GET /api/techniques/169/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "LocalSize(0)",
    "category": [
        "https://search.unprotect.it/api/categories/3/"
    ],
    "description": "The function LocalSize() retrieves the current size of the specified local memory object, in bytes. Calling it with the hMem parameter set to 0 triggers an exception under a debugger, which can be used as an anti-debugging mechanism.",
    "resources": "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localsize",
    "tags": "anti-debugging",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/12/",
            "technique": "https://search.unprotect.it/api/techniques/169/",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\nint main()\r\n{\r\n\tSIZE_T s;\r\n\tprintf(\"Starting the LocalSize()\\n\");\r\n\tfor (int i = 0; i < 0xFFF; i++){\r\n\t    s = LocalSize(0);\r\n\t}\r\n\tprintf(\"Sempai! :) \\n\");\r\n\treturn 0;\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "localsize",
            "rule": "rule:\r\n  meta:\r\n    name: trap debugger with localsize\r\n    namespace: anti-analysis/anti-debugging\r\n    author: lordtmk@protonmail.com\r\n    scope: basic block\r\n    examples:\r\n      - B67E5B1985742F62785122B637EF4FBD:0x4B1F5B\r\n  features:\r\n    - and:\r\n      - api: LocalSize\r\n      - mnemonic: push \r\n      - number: 0"
        }
    ]
}