mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

dbs_min update

Browse source
This commit is contained in:
DosX 2026-05-12 18:11:16 +03:00
commit 1433beadaf
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
dbs_min/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -172,7 +172,8 @@ for(var E=!1,p=(PE.isTLSPresent()&&(PE_Cached.isArchX86?(/^INT(?: )?3$/.test(get
for(var O=!1,N=-1,W=PE.getAddressOfEntryPoint()-PE.getImageBase(),r=0;r<PE_Cached.numberOfSections&&!O;r++){var $=PE.getSectionVirtualAddress(r),j=PE.getSectionVirtualSize(r)
$<=W&&W<$+j&&(N=r,PE.compare("00 00 00",PE.getSectionFileOffset(N)))&&(O=!0)}O&&(e=addOption(e,"EP-section #"+N+' ("'+clearSectionName(PE.getSectionName(N))+'") zero padding'))
var E=!1,p=((E=20<PE_Cached.numberOfSections?!0:E)&&(e=addOption(e,"Too many sections")),!1),E=(_isResultPresent("linker","Turbo Linker")||(i=getOptHeaderOffset()+(PE_Cached.is64bit?112:96)+96,-1!==PE_Cached.indexOfImportsSection&&0===PE.read_int32(i)&&(p=!0)),p&&(e=addOption(e,"IAT directory empty")),!1),p=((E=PE.isSectionNamePresentExp(/^\.[xp]data$/)&&(i=getOptHeaderOffset()+(PE_Cached.is64bit?136:120),0===PE.read_int32(i))&&0===PE.read_int32(i+4)?!0:E)&&(e=addOption(e,"Exceptions directory empty")),PE.getImageOptionalHeader("DllCharacteristics")),i=((31&p?!0:!1)&&(e=addOption(e,"Invalid DLL flags")),!1),E=((i=p&IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA&&!(p&IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)?!0:i)&&(e=addOption(e,"High entropy VA without ASLR")),!1),i=((E=p&IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA&&!PE_Cached.is64bit?!0:E)&&(e=addOption(e,"High entropy VA on x32")),!1),E=((i=p&IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY&&!(p&IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)?!0:i)&&(e=addOption(e,"Force integrity without ASLR")),!1),i=((E=p&IMAGE_DLLCHARACTERISTICS_GUARD_CF&&!(p&IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)?!0:E)&&(e=addOption(e,"CFG without ASLR")),!1),E=((i=p&IMAGE_DLLCHARACTERISTICS_GUARD_CF&&!(p&IMAGE_DLLCHARACTERISTICS_NX_COMPAT)?!0:i)&&(e=addOption(e,"CFG without DEP")),!1),I=((E=p&IMAGE_DLLCHARACTERISTICS_NO_SEH&&PE_Cached.is64bit?!0:E)&&(e=addOption(e,"No-SEH on x64")),!1)
if(0<PE_Cached.numberOfUnmanagedExports)for(r=0;r<PE_Cached.numberOfUnmanagedExports&&!I;r++){var R=PE.getExportFunctionName(r);(R&&/^\d/.test(R)||!isAsciiString(R))&&(I=!0)}I&&(e=addOption(e,"Strange exports"))
if(0<PE_Cached.numberOfUnmanagedExports)for(r=0;r<PE_Cached.numberOfUnmanagedExports&&!I;r++){var R=PE.getExportFunctionName(r)
!R||!/^\d/.test(R)&&isAsciiString(R)||(I=!0)}I&&(e=addOption(e,"Strange exports"))
for(var T=!1,z="=~!@#$%^&*()\"№;%:?*():;,|'`<> ",r=0;r<PE_Cached.numberOfUnmanagedImports&&!T;r++){var D=PE.getImportLibraryName(r)
if(isAsciiString(D))for(var k=0;k<z.length&&!T;k++)isAsciiString(D)&&-1===D.indexOf(z[k])||(T=!0)
else 0!==D.indexOf("MZ")&&(T=!0)}T&&(e=addOption(e,"Strange imports"))