check mutex on Windows

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: check mutex on Windows
    namespace: host-interaction/mutex
    authors:
      - moritz.raabe@mandiant.com
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Process::Check Mutex [C0043]
    examples:
      - 1d8fd13c890060464019c0f07b928b1a:0x402eb0
  features:
    - or:
      - api: ntdll.NtQueryMutant
      - and:
        - match: create or open mutex on Windows
        - or:
          - api: WaitForSingleObject
          - basic block:
            - and:
              - api: GetLastError
              - or:
                - number: 2 = ERROR_FILE_NOT_FOUND
                - number: 0xB7 = ERROR_ALREADY_EXISTS
                - number: 5 = ERROR_ACCESS_DENIED

last edited: 2025-03-20 15:00:29