rule:
  meta:
    name: PEB access
    # NOTE(review): no author entries survive in this copy (the page header counts
    # 48 lines but only 47 are rendered) — a bare key parses as null, not an empty
    # list; confirm the authors entry against the upstream rule.
    authors:
    lib: true
    scopes:
      static: basic block
      dynamic: unsupported  # requires characteristic, offset, mnemonic features
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp
    examples:
      - al-khaser_x86.exe_:0x420D20
  features:
    # Any one of the branches below is enough: a direct PEB-access characteristic,
    # or an architecture-specific TEB read that resolves the PEB pointer by offset.
    - or:
      - characteristic: peb access
      - and:
        # 32-bit: PEB pointer read through FS with displacement 0x30
        # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41
        - arch: i386
        - characteristic: fs access
        - or:
          # sample 0f5d5d07c6533bc6d991836ce79daaa1 does this as:
          #
          #     xor     edx, edx
          #     mov     edx, fs:[edx+30h]
          - offset: 0x30
          - instruction:
            # the offset may instead be added as an immediate to a zeroed base
            # register (e.g. CallObfuscator, which uses gs:[rax])
            - mnemonic: add
            - number: 0x30
      - and:
        # 64-bit: same idea via GS, the rule pairs gs access with 0x60 as
        # either a displacement or an added immediate
        - arch: amd64
        - characteristic: gs access
        - or:
          - offset: 0x60
          - instruction:
            - mnemonic: add
            - number: 0x60
      - and:
        # WoW64 PEB address is fetched via the WoW64 Thread Environment Block (TEB) at FS:[0x18]-0x2000
        # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L45
        - characteristic: fs access
        - instruction:
          - mnemonic: sub
          - number: 0x2000