Better SEH Detection

Better SEH Detection

Better SEH Detection
f7a6ab7e · Jaume Martin · GitHub · 90cac274 · ceeb3958 · f7a6ab7e
Unverified Commit f7a6ab7e authored Feb 26, 2019 by Jaume Martin Committed by GitHub Feb 26, 2019
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

antidebug_antivm.yar Antidebug_AntiVM/antidebug_antivm.yar +31 -0

No files found.
--- a/Antidebug_AntiVM/antidebug_antivm.yar
+++ b/Antidebug_AntiVM/antidebug_antivm.yar
@@ -4,6 +4,12 @@
 import "pe"
+private rule WindowsPE
+{
+    condition:
+        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
+}
 rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
 	meta:
 		weight = 1
@@ -275,6 +281,31 @@ rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
 }
 */
+rule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
+{
+    meta:
+        author = "Malware Utkonos"
+        original_author = "naxonez"
+        source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+    strings:
+        $a = { 64 ff 35 00 00 00 00 }
+    condition:
+        WindowsPE and $a
+}
+rule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
+{
+    meta:
+        author = "Malware Utkonos"
+        original_author = "naxonez"
+        source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+    strings:
+        $a = { 64 A3 00 00 00 00 }
+        $b = { 64 89 25 00 00 00 00 }
+    condition:
+        WindowsPE and ($a or $b)
+}
 rule Check_Dlls
 {