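# capa library rule: flags code that changes the protection of a memory region.
# Matches either a direct call to one of the protection-changing APIs, or a
# string reference to one of them in code that also resolves imports at runtime
# (the usual pattern when the import is hidden from the static import table).
rule:
  meta:
    name: change memory protection
    authors:
      - "@mr-tz"
    # library rule: referenced by other rules via `match:` rather than reported on its own
    lib: true
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Memory::Change Memory Protection [C0008]
    examples:
      - Practical Malware Analysis Lab 11-02.dll_:0x10001203
  features:
    - or:
      # direct API usage: Win32 wrappers and the underlying native syscall stubs
      - api: kernel32.VirtualProtect
      - api: kernel32.VirtualProtectEx
      - api: NtProtectVirtualMemory
      - api: ZwProtectVirtualMemory
      # indirect usage: API name present as a string alongside runtime import resolution
      - and:
        - match: link function at runtime on Windows
        - or:
          - string: "VirtualProtect"
          - string: "VirtualProtectEx"
          - string: "NtProtectVirtualMemory"
          - string: "ZwProtectVirtualMemory"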