(YARA) Detect DLL Export Name Modification
rule ModifyDLLExportName {
strings:
$map_and_load = "MapAndLoad"
$entry_to_data = "ImageDirectoryEntryToData"
$rva_to_va = "ImageRvaToVa"
$modify = "ModifyDLLExportName"
$virtual_protect = "VirtualProtect"
$virtual_alloc = "VirtualAlloc"
condition:
all of them
}
Associated Techniques
| Technique Name | Technique ID's | Categories | Snippet(s) |
|---|---|---|---|
| Tamper DLL Export Names & GetProcAddress Spoofing | U1241 |
|
Created
December 6, 2022
Last Revised
March 27, 2026