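rule:
  meta:
    name: reference analysis tools strings
    namespace: anti-analysis
    authors:
      - mehunhoff@google.com
    # Documents what the rule actually is: a string heuristic, not an API-based check.
    # The referenced al-khaser code compares enumerated process names against a list
    # like this one; the rule only observes that the names are present in the sample.
    description: >-
      matches strings naming common debuggers, disassemblers, process/file/registry
      monitors, network sniffers and interception proxies, as used by anti-analysis
      code that compares running process names against a blocklist. Presence of the
      strings alone is weak evidence: installers, security products, tooling and
      documentation can legitimately embed the same names, and several patterns below
      are unanchored substrings. Combine with process-enumeration features before
      treating a hit as evasive behaviour.
    scopes:
      static: file
      dynamic: file
    mbc:
      - Discovery::Analysis Tool Discovery::Process detection [B0013.001]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp
    examples:
      - al-khaser_x86.exe_
  features:
    # Any single match is sufficient. Patterns are case-insensitive and, apart from the
    # IDA entries, unanchored; the optional (\.exe)? suffix therefore only documents the
    # expected form and does not narrow the match.
    - or:
      - string: /ollydbg(\.exe)?/i
      - string: /ProcessHacker(\.exe)?/i
      - string: /tcpview(\.exe)?/i
      # /autoruns/ also covers autorunsc; the second entry is kept for readability.
      - string: /autoruns(\.exe)?/i
      - string: /autorunsc(\.exe)?/i
      - string: /filemon(\.exe)?/i
      - string: /procmon(\.exe)?/i
      - string: /regmon(\.exe)?/i
      - string: /procexp(\.exe)?/i
      # IDA is anchored: (?<!\w) rejects words ending in "ida" (e.g. "candidate") and $
      # requires the name at the end of the string, because "ida" alone is too short.
      - string: /(?<!\w)ida[gqtuw]?(\.exe)?$/i
      - string: /ida[gqtuw]?64(\.exe)?$/i
      - string: /ImmunityDebugger(\.exe)?/i
      - string: /Wireshark(\.exe)?/i
      - string: /dumpcap(\.exe)?/i
      - string: /HookExplorer(\.exe)?/i
      - string: /ImportREC(\.exe)?/i
      - string: /PETools(\.exe)?/i
      - string: /LordPE(\.exe)?/i
      - string: /SysInspector(\.exe)?/i
      - string: /proc_analyzer(\.exe)?/i
      - string: /sysAnalyzer(\.exe)?/i
      - string: /sniff_hit(\.exe)?/i
      - string: /windbg(\.exe)?/i
      - string: /joeboxcontrol(\.exe)?/i
      - string: /joeboxserver(\.exe)?/i
      - string: /ResourceHacker(\.exe)?/i
      - string: /x32dbg(\.exe)?/i
      - string: /x64dbg(\.exe)?/i
      - string: /Fiddler(\.exe)?/i
      # /httpdebugger/ also covers httpdebuggerui and httpdebuggersvc below.
      - string: /httpdebugger(\.exe)?/i
      - string: /fakenet(\.exe)?/i
      - string: /netmon(\.exe)?/i
      - string: /WPE PRO(\.exe)?/i
      # NOTE(review): generic words; "decompile" appears in benign tooling and help text.
      - string: /decompile(\.exe)?/i
      - string: /scylla/i
      - string: /megadumper/i
      - string: /apdagent(\.exe)?/i
      - string: /apimonitor(\.exe)?/i
      # NOTE(review): azurearcsystray, prl_tools, qemu-ga, df5serv and private-cloud-proxy
      # name VM/cloud/host agents rather than analysis tools; a hit indicates a virtual
      # or managed host and may be better placed alongside anti-vm rules.
      - string: /azurearcsystray(\.exe)?/i
      - string: /binaryninja(\.exe)?/i
      - string: /burpsuite(\.exe)?/i
      - string: /charles\.exe/i
      # NOTE(review): unanchored; also matches e.g. "shortcutter".
      - string: /cutter(\.exe)?/i
      - string: /dbgx\.shell(\.exe)?/i
      - string: /df5serv(\.exe)?/i
      # /frida/ also covers frida-inject and frida-server below.
      - string: /frida(\.exe)?/i
      - string: /httpanalyzerv7(\.exe)?/i
      - string: /httpdebuggerui(\.exe)?/i
      - string: /netcat(\.exe)?/i
      # NOTE(review): unanchored short name; matches any "...pin.exe" (e.g. "spin.exe").
      - string: /pin\.exe/i
      - string: /prl_tools(\.exe)?/i
      - string: /qemu-ga(\.exe)?/i
      # /rammap/ also covers rammap64 below.
      - string: /rammap(\.exe)?/i
      - string: /rammap64(\.exe)?/i
      # NOTE(review): rdpclip is the stock RDP clipboard helper, present on any RDP session.
      - string: /rdpclip(\.exe)?/i
      # NOTE(review): tasklist is a stock Windows command; expect hits in benign binaries
      # that shell out to it, not only in anti-analysis code.
      - string: /tasklist/i
      - string: /cred-store(\.exe)?/i
      # NOTE(review): "decoder.exe" and "process.exe" are generic file names with a high
      # false-positive rate; consider whether a stricter pattern is available.
      - string: /decoder\.exe/i
      - string: /dnspy(\.exe)?/i
      - string: /drrun(\.exe)?/i
      - string: /dumpit(\.exe)?/i
      - string: /frida-inject(\.exe)?/i
      - string: /frida-server(\.exe)?/i
      - string: /gdb\.exe/i
      - string: /httpdebuggersvc(\.exe)?/i
      - string: /ilspy(\.exe)?/i
      - string: /inetsim(\.exe)?/i
      # /ksdumper/ also covers ksdumperclient below.
      - string: /ksdumper(\.exe)?/i
      - string: /ksdumperclient(\.exe)?/i
      - string: /mitmdump(\.exe)?/i
      - string: /pestudio(\.exe)?/i
      - string: /private-cloud-proxy(\.exe)?/i
      - string: /process\.exe/i
      # NOTE(review): unanchored; "r2.exe" also matches longer names ending in r2.exe.
      - string: /r2\.exe/i
      - string: /rekall(\.exe)?/i
      - string: /tcpdump(\.exe)?/i
      - string: /windasm(\.exe)?/i
      - string: /x32dbgn(\.exe)?/i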
last edited: 2025-11-25 20:38:55