read .ini file

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: read .ini file
    namespace: host-interaction/file-system/read
    authors:
      - "@_re_fox"
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - File System::Read File [C0051]
    examples:
      - 1d8fd13c890060464019c0f07b928b1a:0x401070
      - E6234FB98F17201C232F4502015B47B3:0x701312FA
  features:
    - and:
      - or:
        - api: GetPrivateProfileInt
        - api: GetPrivateProfileString
        - api: GetPrivateProfileStruct
        - api: GetPrivateProfileSection
        - api: GetPrivateProfileSectionNames
      - optional:
        - string: /\.ini/i
        - api: GetFullPathName

last edited: 2023-11-24 10:34:28