rule: meta: name: check for trap flag exception namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com scope: basic block mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp examples: - al-khaser_x86.exe_:0x431680 - al-khaser_x64.exe_:0x140030CB0 features: - and: - or: - description: read/write EFLAGS register - and: - mnemonic: pushf - mnemonic: popf - and: - mnemonic: pushfd - mnemonic: popfd - and: - mnemonic: pushfq - mnemonic: popfq - or: - description: set trap flag - and: - mnemonic: or - number: 0x100 - and: - mnemonic: bts - number: 0x8