(YARA) YARA_Detect_ExceptionHandler
Created the . Updated 1 year, 10 months ago.
rule Detect_SuspendThread: AntiDebug {
meta:
description = "Detect SuspendThread as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "UnhandledExcepFilter" fullword ascii
$2 = "SetUnhandledExceptionFilter" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| Unhandled Exception Filter | U0108 B0001.030 |