rule: reference ConfuserEx anti-profiling (fixes #602)#1150
rule: reference ConfuserEx anti-profiling (fixes #602)#1150Nitezio wants to merge 2 commits intomandiant:masterfrom
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
mike-hunhoff
left a comment
mike-hunhoff
left a comment
There was a problem hiding this comment.
Thanks @Nitezio. Currently, the rule is too broad and will likely result in false positives. Please tighten up the rule, e.g. function scoped to detect the string match and modification of ProfAPIMaxWaitForTriggerMs via, e.g VirtualProtect.
|
Thanks for the review and guidance, @mike-hunhoff I've updated the rule to scope: function and split the logic to match the distinct behaviors in the source code. It now requires kernel32.VirtualProtect to be present alongside the ProfAPIMaxWaitForTriggerMs string, or the pipe creation APIs (CreateNamedPipe / CreateFile) to be present alongside the \.\pipe\CPFATP_ string. Let me know if this looks better or if it needs any further tightening |
2 participants
closes #602
This PR introduces a file-scope rule to detect the specific anti-profiling techniques used by the ConfuserEx .NET obfuscator.
As requested in the issue, analyzing the
AntiManagedProfiler.cssource code reveals that it prevents profiler attachment by hijacking the CLR's named pipe and manipulating theProfAPIMaxWaitForTriggerMstimeout. This rule flags the presence of those specific, hard-coded strings.Note: I am submitting this as my preliminary code contribution for my GSoC 2026 application regarding the capa Automated Rule Generation Agent.