From 8ea09935a3ea7e15e2efa622c61dbfcf77c13a94 Mon Sep 17 00:00:00 2001
From: jtothej
Date: Fri, 17 May 2024 18:32:34 +0800
Subject: [PATCH 1/2] Update encrypt-data-using-dpapi.yml rule

---
 .../encryption/dpapi/encrypt-data-using-dpapi.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
index 637160e5..34870edc 100644
--- a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
+++ b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -22,3 +22,10 @@ rule:
 - api: crypt32.CryptUnprotectData
 - api: System.Security.Cryptography.ProtectedData::Unprotect
 - api: System.Security.Cryptography.ProtectedData::Protect
+ - api: SystemFunction040
+ - api: SystemFunction041
+ - and:
+ - match: link function at runtime on Windows
+ - or:
+ - string: "SystemFunction040"
+ - string: "SystemFunction041"

From eecaabe0bd038a029df4c3e65ccaabb502940206 Mon Sep 17 00:00:00 2001
From: jtothej
Date: Fri, 17 May 2024 21:34:59 +0800
Subject: [PATCH 2/2] Add comments in encrypt-data-using-dpapi.yml

---
 .../encryption/dpapi/encrypt-data-using-dpapi.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
index 34870edc..1c8bae60 100644
--- a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
+++ b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -27,5 +27,9 @@ rule:
 - and:
 - match: link function at runtime on Windows
 - or:
+ # RtlEncryptMemory is available as SystemFunction040 export in Advapi32.dll
+ # CryptProtectMemory is a wrapper function for SystemFunction040
 - string: "SystemFunction040"
+ # RtlDecryptMemory is available as SystemFunction041 export in Advapi32.dll
+ # CryptUnprotectMemory is a wrapper function for SystemFunction041
 - string: "SystemFunction041"
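Review bot: The two new `api:` entries are written bare (`api: SystemFunction040`) while the neighbouring entries are module-qualified (`api: crypt32.CryptUnprotectData`), and the names are opaque ordinal-style exports, so the first place a reader meets them carries no explanation. If the bare form is deliberate — presumably to match the import whichever DLL exports it — a comment on those two lines should say so and name the documented aliases, e.g. `# SystemFunction040/041: exported names of RtlEncryptMemory/RtlDecryptMemory (CryptProtectMemory/CryptUnprotectMemory)`. These calls are the in-memory variant of DPAPI: they protect a buffer within a process or logon-session scope rather than producing a persistent master-key-backed blob like CryptProtectData, and a match therefore means something different to an analyst triaging output; that distinction is worth stating in the rule's `meta` description, which lies outside the hunk. The `or:` list these features extend begins before the hunk.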
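Review bot: The explanatory comments are attached to the `string:` features of the runtime-linking branch, but the same two names first appear a few lines earlier as `api:` features (outside this hunk) and those stay unexplained; the comments would serve better at, or duplicated at, that first occurrence. The wording could also record why these exports differ from the rest of the rule for detection purposes: `# in-memory variant: the buffer is protected only within process/logon-session scope, not as a persistent DPAPI blob`. The enclosing `and:`/`or:` block begins before the hunk.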