link many functions at runtime

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: link many functions at runtime
    namespace: linking/runtime-linking
    authors:
      - moritz.raabe@mandiant.com
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - b7b5e1253710d8927cbe07d52d2d2e10:0x401000
  features:
    - or:
      - and:
        - os: windows
        - match: link function at runtime on Windows
        - or:
          - count(api(kernel32.GetProcAddress)): 5 or more
          - count(api(ntdll.LdrGetProcedureAddress)): 5 or more
      - and:
        - or:
          - os: linux
          - os: android
        - match: link function at runtime on Linux
        - or:
          - count(api(dlsym)): 5 or more
          - count(api(dlvsym)): 5 or more

last edited: 2024-04-23 11:49:05