resolve function by FNV-1a hash

rule:
  meta:
    name: resolve function by FNV-1a hash
    namespace: linking/runtime-linking
    authors:
      - still@teamt5.org
    description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
    references:
      - https://blog.xorhex.com/blog/reddeltaplugxchangeup/
  features:
    - or:
      - number: 0x53b2070f = FNV(LoadLibraryA)
      - number: 0xfaba0065 = FNV(CloseHandle)
      - number: 0x03285501 = FNV(VirtualAlloc)
      - number: 0x820621f3 = FNV(VirtualProtect)
      - number: 0xf8f45725 = FNV(GetProcAddress)
      - number: 0xbdcac9ce = FNV(CreateFileA)
      - number: 0xafcab3c4 = FNV(CreateFileW)
      - number: 0x54fcc943 = FNV(ReadFile)
      - number: 0x2fa62ca8 = FNV(Sleep)