Unhandled Exception Filter

An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application arror message box and causes the exception handler to be executed.

U0108

Detection Rules

rule:
  meta:
    name: check for protected handle exception
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: michael.hunhoff@fireeye.com
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp
    examples:
      - al-khaser_x86.exe_:0x430D20
  features:
    - and:
      - basic block:
        - and:
          - count(number(2)): 2 or more
          - api: SetHandleInformation
      - api: CloseHandle

Additional Resources

Subscribe to our Newsletter and don't miss important updates