inject DLL reflectively

rule:
  meta:
    name: inject DLL reflectively
    namespace: load-code/pe
    authors:
      - "@Ana06"
    scopes:
      static: function
      dynamic: unsupported  # requires characteristic, offset features
    att&ck:
      - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]
      - Defense Evasion::Reflective Code Loading [T1620]
    references:
      - https://0x00sec.org/t/reflective-dll-injection/3080
      - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
    examples:
      - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
  features:
    - and:
      - os: windows
      - match: enumerate PE sections
      - match: rebuild import table
      - basic block:
        - and:
          - offset: 0x28 = IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
          - number: 0x1 = DLL_PROCESS_ATTACH
          - characteristic: indirect call = call entry point
      - optional:
        - match: inspect section memory permissions