(YARA) YARA_Detect_CloseHandle

June 22, 2022, 4:16 a.m. | 2 weeks

            rule Detect_CloseHandle: AntiDebug {
    meta: 
        description = "Detect CloseHandle as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "NtClose" fullword ascii
        $2 = "CloseHandle" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}

Download Raw

Associated Techniques

Technique Name	Technique ID's	Has Snippet(s)
CloseHandle, NtClose	U0114

(YARA) YARA_Detect_CloseHandle

Associated Techniques

Comment