Merge pull request #37 from merces/master

Process memory working set size anti-debug trick

antidebug.yar

@@ -586,4 +586,15 @@ rule Check_FindWindowA_iat {
 		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
 }
 
+rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
+	meta:
+		author = "Fernando Mercês"
+		date = "2015-06"
+		description = "Anti-debug process memory working set size check"
+		reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
+
+	condition:
+		pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
+		pe.imports("kernel32.dll", "GetCurrentProcess")
+}