Add rule unhook-a-dll.yml (#921)

* Add rule
mandiant · Aug 15, 2024 · 1d4b140 · 1d4b140
1 parent 99e100d
commit 1d4b140
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -0,0 +1,30 @@
+rule:
+  meta:
+    name: overwrite DLL .text section to remove hooks
+    namespace: anti-analysis/anti-av
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+    references:
+      - https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
+    examples:
+      - 282c32269a9893c5741ca682268369421c43ac21d73b1f6c23386d61c93bf3e9:0x1400014A4
+  features:
+    - and:
+      - or:
+        - api: GetModuleHandle
+        - api: GetModuleHandleEx
+      - or:
+        - match: read file via mapping
+        - match: read file on Windows
+      - match: enumerate PE sections
+      - string: ".text"
+      # The rule was initially created for NTDLL unhooking technique but then made more generic to handle unhooking of any DLL.
+      # Revert to `string: ntdll.dll` if it's too broad.
+      - substring: ".dll"