(YARA) Detect_EnumProcess
Created the . Updated 9 months, 1 week ago.
rule Detect_EnumProcess: AntiDebug {
meta:
description = "Detect EnumProcessas anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "EnumProcessModulesEx" fullword ascii
$2 = "EnumProcesses" fullword ascii
$3 = "EnumProcessModules" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| Detecting Running Process: EnumProcess API | U0109 U0405 U1306 |