dbs_min update

This commit is contained in:
DosX 2026-04-15 15:56:54 +03:00
commit 47f4b7d1cc
3 changed files with 17 additions and 15 deletions


@ -22,8 +22,8 @@ if((PE.compare("00**00**00",E)||PE.compare("00****00****00****00",E)||PE.compare
m&&(e=addOption(e,"Short names"))
for(var f=!1,_="",l=0;l<300;l++){var y=PE.readByte(E+l).toString(16)
"0"===y&&(y+="0"),_=_+y+" "}for(var b="",C=replaceAllInString(_,"00 ","20 20 20 ").split(" "),l=0;l<C.length;l++)b+=String.fromCharCode(parseInt(C[l],16))
for(var M=b.split(" "),x=0,X=validateNetObject("<PrivateImplementationDetails>"),l=0;l<M.length&&!f;l++){var v=M[l]
if(X&&40===v.length)break;-1===v.indexOf("<")&&!/^([0-9A-F]{64})$/.test(v)&&isNameObfuscated(v)&&x++,2<x&&(f=!0)}f&&(e=addOption(e,"Bad namings"))
for(var x=b.split(" "),M=0,X=validateNetObject("<PrivateImplementationDetails>"),l=0;l<x.length&&!f;l++){var v=x[l]
if(X&&40===v.length)break;-1===v.indexOf("<")&&!/^([0-9A-F]{64})$/.test(v)&&isNameObfuscated(v)&&M++,2<M&&(f=!0)}f&&(e=addOption(e,"Bad namings"))
for(var i=!1,p=((validateNetUnicodeString(" is tampered.")||validateNetUnicodeString("ping 127.0.0.1 > nul")||validateNetUnicodeString('/C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "')||validateNetUnicodeString(P.ldloc_s+P.ldc_i4_0+P.ldloc_s+P.ldc_i4_0+P.ldelem_u4+P.ldloc_s+P.ldc_i4_0+P.ldelem_u4+P._unknown+P.stelem_i4+P.ldloc_s+P.ldc_i4_1+P.ldloc_s+P.ldc_i4_1+P.ldelem_u4+P.ldloc_s+P.ldc_i4_1+P.ldelem_u4+P._unknown+P.stelem_i4+P.ldloc_s+P.ldc_i4_2+P.ldloc_s+P.ldc_i4_2+P.ldelem_u4+P.ldloc_s+P.ldc_i4_2+P.ldelem_u4+P._unknown+P.stelem_i4+P.ldloc_s+P.ldc_i4_3+P.ldloc_s+P.ldc_i4_3+P.ldelem_u4+P.ldloc_s+P.ldc_i4_3+P.ldelem_u4+P._unknown+P.stelem_i4+P.ldloc_s+P.ldc_i4_4+P.ldloc_s+P.ldc_i4_4+P.ldelem_u4+P.ldloc_s+P.ldc_i4_4+P.ldelem_u4+P._unknown+P.stelem_i4)||validateNetByteCode(P.ldloc_s+P._unknown+P.shr_un+P.ldloc_s+P.ldc_i4_s+P.shl+P.or+P.stloc_s+P.ldloc_s+P._unknown+P.shr_un+P.ldloc_s+P.ldc_i4_s+P.shl+P.or+P.stloc_s+P.ldloc_s+P._unknown+P.shr_un+P.ldloc_s+P.ldc_i4_s+P.shl+P.or+P.stloc_s))&&(log(logType.net,"Anti-tamper detected!"),i=!0),i&&(e=addOption(e,"Anti-tamper")),!1),i=PE.findSignature(PE.getDosStubOffset()+PE.getDosStubSize(),PE.getSize()-PE.getOverlaySize(),"00'<Module>'00"),O=(-1!==i&&-1!==(O=PE.findSignature(i+10,PE.getSize()-PE.getOverlaySize(),"'<Module>'"))&&0!==PE.readByte(O+8)&&(log(logType.net,"Fake <Module> detected! Offset: 0x"+Number(O).toString(16)),p=!0),p&&(e=addOption(e,"Fake .cctor name")),!1),N=(-1===i&&(log(logType.net,"It seems that the .cctor is missing. 
