# capa rule: a function (static) or thread (dynamic) that creates a TCP socket and
# then establishes an outbound connection on it, either through one of the
# connect-family Winsock APIs or through the ConnectEx extension function.
rule:
  meta:
    name: connect TCP socket
    namespace: communication/socket/tcp
    # NOTE(review): the author entries are not visible in this rendering of the file;
    # restore the original list before use (a bare key parses as null, not a list).
    authors:
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Communication::Socket Communication::Connect Socket [C0001.004]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - and:
      # depends on the sibling rule "create TCP socket" matching in the same scope
      - match: create TCP socket
      - or:
        # direct connection APIs, by name or by ws2_32 export ordinal
        - api: connect
        - api: ws2_32.connect
        - api: ws2_32.#4 = connect
        - api: ws2_32.WSAConnect
        - api: ws2_32.#33 = WSAConnect
        - api: ConnectEx
        # ConnectEx is not exported by ws2_32; it is resolved at runtime via
        # WSAIoctl(SIO_GET_EXTENSION_FUNCTION_POINTER, WSAID_CONNECTEX), so the
        # static and dynamic branches below look for that resolution sequence.
        - or:
          - and:
            # static
            - basic block:
              # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e
              # the four constants are that GUID as it lies in memory, read as
              # little-endian 32-bit words (Data1, Data3<<16|Data2, Data4[0..3], Data4[4..7])
              - and:
                - number: 0x25A207B9
                - number: 0x4660DDF3
                - number: 0xE576E98E
                - number: 0x3E06748C
            - basic block:
              - and:
                - or:
                  - api: ws2_32.WSAIoctl
                  - api: ws2_32.#60 = WSAIoctl
                - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER
            - basic block:
              # SO_UPDATE_CONNECT_CONTEXT is set after a ConnectEx completes so the
              # socket can be used with the regular Winsock calls
              - and:
                - or:
                  - api: setsockopt
                  - api: ws2_32.#21 = setsockopt
                - number: 0xFFFF = SOL_SOCKET
                - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT
            # socket must be bound to ConnectEx
            # https://gist.github.com/joeyadams/4158972
            - or:
              - api: bind
              - api: ws2_32.#2 = bind
          - and:
            # dynamic: same sequence as the static branch, observed as calls in a
            # thread rather than as constants in basic blocks
            - call:
              - and:
                - or:
                  - api: ws2_32.WSAIoctl
                  - api: ws2_32.#60 = WSAIoctl
                - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER
            - call:
              - and:
                - or:
                  - api: setsockopt
                  - api: ws2_32.#21 = setsockopt
                - number: 0xFFFF = SOL_SOCKET
                - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT
            # socket must be bound to ConnectEx
            # https://gist.github.com/joeyadams/4158972
            - or:
              - api: bind
              - api: ws2_32.#2 = bind