get graphical window text

rule:
  meta:
    name: get graphical window text
    namespace: host-interaction/gui/window/get-text
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Discovery::Application Window Discovery [E1010]
    examples:
      - B7841B9D5DC1F511A93CC7576672EC0C:0x10007A50
      - Practical Malware Analysis Lab 11-03.dll_:0x10001000
  features:
    - or:
      - and:
        - optional:
          - api: user32.IsWindowVisible
        - or:
          - basic block:
            - and:
              - number: 0xD = WM_GETTEXT
              - api: user32.SendMessage
          - call:
            - and:
              - number: 0xD = WM_GETTEXT
              - api: user32.SendMessage
      - and:
        - optional:
          - api: user32.GetForegroundWindow
        - api: user32.GetWindowText