Bad PE format!"),O=!0),O&&(e=addOption(e,"Bad .cctor format")),!1),w=[P.add,P.sub,P.mul,P.div,P.xor,P.shr,P.shl,P.or,P.not,P.and],V=[P.ldc_i4+P.ldc_i4+"%s"+P.stloc,P.ldc_i4+P.ldc_i4+"%s"+P.ldsfld,P.ldc_i4+P.ldc_i4+"%s"+P.ldc_i4+P.add,P.ldloc_1+P.ldc_i4+P.ldc_i4+"%s"+P.ldc_i4+P.ldc_i4,P.ldloc+P.ldc_i4+P.ldc_i4+P.ldc_i4+"%s"+P.stelem_i1,P.ldc_i4+P.ldc_i4+"%s"+P.br_s],A=0;A<V.length&&!N;A++)for(var H=V[A],k=0;k<w.length&&!N&&(0!==k||validateNetByteCode(replaceAllInString(H,"%s",P._unknown)));k++)validateNetByteCode(replaceAllInString(H,"%s",w[k]))&&(log(logType.net,"Math mutations detected! Offset: "+lastOffsetDetected),N=!0)
N&&(e=addOption(e,"Math mutations"))
var p=!1,i=(PE_Cached.isVbNetStandardLibraryPresent&&!isFrameworkComponent()&&validateNetObject("Resources")&&!validateGlobalUnicodeString(".Resources")&&(log(logType.net,"It appears that the strings are hidden/encrypted and can be loaded dynamically."),p=!0),p&&(e=addOption(e,"Strings encryption")),!1),O=(validateNetByteCode(P.ldc_i4+P.not)&&(validateNetByteCode(P.ldc_i4+P.not+P.neg+P.not+P.neg+P.not+P.neg+P.not+P.neg)||validateNetByteCode(P.ldc_i4+P.not+P.not+P.neg+P.neg+P.not+P.not)||validateNetByteCode(P.ldc_i4+P.not+P.neg+P.not+P.not+P.neg+P.neg)||validateNetByteCode(P.ldc_i4+P.not+P.neg+P.not+P.neg+P.not+P.not)||validateNetByteCode(P.ldc_i4+P.not+P.neg+P.not+P.neg+P.not+P.neg))&&(log(logType.net,"Math inversions detected, offset "+lastOffsetDetected),i=!0),i&&(e=addOption(e,"Math inversions")),!1),$=(validateNetByteCode(P.setStrict(P.calli,"FF FF FF FF")+P.setStrict(P.sizeof,"FF FF FF FF"))&&(log(logType.net,"Invalid OpCodes detected, offset "+lastOffsetDetected),O=!0),O&&(e=addOption(e,"Invalid OpCodes")),!1),U=""
@ -51,9 +51,9 @@ s=!1,i="wine_get_unix_file_name",(s=r&&(validateGlobalUnicodeString(i)||validate
var i=e.indexOf("??"),n=-1!==i,i=n?e.substring(0,i):e
return n&&e.substring(i.length).length!=t.length&&_error("The size of the input values does not match."),i+t},this.setNullValue=function(e){return-1===e.indexOf("??")&&_error("Instruction does not have a body to overwrite the value."),replaceAllInString(e,"??","00")},this.joinNoBodyAndValue=function(e,t,i){return e&&"string"==typeof e||_error("Invalid opcode provided."),t&&"string"==typeof t||_error("Invalid value provided."),-1!==e.indexOf("??")&&_error("Opcode contains wildcards. Use setStrict() instead."),i&&"string"==typeof i&&-1===i.indexOf("__nobody")&&_error("joinNoBodyAndValue should only be used with '__nobody' opcodes (variable-length instructions)."),e+removeWhitespaces(t)}}function removeWhitespaces(e){return e&&"string"==typeof e?e.replace(/\s+/g,""):""}function replaceAllInString(e,t,i){return e&&"string"==typeof e?t&&"string"==typeof t?("string"!=typeof i&&(i=""),e.split(t).join(i)):e:""}function clearSectionName(e){return e&&"string"==typeof e?e.replace(/[\x00-\x1F\x7F-\x9F]/g,"").trim():""}function isAsciiString(e){return!(!e||"string"!=typeof e)&&/^[\x20-\x7E]+$/.test(e)}function getFileNameWithoutExtension(e){var t
return e&&"string"==typeof e?-1===(t=e.lastIndexOf("."))?e:e.substring(0,t):""}function scanForPackersAndCryptors_NET_and_Native(){log(logType.nothing,"Scanning for packers and cryptors...")
