extract HTTP body

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: extract HTTP body
    namespace: communication/http/client
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset, bytes features
    mbc:
      - Communication::HTTP Communication::Extract Body [C0002.011]
    references:
      - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752574(v=vs.85)
    examples:
      - 395EB0DDD99D2C9E37B6D0B73485EE9C:0x4020A9
  features:
    - and:
      - bytes: 25 44 2C 33 CB 26 D0 11 B4 83 00 C0 4F D9 01 19 = CLSID_IHTMLDocument2
      - offset: 0x24 = IHTMLDocument2Vtbl.get_body
      - offset: 0xF0 = IHTMLElementVtbl.get_innerText

last edited: 2023-11-24 10:34:28