mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Create new rule with LoadLibrary, etc. APIs #909

Open mr-tz opened 2 months ago

mr-tz commented 2 months ago
I'd say it's fine to remove the optional block, how about we create a new rule with the LoadLibrary APIs (not sure if that's just noisy or helpful).

_Originally posted by @mr-tz in https://github.com/mandiant/capa-rules/pull/908#discussion_r1629084813_

Removed rule features:

```yaml
- optional:
  - characteristic: indirect call
  - api: kernel32.LoadLibrary
  - api: kernel32.GetModuleHandle
  - api: kernel32.GetModuleHandleEx
  - api: ntdll.LdrLoadDll
```