capa-rules icon indicating copy to clipboard operation
capa-rules copied to clipboard
verified publisher icon mandiant

rule: check processor architecture (need example)

Open Ana06 opened this issue 5 years ago • 1 comments

@mike-hunhoff

Example: b7841b9d5dc1f511a93cc7576672ec0c:0x1000ebc8

Example resolves API calls and won't hit with capa.

May just want to generalize this rule for general collect

Windows API:

  • kernel32::GetNativeSystemInfo

Offsets:

  • 0x0 = SYSTEM_INFO.wProcessorArchitecture

Ana06 avatar Aug 06 '20 16:08 Ana06

Example at capa-testfiles/03b236b23b1ec37c663527c1f53af3fe.dll_

The following basic block:

0x180024c27      488d4c2420             lea     rcx, [lpSystemInfo] ; LPSYSTEM_INFO lpSystemInfo
0x180024c2c      ff15f6f40200           call    qword [GetNativeSystemInfo] ; 0x180054128 ; VOID GetNativeSystemInfo(LPSYSTEM_INFO lpSystemInfo)
0x180024c32      8b542424               mov     edx, dword [rsp + 0x24]
0x180024c36      8b4550                 mov     eax, dword [rbp + 0x50]
0x180024c39      488d7aff               lea     rdi, [rdx - 1]
0x180024c3d      488d4aff               lea     rcx, [rdx - 1]
0x180024c41      4803f8                 add     rdi, rax
0x180024c44      4803cb                 add     rcx, rbx
0x180024c47      488d42ff               lea     rax, [rdx - 1]
0x180024c4b      48f7d0                 not     rax
0x180024c4e      4823f8                 and     rdi, rax
0x180024c51      488d42ff               lea     rax, [rdx - 1]
0x180024c55      48f7d0                 not     rax
0x180024c58      4823c8                 and     rcx, rax
0x180024c5b      483bf9                 cmp     rdi, rcx
0x180024c5e      7412                   je      0x180024c72

re-fox avatar Oct 07 '20 14:10 re-fox

GetNativeSystemInfo is included in get system information on Windows

mr-tz avatar Jan 13 '23 11:01 mr-tz