Commit c48da1f2c08fc4acfd3cd4e7d3375ce225591a83
1 parent
0d451876
Add VirtualAllocEx and RtlMoveMemory to SUSPICIOUS_KEYWORDS (memory manipulation)
Showing
2 changed files
with
4 additions
and
0 deletions
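--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -599,6 +599,8 @@ SUSPICIOUS_KEYWORDS = {
 'May detect WinJail Sandbox':
 # ref: http://www.cplusplus.com/forum/windows/96874/
 ('Afx:400000:0',),
+'Memory manipulation':
+('VirtualAllocEx', 'RtlMoveMemory'),
 }
 
 # Regular Expression for a URL: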
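Review bot: The new 'Memory manipulation' entry has no `# ref:` comment, unlike the neighbouring 'May detect WinJail Sandbox' entry, so a maintainer cannot tell why these two API names were chosen or what they indicate together. I would add one line above the tuple, e.g. `# ref: VirtualAllocEx allocates memory in a process and RtlMoveMemory copies data into it - a pair that signals in-memory code loading from a macro`. If the rest of SUSPICIOUS_KEYWORDS (the dict starts before the hunk) does not already cover the non-Ex variant VirtualAlloc and the usual write companion WriteProcessMemory, they belong in the same category so a macro using a slightly different combination is still flagged. The identical hunk in oletools/olevba3.py needs the same comment; the two copies of the table have to stay in sync.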
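--- a/oletools/olevba3.py
+++ b/oletools/olevba3.py
@@ -570,6 +570,8 @@ SUSPICIOUS_KEYWORDS = {
 'May detect WinJail Sandbox':
 # ref: http://www.cplusplus.com/forum/windows/96874/
 ('Afx:400000:0',),
+'Memory manipulation':
+('VirtualAllocEx', 'RtlMoveMemory'),
 }
 
 # Regular Expression for a URL: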