var e="",M=!1,t=!1
var e="",x=!1,t=!1
if(PE_Cached.isDotNet){var i=!1
if(!isFrameworkComponent()&&"System.dll"!==PE_Cached.nameOfNetModuleName&&isAllNetReferencesPresent(["System.Reflection","get_EntryPoint","Assembly","Invoke","Load"])&&(i=!0,e="Assembly invoke"),findAndMark("System.Security.Cryptography",!1)!="")for(var n,x=["TripleDESCryptoServiceProvider","RSACryptoServiceProvider","DSACryptoServiceProvider","DESCryptoServiceProvider","AesCryptoServiceProvider","Rfc2898DeriveBytes","TripleDES","Rijndael","ECDsaCng","AesAEAD","Aes192Cbc","Aes256Cbc","Aes128Cbc","AesManaged","AesCng","RC2CryptoServiceProvider","RNGCryptoServiceProvider"],r=0;r<x.length;r++)t||(o=findAndMark(n=x[r],!0),i&&o.length&&(log(logType.net,"Crypto class present: "+n),t=!0,e=addOption(e,n)))
if(!isFrameworkComponent()&&"System.dll"!==PE_Cached.nameOfNetModuleName&&isAllNetReferencesPresent(["System.Reflection","get_EntryPoint","Assembly","Invoke","Load"])&&(i=!0,e="Assembly invoke"),findAndMark("System.Security.Cryptography",!1)!="")for(var n,M=["TripleDESCryptoServiceProvider","RSACryptoServiceProvider","DSACryptoServiceProvider","DESCryptoServiceProvider","AesCryptoServiceProvider","Rfc2898DeriveBytes","TripleDES","Rijndael","ECDsaCng","AesAEAD","Aes192Cbc","Aes256Cbc","Aes128Cbc","AesManaged","AesCng","RC2CryptoServiceProvider","RNGCryptoServiceProvider"],r=0;r<M.length;r++)t||(o=findAndMark(n=M[r],!0),i&&o.length&&(log(logType.net,"Crypto class present: "+n),t=!0,e=addOption(e,n)))
if(findAndMark("System.IO.Compression",!1).length)for(var X=["DeflateStream","GZipStream"],r=0;r<X.length;r++){var s=X[r],o=findAndMark(s,!0)
if(i&&o.length){log(logType.net,"Compression class present: "+s),t&&(e=addOption(e,s))
break}}var a=!1;(validateNetObject("RunPE")||validateNetObject("PELoader")||validateNetObject("CMemoryExecute")||validateNetObject("GetProcAddress")&&validateNetUnicodeString("WriteProcessMemory")&&validateNetUnicodeString("VirtualAllocEx")&&validateNetUnicodeString("ZwUnmapViewOfSection")||(validateNetObject("WriteProcessMemory")||validateNetObject("NtWriteVirtualMemory"))&&(validateNetObject("ZwUnmapViewOfSection")||validateNetObject("NtUnmapViewOfSection"))&&(validateNetObject("CreateProcess")||validateNetObject("NtCreateProcess")||validateNetObject("CreateProcessA")||validateNetObject("CreateProcessW"))&&validateNetObject("VirtualAllocEx"))&&(log(logType.net,"RunPE-like behavior detected!"),a=!0),a&&(e=addOption(e,"RunPE"))}var l=!1
@ -84,7 +84,7 @@ case 1:L="cryptor"
break
case 2:L="protector"
break
case 3:L="protection"}L&&(_="",f=!1,m[1]?_=m[1]:h&&!/^(a [pc]|fake )$/.test(S[0])&&(m[0]===S[0]?S[1]&&(_=S[1]):f=!0),_setResult("~"+L,m[0]+(f?"-like":""),_,"Suspicion only"))}(M=0!=e.length?!0:M)&&_setResult("~"+(t?"cryptor":"packer"),"Generic","",PE.isVerbose()?e:"")}function scanForLicensingSystems_NET_and_Native(){log(logType.nothing,"Scanning for licensing systems...")
