mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy

Browse source
This commit is contained in:
DosX 2026-04-17 23:44:13 +03:00
commit 07eadbc2ed
1 changed files with 4 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

12
db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -2388,15 +2388,11 @@ function scanForPackersAndCryptors_NET_and_Native() { // For .NET and Native app
if (PE_Cached.numberOfSections === 3 &&
(PE.section[0].Characteristics & SECTION_FLAGS_RWX_MASK) === SECTION_FLAGS_RWX_MASK &&
(PE.section[1].Characteristics & SECTION_FLAGS_RWX_MASK) === SECTION_FLAGS_RWX_MASK && (
(PE.section[2].Characteristics & SECTION_FLAGS_READ) === SECTION_FLAGS_READ ||
(PE.section[2].Characteristics & (SECTION_FLAGS_READ | SECTION_FLAGS_WRITE)) === (SECTION_FLAGS_READ | SECTION_FLAGS_WRITE)
) &&
(PE.section[1].Characteristics & SECTION_FLAGS_RWX_MASK) === SECTION_FLAGS_RWX_MASK &&
(PE.section[2].Characteristics & SECTION_FLAGS_READ) === SECTION_FLAGS_READ &&
PE.isFunctionPresent("VirtualProtect") &&
PE.isFunctionPresent("GetProcAddress") && (
PE.isFunctionPresent("ExitProcess") || // Original
PE.isFunctionPresent("CopyContext") // https://github.com/DosX-dev/UPX-Patcher
)
PE.isFunctionPresent("GetProcAddress") &&
PE.isFunctionPresent("ExitProcess")
) {
log(logType.nothing, "UPX-like structure detected: [0]RWX/[1]RWX/[2]R");