capa
Feature request: loop scope
Introducing a new loop scope could be useful in some rules. For example:
```yaml
rule:
  meta:
    name: enumerate PE sections
    namespace: load-code/pe
    author: "@Ana06"
    scope: function
    references:
      - https://0x00sec.org/t/reflective-dll-injection/3080
      - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
    examples:
      - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
  features:
    - and:
      - offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
      - basic block:
        - or:
          - and:
            - description: IMAGE_FIRST_SECTION(nt_header)
            - offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
            - offset: 0x18 = FileHeader.SizeOfOptionalHeader
          - and:
            - description: (DWORD)dll_raw + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i
            - number: 0x28 = sizeof(IMAGE_SECTION_HEADER)
            - or:
              - offset/x32: 0xF8 = sizeof(IMAGE_NT_HEADERS32)
              - offset/x64: 0x108 = sizeof(IMAGE_NT_HEADERS64)
      - loop:
        - and:
          - offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress
          - offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData
          - offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData
```
From https://github.com/fireeye/capa-rules/pull/308#discussion_r600715392
this seems useful.
it may take a bit of work to enable this without affecting performance too much. but perhaps performance tuning is needed anyways.
i wonder if there are any edge cases with a crazy number of loops that we'd need to handle. and how does the following behave? can it be done efficiently?
```yaml
loop:
  and:
    loop:
      offset: 10
```
@williballenthin
```yaml
loop:
  and:
    loop:
      offset: 10
```
I understand this as a loop which contains the offset 10. Something like this would for example match:
```c
while(condition){
    var += 10
}
```
Do you mean that this may be too common and match too often or do we understand different things? 🤔
I think Willi's referring to nested loops like
```c
while(condition1) {
    while(condition2){
        var += 10
    }
}
```
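To make the nested-loop question in this thread concrete, here is an added toy evaluator for the proposed `loop` scope; it is example code written for this discussion, not capa's implementation. Loops are natural loops found from dominators and back edges, and a `loop` node that sits under another `loop` must bind to a loop strictly nested inside the outer one (so `loop: and: loop: offset: 10` needs two loops, not one). The CFG, the feature strings and the dict encoding of rules are constructed for the example.

```python
def dominators(cfg, entry):
    """Iterative dominator sets, dom[n] = blocks dominating n (assumes all blocks reachable)."""
    preds = {n: [p for p in cfg if n in cfg[p]] for n in cfg}
    dom = {n: set(cfg) if n != entry else {entry} for n in cfg}
    changed = True
    while changed:
        changed = False
        for n in preds:
            if n == entry:
                continue
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def natural_loops(cfg, entry):
    """(header, body) for every back edge u->h where h dominates u."""
    dom, loops = dominators(cfg, entry), []
    for u in cfg:
        for h in cfg[u]:
            if h in dom[u]:                          # back edge
                body, stack = {h}, [u]               # walk predecessors back to the header
                while stack:
                    n = stack.pop()
                    if n not in body:
                        body.add(n)
                        stack.extend(p for p in cfg if n in cfg[p])
                loops.append((h, frozenset(body)))
    return loops

def match(node, feats, loops, scope, header=None):
    """Evaluate a rule node within `scope`; leaf strings are features, dicts are and/or/loop."""
    if isinstance(node, str):
        return any(node in feats[b] for b in scope)
    (op, child), = node.items()
    if op in ("and", "or"):
        return (all if op == "and" else any)(match(c, feats, loops, scope, header) for c in child)
    if op == "loop":  # a loop inside the current scope; under a loop, a strictly nested one
        return any(match(child, feats, loops, body, h)
                   for h, body in loops if h != header and body <= scope)
    raise ValueError(f"unknown operator: {op}")

def evaluate(rule, cfg, feats, entry):
    """Match a rule at function scope (every block), like capa's `scope: function`."""
    return match(rule, feats, natural_loops(cfg, entry), frozenset(cfg))

# Constructed CFG (not from a real sample): inner loop B<->C nested inside outer loop A->B->C->A.
CFG = {"entry": {"A"}, "A": {"B", "X"}, "B": {"C", "A"}, "C": {"B"}, "X": set()}
FEATS = {"entry": set(), "A": set(), "B": set(), "C": {"offset: 10"}, "X": set()}
NESTED = {"loop": {"and": [{"loop": "offset: 10"}]}}  # Willi's `loop: and: loop: offset: 10`
```

With a CFG that has only a single self-loop carrying `offset: 10`, `NESTED` does not match while the plain `{"loop": "offset: 10"}` does, which is the distinction drawn above.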