rule:
  meta:
    name: check for software breakpoints
    namespace: anti-analysis/anti-debugging/debugger-detection
    authors:
      - michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp
    examples:
      - al-khaser_x86.exe_:0x431020
  features:
    - and:
      - basic block:
        - and:
          - mnemonic: cmp
          - or:
            - number: 0xCC
            - and:
              - number: 0xCD
              - number: 0x3
      - match: contain loop