# hide-thread-from-debugger.yml
#
# capa rule: flags code that calls NtSetInformationThread (or its Zw alias)
# with ThreadInformationClass 0x11 (ThreadHideFromDebugger), the classic way
# to hide the current thread from an attached debugger. Three alternative
# patterns are accepted (see the top-level `or` under `features`): a static
# basic-block match, a dynamic call match, and a runtime-resolved-import
# variant where the API name is only present as a string.
rule:
  meta:
    name: hide thread from debugger
    namespace: anti-analysis/anti-debugging/debugger-evasion
    authors:
      - michael.hunhoff@mandiant.com
      - jakub.jozwiak@mandiant.com
    # Evaluated per function in static analysis and per thread on a dynamic trace.
    scopes:
      static: function
      dynamic: thread
    # MITRE ATT&CK and Malware Behavior Catalog mappings for the technique.
    att&ck:
      - Defense Evasion::Debugger Evasion [T1622]
    mbc:
      - Anti-Behavioral Analysis::Debugger Evasion [B0002]
    references:
      - https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
      - https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp
    # <sample sha256>:<function address> of a known true positive, used to test the rule.
    examples:
      - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
  features:
    # Any one of the three branches below is sufficient for a match.
    - or:
      # Static path: the API reference and the 0x11 constant sit in the same
      # basic block, so the constant is very likely the ThreadInformationClass
      # argument of that call.
      - basic block:
        - and:
          - or:
            - api: NtSetInformationThread
            - api: ZwSetInformationThread
          # The text after "=" is a human-readable label for the constant.
          - number: 0x11 = ThreadHideFromDebugger
      # Dynamic path: a recorded call to the API whose arguments include 0x11.
      - call:
        - and:
          - or:
            - api: NtSetInformationThread
            - api: ZwSetInformationThread
          - number: 0x11 = ThreadHideFromDebugger
      # Runtime-linked path: the import is resolved at runtime rather than
      # through the import table, so statically only the API name string is
      # visible. The conjunction with the runtime-linking helper rule, a
      # GetCurrentThread call and the constant means a bare API-name string
      # alone does not fire.
      - and:
        - or:
          - string: "NtSetInformationThread"
          - string: "ZwSetInformationThread"
        # Reference to another capa rule by its `name`; it must be present in
        # the rule set for this branch to be evaluable.
        - match: link function at runtime on Windows
        - api: GetCurrentThread
        - number: 0x11 = ThreadHideFromDebugger