[plugin imports] Removed QueryPerformanceCounter as an anti-debug API…

…, as it generates too many false positives. [plugin overlay & plugin resources] Fixed a null deref when the Yara scan fails.
JusticeRage · Dec 6, 2018 · 5736e44 · 5736e44
1 parent c93d974
commit 5736e44
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/bin/attack.py b/bin/attack.py
@@ -12,7 +12,8 @@
 mapping = {
     # Plugin Imports
     "Code injection capabilities":                          [("Defense Evasion", "Process Injection")],
-    "Code injection capabilities (process hollowing)":      [("Defense Evasion", "Process Injection")],
+    "Code injection capabilities (process hollowing)":      [("Defense Evasion", "Process Injection"),
+                                                             ("Defense Evasion", "Process Hollowing")],
     "Manipulates other processes":                          [("Discovery", "Process Discovery"),
                                                              ("Defense Evasion", "Process Injection")],
     "Code injection capabilities (PowerLoader)":            [("Defense Evasion", "Extra Window Memory Injection"),
@@ -187,4 +188,4 @@ def main():
 
 
 if __name__ == "__main__":
-    main()
+    main()
diff --git a/plugins/plugin_imports.cpp b/plugins/plugin_imports.cpp
@@ -33,8 +33,7 @@ enum REQUIREMENT { AT_LEAST_ONE = 1, AT_LEAST_TWO = 2, AT_LEAST_THREE = 3 };
 std::string anti_debug =
 	"FindWindow(A|W)|(Zw|Nt)QuerySystemInformation|DbgBreakPoint|DbgPrint|"
 	"CheckRemoteDebuggerPresent|CreateToolhelp32Snapshot|Toolhelp32ReadProcessMemory|"
-	"OutputDebugString|SwitchToThread|NtQueryInformationProcess|"	// Standard anti-debug API calls
-	"QueryPerformanceCounter";	// Techniques based on timing. GetTickCount ignored (too many false positives)
+	"OutputDebugString|SwitchToThread|NtQueryInformationProcess";	// Standard anti-debug API calls
 
 std::string vanilla_injection = "(Nt)?VirtualAlloc.*|(Nt)?WriteProcessMemory|CreateRemoteThread(Ex)?|(Nt)?OpenProcess";
 

diff --git a/plugins/plugin_overlay.cpp b/plugins/plugin_overlay.cpp
@@ -62,7 +62,7 @@ class OverlayPlugin : public IPlugin
 			return res;
 		}
         yara::const_matches matches = y.scan_bytes(*overlay_bytes);
-        if (!matches->empty())
+        if (matches && !matches->empty())
         {
             for (size_t i = 0; i < matches->size(); ++i)
             {

diff --git a/plugins/plugin_resources.cpp b/plugins/plugin_resources.cpp
@@ -147,13 +147,13 @@ class ResourcesPlugin : public IPlugin
 		{
 			// In some packed executables, resources still keep their original file size, which causes
 			// them to become bigger than the file itself. Disregard those cases when they happen
-			// because they make the resource to filesize rario bigger than 1. 
+			// because they make the resource to filesize ratio bigger than 1. 
 			// These cases will be reported by the packer detection plugin.
 			if (it->get_size() < pe.get_filesize()) {
 				size += it->get_size();
 			}
 			yara::const_matches matches = y.scan_bytes(*it->get_raw_data());
-			if (!matches->empty())
+			if (matches && !matches->empty())
 			{
 				for (size_t i = 0 ; i < matches->size() ; ++i)
 				{