case 3:L="protection"}L&&(_="",f=!1,m[1]?_=m[1]:h&&!/^(a [pc]|fake )$/.test(S[0])&&(m[0]===S[0]?S[1]&&(_=S[1]):f=!0),_setResult("~"+L,m[0]+(f?"-like":""),_,"Suspicion only"))}(x=0!=e.length?!0:x)&&_setResult("~"+(t?"cryptor":"packer"),"Generic","",PE.isVerbose()?e:"")}function scanForLicensingSystems_NET_and_Native(){log(logType.nothing,"Scanning for licensing systems...")
for(var e="",t=!1,i=(PE_Cached.isDotNet&&(o=!1,(o=validateNetObject("CheckLicense")||validateNetObject("set_License")||validateNetObject("Licensing")?!0:o)&&(e="DotNET methods"),o=!1,(o=validateNetObject("LicenseProviderAttribute")?!0:o)&&(e=addOption(e,"Provider attribute")),o=!1,o=!!validateNetObject("LicenseManager")||o)&&(e=addOption(e,"License manager")),!1),n=["nter serial ","erial key "," activate "," trial ","rong activation","rong licens","icense expire","valid license","icense key"," full version"," purchase a "],r=0;r<n.length;r++){var s=n[r]
if(PE.isSignaturePresent(0,PE.getSize(),"'"+s+"'")||PE.isSignaturePresent(0,PE.getSize(),"'"+generateUnicodeSignatureMask(s)+"'")){i=!0
break}}i&&(e=addOption(e,"Strings"))
@ -147,12 +147,12 @@ for(var P=!1,s=0;s<PE_Cached.numberOfUnmanagedImports&&!P;s++){var p=PE.getImpor
4<p.length&&"ntoskrnl.exe"!==p&&".exe"===p.substr(p.length-4,4)&&(P=!0)}P&&(e=addOption(e,"EXE in imports"))
for(var E=!1,s=0;s<PE_Cached.numberOfUnmanagedResources&&!E;s++)-1===PE.getResourceOffsetByNumber(s)&&(E=!0)
E&&(e=addOption(e,"Unreadable resources"))
var i=!1,i=((i=PE_Cached.isDynamicLinkLibrary&&PE.isExportFunctionPresentExp(/^(Start|main|_start|(w)?WinMain|EntryPoint)$/)?!0:i)&&(e=addOption(e,"EXE as DLL")),!1),i=((i=0<PE_Cached.numberOfSections&&".text"!==PE.section[0].Name&&".textbss"!==PE.section[0].Name&&(PE.isSectionNamePresent(".text")||PE.isSectionNamePresent(".textbss"))&&".code"===PE.section[0]?!0:i)&&(e=addOption(e,'".text" section is not first')),!1),m=!1,i=(-1!==PE_Cached.indexOfImportsSection||PE_Cached.isDynamicLinkLibrary?-1===PE_Cached.indexOfImportsSection||PE_Cached.numberOfUnmanagedImports||(m=!0):i=!0,i?e=addOption(e,"No IAT"):m&&(e=addOption(e,"Empty IAT")),!1),m=((i=PE_Cached.isDynamicLinkLibrary&&PE.getAddressOfEntryPoint()&&-1===PE_Cached.indexOfImportsSection&&-1===PE_Cached.indexOfExportsSection?!0:i)&&(e=addOption(e,"No IAT and EAT")),!1),h=!1,S=(!i&&PE_Cached.isDynamicLinkLibrary&&(-1===PE_Cached.indexOfExportsSection&&PE.getAddressOfEntryPoint()?m=!0:-1!==PE_Cached.indexOfExportsSection&&0===PE_Cached.numberOfUnmanagedExports&&(h=!0)),m?e=addOption(e,"No EAT"):h&&(e=addOption(e,"Empty EAT")),!1)
