From 45dbe8792e0fbea614aa289887bdc7b4f9cc3591 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Sat, 2 Sep 2023 18:44:36 +0200
Subject: [PATCH] add rule

---
 nursery/get-ntoskrnl-base-address.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 nursery/get-ntoskrnl-base-address.yml

diff --git a/nursery/get-ntoskrnl-base-address.yml b/nursery/get-ntoskrnl-base-address.yml
new file mode 100644
index 000000000..0f2686ab3
--- /dev/null
+++ b/nursery/get-ntoskrnl-base-address.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: get ntoskrnl base address
+    namespace: linking/runtime-linking
+    authors:
+      - "@mr-tz"
+    scope: function
+    att&ck:
+      - Execution::Shared Modules [T1129]
+    references:
+      - https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b5/Source/Furutaka/sup.c#L76
+      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/query.htm
+  features:
+    - and:
+      - basic block:
+        - and:
+          - description: returns RTL_PROCESS_MODULES structure
+          - number: 0xB = SystemModuleInformation
+          - match: get system information on Windows
+      - and:
+        - arch: i386
+        - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
+      - and:
+        - arch: amd64
+        - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
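Review bot: The outer `and:` under `features:` requires both the `arch: i386` branch and the `arch: amd64` branch to be true at the same time, and a single sample has only one architecture, so the rule as written can never match on either platform. The two architecture-specific `and:` blocks should sit under an `or:` so the basic-block match plus whichever architecture offset applies is sufficient; the rewritten `features:` section is below. The `match: get system information on Windows` line depends on a rule with exactly that name existing elsewhere in the rule set, which this patch does not show, so that dependency should be confirmed before the rule leaves the nursery. The patch reached me with its lines collapsed, so the indentation shown here is reconstructed and should be checked against the file.
```yaml
  features:
    - and:
      # … unchanged: basic block with description / number 0xB / match …
      - or:
        - and:
          - arch: i386
          - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
        - and:
          - arch: amd64
          - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
```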