(YARA) YARA_detect_tlscallback

Download Raw

rule detect_tlscallback {
    meta:
        description = "Simple rule to detect tls callback as anti-debug."
        author = "Thomas Roccia | @fr0gger_"
    strings:
        $str1 = "TLS_CALLBACK" nocase
        $str2 = "TLScallback" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
TLS Callback U0124

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
a.exe 7 2025-10-03 4 days, 17 hours ago
program.exe 6 2025-10-01 1 week ago
DSViper_AES.exe 8 2025-09-23 2 weeks, 1 day ago
xor.exe 6 2025-08-30 1 month, 1 week ago
hemlockwin.exe 8 2025-08-06 2 months ago
teste.exe 6 2025-07-29 2 months, 1 week ago
libcrypto-1_1.dll 7 2025-07-01 3 months ago
loader.exe 8 2025-05-29 4 months, 1 week ago
hello.exe 8 2024-12-27 9 months, 1 week ago
test.exe 7 2024-12-06 10 months ago
View All

Created

June 20, 2022

Last Revised

June 20, 2022