(YARA) YARA_Detect_AlKhaser_AntiDebug_WriteWatch
rule YARA_Detect_AlKhaser_AntiDebug_WriteWatch
{
meta:
description = "Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes."
author = "@albertzsigovits"
date = "2024-07-10"
reference = "https://github.com/LordNoteworthy/al-khaser/blob/967afa0d783ff9625caf1b069e3cd1246836b09f/al-khaser/AntiDebug/WriteWatch.cpp#L85"
sha256 = "e07383f6a340d8422a69b1d40cf848652165517407f7d0dc7260eed4a76499b3"
strings:
$ = "%ThisIsAnInvalidEnvironmentVariableName?[]<>@\\;*!-{}#:/~%" ascii wide
$ = "%ThisIsAnInvalidFileName?[]<>@\\;*!-{}#:/~%" ascii wide
condition:
uint16(0) == 0x5A4D
and uint32(uint32(0x3C)) == 0x00004550
and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Al-Khaser_WriteWatch | U0134 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| al-khaser.exe | 24 | 2024-11-13 | 1 week ago |
Created
August 19, 2024
Last Revised
November 15, 2024