mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Create self-delete-using-alternate-data-streams.yml #895

Closed dstepanic closed 3 months ago

dstepanic commented 4 months ago

Reference: #894
Test data: https://github.com/mandiant/capa-testfiles/pull/231

Adding a capa rule for a self-deletion technique. I tried to capture the main behaviors in the rule across two implementations. I am open to suggestions or improvements to the rule. Thanks in advance!

dstepanic commented 4 months ago

> nice, this may be a bit detailed and specific to the example compilation. can we relax the counts and instructions or do you think those are already focused on the core?

It's a good question; I would lean towards those being part of the core. FWIW, the rule also triggers on the x86/x64 PoC compiled versions. I am happy to adjust it though; I was mainly trying to make sure it wouldn't generate FPs as well.

mr-tz commented 4 months ago

Gotcha, it's definitely better to avoid FPs.

mr-tz commented 3 months ago

What do you think of this simplification?

```yaml
  features:
    - and:
      - count(api(kernel32.SetFileInformationByHandle)): 2
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - optional:
            - number: 3 = FileRenameInfo
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - number: 4 = FileDispositionInfo
          - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
      - and:
        - count(api(kernel32.CreateFile)): 2
        - number: 0x10000 = DELETE
```

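
To see what the `basic block` scoping and the `count(...)` features in the simplified rule actually buy against false positives, here is an added example (my own code, not code from this PR or from capa itself) that evaluates the rule against constructed per-function feature sets. It models only the feature types the rule uses (`api`, `number`, `count(api(...))`, `basic block`, `optional`, `and`), mimics capa's matching of `kernel32.CreateFileW` as `kernel32.CreateFile` by stripping the A/W suffix, and the three sample functions are constructed by hand rather than extracted from a real binary.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not capa's engine: a minimal model of the features used in the
# simplified rule. Every input below is constructed to stand in for capa's
# extraction; a "function" is just a list of BasicBlock records.

FileRenameInfo, FileDispositionInfo, DELETE = 3, 4, 0x10000


@dataclass
class BasicBlock:
    apis: list      # imported API symbols called in this block
    numbers: list   # immediate constants seen in this block


def api_names(raw):
    """Names a rule can match for one import: the raw symbol and, for ANSI/wide
    variants, the suffix-stripped form (so CreateFileW also matches CreateFile).
    Simplification of capa's symbol generation; module-less forms are omitted."""
    yield raw
    if raw[-1] in "AW":
        yield raw[:-1]


def block_features(block):
    apis = Counter(n for a in block.apis for n in api_names(a))
    return apis, Counter(block.numbers)


def function_features(fn):
    apis, numbers = Counter(), Counter()
    for b in fn:
        a, n = block_features(b)
        apis += a
        numbers += n
    return apis, numbers


def evaluate(node, fn, block=None):
    """Evaluate a rule node at function scope (block is None) or at the scope of
    one basic block. count(api(x)): N with a bare integer means exactly N."""
    apis, numbers = function_features(fn) if block is None else block_features(block)
    kind = node[0]
    if kind == "and":
        return all(evaluate(child, fn, block) for child in node[1])
    if kind == "optional":
        return True  # never fails the match; it only records the feature when present
    if kind == "api":
        return apis[node[1]] > 0
    if kind == "number":
        return numbers[node[1]] > 0
    if kind == "count_api":
        return apis[node[1]] == node[2]
    if kind == "basic block":
        # true if ANY single basic block of the function satisfies the child on its own
        return any(evaluate(node[1], fn, b) for b in fn)
    raise ValueError(kind)


def match(rule, fn):
    return evaluate(rule, fn)


def without_block_scope(node):
    """The same rule with every 'basic block' statement hoisted to function scope,
    to show what the scoping contributes."""
    if node[0] == "basic block":
        return without_block_scope(node[1])
    if node[0] == "and":
        return ("and", [without_block_scope(c) for c in node[1]])
    if node[0] == "optional":
        return ("optional", without_block_scope(node[1]))
    return node


# The simplified rule from the comment above, as a tree.
SIMPLIFIED_RULE = ("and", [
    ("count_api", "kernel32.SetFileInformationByHandle", 2),
    ("basic block", ("and", [
        ("api", "kernel32.SetFileInformationByHandle"),
        ("optional", ("number", FileRenameInfo)),
    ])),
    ("basic block", ("and", [
        ("api", "kernel32.SetFileInformationByHandle"),
        ("number", FileDispositionInfo),
        ("number", 1),  # fDelete.DeleteFile = TRUE
    ])),
    ("and", [("count_api", "kernel32.CreateFile", 2), ("number", DELETE)]),
])

# Constructed feature sets (not real capa output).
# 1. Self-delete: open self with DELETE, rename the primary data stream into an
#    ADS, reopen with DELETE, then mark the file for deletion on close.
SELF_DELETE = [
    BasicBlock(["kernel32.GetModuleFileNameW", "kernel32.CreateFileW"], [0x104, DELETE, 3]),
    BasicBlock(["kernel32.SetFileInformationByHandle", "kernel32.CloseHandle"], [FileRenameInfo]),
    BasicBlock(["kernel32.CreateFileW"], [DELETE, 3]),
    BasicBlock(["kernel32.SetFileInformationByHandle", "kernel32.CloseHandle"], [FileDispositionInfo, 1]),
]
# 2. Benign: a single SetFileInformationByHandle call (FileBasicInfo = 0), no DELETE access.
BENIGN = [
    BasicBlock(["kernel32.CreateFileW"], [0x40000000, 3]),
    BasicBlock(["kernel32.SetFileInformationByHandle", "kernel32.CloseHandle"], [0, 1]),
]
# 3. Every constant the rule wants occurs somewhere in the function, but
#    FileDispositionInfo and TRUE never sit in the same block as the call.
SPLIT = [
    BasicBlock(["kernel32.CreateFileW"], [DELETE, 3]),
    BasicBlock(["kernel32.SetFileInformationByHandle"], [FileDispositionInfo, 0]),
    BasicBlock(["kernel32.CreateFileW"], [DELETE, 1]),
    BasicBlock(["kernel32.SetFileInformationByHandle"], [FileRenameInfo]),
]

if __name__ == "__main__":
    for name, fn in [("self-delete", SELF_DELETE), ("benign", BENIGN), ("split", SPLIT)]:
        print(name, match(SIMPLIFIED_RULE, fn),
              "| without block scope:", match(without_block_scope(SIMPLIFIED_RULE), fn))
```

Running it shows the rule firing on the self-delete pattern, rejecting the function with only one SetFileInformationByHandle call, and rejecting the function that has every required constant but not FileDispositionInfo and TRUE in the same basic block as the call; hoisting the `basic block` statements to function scope (`without_block_scope`) makes that last case match, which is the kind of false positive the scoping avoids.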
dstepanic commented 3 months ago

> What do you think of this simplification?

Yeah, that's much better and cleaner. Thanks for the recommendation, I will adjust and send it back. Thanks!

williballenthin commented 3 months ago

thanks @dstepanic!