From 7f8216f2f216f856b2ce1a56842e8ae8aa107a79 Mon Sep 17 00:00:00 2001
From: JJ
Date: Tue, 21 May 2024 00:58:07 -0700
Subject: [PATCH] Update encrypt-data-using-dpapi.yml rule (#900)

* Update encrypt-data-using-dpapi.yml rule
---
 .../encryption/dpapi/encrypt-data-using-dpapi.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
index 637160e5..1c8bae60 100644
--- a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
+++ b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -22,3 +22,14 @@ rule:
 - api: crypt32.CryptUnprotectData
 - api: System.Security.Cryptography.ProtectedData::Unprotect
 - api: System.Security.Cryptography.ProtectedData::Protect
+ - api: SystemFunction040
+ - api: SystemFunction041
+ - and:
+ - match: link function at runtime on Windows
+ - or:
+ # RtlEncryptMemory is available as SystemFunction040 export in Advapi32.dll
+ # CryptProtectMemory is a wrapper function for SystemFunction040
+ - string: "SystemFunction040"
+ # RtlDecryptMemory is available as SystemFunction041 export in Advapi32.dll
+ # CryptUnprotectMemory is a wrapper function for SystemFunction041
+ - string: "SystemFunction041"
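Review bot: The new `api: SystemFunction040` / `api: SystemFunction041` entries and the `string:` fallbacks only fire when a sample resolves the raw Advapi32 exports, yet the hunk's own comments describe these as the targets of the documented wrappers `CryptProtectMemory` / `CryptUnprotectMemory` — a sample that imports those wrappers from crypt32 statically is not matched by anything in this hunk, so unless the lines above the hunk already list them (the `features:` list starts outside it), add `- api: crypt32.CryptProtectMemory` and `- api: crypt32.CryptUnprotectMemory` next to the two new `api:` entries. The `SystemFunction040`/`041` routines also differ in scope from the `CryptProtectData`/`CryptUnprotectData` calls already in the rule: they protect a buffer in memory with a process- or logon-scoped key rather than producing a persistent DPAPI blob, which an analyst reading a hit on an "encrypt data using DPAPI" rule should know; I would say so in the comment block, e.g. `# note: RtlEncryptMemory/RtlDecryptMemory protect in-memory buffers only (CryptProtectMemory semantics), not persistent DPAPI blobs like CryptProtectData`, and reflect it in the rule's description if that only speaks of persisted data. The `string:` features exact-match the extracted string, so a sample that builds the name at runtime still falls through to the `api:` entries; that is presumably the intent of the `or`, but worth a one-line comment above `- and:` stating that the block covers dynamic resolution via GetProcAddress-style lookup.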