allocate or change RW memory

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: allocate or change RW memory
    authors:
      - 0x534a@mailbox.org
      - "@mr-tz"
    lib: true
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Memory::Allocate Memory [C0007]
    examples:
      - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D
  features:
    - and:
      - or:
        - match: allocate memory
        - match: change memory protection
      - or:
        - number: 0x4 = PAGE_READWRITE
        # lea     r9d, [rcx+4]  ; flProtect
        # call    cs:VirtualAlloc
        - instruction:
          - mnemonic: lea
          - offset: 0x4 = PAGE_READWRITE

last edited: 2023-12-11 16:06:39