From c48da1f2c08fc4acfd3cd4e7d3375ce225591a83 Mon Sep 17 00:00:00 2001
From: Colin Grady
Date: Thu, 20 Oct 2016 16:20:57 -0600
Subject: [PATCH] Add VirtualAllocEx and RtlMoveMemory to SUSPICIOUS_KEYWORDS (memory manipulation)

---
 oletools/olevba.py | 2 ++
 oletools/olevba3.py | 2 ++
 2 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index edabb97..b0da3c7 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -599,6 +599,8 @@ SUSPICIOUS_KEYWORDS = {
 'May detect WinJail Sandbox':
 # ref: http://www.cplusplus.com/forum/windows/96874/
 ('Afx:400000:0',),
+ 'Memory manipulation':
+ ('VirtualAllocEx', 'RtlMoveMemory'),
 }

 # Regular Expression for a URL:
diff --git a/oletools/olevba3.py b/oletools/olevba3.py
index b122399..348b80d 100755
--- a/oletools/olevba3.py
+++ b/oletools/olevba3.py
@@ -570,6 +570,8 @@ SUSPICIOUS_KEYWORDS = {
 'May detect WinJail Sandbox':
 # ref: http://www.cplusplus.com/forum/windows/96874/
 ('Afx:400000:0',),
+ 'Memory manipulation':
+ ('VirtualAllocEx', 'RtlMoveMemory'),
 }

 # Regular Expression for a URL:
-- 
libgit2 0.21.4
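Review bot: The new key `'Memory manipulation'` (added identically in the olevba.py and olevba3.py hunks) breaks the naming convention of the surrounding SUSPICIOUS_KEYWORDS entries, which phrase each description as a capability the macro "May" have (the adjacent `'May detect WinJail Sandbox'`), and that string presumably surfaces verbatim as the description in olevba's findings output. A wording such as `'May manipulate process memory (possible shellcode loading)':` keeps the report consistent and tells the analyst why the match matters rather than just what it is. If the existing `'May inject code into another process'` entry earlier in the dict (outside the hunk) already lists either `VirtualAllocEx` or `RtlMoveMemory`, the same macro code would be reported twice under two descriptions; in that case extending that entry's tuple is preferable to a new key. The neighbouring entry documents its keyword with a `# ref:` comment, so a one-line comment such as `# ref: both APIs are typically reached via Declare'd Win32 imports in shellcode-loading macros` above the new tuple would match the file's style and help future maintainers judge the keyword's false-positive rate.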