(YARA) Detect_Interrupts

Created the . Updated 1 year, 10 months ago.

rule Detect_Interrupt: AntiDebug {
    meta:
        description = "Detect Interrupt instruction"
        author = "Unprotect"
        comment = "Experimental rule / the rule can be slow to use"
    strings:
        $int3 = { CC }   // INT3, the single-byte software breakpoint
        $intCD = { CD }  // INT imm8 opcode (followed by the interrupt number)
        $int03 = { 03 }  // 0x03 operand of the two-byte form of INT 3
        $int2D = { 2D }  // 0x2D operand of INT 0x2D
        $ICE = { F1 }    // ICEBP (INT1), the undocumented in-circuit-emulator breakpoint
    condition:
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
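The following Python scanner is an added example, not part of the Unprotect rule above: it applies the same condition (MZ header, size limit, any pattern hit) to an in-memory buffer and reports the offsets of each interrupt opcode. It differs from the rule in one deliberate way, which is an assumption of this example: the operands 03 and 2D are only matched directly after the CD opcode, because a lone 0x03 or 0x2D byte occurs in almost every file. The two sample buffers are constructed here and are not real binaries.

```python
import struct

# Byte patterns for the interrupt instructions the rule targets (x86 encodings):
# CC = INT3 (1-byte), CD 03 = INT 3 (2-byte form), CD 2D = INT 0x2D, F1 = ICEBP.
# Assumption of this example: INT operands are matched only after the CD opcode.
PATTERNS = {
    "int3": b"\xcc",
    "int_03": b"\xcd\x03",
    "int_2d": b"\xcd\x2d",
    "icebp": b"\xf1",
}
MAX_SIZE = 1000 * 1024  # the rule's "filesize < 1000KB" (YARA KB = 1024 bytes)


def find_all(data: bytes, pat: bytes) -> list:
    """Return every offset at which `pat` occurs in `data`."""
    offsets, i = [], data.find(pat)
    while i != -1:
        offsets.append(i)
        i = data.find(pat, i + 1)
    return offsets


def scan(data: bytes) -> dict:
    """Apply the rule's condition: MZ header, size limit, then any pattern hit."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return {"match": False, "reason": "no MZ header", "hits": {}}
    if len(data) >= MAX_SIZE:
        return {"match": False, "reason": "file too large for rule", "hits": {}}
    hits = {n: o for n, p in PATTERNS.items() if (o := find_all(data, p))}
    # Compilers commonly pad between functions with CC bytes, so a bare INT3
    # hit is weak evidence on its own; the two-byte INT forms are more telling.
    reason = "interrupt opcode(s) found" if hits else "clean"
    return {"match": bool(hits), "reason": reason, "hits": hits}


# Constructed samples (not real binaries): an "MZ" header, 62 bytes of padding,
# then a short x86 stub. The second stub embeds INT3, INT 0x2D and ICEBP.
HEADER = b"MZ" + b"\x00" * 62
CLEAN = HEADER + bytes.fromhex("558bec33c05dc3")          # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
SUSPECT = HEADER + bytes.fromhex("558beccccd2d90f15dc3")  # ...; int3; int 0x2d; nop; icebp; pop ebp; ret

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan(blob))
```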

Associated Techniques

Technique Name              Technique IDs       Has Snippet(s)
INT3 Instruction Scanning   U0105, B0001.025
INT 0x2D                    U0129, B0001.006
ICE 0xF1                    U0130