if(PE_Cached.isArchX86){var i=["MOV ESI, ESI","XCHG EAX, EAX","XCHG EBX, EBX","XCHG ECX, ECX","XCHG EDX, EDX","XCHG EDI, EDI","LEA EAX, [EAX]","LEA ESI, [ESI]","LEA ESI, CS:[ESI]"],m=["MOV RSI, RSI","XCHG RAX, RAX","XCHG RBX, RBX","XCHG RCX, RCX","XCHG RDX, RDX","XCHG RDI, RDI","LEA RAX, [RAX]","LEA RSI, [RSI]","LEA RSI, CS:[RSI]"],M=["XCHG AX, AX","XCHG BX, BX","XCHG CX, CX","XCHG DX, DX","XCHG SI, SI","XCHG DI, DI","XCHG BP, BP"].concat(PE_Cached.is64bit?m:i)
var i=!1,i=((i=PE_Cached.isDynamicLinkLibrary&&PE.isExportFunctionPresentExp(/^(Start|main|_start|(w)?WinMain|EntryPoint)$/)?!0:i)&&(e=addOption(e,"EXE as DLL")),!1),i=((i=0<PE_Cached.numberOfSections&&".text"!==PE.section[0].Name&&".textbss"!==PE.section[0].Name&&(PE.isSectionNamePresent(".text")||PE.isSectionNamePresent(".textbss"))&&".code"===PE.section[0]?!0:i)&&(e=addOption(e,'".text" section is not first')),!1),m=!1,i=(-1!==PE_Cached.indexOfImportsSection||PE_Cached.isDynamicLinkLibrary?-1===PE_Cached.indexOfImportsSection||PE_Cached.numberOfUnmanagedImports||(m=!0):i=!0,i?e=addOption(e,"No IAT"):m&&(e=addOption(e,"Empty IAT")),!1),m=((i=PE_Cached.isDynamicLinkLibrary&&PE.getAddressOfEntryPoint()&&-1===PE_Cached.indexOfImportsSection&&-1===PE_Cached.indexOfExportsSection?!0:i)&&(e=addOption(e,"No IAT and EAT")),!1),h=!1,i=(!i&&PE_Cached.isDynamicLinkLibrary&&(-1===PE_Cached.indexOfExportsSection&&PE.getAddressOfEntryPoint()?m=!0:-1!==PE_Cached.indexOfExportsSection&&0===PE_Cached.numberOfUnmanagedExports&&(h=!0)),m?e=addOption(e,"No EAT"):h&&(e=addOption(e,"Empty EAT")),!1),S=((i=0===PE_Cached.numberOfUnmanagedExports&&-1!==PE.getExportSection()?!0:i)&&(e=addOption(e,"Phantom EAT")),!1)
if(PE_Cached.isArchX86){var m=["MOV ESI, ESI","XCHG EAX, EAX","XCHG EBX, EBX","XCHG ECX, ECX","XCHG EDX, EDX","XCHG EDI, EDI","LEA EAX, [EAX]","LEA ESI, [ESI]","LEA ESI, CS:[ESI]"],h=["MOV RSI, RSI","XCHG RAX, RAX","XCHG RBX, RBX","XCHG RCX, RCX","XCHG RDX, RDX","XCHG RDI, RDI","LEA RAX, [RAX]","LEA RSI, [RSI]","LEA RSI, CS:[RSI]"],x=["XCHG AX, AX","XCHG BX, BX","XCHG CX, CX","XCHG DX, DX","XCHG SI, SI","XCHG DI, DI","XCHG BP, BP"].concat(PE_Cached.is64bit?h:m)
