flare-floss icon indicating copy to clipboard operation
flare-floss copied to clipboard

Published 20 hours ago verified publisher icon mandiant

Heuristic to identify calls to LoadLibrary and GetProcAddress

Open mr-tz opened this issue 8 years ago • 1 comments

Might be a good way to catch more (inlined) decoding routines. Sample: 02b2d905a72c4bb2abfc278b8ca7f722.

mr-tz avatar Nov 14 '16 13:11 mr-tz

capa has an implementation here: https://github.com/fireeye/capa/blob/master/capa/features/extractors/viv/indirect_calls.py

williballenthin avatar Jul 21 '21 14:07 williballenthin