Rename architecture-specific rules

Author: akh7177

host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml renamed to host-interaction/hardware/cpu/get-number-of-processors.yml

@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: get number of processors via x86 assembly
+    name: get number of processors
     namespace: host-interaction/hardware/cpu
     authors:
       - [email protected]

load-code/pe/enumerate-pe-sections.yml

@@ -3,56 +3,34 @@ rule:
     name: enumerate PE sections
     namespace: load-code/pe
     authors:
-      - "@Ana06"
-      - "@mr-tz"
+      - sara-rn
     scopes:
       static: function
-      dynamic: unsupported  # requires offset, operand[1].offset, characteristic, mnemonic, basicblock features
-    mbc:
-      - Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
-    references:
-      - https://0x00sec.org/t/reflective-dll-injection/3080
-      - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
+      dynamic: unsupported  # requires characteristic, offset, mnemonic features
     examples:
-      - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
+      - 73CE04892E5F39EC82B00C02FC04C70F:0x406BA1
   features:
     - and:
       - os: windows
-      # there should be some complexity to functions like this
-      - count(basic blocks): 3 or more
-      - optional:
-        - offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
-      - instruction:
-        - or:
-          - mnemonic: mov
-          - mnemonic: movzx
-        - operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
-      - basic block:
+      - or:
+        - characteristic: loop
+        - mnemonic: movzx
+      - and:
+        - offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew
         - or:
           - and:
-            - description: IMAGE_FIRST_SECTION(nt_header)
-            - instruction:
-              - or:
-                - mnemonic: add
-                - mnemonic: mov
-                - mnemonic: movzx
-              - operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
-            - operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader
+            - arch: i386
+            - offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT]
           - and:
-            - description: (DWORD)dll_raw + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i
-            - number: 0x28 = sizeof(IMAGE_SECTION_HEADER)
-            - or:
-              - and:
-                - arch: i386
-                - operand[1].offset: 0xF8 = sizeof(IMAGE_NT_HEADERS32)
-              - and:
-                - arch: amd64
-                - operand[1].offset: 0x108 = sizeof(IMAGE_NT_HEADERS64)
-      - 2 or more:
-        - operand[1].offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress
-        - operand[1].offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData
-        - operand[1].offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData
-        # there's also offset 0x8 = IMAGE_SECTION_HEADER.Misc.PhysicalAddress, but it's likely too common
-      - not:
-        # non-zeroing XOR was observed in FPs
-        - characteristic: nzxor
+            - arch: amd64
+            - offset: 0x88 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT]
+        - 3 or more:
+          - offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions
+          - offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
+          - offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames
+          - offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames
+          - offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
+      - optional:
+        - or:
+          - api: LoadLibrary
+          - api: strcmp