if("NOP"===getFirstEpAsmOpCode()||"FNOP"===getFirstEpAsmOpCode())S=!0
else for(s=0;s<x.length&&!S;s++)PE_Cached.firstEpAsmInstruction===x[s]&&(S=!0)}else{var i=["NOP","MOV R0, R0","MOV R1, R1","MOV R2, R2","MOV R3, R3","MOV R4, R4","MOV R5, R5","MOV R6, R6","MOV R7, R7","MOV R8, R8","MOV R9, R9","MOV R10, R10","MOV R11, R11","MOV R12, R12","MOV R13, R13","MOV R14, R14","MOV R15, R15"],h=["NOP","MOV X0, X0","MOV X1, X1","MOV X2, X2","MOV X3, X3","MOV X4, X4","MOV X5, X5","MOV X6, X6","MOV X7, X7","MOV W0, W0","MOV W1, W1","MOV W2, W2","MOV W3, W3"],M=PE_Cached.is64bit?h:i
if("NOP"===getFirstEpAsmOpCode())S=!0
else for(s=0;s<M.length&&!S;s++)PE_Cached.firstEpAsmInstruction===M[s]&&(S=!0)}else{var h=["NOP","MOV R0, R0","MOV R1, R1","MOV R2, R2","MOV R3, R3","MOV R4, R4","MOV R5, R5","MOV R6, R6","MOV R7, R7","MOV R8, R8","MOV R9, R9","MOV R10, R10","MOV R11, R11","MOV R12, R12","MOV R13, R13","MOV R14, R14","MOV R15, R15"],m=["NOP","MOV X0, X0","MOV X1, X1","MOV X2, X2","MOV X3, X3","MOV X4, X4","MOV X5, X5","MOV X6, X6","MOV X7, X7","MOV W0, W0","MOV W1, W1","MOV W2, W2","MOV W3, W3"],x=PE_Cached.is64bit?m:h
if("NOP"===getFirstEpAsmOpCode())S=!0
else for(s=0;s<x.length&&!S;s++)PE_Cached.firstEpAsmInstruction===x[s]&&(S=!0)}S&&(e=addOption(e,"Nop at EP"))
else for(s=0;s<M.length&&!S;s++)PE_Cached.firstEpAsmInstruction===M[s]&&(S=!0)}S&&(e=addOption(e,"Nop at EP"))
var f=!1
if(PE_Cached.isArchX86&&!PE_Cached.isDynamicLinkLibrary)for(s=0;s<32&&!f;s++){if(!(b=getAsmInstructionByIndex(s)))break
if("CALL"===getAsmOpCode(b)){for(var _=PE.getAddressOfEntryPoint(),X=0;X<s;X++)_=PE.getDisasmNextAddress(_)
@ -161,10 +161,10 @@ PE.compare("E8 00 00 00 00",w)&&(log(logType.any,"Stack-push address near EP fou
var y=!1
if(PE_Cached.isArchX86&&!PE_Cached.isDynamicLinkLibrary)for(var b,s=0;s<15&&!y;s++){if(!(b=getAsmInstructionByIndex(s)))break
"CPUID"===getAsmOpCode(b)&&(log(logType.any,"CPUID near EP found at instruction index: "+s),y=!0)}y&&(e=addOption(e,"Cpuid near EP"))
for(var i=!1,m=(PE.isTLSPresent()&&(PE_Cached.isArchX86?(/^INT( )?3$/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^RET( \d+)?