
resolve function by hash

# capa rule.  Matches code that carries one of the precomputed ROR13
# (rotate-right-by-13) string hashes listed under `features`, the constants a
# position-independent loader compares against while walking export tables
# instead of importing APIs by name (see the first reference).
# Each `number:` entry is a 32-bit constant; the text after `=` is capa's
# inline description naming the string the hash was derived from and is not
# part of the matched value.
rule:
  meta:
    name: resolve function by hash
    namespace: linking/runtime-linking
    authors:
      - william.ballenthin@mandiant.com
    # static analysis evaluates the rule per function; dynamic (trace-based)
    # analysis evaluates it per thread
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
    references:
      - https://www.mandiant.com/resources/precalculated-string-hashes-reverse-engineering-shellcode
      - https://pastebin.com/ci5XYW4P
  features:
    # `or`: a single hash constant in scope is enough to match.  A coincidental
    # collision with an unrelated 32-bit constant therefore also fires; when
    # triaging a hit, confirm by locating the hashing loop that consumes it.
    - or:
      # module-name hashes (presumably computed over the upper-cased name, as
      # the referenced shellcode does — verify against the hashing routine)
      - number: 0x6a4abc5b = ROR13(kernel32.dll)
      - number: 0x3cfa685d = ROR13(ntdll.dll)
      # export-name hashes
      - number: 0xec0e4e8e = ROR13(LoadLibraryA)
      - number: 0x7c0dfcaa = ROR13(GetProcAddress)
      - number: 0x91afca54 = ROR13(VirtualAlloc)
      - number: 0x534c0ab8 = ROR13(NtFlushInstructionCache)
      - number: 0xff7f061a = ROR13(RtlExitUserThread)
      - number: 0x60e0ceef = ROR13(ExitThread)
