Merge pull request #238 from fireeye/williballenthin-patch-1

connect-tcp-socket: add ConnectEx via WSAID_CONNECTEX
mandiant · Feb 9, 2021 · 80b88d9 · 80b88d9
2 parents 9aceefb + 1f48bd0
commit 80b88d9
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml
@@ -15,3 +15,23 @@ rule:
         - api: ws2_32.connect
         - api: ws2_32.WSAConnect
         - api: ConnectEx
+        - and:
+          - basic block:
+            # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e
+            - and:
+              - number: 0x25A207B9
+              - number: 0x4660DDF3
+              - number: 0xE576E98E
+              - number: 0x3E06748C
+          - basic block:
+            - and:
+              - api: WSAIoctl
+              - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER
+          - basic block:
+            - and:
+              - api: setsockopt
+              - number: 0xFFFF = SOL_SOCKET
+              - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT
+          # socket must be bound to ConnectEx
+          # https://gist.github.com/joeyadams/4158972
+          - api: bind