bunch of FN in our current rules

[williballenthin]

• [ ] free user process memory
• [x] read data from Internet
• [x] copy file
• [x] crypto
• [x] allocate user process RWX memory https://github.com/vivisect/vivisect/issues/296
• [x] modify service
• [x] get MAC address
• [x] reference processor manufacturer constants
• [x] set global application hook
• [x] enumerate services
• [x] start TCP server
• [ ] get Program Files directory https://github.com/vivisect/vivisect/issues/297
• [ ] delay execution
• [ ] get session integrity level
• [ ] reference anti-VM strings
• [ ] check for unmoving mouse cursor
• [ ] get Program Files directory

[williballenthin]

@mike-hunhoff "free user process memory" 493167E85E45363D09495D0841C30648:0x404B00 missing API ZwFreeVirtualMemory

[williballenthin]

delete "crypto" with preference to match: data-manipulation/encryption

[williballenthin]

"allocate user process RWX memory" works in IDA, not in viv.

IDA decodes instruction at 0x00404bb6 as push 0xFFFFFFFF:

but viv only sees a one byte push:

opcode bytes: 6A FF

.text:00404BB6 6A FF                   push    0FFFFFFFFh

this is a bug in vivisect. need to pull the latest master there and report a bug upstream if its still a problem.

[williballenthin]

"get mac address" viv doesn't recognize the function

also this is apparently an installer, so capa is hesitant to run.

[williballenthin]

"reference processor manufacturer constants" uses example thats shellcode that doesn't start at offset 0x0

[williballenthin]

"set global application hook" viv doesn't recognize function

[williballenthin]

"get Program Files directory" viv doesn't support delayed imports. https://github.com/vivisect/vivisect/issues/297

[mr-tz]

I've double checked the above and fixed one example address in #815.