[plugin_imports] Nt variants of some functions are not take into acco…

…unt. Updated the RICH IDs with the latest Visual Studio revision numbers.
JusticeRage · Nov 22, 2018 · 979c865 · 979c865
1 parent dc886b1
commit 979c865
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/manape/nt_values.cpp b/manape/nt_values.cpp
@@ -664,6 +664,9 @@ const flag_dict COMP_ID_PRODID =
                                 ("VS2017 v15.8.4 compiler 26729",              0x6869)
                                 ("VS2017 v15.8.5-8 compiler 26730",            0x686A)
                                 ("VS2017 v15.8.9 compiler 26732",              0x686C)
+                                ("VS2017 v15.9.0-1 compiler 27023",            0x698F)
+                                ("VS 2015/2017 runtime 27012",                 0x6984)
+                                ("VS2017 v15.9.2 compiler 27024",              0x6990)
     ;
 
 // ----------------------------------------------------------------------------

diff --git a/plugins/plugin_imports.cpp b/plugins/plugin_imports.cpp
@@ -35,15 +35,15 @@ std::string anti_debug =
 	"OutputDebugString|SwitchToThread|NtQueryInformationProcess|"	// Standard anti-debug API calls
 	"QueryPerformanceCounter";	// Techniques based on timing. GetTickCount ignored (too many false positives)
 
-std::string vanilla_injection = "VirtualAlloc.*|WriteProcessMemory|CreateRemoteThread(Ex)?|OpenProcess";
+std::string vanilla_injection = "(Nt)?VirtualAlloc.*|(Nt)?WriteProcessMemory|CreateRemoteThread(Ex)?|(Nt)?OpenProcess";
 
-std::string process_hollowing = "WriteProcessMemory|(Wow64)?SetThreadContext|ResumeThread";
+std::string process_hollowing = "(Nt)?WriteProcessMemory|(Nt)?WriteVirtualMemory|(Wow64)?SetThreadContext|(Nt)?ResumeThread|(Nt)?SetContextThread";
 
 std::string power_loader = "FindWindow(A|W)|GetWindowLong(A|W)";
 
 std::string atom_bombing = "GlobalAddAtom(A|W)|GlobalGetAtomName(A|W)|QueueUserAPC";
 
-std::string process_doppelganging = "CreateTransaction|CreateFileTransacted|RollbackTransaction|WriteFile";
+std::string process_doppelganging = "CreateTransaction|CreateFileTransacted|RollbackTransaction|(Nt)?WriteFile";
 
 std::string keylogger_api = "SetWindowsHook(Ex)?|GetAsyncKeyState|GetForegroundWindow|AttachThreadInput|CallNextHook(Ex)?|MapVirtualKey(A|W|Ex)";
 
@@ -53,9 +53,9 @@ std::string http_api = "Internet.*|URL(Download|Open).*|WinHttp.*";
 
 std::string registry_api = "Reg.*(Key|Value).*|SH.*(Reg|Key).*|SHQueryValueEx(A|W)|SHGetValue(A|W)";
 
-std::string process_creation_api = "CreateProcess.*|system|WinExec|ShellExecute(A|W)";
+std::string process_creation_api = "(Nt)?CreateProcess.*|system|WinExec|ShellExecute(A|W)";
 
-std::string process_manipulation_api = "EnumProcess.*|OpenProcess|(Read|Write)ProcessMemory|Process32(First|Next)(A|W)?";
+std::string process_manipulation_api = "EnumProcess.*|(Nt)?OpenProcess|(Nt)?(Read|Write)ProcessMemory|Process32(First|Next)(A|W)?";
 
 std::string service_manipulation_api = "OpenSCManager(A|W)|(Open|Control|Create|Delete)Service(A|W)?|QueryService.*|"
 									   "ChangeServiceConfig(A|W)|EnumServicesStatus(Ex)?(A|W)";
@@ -68,7 +68,7 @@ std::string dacl_api = "SetKernelObjectSecurity|SetFileSecurity(A|W)|SetNamedSec
 
 std::string dynamic_import = "(Co)?LoadLibrary(Ex)?(A|W)|GetProcAddress|LdrLoadDll|MmGetSystemRoutineAddress";
 
-std::string packer_api = "VirtualAlloc(Ex)?|VirtualProtect(Ex)?";
+std::string packer_api = "(Nt)?VirtualAlloc(Ex)?|(Nt)?VirtualProtect(Ex)?";
 
 std::string temporary_files = "GetTempPath(A|W)|(Create|Write)File(A|W)";
 
@@ -91,7 +91,7 @@ std::string networking_api = "(Un)?EnableRouter|SetAdapterIpAddress|SetIp(Forwar
 /**
  *	@brief Counts the number of different function names in a vector.
  *
- *	A, W and Ex variants of the same function are considered to be the same.
+ *	A, W, Ex and Nt/Zw variants of the same function are considered to be the same.
  *
  *	@param v The vector containing the function names.
  *
@@ -112,6 +112,9 @@ size_t count_functions(const std::vector<std::string>& v)
 		if (tmp.size() > 2 && boost::algorithm::ends_with(tmp, "Ex")) {
 			tmp = tmp.substr(0, tmp.size() - 2);
 		}
+        if (tmp.size() > 2 && (boost::algorithm::starts_with(tmp, "Nt") || boost::algorithm::starts_with(tmp, "Zw"))) {
+            tmp = tmp.substr(2, tmp.size());
+        }
 		string_set.insert(tmp);
 	}
 	return string_set.size();