Standardize wildcard and broaden resource checks

Replace inconsistent byte wildcard in a signature ("81 ED ?? ?? 01 20" -> "81 ED .. .. 01 20") to match the file's wildcard convention, and expand resource-name detection by adding a regex for obvious malicious names (TROJAN, VIRUS, MALWARE, DROPPER). An inline comment was added explaining the resource-name check; minor spacing was also adjusted.
This commit is contained in:
DosX 2026-06-22 14:01:59 +03:00
commit 3303f77420


@ -7089,7 +7089,7 @@ function scanForMaliciousCode_NET_and_Native() {
"E8 00 00 00 00" + // call $+5
"5D" + // pop ebp
"8B C5" + // mov eax, ebp
"81 ED ?? ?? 01 20" + // sub ebp, ...
"81 ED .. .. 01 20" + // sub ebp, ...
"2B 85 .. .. .. .." + // sub eax, dword ptr [ebp + ...]
"89 85 .. .. .. .." + // mov dword ptr [ebp + ...], eax
"B0 00" // mov al, 0
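Review bot: Whether this is only a style fix depends on how the signature matcher treated `??` before: if it already accepted `??` as a byte wildcard, the change in `"81 ED .. .. 01 20"` is cosmetic, but if `??` was matched literally, this pattern never fired and the commit silently enables a detection, so it should be validated against a sample known to hit this sequence (and checked for false positives) rather than merged as a whitespace-level change. The new form does agree with the neighbouring `"2B 85 .. .. .. .."` and `"89 85 .. .. .. .."` lines, so a quick search of the rest of the function for any remaining `??` would confirm the file is now consistent.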
@ -8215,7 +8215,8 @@ function scanForMaliciousCode_NET_and_Native() {
// indicate the presence of a builder or attempts to hide the true nature of the malware.
if (PE.isResourceNamePresentExp(/^(?:STUB|SERVER)(?:\.[A-Z]{3})?$/) ||
PE.isResourceNamePresentExp(/(?:PAYLOAD|SHELLCODE|INJECT|CRYPTED|DECRYPTOR)/)) {
PE.isResourceNamePresentExp(/(?:PAYLOAD|SHELLCODE|INJECT|CRYPTED|DECRYPTOR)/) || // Why virus-makers use such resource names is beyond me, but they do.
PE.isResourceNamePresentExp(/^(?:TROJAN|VIRUS|MALWARE|DROPPER)$/)) {
verdicts.push({
type: "Anomalous resources",
version: String(),
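Review bot: The new `/^(?:TROJAN|VIRUS|MALWARE|DROPPER)$/` is anchored to the whole resource name while the preceding `/(?:PAYLOAD|SHELLCODE|INJECT|CRYPTED|DECRYPTOR)/` is an unanchored substring match; the anchoring looks deliberate (an unanchored `VIRUS` would also match names such as ANTIVIRUS), but that rationale belongs in a comment, and the comment that was added is placed at the end of the `||` line in the middle of the condition, where it breaks up the expression. Suggest moving it up next to the existing explanatory comment above the `if`, and noting there why the new alternation is exact-match. Also consider whether the new list should accept the same optional `(?:\.[A-Z]{3})?` suffix that the `STUB|SERVER` check allows, since a resource named e.g. `DROPPER.BIN` would currently fall through.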