(YARA) YARA_Detect_Interrupts

Updated 1 year, 10 months ago.

rule AntiDebugging_Interrupt {
  meta:
    description = "Interrupt instructions commonly used as anti-debugging tricks in PE files"
  strings:
    // Two-byte INT 3 (CD 03): compilers emit the one-byte CC form, so CD 03 is usually hand-written.
    // One-byte CC (INT 3) and F1 (ICEBP) are deliberately not matched: CC is also inter-function padding.
    $int3_long = { CD 03 }
    // INT 2D: kernel debugger service; execution diverges when a debugger is attached.
    $int2d     = { CD 2D }
    // UD2: guaranteed #UD, typically wrapped in __try/__except (no byte pattern identifies those blocks).
    $ud2       = { 0F 0B }
  condition:
    uint16(0) == 0x5A4D and any of them
}
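To see what the rule's byte patterns actually fire on before deploying it, the following Python re-implements its condition (MZ header plus any of the two-byte opcodes) over a constructed buffer. This is an added example, not code from the original snippet or from the Unprotect project; the sample bytes, function names and the "count CC instead of matching it" choice are assumptions made for illustration.

```python
"""Byte-level re-implementation of the interrupt-opcode YARA rule, for checking what it matches.
Added example; not part of the original page or the Unprotect project."""

# Opcode patterns the rule looks for (x86/x64 encodings).
PATTERNS = {
    "int3_long": b"\xcd\x03",  # INT 3, two-byte form; compilers emit the one-byte CC instead
    "int2d":     b"\xcd\x2d",  # INT 2D, kernel debugger service interrupt
    "ud2":       b"\x0f\x0b",  # UD2, guaranteed #UD
}
INT3_SHORT = b"\xcc"  # one-byte INT 3; also used as padding, so it is only counted, never matched on


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in data (overlapping hits allowed)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_interrupts(data: bytes) -> dict:
    """Mirror the YARA condition: require an MZ header, then report each pattern's offsets.

    Returns {} when the buffer is not a PE image (the rule's uint16(0) == 0x5A4D check).
    The one-byte INT 3 is reported as a count only, to show how noisy matching it would be."""
    if len(data) < 2 or data[:2] != b"MZ":
        return {}
    result = {name: find_all(data, pat) for name, pat in PATTERNS.items()}
    result["int3_short_count"] = data.count(INT3_SHORT)
    return result


def matches_rule(data: bytes) -> bool:
    """True when the rule's condition ('any of them' on a PE image) would fire."""
    hits = scan_interrupts(data)
    return any(hits.get(name) for name in PATTERNS)


# Constructed sample (not a real binary): a fake MZ stub, an ordinary function, CC padding,
# then a second function that executes INT 2D followed by UD2.
SAMPLE = (
    b"MZ" + b"\x00" * 62                        # stub header, 64 bytes
    + b"\x55\x89\xe5\x31\xc0\x5d\xc3"           # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    + b"\xcc" * 9                               # compiler padding up to the next 16-byte boundary
    + b"\x55\x89\xe5\xcd\x2d\x0f\x0b\x5d\xc3"   # push ebp; mov ebp,esp; int 2d; ud2; pop ebp; ret
)

if __name__ == "__main__":
    for name, value in scan_interrupts(SAMPLE).items():
        print(f"{name}: {value}")
    print("rule fires:", matches_rule(SAMPLE))
```

On the sample the two-byte patterns hit exactly once each inside the second function, while the nine padding bytes alone would already have made a one-byte CC match fire on a benign binary; that is the false-positive argument for leaving CC out of the rule.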

Associated Techniques

Technique Name    Technique ID    Snippet(s)    OS
Interrupts        U0106