Mike Hunhoff
inflate: https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/inflate.c#L622
deflate: https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/deflate.c#L763
see source: https://github.com/madler/zlib/blob/master/contrib/masmx86/inffas32.asm

I've seen this code used in shellcode; we can hit on the hard-coded strings or the assembly itself.

strings:
- `Fast decoding Code from Chris Anderson`
- ...
check performed [here](https://github.com/mdsecactivebreach/SharpShooter/blob/9aea0b7a723b61c01c21f1e4b55409edf39a5a3b/CSharpShooterStageless/CheckPlease.cs#L77). we might already cover these but let's double-check.
`CryptAcquireContext` + `0x8` (`CRYPT_NEWKEYSET`)

From Microsoft:

> Creates a new key container with the name specified by pszContainer. If pszContainer is NULL, a key container with the default name is...
https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063
https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp
https://github.com/fireeye/capa-rules/blob/7b77a66e97e780a5fa41f9cef2afabf0a9dd6200/nursery/compiled-with-nim.yml#L1-L16

suggestions: @williballenthin
> 5464d5b534614b03032f9b0a9c9e6e0e on VT might be an easy example?
We recently added: https://github.com/fireeye/capa-rules/blob/3b4377aabb0734966b720088db89f002681558d7/lib/create-or-open-file.yml#L1-L18

Let's update the rule collection where possible to use the above `lib` rule.
We no longer filter library rules when rendering vverbose. This can be problematic because some library rules can have many matches, polluting the output and in some cases making it...