rule:
  meta:
    name: check for PEB BeingDebugged flag
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: moritz.raabe@fireeye.com
    scope: basic block
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]
    references:
      - Practical Malware Analysis, Chapter 16, p. 353
    examples:
      - Practical Malware Analysis Lab 16-01.exe_:0x403530
  features:
    - and:
      - match: PEB access
      - offset: 2 = PEB.BeingDebugged