feat(rules): detect ReadDirectoryChanges shellcode via callback and APC (#1095) #1143
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
| mbc: | ||
| - Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls [F0015.006] | ||
| references: | ||
| - https://github.com/mandiant/capa-rules/issues/1095 |
| - https://github.com/mandiant/capa-rules/issues/1095 |
| - api: ReadDirectoryChangesW | ||
| - api: ReadDirectoryChangesA | ||
| - api: ReadDirectoryChangesExW | ||
| - api: ReadDirectoryChangesExA |
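Review bot: the four `api:` entries here spell out the A and W suffix variants of each function separately; the review comment on this block says capa has its own handling for A/W variants, so check the rule documentation and, if capa derives both variants from the suffix-free name, collapse these to two entries, `api: ReadDirectoryChanges` and `api: ReadDirectoryChangesEx`, which is also the change the reviewer asks for.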
Please review the rule documentation to understand how capa handles APIs with A/W variants and update accordingly.
| - api: ReadDirectoryChangesA | ||
| - api: ReadDirectoryChangesW | ||
| - api: ReadDirectoryChangesExA | ||
| - api: ReadDirectoryChangesExW |
Please review the rule documentation to understand how capa handles APIs with A/W variants and update accordingly.
@sherkhanz lints are failing. Please ensure all lints and tests pass locally before requesting another review.
Actually, this is a dup of #1140
Thanks for the review and for pointing this out. Understood on the A/W handling, lint requirements, and the duplicate with #1140. I'll review the rule documentation more carefully and use this in my next contribution.
This PR resolves #1095.

References:
- Rule validation against the standalone YAML file
- Validation within the full ruleset context

Fixes #1095