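// Flags PE files that import the thread-suspension / context-manipulation APIs
// commonly paired with anti-debugging, plus at least one enumeration API used
// to locate the debugger's threads or windows.
rule Detect_SuspendThread : AntiDebug
{
    meta:
        description = "Detect SuspendThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"

    strings:
        // Thread suspension / context manipulation primitives.
        $1 = "SuspendThread" fullword ascii
        $2 = "NtSuspendThread" fullword ascii
        $3 = "OpenThread" fullword ascii
        $4 = "SetThreadContext" fullword ascii
        // NOTE(review): there is no Win32 export named SetInformationThread;
        // with `fullword` this will not match an NtSetInformationThread import
        // (the preceding "Nt" is alphanumeric) — confirm the intended API name.
        $5 = "SetInformationThread" fullword ascii

        // Enumeration APIs used to find debugger threads/windows.
        // The exported name is CreateToolhelp32Snapshot (lowercase "h");
        // `ascii` matching is case-sensitive, so the original spelling
        // "CreateToolHelp32Snapshot" could never match the real import.
        $x1 = "CreateToolhelp32Snapshot" fullword ascii
        $x2 = "EnumWindows" fullword ascii

    condition:
        // MZ header and a size cap to keep scanning cheap on large files.
        uint16(0) == 0x5A4D and filesize < 1000KB
        // The original condition referenced `$x`, which is not a declared
        // string (YARA does not treat a bare `$x` as a prefix wildcard) and
        // fails to compile; `($x*)` is the wildcard form.
        and 1 of ($x*)
        // `them` includes the $x strings, so this can be satisfied by
        // $x1 + $x2 alone; both are common in benign software, so expect
        // false positives and treat hits as a triage signal, not a verdict.
        and 2 of them
}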