(YARA) Detect_Interrupts
rule Detect_Interrupt: AntiDebug {
meta:
description = "Detect Interrupt instruction"
author = "Unprotect"
comment = "Experimental rule / the rule can be slow to use"
strings:
$int3 = { CC }
$intCD = { CD }
$int03 = { 03 }
$int2D = { 2D }
$ICE = { F1 }
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| INT3 Instruction Scanning | U0105 B0001.025 | ||
| INT 0x2D | U0129 B0001.006 | ||
| ICE 0xF1 | U0130 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| f9a5a72ead096594c5d59abe706e...0c3b4ebd7690f2eb114a37d1a7db | 6 | 2024-11-19 | 1 day, 22 hours ago |
| f2665f89ba53abd3deb81988c0d5...4053e77fc89b98b64a31a7504d77 | 6 | 2024-11-19 | 1 day, 22 hours ago |
| 83d8922e7a8212f1a2a9015973e6...90e7000c31f57be83803747df015 | 7 | 2024-11-19 | 1 day, 22 hours ago |
| 3c703ecb3e8c54e352ff39fadbe7...f848bd69551b07bf2ed0a58744b9 | 6 | 2024-11-19 | 1 day, 22 hours ago |
| ffc49c8fd266e46d2cf1f02f62b1...c88e6b01f9e022325744f55e2f07 | 5 | 2024-11-19 | 1 day, 23 hours ago |
| ffbe22e427a9aca61a1565c32137...5a56de738cbb240f7b5bb1d1dca1 | 6 | 2024-11-19 | 1 day, 23 hours ago |
| ebb508b441172b95f4c6a63c7f78...904128200bcb8ef38b1374663789 | 4 | 2024-11-19 | 1 day, 23 hours ago |
| e5516993358b4ce00e5e6877d767...9e2574cdcd850ebe9473879c9feb | 5 | 2024-11-19 | 1 day, 23 hours ago |
| e18ac2c4a57b7b4980c63623c966...4e2bb66f2cc4a54974219818fff3 | 8 | 2024-11-19 | 1 day, 23 hours ago |
| d87df763fcbee9141be2d06a2e6c...489083d7d933dec781652dd31d32 | 5 | 2024-11-19 | 1 day, 23 hours ago |
Created
June 22, 2022
Last Revised
June 22, 2022