Process memory working set size anti-debug trick

87400d6c · Fernando Mercês · 32c66ff5 · 87400d6c
Commit 87400d6c authored Jun 15, 2015 by Fernando Mercês
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

antidebug.yar antidebug.yar +11 -0

No files found.
--- a/antidebug.yar
+++ b/antidebug.yar
@@ -586,4 +586,15 @@ rule Check_FindWindowA_iat {
 		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
 }

+rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
+	meta:
+		author = "Fernando Mercês"
+		date = "2015-06"
+		description = "Anti-debug process memory working set size check"
+		reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
+
+	condition:
+		pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
+		pe.imports("kernel32.dll", "GetCurrentProcess")
+}