rule YARA_Detect_AlKhaser_AntiDebug_WriteWatch { meta: description = "Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes." author = "@albertzsigovits" date = "2024-07-10" reference = "https://github.com/LordNoteworthy/al-khaser/blob/967afa0d783ff9625caf1b069e3cd1246836b09f/al-khaser/AntiDebug/WriteWatch.cpp#L85" sha256 = "e07383f6a340d8422a69b1d40cf848652165517407f7d0dc7260eed4a76499b3" strings: $ = "%ThisIsAnInvalidEnvironmentVariableName?[]<>@\\;*!-{}#:/~%" ascii wide $ = "%ThisIsAnInvalidFileName?[]<>@\\;*!-{}#:/~%" ascii wide condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of them }