diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
new file mode 100644
index 000000000..7f50b0e22
--- /dev/null
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -0,0 +1,33 @@
+rule:
+ meta:
+ name: hide thread from debugger
+ namespace: anti-analysis/anti-debugging/debugger-evasion
+ authors:
+ - michael.hunhoff@mandiant.com
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Debugger Evasion [T1622]
+ mbc:
+ - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+ references:
+ - https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread
+ - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
+ - https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp
+ examples:
+ - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
+ features:
+ - or:
+ - basic block:
+ - and:
+ - or:
+ - api: NtSetInformationThread
+ - api: ZwSetInformationThread
+ - number: 0x11 = ThreadHideFromDebugger
+ - and:
+ - or:
+ - string: "NtSetInformationThread"
+ - string: "ZwSetInformationThread"
+ - match: link function at runtime on Windows
+ - api: GetCurrentThread
+ - number: 0x11 = ThreadHideFromDebugger
diff --git a/nursery/hide-thread-from-debugger.yml b/nursery/hide-thread-from-debugger.yml
deleted file mode 100644
index 3fb0fc476..000000000
--- a/nursery/hide-thread-from-debugger.yml
+++ /dev/null
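Review bot: The runtime-linked branch (the second `- and:` under `features:` in the new rule) requires `api: GetCurrentThread`, so a function that resolves NtSetInformationThread by name but passes the current-thread pseudo-handle as a constant, or passes another thread's handle, is not matched by that branch, while the statically-linked branch imposes no such requirement. Consider wrapping that feature in an `optional:` node so the two branches describe the same call pattern, with the resolved-name string, `match: link function at runtime on Windows` and `number: 0x11 = ThreadHideFromDebugger` remaining the required core. The rule also carries no `description:` in `meta`; a line such as `description: NtSetInformationThread/ZwSetInformationThread called with ThreadHideFromDebugger (0x11), which stops the affected thread from reporting debug events to an attached debugger` would tell an analyst reading a hit why the constant matters.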
@@ -1,13 +0,0 @@
-rule:
- meta:
- name: hide thread from debugger
- namespace: anti-analysis/anti-debugging
- authors:
- - michael.hunhoff@mandiant.com
- scope: basic block
- references:
- - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
- features:
- and:
- api: NtSetInformationThread
- number: 0x11 = ThreadHideFromDebugger