// Detect_GuardPages: experimental anti-debug heuristic.
// Matches PE files that reference most of the Win32 memory-management
// API names a guard-page trick would need. This is a string/import
// heuristic only; it does not confirm that a guard page is actually used.
rule Detect_GuardPages: AntiDebug
{
    meta:
        description = "Detect Guard Pages as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"

    strings:
        // Win32 API names, matched as whole ASCII words.
        // NOTE(review): all five are common in benign binaries as well,
        // so treat a hit as a triage lead rather than a verdict.
        $api_sysinfo  = "GetSystemInfo"  fullword ascii
        $api_alloc    = "VirtualAlloc"   fullword ascii
        $api_fill     = "RtlFillMemory"  fullword ascii
        $api_protect  = "VirtualProtect" fullword ascii
        $api_free     = "VirtualFree"    fullword ascii

    condition:
        // MZ header at offset 0, file under 1000KB,
        // and at least four of the five API names present.
        uint16(0) == 0x5A4D
        and filesize < 1000KB
        and 4 of ($api_*)
}