mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Idea of rule modification: generate-random-numbers-via-rtlgenrandom #827

Closed richardweiss80 closed 1 year ago

richardweiss80 commented 1 year ago

https://github.com/mandiant/capa-rules/blame/b9c2bc120e21154fd7e3e1d8b7150f8de92b1a50/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml

Dear Willi,

fantastic rule; thank you for the inspiration. What do you think about these changes?

  1. Adding a reference. e.g.:
  2. Adding comment to the examples if detected by api or string
  3. changing of:
    • string: "advapi32.dll" to string: /advapi32/i: .dll is not needed and could be appended by the OS, and the string as argument is used in a case-insensitive way
    • deletion of line 21: it is covered by the regex string

It is only an idea and I hope you like it. :)

Kind regards, Richard
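To make the case for the regex change concrete, here is an added example (not code from the issue or from the capa project) that evaluates capa-style `string:` feature values against constructed sample strings. It assumes capa's syntax for such values: a plain value matches the string literally, while `/pattern/` is a regular expression and a trailing `i` makes it case-insensitive; the matcher itself is a simplified re-implementation of that syntax, not capa's own engine.

```python
import re
from typing import Callable, List

# Constructed sample strings of the kind a binary might carry: an import
# table entry, a LoadLibrary argument without the ".dll" suffix, and a
# mixed-case full path. Illustrative only, not taken from any sample.
SAMPLE_STRINGS = [
    "advapi32.dll",
    "ADVAPI32.DLL",
    "advapi32",
    "C:\\Windows\\System32\\Advapi32.dll",
    "kernel32.dll",
]


def compile_string_feature(feature: str) -> Callable[[str], bool]:
    """Build a matcher for a capa-style `string:` feature value.

    A plain value (e.g. advapi32.dll) must equal the whole string; a value
    written /pattern/ is a regex, and /pattern/i is matched case-insensitively.
    Simplified re-implementation of the syntax, not capa's own code.
    """
    m = re.fullmatch(r"/(.*)/(i?)", feature, re.DOTALL)
    if m is None:
        return lambda s: s == feature
    pattern, flags = m.group(1), m.group(2)
    compiled = re.compile(pattern, re.IGNORECASE if flags == "i" else 0)
    return lambda s: compiled.search(s) is not None


def matches(feature: str, candidates: List[str]) -> List[str]:
    """Return the candidate strings the feature value would match."""
    matcher = compile_string_feature(feature)
    return [s for s in candidates if matcher(s)]


if __name__ == "__main__":
    # The literal form only hits the exact lowercase name with extension;
    # the case-insensitive regex also covers the import-table spelling,
    # the extension-less LoadLibrary argument and the mixed-case path.
    for feature in ("advapi32.dll", "/advapi32/", "/advapi32/i"):
        print(f"{feature:14} -> {matches(feature, SAMPLE_STRINGS)}")
```

Running it shows why the literal form misses strings the regex with `/i` catches, while neither form touches the unrelated `kernel32.dll` entry.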