rule: meta: name: check for PEB NtGlobalFlag flag namespace: anti-analysis/anti-debugging/debugger-detection author: moritz.raabe@fireeye.com scope: function mbc: - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036] references: - Practical Malware Analysis, Chapter 16, p. 355 - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm examples: - Practical Malware Analysis Lab 16-01.exe_:0x403530 features: - and: - basic block: - and: - match: PEB access - or: - or: - offset/x32: 0x68 = PEB.NtGlobalFlag - offset/x64: 0xBC = PEB.NtGlobalFlag - and: - mnemonic: add - or: - number/x32: 0x68 = PEB.NtGlobalFlag - number/x64: 0xBC = PEB.NtGlobalFlag - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)