extract resource via kernel32 functions

rule:
  meta:
    name: extract resource via kernel32 functions
    namespace: executable/resource
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    examples:
      - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000
      - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
      # ntdll
      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA
  features:
    - or:
      - and:
        - or:
          - api: kernel32.LoadResource
          - api: kernel32.LockResource
          - api: LdrAccessResource
        - optional:
          - api: kernel32.GetModuleHandle
          # may occur in parent function, see 0664B09A86EC2DF7DFE01A93E184A1FA23DF66EA82CAB39000944E418EC1F7B2
          - or:
            - api: kernel32.FindResource
            - api: kernel32.FindResourceEx
            - api: LdrFindResource_U
            - api: LdrFindResourceEx_U
          - api: kernel32.SizeofResource
          - api: kernel32.FreeResource