Closed TheAwakener closed 1 month ago
@TheAwakener thanks for your contribution. I'll get back to your PR shortly.
@TheAwakener General question. If the scan is initiated on every RWX memory allocation event, what are the expected performance penalties? I imagine we could face a significant event rate and overwhelm the Yara scanner.
@rabbitstack RWX is a rare and suspicious event for memory allocations; for example, DLL images are loaded in a mapped RX region. If you allocate heap for file reading, its default permission is RW. If you want, we can make an additional check for unmapped regions with RWX.
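The gating logic described in the comment above, as an added example that is not part of the PR or the project's own code: a Yara scan is triggered only for allocations whose base protection is PAGE_EXECUTE_READWRITE and whose region is private (not an image or file mapping), so DLL loads (mapped RX) and heap (RW) never reach the scanner. The event struct, its field names and the sample event stream are constructed for illustration; the protection and region-type constants are the Win32 values.

```go
package main

import "fmt"

// Win32 page protection values (low byte of the protection word).
const (
	PAGE_READWRITE         = 0x04
	PAGE_EXECUTE_READ      = 0x20
	PAGE_EXECUTE_READWRITE = 0x40
	PAGE_GUARD             = 0x100 // modifier flag, lives above the low byte
)

// Win32 region types as reported for a memory region.
const (
	MEM_PRIVATE = 0x20000
	MEM_MAPPED  = 0x40000
	MEM_IMAGE   = 0x1000000
)

// AllocEvent is a constructed, simplified view of a memory allocation event.
type AllocEvent struct {
	PID        uint32
	Protection uint32 // page protection, possibly OR'ed with modifier flags
	RegionType uint32 // MEM_PRIVATE, MEM_MAPPED or MEM_IMAGE
	Size       uint64
}

// IsRWX reports whether the base protection (low byte, ignoring modifiers
// such as PAGE_GUARD) is PAGE_EXECUTE_READWRITE.
func IsRWX(protection uint32) bool {
	return protection&0xFF == PAGE_EXECUTE_READWRITE
}

// ShouldScan decides whether an allocation warrants a Yara scan: the region
// must be RWX and must be private memory. Image and file-mapped regions are
// excluded because loaded modules are mapped RX and are covered by on-disk scans.
func ShouldScan(ev AllocEvent) bool {
	if !IsRWX(ev.Protection) {
		return false
	}
	return ev.RegionType == MEM_PRIVATE
}

// CountScanTriggers runs the gate over an event stream and returns how many
// events would actually reach the scanner, which is the number that matters
// for the performance question raised in the thread.
func CountScanTriggers(events []AllocEvent) int {
	n := 0
	for _, ev := range events {
		if ShouldScan(ev) {
			n++
		}
	}
	return n
}

// SampleEvents is a constructed stream: heap, DLL load, two RWX private
// allocations (one guarded) and one RWX file mapping.
func SampleEvents() []AllocEvent {
	return []AllocEvent{
		{PID: 1234, Protection: PAGE_READWRITE, RegionType: MEM_PRIVATE, Size: 0x10000},
		{PID: 1234, Protection: PAGE_EXECUTE_READ, RegionType: MEM_IMAGE, Size: 0x80000},
		{PID: 1234, Protection: PAGE_EXECUTE_READWRITE, RegionType: MEM_PRIVATE, Size: 0x1000},
		{PID: 5678, Protection: PAGE_EXECUTE_READWRITE | PAGE_GUARD, RegionType: MEM_PRIVATE, Size: 0x2000},
		{PID: 5678, Protection: PAGE_EXECUTE_READWRITE, RegionType: MEM_MAPPED, Size: 0x4000},
	}
}

func main() {
	events := SampleEvents()
	fmt.Printf("%d of %d allocation events would trigger a Yara scan\n",
		CountScanTriggers(events), len(events))
}
```

The low-byte comparison matters: protection values such as PAGE_GUARD are OR'ed into the upper bits, so a plain equality check against 0x40 would miss a guarded RWX page, while a bitwise AND against 0x40 would also match unrelated values.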
@TheAwakener that sounds good to me. Please, take a look at the other comments. Once they are addressed, the PR should be good to merge.
Bonus request: if you could write a test to cover this new signal, that would be awesome.
@rabbitstack that would be great, although I'm new to contributions; can you please tell me where the other comments to be addressed are?
@TheAwakener Go to your PR and scroll down a bit in the Conversation tab. You'll see comments/suggestions I left on individual code lines. Fix them locally, then commit and push.
@rabbitstack ok, maybe I'm missing something but can't see comments on the code:
@TheAwakener take a look at the screenshot below. The conversation tab has a badge indicating the interactions on the PR. Lo
@rabbitstack I already added a commit with the test case for VirtualAlloc with RWX protection flags, although I haven't been able to see the review comments you mention, they simply do not appear in the comments flow:
@TheAwakener can you see the comments now?
@rabbitstack yeah, thank you
@rabbitstack new commit pushed with the requested changes
I think the test should be more realistic, involving VirtualAlloc followed by WriteProcessMemory planting a trivial payload to match the rule. But we can leave the improvement for later. I'll merge the PR once mandatory checks pass. Congrats for your first contribution 🎉
@rabbitstack thank you for allowing me to participate in this wonderful project
Adding a Yara scan trigger for PAGE_EXECUTE_READWRITE allocations, useful when the PE image does not contain malicious code, for example when shellcode is downloaded or decrypted after execution.