
rule:
  meta:
    name: get process filename
    namespace: host-interaction/process
    authors:
      - matthew.williams@mandiant.com
    description: Retrieves the current process' filename. In the example sample, this was part of a sandbox evasion technique that computed and verified the checksum of the sample's filename.
    scopes:
      static: basic block
      # offset features come from disassembled memory operands, which a dynamic
      # (sandbox-trace) scope does not expose, so this rule is static-only.
      dynamic: unsupported # requires offset features
    att&ck:
      - Discovery::Process Discovery [T1057]
    references:
      # PEB_LDR_DATA layout (InMemoryOrderModuleList) used for the 0x14 / 0x20 offsets.
      - https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data
      # Explains the "shifted pointer": the list Flink points at
      # LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks rather than the start of the
      # struct, which is why the BaseDllName.Buffer offsets below (0x28 / 0x50)
      # are smaller than the documented field offsets.
      - https://research.openanalysis.net/rhadamanthys/config/ida/shifted%20pointers/peb/_list_entry/_ldr_data_table_entry/2023/01/19/rhadamanthys.html#PEB-Walk-_LDR_DATA_TABLE_ENTRY-and-Shifted-Pointers-in-IDA
    examples:
      - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
  features:
    # One branch per architecture; each requires the three PEB-walk offsets to
    # co-occur with a PEB access in a single basic block. Each `offset` value
    # is followed by ` = <description>` documenting which structure field it is.
    - or:
      - and:
        # example (constructed to mirror the amd64 comment below; the three
        # displacements are exactly the offsets this branch matches):
        # mov     eax, fs:30h     ; TEB.ProcessEnvironmentBlock
        # mov     eax, [eax+0Ch]  ; PEB.Ldr
        # mov     eax, [eax+14h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
        # mov     eax, [eax+28h]  ; LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
        - arch: i386
        - characteristic: peb access
        - offset: 0x0C = PEB->Ldr
        - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
        - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->BaseDllName.Buffer

      - and:
        # example:
        # mov     rax, gs:60h     ; TEB.ProcessEnvironmentBlock
        # mov     rcx, [rax+18h]  ; PEB64.Ldr
        # mov     rax, [rcx+20h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
        # mov     rcx, [rax+50h]  ; LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
        - arch: amd64
        - characteristic: peb access
        - offset: 0x18 = PEB->Ldr
        - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
        - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->BaseDllName.Buffer
