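# capa rule: flag a function that walks a PE image's headers by hand
# (DOS header -> e_lfanew -> NT headers / OptionalHeader), the pattern seen in
# manual mappers, reflective loaders and unpacking stubs. The identifiers after
# `=` are capa descriptions only; matching is done on the numeric value.
# A hit means "this function reads PE header fields from a buffer", not "this is
# malicious" — legitimate loaders and PE tooling do the same; triage accordingly.
rule:
  meta:
    name: parse PE header
    namespace: load-code/pe
    # NOTE(review): the author entry is missing from this rendering (the list is
    # empty/null); capa's rule validation expects at least one author — restore
    # it before use rather than committing the rule as-is.
    authors:
    scope: function
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x403DD0
  features:
    - and:
      - os: windows
      # Signature checks: a `cmp` somewhere in the function together with the
      # "PE" and "MZ" magic values, either as 16-bit immediates or split into
      # single bytes (some compilers/obfuscators compare the signature byte by
      # byte). Caveat: at function scope capa evaluates these as independent
      # features — the immediate is not required to be an operand of that `cmp`.
      - and:
        - mnemonic: cmp
        - or:
          - number: 0x4550 = IMAGE_NT_SIGNATURE (PE)
          - and:
            - number: 0x50
            - number: 0x45
        - or:
          - number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ)
          - and:
            - number: 0x4D
            - number: 0x5A
        # Supporting evidence only: `optional` never blocks a match, it just adds
        # the header-field accesses to the reported features when present.
        # `operand[1].offset` is the displacement on operand index 1 (typically
        # the memory source operand, e.g. `mov eax, [ecx+0x3C]`).
        - optional:
          - and:
            - operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
            - or:
              - and:
                - arch: i386
                - operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
                - operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
              - and:
                - arch: amd64
                - operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage
                - operand[1].offset: 0x30 = IMAGE_NT_HEADERS64.OptionalHeader.ImageBase
      # Header walk: within a single basic block, the e_lfanew read plus at least
      # three of the NT header field offsets below. Small displacements such as
      # 0x4, 0x6 or 0x14 occur in unrelated struct accesses, so the basic-block
      # scope and the mandatory 0x3C access are what keep this from matching
      # on incidental offsets alone.
      - basic block:
        - and:
          - operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
          - 3 or more:
            - operand[1].offset: 0x4 = IMAGE_NT_HEADERS.FileHeader.Machine
            - operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
            - operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
            - operand[1].offset: 0x16 = IMAGE_NT_HEADERS.FileHeader.Characteristics
            - operand[1].offset: 0x28 = IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint  # same offset for 32 and 64 bit
            # ImageBase and SizeOfImage differ between the 32- and 64-bit
            # OptionalHeader layouts, hence the per-arch branches.
            - or:
              - and:
                - arch: i386
                - operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
                - operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
              - and:
                - arch: amd64
                # description corrected to the 64-bit struct, consistent with the
                # amd64 branch in the optional block above
                - operand[1].offset: 0x30 = IMAGE_NT_HEADERS64.OptionalHeader.ImageBase
                - operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage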