Add signatures for exception-driven execution detection

[kevross33]

This file implements two signatures for detecting exception-driven execution and memory protection manipulation in malware. The first signature identifies processes that register a Vectored Exception Handler and trigger exceptions, while the second monitors memory allocations and protection changes to detect potential payload hiding.

Sample (infostealer doing this and using indirect syscalls that cause cape to lose tracking of it) bcff5812c1bdd518470f91a0b2e5c1e8ed28ba96c58e28953c1e5d9b6cfe9db0

[gemini-code-assist]

Code Review

This pull request introduces two new Windows signatures: ExceptionDrivenExecution, which detects exception-driven execution via Vectored Exception Handlers (VEH), and AllocatedMemoryProtectionNoAccess, which tracks memory allocations that are subsequently protected with PAGE_NOACCESS. The feedback suggests critical improvements to ensure robust detection, including adding the standard Win32 AddVectoredExceptionHandler API to the tracked list, capturing the actual allocated base address from the return value of VirtualAlloc/VirtualAllocEx rather than the requested address, and using int(val, 0) to safely parse both hex and decimal strings.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.