-
Notifications
You must be signed in to change notification settings - Fork 159
/
access-peb-ldr_data.yml
60 lines (54 loc) · 2.04 KB
/
access-peb-ldr_data.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
rule:
meta:
name: access PEB ldr_data
namespace: linking/runtime-linking
author: moritz.raabe@fireeye.com
scope: basic block
att&ck:
- Execution::Shared Modules [T1129]
examples:
- 3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7
features:
- or:
# x32
- and:
# resolve the PEB
- or:
- match: PEB access
# x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0
# checking for fs:0 and a (possibly unrelated) number or offset often results in false positives
# LDR_DATA* Ldr;
# good PEB layout reference here:
# https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm
- offset/x32: 0x0C = PEB.LDR_DATA
# resolve a module list
- or:
- offset/x32: 0x0C = PEB.LDR_DATA.InLoadOrderModuleList
- offset/x32: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList
- offset/x32: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList
# x64
- and:
# resolve the PEB
- or:
- match: PEB access
# in the case of CallObfuscator, gs:[rax]
# ref: https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8
- and:
- number/x64: 0x60
- characteristic: gs access
# in 0f5d5d07c6533bc6d991836ce79daaa1
# then we have:
#
# xor edx, edx
# mov edx, fs:[edx+30h]
- and:
- offset/x64: 0x60 = PEB
- characteristic: gs access
# good PEB layout reference here:
# https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm
- offset/x64: 0x18 = PEB.LDR_DATA
# resolve a module list
- or:
- offset/x64: 0x10 = PEB.LDR_DATA.InLoadOrderModuleList
- offset/x64: 0x20 = PEB.LDR_DATA.InMemoryOrderModuleList
- offset/x64: 0x30 = PEB.LDR_DATA.InInitializationOrderModuleList