(YARA) Detect_Interrupts
June 22, 2022, 3:50 a.m. | 2 weeks
rule Detect_Interrupt: AntiDebug {
meta:
description = "Detect Interrupt instruction"
author = "Unprotect"
comment = "Experimental rule / the rule can be slow to use"
strings:
$int3 = { CC }
$intCD = { CD }
$int03 = { 03 }
$int2D = { 2D }
$ICE = { F1 }
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| INT3 Instruction Scanning | U0105 | |
| INT 0x2D | U0129 | |
| ICE 0xF1 | U0130 |