Add PE detection rule for Brotli library

Add db/PE/library_Brotli.4.sg to detect the Google Brotli library in PE files. The rule checks for library names matching brotlidec/brotlienc and for exported functions starting with BrotliDecoder or BrotliEncoder; when only exports are present it sets sOptions to "static". File includes author/contact metadata.
2026-06-24 01:54:08 +00:00 · 2026-06-17 14:12:20 +03:00 · 2026-06-17 14:12:20 +03:00 · 2902dc790d
commit 2902dc790d
parent bbc91ca478
1 changed files with 20 additions and 0 deletions
--- a/db/PE/library_Brotli.4.sg
+++ b/db/PE/library_Brotli.4.sg
@ -0,0 +1,20 @@
+// Detect It Easy: detection rule file
+
+// Author: DosX
+// E-Mail: collab@kay-software.ru
+// GitHub: https://github.com/DosX-dev
+// Telegram: @DosX_dev
+
+// https://github.com/google/brotli
+meta("library", "Brotli");
+
+function detect() {
+    if (PE.isLibraryPresentExp(/brotli(?:dec|enc)/i)) {
+        bDetected = true;
+    } else if (PE.isExportFunctionPresentExp(/^Brotli(?:Decoder|Encoder)/)) {
+        sOptions = "static"; // EAT
+        bDetected = true;
+    }
+
+    return result();
+}