get-process-filename.yml: added x86 support (#945)

* Added x86 support for get-process-filename.yml
mandiant · Oct 16, 2024 · 01e45df · 01e45df
1 parent 60fcf98
commit 01e45df
Showing 1 changed file with 19 additions and 11 deletions.
diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
@@ -15,14 +15,22 @@ rule:
     examples:
       - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
   features:
-    - and:
-      # example:
-      # mov     rax, gs:60h     ; TEB.ProcessEnvironmentBlock
-      # mov     rcx, [rax+18h]  ; PEB64.Ldr
-      # mov     rax, [rcx+20h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
-      # mov     rcx, [rax+50h]  ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
-      - arch: amd64
-      - characteristic: peb access
-      - offset: 0x18 = PEB->Ldr
-      - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
-      - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+    - or:
+      - and:
+        - arch: i386
+        - characteristic: peb access
+        - offset: 0x0C = PEB->Ldr
+        - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
+        - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+
+      - and:
+        # example:
+        # mov     rax, gs:60h     ; TEB.ProcessEnvironmentBlock
+        # mov     rcx, [rax+18h]  ; PEB64.Ldr
+        # mov     rax, [rcx+20h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+        # mov     rcx, [rax+50h]  ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
+        - arch: amd64
+        - characteristic: peb access
+        - offset: 0x18 = PEB->Ldr
+        - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+        - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName