(YARA) YARA_Detect_CloseHandle
Created the . Updated 9 months ago.
rule Detect_CloseHandle: AntiDebug {
meta:
description = "Detect CloseHandle as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "NtClose" fullword ascii
$2 = "CloseHandle" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| CloseHandle, NtClose | U0114 B0001.003 |