inspect load icon resource

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: inspect load icon resource
    namespace: anti-analysis
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: unsupported  # requires mnemonic features
  features:
    # check if call to LoadIcon fails when first argument is NULL
    # and second argument is not a valid predefined icon - LoadIcon
    # should return NULL here, but some sandboxes/emulation may instead
    # return a valid handle
    - and:
      - api: user32.LoadIcon
      - number: 0x0
      - mnemonic: test
      - not:
        - or:
          - description: predefined icon identifiers
          - number: 0x7F05 = IDI_WINLOGO
          - number: 0x7F06 = IDI_SHIELD
          - number: 0x7F02 = IDI_QUESTION
          - number: 0x7F00 = IDI_APPLICATION
          - number: 0x7F04 = (IDI_ASTERISK | IDI_INFORMATION)
          - number: 0x7F01 = (IDI_ERROR | IDI_HAND)
          - number: 0x7F03 = (IDI_EXCLAMATION | IDI_WARNING)