One of the less defined sections of MAEC, especially in the dynamic analysis context, is with regards to malware and actions on memory. Right now we only have two abstract action names defined, Write To Process Virtual Memory, and Allocate Virtual Memory in Process, both of which we derived from their respective Win32 Kernel API calls (ZwWriteVirtualMemory and ZwAllocateVirtualMemory, respectively).

As such, there’s clearly more we can cover (we will definitely be taking a look at Volatility and other related tools), but I wanted to gather other thoughts and opinions on this topic before we started delving into it. Is there something like a minimum set of actions, objects, and attributes that we should cover? Are there any particular areas that we direly need to add (e.g. heap-related stuff)? Should we be covering platform-specific constructs, like the memory protection flags in Windows?