Update unbacked antianalysis for accuracy#589
Improve process tracking and also tracking of memory frees
Code Review
This pull request refactors the unbacked memory anti-analysis signatures and introduces several new signature classes to detect fileless execution, persistence, privilege escalation, EDR unhooking, ETW/AMSI patching, and debugger detection from unbacked memory. It also adds tracking for virtual memory freeing APIs to keep memory ranges up to date. The review feedback highlights two main issues: first, in VirtualAllocEx, the hProcess argument is a process handle rather than a PID, meaning storing ranges under this handle will break tracking (especially for pseudo-handles like -1 which should resolve to the current PID); second, calling .lower() on memory address arguments can cause AttributeError crashes if the values are logged as integers, so they should be explicitly cast to strings first.
```python
target_addr = (
    self.get_argument(call, "BaseAddress")
    or self.get_argument(call, "lpAddress")
    or ""
).lower()
```
If BaseAddress or lpAddress is logged as an integer (which is common in many Cuckoo/Cape environments), calling .lower() directly on it will raise an AttributeError: 'int' object has no attribute 'lower' and crash the signature execution.
Converting the value to a string first using str() avoids this crash.
```python
base_addr = self.get_argument(call, "BaseAddress") or self.get_argument(call, "lpAddress") or ""
target_addr = str(base_addr).lower()
```

```python
target_label = (
    self.get_argument(call, "BaseAddress")
    or self.get_argument(call, "lpBaseAddress")
    or self.get_argument(call, "ModuleName")
    or self.get_argument(call, "HandleName")
    or ""
).lower()
```
If BaseAddress or lpBaseAddress is logged as an integer, calling .lower() directly on it will raise an AttributeError and crash the signature.
Converting the value to a string first using str() avoids this crash.
```diff
-target_label = (
-    self.get_argument(call, "BaseAddress")
-    or self.get_argument(call, "lpBaseAddress")
-    or self.get_argument(call, "ModuleName")
-    or self.get_argument(call, "HandleName")
-    or ""
-).lower()
+base_addr = (
+    self.get_argument(call, "BaseAddress")
+    or self.get_argument(call, "lpBaseAddress")
+    or self.get_argument(call, "ModuleName")
+    or self.get_argument(call, "HandleName")
+    or ""
+)
+target_label = str(base_addr).lower()
```
```python
target_addr = (
    self.get_argument(call, "BaseAddress")
    or self.get_argument(call, "lpAddress")
    or ""
).lower()
```
If BaseAddress or lpAddress is logged as an integer (which is common in many Cuckoo/Cape environments), calling .lower() directly on it will raise an AttributeError: 'int' object has no attribute 'lower' and crash the signature execution.
Converting the value to a string first using str() avoids this crash.
```python
base_addr = self.get_argument(call, "BaseAddress") or self.get_argument(call, "lpAddress") or ""
target_addr = str(base_addr).lower()
```
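Putting the two review points together (the hProcess-is-not-a-PID issue from the summary and the `.lower()`-on-int crash from the three inline comments), here is an added stand-alone example. It is not code from this PR and not CAPE's Signature base class; the snippets above reach that class through `self.get_argument`, which is re-implemented here as a plain function. The tracker keys unbacked ranges by PID after resolving `hProcess` / `ProcessHandle`, folds the `-1` / `0xffffffff` pseudo-handle back to the caller, forgets ranges again on `VirtualFreeEx` and `NtFreeVirtualMemory`, and reads address arguments whether the monitor logged them as int or as hex string. It also goes one step past the `str()` cast suggested in the comments: `str()` of an int yields a decimal string ("2031616"), which never matches the "0x1f0000" form other calls log, so ints are rendered as hex or parsed to int before any comparison. Argument names (`hProcess`, `lpAddress`, `dwSize`, `dwFreeType`, `dwProcessId`, `ProcessHandle`, `BaseAddress`, `RegionSize`) follow the Win32/NT prototypes and are assumed to match the monitor's log; `EXAMPLE_CALLS`, `make_call`, `replay` and the class name are constructed for this example.

```python
# Added example, not code from this PR or from CAPE's Signature base class.
# Argument names follow the Win32/NT prototypes and are assumed to match the
# monitor log; the records in EXAMPLE_CALLS are constructed for this example.
from dataclasses import dataclass, field

# GetCurrentProcess() pseudo-handle as it appears in 32- and 64-bit logs.
PSEUDO_HANDLE_CURRENT = {-1, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}


def to_int(value):
    """Parse an argument logged as int, decimal string or 0x hex string; None if unparsable."""
    if isinstance(value, int):
        return value
    text = str(value or "").strip().lower()
    try:
        return int(text, 16) if text.startswith("0x") else int(text)
    except ValueError:
        return None


def to_label(value):
    """Lower-case a label without crashing on ints; ints become "0x..." so they
    compare equal to the hex strings other calls log (plain str(int) would not)."""
    return f"0x{value:x}" if isinstance(value, int) else str(value or "").lower()


def get_argument(call, name):
    """Same lookup the snippets above do through self.get_argument (re-implemented here)."""
    return next((a.get("value") for a in call.get("arguments", []) if a.get("name") == name), None)


def make_call(api, ret=None, **args):
    """Build a record in the monitor's shape: api, [{name, value}] arguments, return."""
    return {"api": api, "arguments": [{"name": k, "value": v} for k, v in args.items()], "return": ret}


@dataclass
class UnbackedMemoryTracker:
    ranges: dict = field(default_factory=dict)   # pid -> [(base, size)] with no file backing
    handles: dict = field(default_factory=dict)  # (caller pid, handle) -> target pid (OpenProcess)

    def resolve_pid(self, caller_pid, hprocess):
        """Map a process handle to a PID: pseudo-handles are the caller, unknown handles -> None."""
        handle = to_int(hprocess)
        if handle is None or handle in PSEUDO_HANDLE_CURRENT:
            return caller_pid
        return self.handles.get((caller_pid, handle))

    def _free(self, pid, addr, size):
        # size 0 (MEM_RELEASE or whole-region decommit): drop the region holding addr;
        # otherwise drop every tracked region that overlaps [addr, addr + size).
        def gone(base, length):
            if size == 0:
                return base <= addr < base + length
            return base < addr + size and addr < base + length
        self.ranges[pid] = [r for r in self.ranges.get(pid, []) if not gone(*r)]

    def on_call(self, caller_pid, call):
        api, arg = call.get("api", ""), lambda name: get_argument(call, name)
        if api == "OpenProcess":  # remember which PID a returned handle refers to
            handle, target = to_int(call.get("return")), to_int(arg("dwProcessId"))
            if handle is not None and target is not None:
                self.handles[(caller_pid, handle)] = target
            return
        if api in ("VirtualAllocEx", "VirtualFreeEx"):
            pid = self.resolve_pid(caller_pid, arg("hProcess"))
            addr = to_int(call.get("return") if api == "VirtualAllocEx" else arg("lpAddress"))
            size = to_int(arg("dwSize"))
        elif api in ("NtAllocateVirtualMemory", "NtFreeVirtualMemory"):
            pid = self.resolve_pid(caller_pid, arg("ProcessHandle"))
            addr, size = to_int(arg("BaseAddress")), to_int(arg("RegionSize"))
        else:
            return
        if pid is None or addr is None or size is None:
            return
        if api in ("VirtualAllocEx", "NtAllocateVirtualMemory"):
            if addr and size > 0:  # NULL base means the allocation failed
                self.ranges.setdefault(pid, []).append((addr, size))
        else:
            self._free(pid, addr, size)

    def contains(self, pid, addr):
        """True if addr (int or hex string) lies inside a tracked unbacked region of pid."""
        a = to_int(addr)
        return a is not None and any(b <= a < b + s for b, s in self.ranges.get(pid, []))


# Constructed sample: PID 1000 opens PID 2000, allocates there and locally, then frees both.
EXAMPLE_CALLS = [
    (1000, make_call("OpenProcess", "0x1a4", dwProcessId="2000")),
    (1000, make_call("VirtualAllocEx", "0x00400000", hProcess="0x1a4", lpAddress="0x00000000", dwSize="0x1000")),
    (1000, make_call("VirtualAllocEx", 0x7FF000, hProcess="0xffffffff", lpAddress=0, dwSize=8192)),
    (1000, make_call("NtAllocateVirtualMemory", 0, ProcessHandle=-1, BaseAddress="0x10000", RegionSize="0x3000")),
    (1000, make_call("VirtualFreeEx", 1, hProcess="0xffffffff", lpAddress="0x7ff000", dwSize=0, dwFreeType="0x8000")),
    (1000, make_call("NtFreeVirtualMemory", 0, ProcessHandle="0x1a4", BaseAddress="0x400000", RegionSize=0)),
]


def replay(calls=EXAMPLE_CALLS):
    tracker = UnbackedMemoryTracker()
    for caller_pid, call in calls:
        tracker.on_call(caller_pid, call)
    return tracker
```

After `replay()` only the local `NtAllocateVirtualMemory` region survives: the remote region was stored under PID 2000 (resolved from the handle learned at `OpenProcess`), not under the handle value 0x1a4, and both freed regions are gone. A signature would then call `contains(pid, addr)` on the start address of a `CreateThread`/`CreateRemoteThread`, a hook procedure, or a call's return address to decide whether execution originates from unbacked memory. The free handling is simplified (size 0 drops the whole region, a non-zero size drops any overlapping region); a production tracker would split partially decommitted regions instead.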