read process memory

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: read process memory
    namespace: host-interaction/process
    authors:
      - matthew.williams@mandiant.com
      - "@_re_fox"
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
  features:
    - and:
      - api: kernel32.ReadProcessMemory
      - api: kernel32.Toolhelp32ReadProcessMemory
      - optional:
        - or:
          - api: kernel32.OpenProcess
          - api: kernel32.VirtualQueryEx
          - api: psapi.QueryWorkingSet

last edited: 2023-11-24 10:34:28