improve rules that often match #655
Conversation
| @@ -28,4 +28,3 @@ rule: | |||
| - api: LdrFindResourceEx_U | |||
| - api: kernel32.SizeofResource | |||
| - api: kernel32.FreeResource | |||
| - api: user32.LoadString | |||
There was a problem hiding this comment.
I don't think that's really what we are after normally. Anyone thing it's worth creating a new rule for it?
There was a problem hiding this comment.
agree that this should be removed
| @@ -1,17 +0,0 @@ | |||
| rule: | |||
There was a problem hiding this comment.
ref: #143, I've only seen this hit in library code (which Python flirt often doesn't recognize)
| @@ -1,10 +1,10 @@ | |||
| rule: | |||
| meta: | |||
| name: create or open registry key | |||
There was a problem hiding this comment.
analogous to create or open file, we have a lot more specific rules that use this (now library) rule, e.g. set registry value or delete registry value
| - number: 0x800000FF | ||
| - number: 0xFF | ||
| - operand[1].number: 0x800000FF | ||
| - operand[1].number: 0xFF |
There was a problem hiding this comment.
can you explain this change?
There was a problem hiding this comment.
trying to be more explicit here, but yeah, there can only be an immediate in the second operand, so I guess this is not useful here
There was a problem hiding this comment.
any preference? be explicit here or undo change and stick to number?
There was a problem hiding this comment.
i think just plain old number is probably sufficient. i dont feel strongly, though.
I've analyzed the top 50 or so rule matches over 5000 recent random samples.
In these rules I noticed room for improvement. Happy to discuss as needed.