
+<!-- How can the rule be improved? -->
+
+## Additional context
+
+<!-- Add any other context or screenshots about the false negative here. -->

README.md

@@ -1,7 +1,7 @@
 # capa rules
 
 [![Rule linter status](https://github.com/fireeye/capa-rules/workflows/CI/badge.svg)](https://github.com/fireeye/capa-rules/actions?query=workflow%3A%22CI%22)
-[![Number of rules](https://img.shields.io/badge/rules-303-blue.svg)](rules)
+[![Number of rules](https://img.shields.io/badge/rules-341-blue.svg)](rules)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
 
 This is the standard collection of rules for [capa](https://github.com/fireeye/capa) - the tool to automatically identify capabilities of programs.

anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: check for debugger via API
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp
+    examples:
+      - al-khaser_x86.exe_:0x420000
+  features:
+    - or:
+      - api: kernel32.CheckRemoteDebuggerPresent
+      - api: WUDFPlatform.WudfIsAnyDebuggerPresent
+      - api: WUDFPlatform.WudfIsKernelDebuggerPresent
+      - api: WUDFPlatform.WudfIsUserDebuggerPresent

anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: check for hardware breakpoints
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp
+    examples:
+      - al-khaser_x86.exe_:0x42035D
+  features:
+    - and:
+      - api: kernel32.GetThreadContext
+      - number: 0x10010 = CONTEXT_DEBUG_REGISTERS
+      - offset: 0x4 = DR0
+      - offset: 0x8 = DR1
+      - offset: 0xC = DR2
+      - offset: 0x10 = DR3
+      - count(mnemonic(cmp)): 4 or more

anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml

@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: check for kernel debugger via shared user data structure
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SharedUserData_KernelDebugger.cpp
+      - http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data.htm
+    examples:
+      - al-khaser_x86.exe_:0x430E60
+  features:
+    - and:
+      - number: 0x7FFE02D4 = UserSharedData->KdDebuggerEnabled
+      - basic block:
+        - and:
+          - mnemonic: and
+          - number: 0x2 = KdDebuggerNotPresent
+      - basic block:
+        - and:
+          - mnemonic: and
+          - number: 0x1 = KdDebuggerEnabled

anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml

@@ -12,5 +12,5 @@ rule:
       - Practical Malware Analysis Lab 16-01.exe_:0x403530
   features:
     - and:
-      - characteristic: peb access
+      - match: PEB access
       - offset: 2 = PEB.BeingDebugged

anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml

@@ -3,7 +3,7 @@ rule:
     name: check for PEB NtGlobalFlag flag
     namespace: anti-analysis/anti-debugging/debugger-detection
     author: [email protected]
-    scope: basic block
+    scope: function
     mbc:
       - Anti-Behavioral Analysis::Detect Debugger::Process Environment Block
     references:
@@ -13,10 +13,16 @@ rule:
       - Practical Malware Analysis Lab 16-01.exe_:0x403530
   features:
     - and:
-      - characteristic: peb access
-      - or:
-        # 32-bit
-        - offset: 0x68 = PEB.NtGlobalFlag
-        # 64-bit
-        - offset: 0xBC = PEB.NtGlobalFlag
+      - basic block:
+        - and:
+          - match: PEB access
+          - or:
+            - or:
+              - offset/x32: 0x68 = PEB.NtGlobalFlag
+              - offset/x64: 0xBC = PEB.NtGlobalFlag
+            - and:
+              - mnemonic: add
+              - or:
+                - number/x32: 0x68 = PEB.NtGlobalFlag
+                - number/x64: 0xBC = PEB.NtGlobalFlag
       - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: check for protected handle exception
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp
+    examples:
+      - al-khaser_x86.exe_:0x430D20
+  features:
+    - and:
+      - basic block:
+        - and:
+          - count(number(2)): 2 or more
+          - api: SetHandleInformation
+      - api: CloseHandle

anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: check for software breakpoints
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp
+    examples:
+      - al-khaser_x86.exe_:0x431020
+  features:
+    - and:
+      - basic block:
+        - and:
+          - mnemonic: cmp
+          - or:
+            - number: 0xCC
+            - and:
+              - number: 0xCD
+              - number: 0x3
+      - match: contain loop

anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml

@@ -0,0 +1,34 @@
+rule:
+  meta:
+    name: check for trap flag exception
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: basic block
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp
+    examples:
+      - al-khaser_x86.exe_:0x431680
+      - al-khaser_x64.exe_:0x140030CB0
+  features:
+    - and:
+      - or:
+        - and:
+          - mnemonic: pushf
+          - mnemonic: popf
+        - and:
+          - mnemonic: pushfd
+          - mnemonic: popfd
+        - and:
+          - mnemonic: pushfq
+          - mnemonic: popfq
+        description: read/write EFLAGS register
+      - or:
+        - and:
+          - mnemonic: or
+          - number: 0x100
+        - and:
+          - mnemonic: bts
+          - number: 0x8
+        description: set trap flag

anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: check for unexpected memory writes
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: basic block
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/WriteWatch.cpp
+    examples:
+      - al-khaser_x86.exe_:0x431EBC
+  features:
+    - and:
+      - api: kernel32.GetWriteWatch
+      - number: 0x0

anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: check process job object
+    namespace: anti-analysis/anti-debugging/debugger-detection
+    author: [email protected]
+    scope: function
+    mbc:
+      - Anti-Behavioral Analysis::Detect Debugger
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp
+    examples:
+      - al-khaser_x86.exe_:0x426730
+  features:
+    - and:
+      - match: contain loop
+      - basic block:
+        - and:
+          - api: kernel32.QueryInformationJobObject
+          - number: 0x3 = JobObjectBasicProcessIdList
+      - basic block:
+        - and:
+          - api: kernel32.OpenProcess
+          - number: 0x400 = PROCESS_QUERY_INFORMATION

anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml

@@ -4,13 +4,21 @@ rule:
     namespace: anti-analysis/anti-emulation/wine
     author: "@_re_fox"
     scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Wine.cpp
     examples:
       - ccbf7cba35bab56563c0fbe4237fdc41:0x40d750
   features:
-    - and:
-      - api: GetModuleHandle
-      - api: GetProcAddress
-      - string: wine_get_unix_file_name
+    - or:
+      - and:
+        - api: GetModuleHandle
+        - api: GetProcAddress
+        - string: wine_get_unix_file_name
+        - or:
+          - string: kernel32.dll
+          - string: ntdll.dll
       - or:
-        - string: kernel32.dll
-        - string: ntdll.dll
+        - string: /Wine/i
+        - string: /SOFTWARE\\Wine/i

anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: reference anti-VM strings targeting Parallels
+    namespace: anti-analysis/anti-vm/vm-detection
+    author: [email protected]
+    scope: file
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Parallels.cpp
+    examples:
+      - al-khaser_x86.exe_
+  features:
+    - or:
+      - string: /Parallels/i
+      - string: /prl_cc.exe/i
+      - string: /prl_tools.exe/i
+      - string: /prl hyperv/i

anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: reference anti-VM strings targeting Qemu
+    namespace: anti-analysis/anti-vm/vm-detection
+    author: [email protected]
+    scope: file
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    references:
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Qemu.cpp
+    examples:
+      - al-khaser_x86.exe_
+  features:
+    - or:
+      - string: /Qemu/i
+      - string: /qemu-ga.exe/i
+      - string: /BOCHS/i
+      - string: /BXPC/i