map section object

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: map section object
    namespace: host-interaction/process
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0
  features:
    - and:
      - os: windows
      - or:
        - api: NtMapViewOfSection
        - api: ZwMapViewOfSection
      - optional:
        - api: NtUnmapViewOfSection
        - api: ZwUnmapViewOfSection
        - match: create or open section object

last edited: 2025-01-29 09:27:13