(YARA) YARA_Detect_FindWindow
import "pe"
rule Detect_FindWindowA_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if FindWindowA() is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
strings:
$ollydbg = "OLLYDBG"
$windbg = "WinDbgFrameClass"
condition:
pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Detecting Window with FindWindow API | U0406 U0123 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| 5.exe | 9 | 2025-05-30 | 12 hours, 7 minutes ago |
Created
June 22, 2022
Last Revised
November 5, 2024