obtain TransmitPackets callback function via WSAIoctl

rule:
  meta:
    name: obtain TransmitPackets callback function via WSAIoctl
    namespace: communication/socket/tcp/send
    authors:
      - jonathan.lepore@mandiant.com
    description: The TransmitPackets function transmits in-memory data or file data over a connected socket. The TransmitPackets function uses the operating system cache manager to retrieve file data, locking memory for the minimum time required to transmit and resulting in efficient, high-performance transmission.
    scopes:
      static: function
      dynamic: unsupported  # requires bytes, mnemonic features
    mbc:
      - Communication::Socket Communication::Send TCP Data [C0001.014]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/mswsock/nc-mswsock-lpfn_transmitpackets
    examples:
      - 138C71E94961FE9E31CEC5DFBA62A639:0x100FF55
  features:
    - and:
      - mnemonic: call
      - number: 0x10 = inbuffer size (16 bytes to hold guid)
      - number: 0x0C8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER
      - or:
        - bytes: A0 9D 68 D9 90 1F D3 11 99 71 00 C0 4F 68 C8 76 = WSAID_TRANSMITPACKETS guid
        - and:
          - number: 0x76C8684F = WSAID_TRANSMITPACKETS guid part
          - number: 0xC0007199 = WSAID_TRANSMITPACKETS guid part
          - number: 0x11D31F90 = WSAID_TRANSMITPACKETS guid part
          - number: 0xD9689DA0 = WSAID_TRANSMITPACKETS guid part
      - or:
        - and:
          - arch: i386
          - number: 0x4 = 32-bit function ptr
        - and:
          - arch: amd64
          - number: 0x8 = 64-bit function ptr
      - optional:
        - api: WSAIoctl
        - api: WSAGetLastError