get process image filename

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get process image filename
    namespace: host-interaction/process
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: span of calls
  features:
    - or:
      - and:
        - os: windows
        - or:
          - api: kernel32.K32GetProcessImageFileName
          - api: kernel32.GetProcessImageFileName
      - and:
        - api: System.Diagnostics.Process::GetCurrentProcess
        - property/read: System.Diagnostics.Process::MainModule
        - property/read: System.Diagnostics.ProcessModule::FileName

last edited: 2025-01-29 09:27:13