From 01e45dfcf9ac6125ad8cb1345b10af0e7a1d2dca Mon Sep 17 00:00:00 2001
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Wed, 16 Oct 2024 16:11:11 +0000
Subject: [PATCH] get-process-filename.yml: added x86 support (#945)

* Added x86 support for get-process-filename.yml

---
 .../process/get-process-filename.yml | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
index 31baee22..bb310fd9 100644
--- a/host-interaction/process/get-process-filename.yml
+++ b/host-interaction/process/get-process-filename.yml
@@ -15,14 +15,22 @@ rule:
 examples:
 - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
 features:
- - and:
- # example:
- # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
- # mov rcx, [rax+18h] ; PEB64.Ldr
- # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
- # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
- - arch: amd64
- - characteristic: peb access
- - offset: 0x18 = PEB->Ldr
- - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
- - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+ - or:
+ - and:
+ - arch: i386
+ - characteristic: peb access
+ - offset: 0x0C = PEB->Ldr
+ - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+
+ - and:
+ # example:
+ # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
+ # mov rcx, [rax+18h] ; PEB64.Ldr
+ # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+ # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
+ - arch: amd64
+ - characteristic: peb access
+ - offset: 0x18 = PEB->Ldr
+ - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
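Review bot: The new `arch: i386` branch has no matching entry under `examples:`; the only sample listed (`cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2`, an address that looks like it belongs to a 64-bit image) can only exercise the amd64 branch, so if the project's example-driven rule tests run here, nothing confirms the 0x0C/0x14/0x28 chain against a real 32-bit match — an i386 sample address should be added next to it when one is available. The i386 block also lacks the illustrative disassembly comment the amd64 block carries; a four-line `# example:` mirroring it, beginning `# mov eax, fs:30h ; TEB.ProcessEnvironmentBlock` and continuing with the `0Ch`, `14h` and `28h` loads, would keep the two branches equally readable. One caveat on the offset descriptions in both branches (pre-existing for amd64): a pointer taken from `InMemoryOrderModuleList.Flink` points at the entry's `InMemoryOrderLinks` field rather than the entry base, so — assuming the usual `LDR_DATA_TABLE_ENTRY` layout — `+0x28` (32-bit) and `+0x50` (64-bit) land on `BaseDllName.Buffer`, not `FullDllName.Buffer`; matching is unaffected, but the `= …->FullDllName` descriptions may mislead an analyst reading the rule, and `= …->BaseDllName.Buffer (InMemoryOrderLinks-relative)` would be the more accurate label.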