allocate or change RWX memory

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: allocate or change RWX memory
    namespace: host-interaction/process/inject
    authors:
      - "@mr-tz"
    scopes:
      static: basic block
      dynamic: thread
    mbc:
      - Memory::Allocate Memory [C0007]
    examples:
      - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
      # ntdll
      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
  features:
    - and:
      - or:
        - match: allocate memory
        - match: change memory protection
      - or:
        - number: 0x40 = PAGE_EXECUTE_READWRITE
        # lea     r9d, [rcx+40h]  ; flProtect
        # call    cs:VirtualAlloc
        - instruction:
          - mnemonic: lea
          - offset: 0x40 = PAGE_EXECUTE_READWRITE

last edited: 2023-11-24 10:35:03