(YARA) YARA_Detect_FindWindow
import "pe"
rule Detect_FindWindowA_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if FindWindowA() is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
strings:
$ollydbg = "OLLYDBG"
$windbg = "WinDbgFrameClass"
condition:
pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Detecting Window with FindWindow API | U0406 U0123 |
Created
June 22, 2022
Last Revised
November 5, 2024