(YARA) YARA_Detect_ExceptionHandler
June 22, 2022, 3:54 a.m. | 2 weeks
rule Detect_SuspendThread: AntiDebug {
meta:
description = "Detect SuspendThread as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "UnhandledExcepFilter" fullword ascii
$2 = "SetUnhandledExceptionFilter" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| Unhandled Exception Filter | U0108 |