check for PEB NtGlobalFlag flag

rule:
  meta:
    name: check for PEB NtGlobalFlag flag
    namespace: anti-analysis/anti-debugging/debugger-detection
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset, mnemonic features
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
    references:
      - Practical Malware Analysis, Chapter 16, p. 355
      - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm
    examples:
      - Practical Malware Analysis Lab 16-01.exe_:0x403530
  features:
    - and:
      - basic block:
        - and:
          - match: PEB access
          - or:
            - and:
              - arch: i386
              - offset: 0x68 = PEB.NtGlobalFlag
            - and:
              - arch: amd64
              - offset: 0xBC = PEB.NtGlobalFlag
            - instruction:
              - arch: i386
              - mnemonic: add
              - offset: 0x68 = PEB.NtGlobalFlag
            - instruction:
              - arch: amd64
              - mnemonic: add
              - offset: 0xBC = PEB.NtGlobalFlag
      - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)