rule:
meta:
name: open process
authors:
- 0x534a@mailbox.org
lib: true
scopes:
static: basic block
dynamic: call
mbc:
- Process::Open Process [C0065]
examples:
- Practical Malware Analysis Lab 17-02.dll_:0x1000D10D
features:
- or:
- api: kernel32.OpenProcess
- api: NtOpenProcess
- api: ZwOpenProcess
last edited: 2023-11-24 10:35:00