Add InjectionModuleStompingProbing signature

[kevross33]

This module detects probing loops of failed RWX memory allocations, indicating potential code cave hunting or module stomping activities.

BruteRatel (very limited detection available here due to its stealth but this appears to be one)

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new security signature designed to identify advanced evasion techniques used by malware, such as BruteRatel. By monitoring failed RWX memory allocations that return CONFLICTING_ADDRESSES, the signature helps detect attempts to find code caves or perform module stomping, thereby enhancing the system's ability to spot stealthy malicious activities.

Highlights

• New Security Signature: Added InjectionModuleStompingProbing signature to detect malicious memory allocation patterns indicative of code cave hunting or module stomping.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• modules/signatures/windows/injection_modulestomping.py
  • Added a new signature for detecting module stomping and code cave hunting.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new signature, InjectionModuleStompingProbing, to detect potential code cave hunting or module stomping activities. The implementation is a good start, but I have identified two high-severity issues. First, the parsing of memory protection values can lead to missed detections (false negatives). Second, the logic in on_complete can cause the signature to trigger without actionable data, effectively creating a false positive. I have provided code suggestions to address both of these concerns.

[gemini-code-assist]

The current logic for parsing the protection value may be incorrect for hexadecimal values provided as strings without a "0x" prefix. For instance, if protection is the string "40", int("40") evaluates to 40, not the intended hexadecimal value of 64 (0x40). This can lead to missed detections. To ensure correct parsing, string values representing protection flags should consistently be treated as hexadecimal.

Suggested change

	prot_val = int(protection, 16) if isinstance(protection, str) and protection.startswith("0x") else int(protection)
	prot_val = int(protection, 16) if isinstance(protection, str) else protection

[gemini-code-assist]

The on_complete method reports a signature match if self.ret is true, which is set upon the first detected failed allocation. However, it does so regardless of whether any process actually exceeds the count > 5 threshold. This can lead to the signature being reported with an empty list of results, which is not informative. The signature should only trigger when there are concrete findings to report.

Suggested change

	def on_complete(self):
	if self.ret:
	formatted_results = []
	for pid, data in self.failed_allocations.items():
	count = data["count"]
	proc_name = data["proc_name"]
	if count > 5:
	formatted_results.append(f"pid {pid} process {proc_name} executed {count} probes")
	self.data.append({"rwx_probing_loops_detected": formatted_results})
	return self.ret
	def on_complete(self):
	if self.ret:
	formatted_results = []
	for pid, data in self.failed_allocations.items():
	count = data["count"]
	proc_name = data["proc_name"]
	if count > 5:
	formatted_results.append(f"pid {pid} process {proc_name} executed {count} probes")
	if formatted_results:
	self.data.append({"rwx_probing_loops_detected": formatted_results})
	return True
	return False