Add rules linked-against-funchook.yml and linked-against-plthook.yml (#1073)

Author: jtothej

linking/static/funchook/linked-against-funchook.yml

@@ -0,0 +1,37 @@
+rule:
+  meta:
+    name: linked against Funchook
+    namespace: linking/static/funchook
+    authors:
+      - [email protected]
+    description: Match on files linked with the Funchook hooking library.
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Defense Evasion::Hijack Execution Flow [T1574]
+    references:
+      - https://github.com/kubo/funchook
+    examples:
+      - 749cf36adc5513c92c7acc836d20935e3c433f3c2d5641293e7a9c57c5ce22c2
+  features:
+    - or:
+      - export: "funchook_hook_caller_asm"
+      - 3 or more:
+        - string: "Enter funchook_create()"
+        - string: "Leave funchook_create() => %p"
+        - string: "Enter funchook_prepare(%p, %p, %p)"
+        - string: "Leave funchook_prepare(..., [%p->%p],...) => %d"
+        - string: "Enter funchook_install(%p, 0x%x)"
+        - string: "Leave funchook_install() => %d"
+        - string: "Enter funchook_uninstall(%p, 0x%x)"
+        - string: "Leave funchook_uninstall() => %d"
+        - string: "Enter funchook_destroy(%p)"
+        - string: "Leave funchook_destroy() => %d"
+        - string: "Could not modify already-installed funchook handle."
+        - string: "Failed to protect memory %p (size=%"
+        - string: "Failed to unprotect memory %p (size=%"
+        - string: "Failed to unprotect page %p (size=%"
+        - string: "Failed to protect page %p (size=%"
+        - string: "Failed to deallocate page %p (size=%"
+        - string: "Could not find a free region near %p"

linking/static/plthook/linked-against-plthook.yml

@@ -0,0 +1,55 @@
+rule:
+  meta:
+    name: linked against PLTHook
+    namespace: linking/static/plthook
+    authors:
+      - [email protected]
+    description: Match on files linked with the PLTHook hooking library.
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Defense Evasion::Hijack Execution Flow [T1574]
+    references:
+      - https://github.com/kubo/plthook
+    examples:
+      - c2c3b3eea177b9411bc92a8800b40529fcd2d5c3696e71cbb2f4025429b314ee
+  features:
+    - or:
+      - string: "plthook_open"
+      - string: "plthook_open_by_handle"
+      - string: "plthook_open_by_address"
+      - string: "plthook_enum"
+      - string: "plthook_replace"
+      - string: "plthook_close"
+      - string: "plthook_error"
+      - export: "plthook_open"
+      - export: "plthook_open_by_handle"
+      - export: "plthook_open_by_address"
+      - export: "plthook_enum"
+      - export: "plthook_replace"
+      - export: "plthook_close"
+      - export: "plthook_error"
+      - 3 or more:
+        - string: "Cannot get module %s: "
+        - string: "Cannot get module at address %p: "
+        - string: "ImageDirectoryEntryToData error: "
+        - string: "invalid argument: The first argument is null."
+        - string: "no such function: %s"
+        - string: "Could not find an address in the specified handle."
+        - string: "Could not find memory region containing address %p"
+        - string: "Could not open %s: %s"
+        - string: "Could not find r_debug"
+        - string: "Opening the main program is not supported on this platform."
+        - string: "failed to open /proc/self/maps"
+        - string: "Could not find memory region containing %p"
+        - string: "Unexcepted memory permission %s at %p"
+        - string: "failed to call kinfo_getvmmap()"
+        - string: "Unknown kve_protection 0x%x at %p"
+        - string: "Unknown pr_mflags 0x%x at %p"
+        - string: "failed to find DT_SYMTAB"
+        - string: "failed to find DT_STRTAB"
+        - string: "failed to find DT_STRSZ"
+        - string: "failed to find DT_PLTRELSZ"
+        - string: "failed to find PLT_DT_RELENT"
+        - string: "failed to allocate memory: %"