rule:
meta:
name: parse PE header
namespace: load-code/pe
authors:
- moritz.raabe@mandiant.com
scopes:
static: function
dynamic: unsupported # requires mnemonic, operand[1].offset features
att&ck:
- Execution::Shared Modules [T1129]
examples:
- 9324D1A8AE37A36AE560C37448C9705A:0x403DD0
features:
- and:
- os: windows
- and:
- mnemonic: cmp
- or:
- number: 0x4550 = IMAGE_NT_SIGNATURE (PE)
- and:
- number: 0x50
- number: 0x45
- or:
- number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ)
- and:
- number: 0x4D
- number: 0x5A
- optional:
- and:
- operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
- or:
- and:
- arch: i386
- operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
- operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
- and:
- arch: amd64
- operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage
- operand[1].offset: 0x30 = IMAGE_NT_HEADERS64.OptionalHeader.ImageBase
- basic block:
- and:
- operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
- 3 or more:
- operand[1].offset: 0x4 = IMAGE_NT_HEADERS.FileHeader.Machine
- operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
- operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
- operand[1].offset: 0x16 = IMAGE_NT_HEADERS.FileHeader.Characteristics
- operand[1].offset: 0x28 = IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint # for 32 and 64 bit
- or:
- and:
- arch: i386
- operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
- operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
- and:
- arch: amd64
- operand[1].offset: 0x30 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
- operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage
last edited: 2023-11-24 10:34:28