access PEB ldr_data

rule:
  meta:
    name: access PEB ldr_data
    namespace: linking/runtime-linking
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: unsupported  # requires offset features
    att&ck:
      - Execution::Shared Modules [T1129]
    references:
      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntpsapi_x/peb_ldr_data.htm
      - https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8
    examples:
      - 3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7
  features:
    - or:
      - and:
        - arch: i386
        - description: x32

        - match: PEB access

        # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0
        # checking for fs:0 and a (possibly unrelated) number or offset often results in false positives

        - offset: 0x0C = PEB.LDR_DATA

        - or:
          - description: resolve a module list
          - offset: 0x0C = PEB.LDR_DATA.InLoadOrderModuleList
          - offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList
          - offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList

      - and:
        - arch: amd64
        - description: x64

        - match: PEB access

        - offset: 0x18 = PEB.LDR_DATA

        - or:
          - description: resolve a module list
          - offset: 0x10 = PEB.LDR_DATA.InLoadOrderModuleList
          - offset: 0x20 = PEB.LDR_DATA.InMemoryOrderModuleList
          - offset: 0x30 = PEB.LDR_DATA.InInitializationOrderModuleList