Change dynamic scope to call for atomic operations #952
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
jorik-utwente
force-pushed
the
narrow-dyn-scope-atomic-operations
branch
from
1fdde58
to
4449de5
Compare
| - or: | ||
| - number: 0x40000000 = GENERIC_WRITE | ||
| - number: 0x2 = FILE_WRITE_DATA | ||
| - match: create or open file |
There was a problem hiding this comment.
here's where things can get tricky: the scope of create or open file is (fortunately) also call, but in some other rules is a larger scope (like thread), which is impossible to match.
so, i think this change is fine.
but we should be aware that in other scenarios, there's some tricky things we might have to fix.
jorik-utwente
force-pushed
the
narrow-dyn-scope-atomic-operations
branch
from
4449de5
to
c9a586d
Compare
jorik-utwente
force-pushed
the
narrow-dyn-scope-atomic-operations
branch
from
c9a586d
to
29dc617
Compare
| @@ -7,7 +7,7 @@ rule: | |||
| - [email protected] | |||
| scopes: | |||
| static: function | |||
| dynamic: thread | |||
| dynamic: call | |||
There was a problem hiding this comment.
our rule parser doesn't like a call subscope in a file-wide call scope: call subscope supported only for the process and thread scopes - that's why the rule was as is, I assume
There was a problem hiding this comment.
this works here:
rule:
meta:
name: copy file
namespace: host-interaction/file-system/copy
authors:
- [email protected]
- [email protected]
scopes:
static: function
dynamic: call
mbc:
- File System::Copy File [C0045]
examples:
- Practical Malware Analysis Lab 01-01.exe_:0x401440
features:
- or:
- api: kernel32.CopyFile
- api: kernel32.CopyFileEx
- api: CopyFile2
- api: CopyFileTransacted
- api: LZCopy
- api: System.IO.FileInfo::CopyTo
- api: System.IO.File::Copy
# static
- basic block:
- and:
- number: 2 = FO_COPY
- or:
- api: kernel32.SHFileOperation
# dynamic
- and:
- number: 2 = FO_COPY
- or:
- api: kernel32.SHFileOperation
There was a problem hiding this comment.
Hmm okay. The problem with this fix is that for static analysis the dynamic part will also match, and doesn't have the basic block scope (as pointed out here: #952 (comment) ). There is no way to make part of the features only apply to dynamic analysis, is there?
There was a problem hiding this comment.
Oh, yes, that's not what we want.
I think we'd have to change the rule parser to properly handle this. @williballenthin, what do you think?
There was a problem hiding this comment.
This makes sense to me. +1
|
Thanks for all your suggestions, @jorik-utwente! I'm back this week to work on getting the improvements merged. |
To reduce false positives, we change the dynamic scope of a couple of operations to
call.E.g., writing to the registry is always done in one Windows API call, so we change the scope from
threadtocall.Original discussion: #951