Commit c48da1f2c08fc4acfd3cd4e7d3375ce225591a83

Authored by Colin Grady
1 parent 0d451876

Add VirtualAllocEx and RtlMoveMemory to SUSPICIOUS_KEYWORDS (memory manipulation)

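--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -599,6 +599,8 @@ SUSPICIOUS_KEYWORDS = {
     'May detect WinJail Sandbox':
         # ref: http://www.cplusplus.com/forum/windows/96874/
         ('Afx:400000:0',),
+    'Memory manipulation':
+        ('VirtualAllocEx', 'RtlMoveMemory'),
 }
 
 # Regular Expression for a URL: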
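Review bot: The new 'Memory manipulation' entry is the only key in this part of SUSPICIOUS_KEYWORDS with no `# ref:` comment, and its description is vaguer than its neighbour's ("May detect WinJail Sandbox"), which is the text an analyst sees in the olevba report. VirtualAllocEx allocates memory in another process, so a description in the same style as the surrounding entries, e.g. `'May inject code into another process':` with a `# ref:` comment pointing at the Microsoft documentation for VirtualAllocEx and RtlMoveMemory, would make the hit more actionable. Since these names normally appear in VBA through `Declare` statements, a comment noting that the match will fire on the declaration as well as on the call would help triage. The same entry is added to olevba3.py in the second hunk and should be kept in sync with this one. The SUSPICIOUS_KEYWORDS dict starts before the hunk.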
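--- a/oletools/olevba3.py
+++ b/oletools/olevba3.py
@@ -570,6 +570,8 @@ SUSPICIOUS_KEYWORDS = {
     'May detect WinJail Sandbox':
         # ref: http://www.cplusplus.com/forum/windows/96874/
         ('Afx:400000:0',),
+    'Memory manipulation':
+        ('VirtualAllocEx', 'RtlMoveMemory'),
 }
 
 # Regular Expression for a URL: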