mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Only skip tiny sections when sectionOffset > 0

Browse source 
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
This commit is contained in:
DosX 2026-06-20 16:09:22 +03:00
commit 10fa1b1822
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -7798,7 +7798,7 @@ function scanForMaliciousCode_NET_and_Native() {
for (var i = 0; i < PE_Cached.numberOfSections && !isBase64Payload; i++) {
// Optimizations: Skip known sections that are unlikely to contain encoded payloads
if (PE_Cached.numberOfSections > 1) {
if (PE.section[i].FileSize < 0x2000) {
if (sectionOffset > 0 && PE.section[i].FileSize < 0x2000) {
} else if (!PE_Cached.isDotNet && i === PE.getEntryPointSection() && PE.section[0].Name === ".text" && i === 0) {
continue;
} else if (i === PE.getResourceSection() && PE.section[i].Name === ".rsrc") {