
hijack KernelCallBack table

Status: Open. mike-hunhoff opened this issue 3 years ago • 2 comments

reference/example: https://github.com/ORCA666/KCTHIJACK or https://gitlab.com/ORCA000/kcthijack

mike-hunhoff, Feb 01 '22 13:02

Dear mentors, I came across this issue and I would like to work on it. I would appreciate your guidance as I work on this issue. Let me know if you have any suggestions or guidance on how I can get started. Can you assign me with more details?

EmperialX, Mar 30 '23 18:03

This issue is about adding a rule to detect the technique referenced in the linked GitHub/GitLab project to hijack the KernelCallbackTable. If you're not sure what this means, then I think it's reasonable to either 1) look at other PRs that add rules to learn how to do this, or 2) find another issue that is more aligned with your skills and experiences. Please also review the documentation and examples of capa so you're familiar with the terms and technologies. We're happy to help with specific questions, especially when you can share what you've already tried.

williballenthin, Mar 31 '23 08:03
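As an illustration of the kind of rule the issue asks for, here is an added example capa rule for detecting KernelCallbackTable hijacking. It is not a rule from the capa-rules repository and not code from the linked project; the namespace, author, PEB offsets, API selection and the ATT&CK mapping are this editor's assumptions about how the technique shows up in a binary (locate the target's PEB, read and overwrite a KernelCallbackTable entry, then trigger it with a window message), and the `examples` hash is a placeholder, not a real sample.

```yaml
rule:
  meta:
    name: hijack KernelCallbackTable
    # assumed namespace; pick one that matches the repository's existing layout
    namespace: defense-evasion/hijack-execution-flow
    authors:
      - example author (hypothetical, replace with the contributor's handle)
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Hijack Execution Flow::KernelCallbackTable [T1574.013]
    references:
      - https://github.com/ORCA666/KCTHIJACK
    examples:
      - <sha256 of a sample exhibiting the technique, placeholder>
  features:
    - and:
      # step 1: locate the target process's PEB via ProcessBasicInformation
      - api: NtQueryInformationProcess
      # step 2: the KernelCallbackTable pointer is read from a fixed PEB offset
      # (assumed: 0x58 on x64, 0x2C on x86)
      - or:
        - offset: 0x58 = PEB.KernelCallbackTable (x64)
        - offset: 0x2C = PEB.KernelCallbackTable (x86)
      - api: ReadProcessMemory
      # step 3: a table entry is replaced in the remote process
      - api: WriteProcessMemory
      - optional:
        - api: VirtualProtectEx
      # step 4: the hijacked callback is triggered through a window message
      - or:
        - api: SendMessageA
        - api: SendMessageW
      - number: 0x4A = WM_COPYDATA
```

Before submitting a rule like this, run it against a sample that actually performs the technique (`capa -r <path-to-rule-dir> <sample>`) and against benign programs that merely use `WriteProcessMemory` or `SendMessage`, so the `and:` block stays specific enough to avoid false positives; the `offset:` features are what tie the generic process-manipulation APIs to this particular PEB structure, so drop them only if you have confirmed the offsets against the targeted Windows versions.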