(YARA) Detect_Interrupts
rule Detect_Interrupt: AntiDebug {
meta:
description = "Detect Interrupt instruction"
author = "Unprotect"
comment = "Experimental rule / the rule can be slow to use"
strings:
$int3 = { CC }
$intCD = { CD }
$int03 = { 03 }
$int2D = { 2D }
$ICE = { F1 }
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| INT3 Instruction Scanning | U0105 B0001.025 | ||
| INT 0x2D | U0129 B0001.006 | ||
| ICE 0xF1 | U0130 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| 1663704907_themetool.exe | 6 | 2025-01-20 | 1 day, 23 hours ago |
| Stellaris v2.3.0-v3.12.5 Plus 24 Trainer.exe | 8 | 2025-01-18 | 3 days, 7 hours ago |
| driver_installer.exe | 7 | 2025-01-14 | 1 week ago |
| Voice.ai-Downloader.exe | 7 | 2025-01-13 | 1 week, 1 day ago |
| ZClient.exe | 12 | 2025-01-13 | 1 week, 2 days ago |
| 3552dda80bd6875c1ed1273ca756...e2f757266dae70f60bf204089a4a | 5 | 2025-01-12 | 1 week, 2 days ago |
| Crackme#7.exe | 8 | 2025-01-12 | 1 week, 2 days ago |
| Temp_1.exe | 7 | 2025-01-06 | 2 weeks, 1 day ago |
| kernel32.dll | 13 | 2024-12-30 | 3 weeks, 1 day ago |
| hello.exe | 8 | 2024-12-27 | 3 weeks, 4 days ago |
Created
June 22, 2022
Last Revised
June 22, 2022