rule:
  meta:
    name: PEB access
    author: [email protected]
    # library rule: meant to be pulled in by other rules (via `match`)
    # rather than reported as a capability in its own right
    lib: true
    scope: basic block
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp
    examples:
      - al-khaser_x86.exe_:0x420D20
  features:
    - or:
      # the extractor's own PEB-access characteristic covers the direct case
      - characteristic: peb access
      # 32-bit: PEB pointer taken from the TEB through the FS segment at offset 0x30,
      # either as a memory-operand displacement or as an immediate added to a TEB base
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41
      - and:
        - characteristic: fs access
        - or:
          - offset/x32: 0x30
          - and:
            - number/x32: 0x30
            - mnemonic: add
      # 64-bit: the same two access shapes through the GS segment at offset 0x60
      - and:
        - characteristic: gs access
        - or:
          - offset/x64: 0x60
          - and:
            - number/x64: 0x60
            - mnemonic: add
      # WoW64 PEB address is fetched via the WoW64 Thread Environment Block (TEB) at FS:[0x18]-0x2000
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L45
      # NOTE(review): `number` carries no /x32 qualifier here, unlike the 32-bit branch above — confirm this is intended
      - and:
        - characteristic: fs access
        - mnemonic: sub
        - number: 0x2000