News antidebug api calls detection

UnhandledExceptionFilter RaiseException FindWindowA

News antidebug api calls detection
UnhandledExceptionFilter RaiseException FindWindowA
0e5f4909 · j0sm1 · ec06ead1 · 0e5f4909
Commit 0e5f4909 authored Apr 21, 2015 by j0sm1
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 0 deletions

antidebug.yar antidebug.yar +40 -0

No files found.
--- a/antidebug.yar
+++ b/antidebug.yar
@@ -546,4 +546,44 @@ rule Check_OutputDebugStringA_iat
 		pe.imports("kernel32.dll","OutputDebugStringA")
 }

+rule Check_unhandledExceptionFiler_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if UnhandledExceptionFilter is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
+		
+	condition:
+		pe.imports("kernel32.dll","UnhandledExceptionFilter")	
+}
+
+rule check_RaiseException_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if RaiseException is imported" 
+		Date = "20/04/2015"
+		Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
+		
+	condition:
+		pe.imports("kernel32.dll","RaiseException")	
+}
+
+rule Check_FindWindowA_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if FindWindowA() is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
+		
+	strings:
+		$ollydbg = "OLLYDBG"
+		$windbg = "WinDbgFrameClass"
+		
+	condition:
+		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
+}
+