mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
531 stars, 160 forks

Fix the dynamic flavor scope for allocate-or-change-rw-memory.yml #860

Closed yelhamer closed 10 months ago

yelhamer commented 10 months ago

As mentioned by @mike-hunhoff, the rule in its current format can match if the number: 0x4 = PAGE_READWRITE feature is present in another call in the same thread. Setting the rule's dynamic scope to call helps prevent this.

yelhamer commented 10 months ago

I've fixed two additional rules (allocate-memory.yml and change-memory-protection.yml) that were previously matching at thread level.
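The scope problem discussed above, as an added toy model that is not capa's code and not the rule itself: under dynamic scope thread the features of every call in the thread are pooled before the rule is evaluated, while under dynamic scope call the rule is evaluated against one call at a time. The rule logic, API set and trace below are constructed simplifications of what the PR describes.

```python
# Added example (not capa's own code): toy model of capa's dynamic scopes.
from dataclasses import dataclass


@dataclass
class Call:
    api: str
    args: tuple


# Constructed trace for one thread: VirtualAlloc requesting RWX memory
# (0x40 = PAGE_EXECUTE_READWRITE), followed by an unrelated WriteFile
# whose byte-count argument happens to be 4.
THREAD = [
    Call("VirtualAlloc", (0, 0x1000, 0x3000, 0x40)),
    Call("WriteFile", (0x1C, 0xDEAD, 0x4, 0, 0)),
]

# Constructed trace that really does allocate RW memory (0x4 = PAGE_READWRITE).
THREAD_RW = [Call("VirtualAlloc", (0, 0x1000, 0x3000, 0x4))]

# Simplified stand-in for the rule: an allocation/protection API together
# with the number 0x4 (assumption: the real rule lists more APIs).
RULE_APIS = {"VirtualAlloc", "VirtualProtect"}
PAGE_READWRITE = 0x4


def call_features(call):
    """Features extracted from one call: its API name and its numeric arguments."""
    return {("api", call.api)} | {("number", a) for a in call.args}


def rule_matches(features):
    has_api = any(("api", a) in features for a in RULE_APIS)
    return has_api and ("number", PAGE_READWRITE) in features


def match_thread_scope(calls):
    """dynamic: thread -- features of all calls are pooled, so the API from one
    call and the 0x4 from another call combine into a false positive."""
    pooled = set().union(*(call_features(c) for c in calls))
    return rule_matches(pooled)


def match_call_scope(calls):
    """dynamic: call -- each call is evaluated alone; returns indices that match."""
    return [i for i, c in enumerate(calls) if rule_matches(call_features(c))]
```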