block operations on executable memory pages using Arbitrary Code Guard

rule:
  meta:
    name: block operations on executable memory pages using Arbitrary Code Guard
    namespace: anti-analysis/anti-av
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    mbc:
      - Defense Evasion::Disable or Evade Security Tools::Modify Policy [F0004.005]
    references:
      - https://blog.xpnsec.com/protecting-your-malware/
      - https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
    examples:
      - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
  features:
    - and:
      - api: SetProcessMitigationPolicy
      - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
      - number: 1 = ProhibitDynamicCode
      - or:
        - number: 8 = ProcessDynamicCodePolicy
        - offset: 4