$/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction)))&&(i=!0):(/^BKPT/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^BRK/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^RET/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^BX( )?LR$/.test(PE_Cached.firstEpAsmInstruction))&&(i=!0)),i&&(e=addOption(e,"TLS hidden EP")),!1),h=((m=PE_Cached.isArchX86&&(PE.compareEP("EB $$ EB")||PE.compareEP("EB $$ E9")||PE.compareEP("E9 ## ## ## ## EB")||PE.compareEP("E9 ## ## ## ## E9"))?!0:m)&&(e=addOption(e,"Proxy jmp at EP")),!1),C=((h=S||-1===getEpAsmPattern(!0,5).indexOf(getInstructionsAsmPattern(["NOP","NOP"]))?h:!0)&&(e=addOption(e,"Nop EP padding")),!1),v=-1,O=-536870912,V=32|O,s=0;s<PE_Cached.numberOfSections&&!C;s++){var H=PE.section[s].Characteristics;(H&O)!=O&&(H&V)!=V||(C=!0,v=s)}C&&(e=addOption(e,"Section #"+v+' ("'+clearSectionName(PE.getSectionName(v))+'") has RWX'))
for(var m=!1,h=(PE.isTLSPresent()&&(PE_Cached.isArchX86?(/^INT( )?3$/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^RET( \d+)?$/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction)))&&(m=!0):(/^BKPT/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^BRK/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^RET/.test(getAsmOpCode(PE_Cached.firstEpAsmInstruction))||/^BX( )?LR$/.test(PE_Cached.firstEpAsmInstruction))&&(m=!0)),m&&(e=addOption(e,"TLS hidden EP")),!1),i=((h=PE_Cached.isArchX86&&(PE.compareEP("EB $$ EB")||PE.compareEP("EB $$ E9")||PE.compareEP("E9 ## ## ## ## EB")||PE.compareEP("E9 ## ## ## ## E9"))?!0:h)&&(e=addOption(e,"Proxy jmp at EP")),!1),C=((i=S||-1===getEpAsmPattern(!0,5).indexOf(getInstructionsAsmPattern(["NOP","NOP"]))?i:!0)&&(e=addOption(e,"Nop EP padding")),!1),v=-1,O=-536870912,V=32|O,s=0;s<PE_Cached.numberOfSections&&!C;s++){var H=PE.section[s].Characteristics;(H&O)!=O&&(H&V)!=V||(C=!0,v=s)}C&&(e=addOption(e,"Section #"+v+' ("'+clearSectionName(PE.getSectionName(v))+'") has RWX'))
for(var N=!1,A=-1,$=PE.getAddressOfEntryPoint()-PE.getImageBase(),s=0;s<PE_Cached.numberOfSections&&!N;s++){var U=PE.getSectionVirtualAddress(s),j=PE.getSectionVirtualSize(s)
U<=$&&$<U+j&&(A=s,PE.compare("00 00 00",PE.getSectionFileOffset(A)))&&(N=!0)}N&&(e=addOption(e,"EP-section #"+A+' ("'+clearSectionName(PE.getSectionName(A))+'") zero padding'))
var i=!1,m=((i=20<PE_Cached.numberOfSections?!0:i)&&(e=addOption(e,"Too many sections")),!1),i=(_isResultPresent("linker","Turbo Linker")||(h=getOptHeaderOffset()+(PE_Cached.is64bit?112:96)+96,-1!==PE_Cached.indexOfImportsSection&&0===PE.read_int32(h)&&(m=!0)),m&&(e=addOption(e,"IAT directory empty")),!1),k=((i=PE.isSectionNamePresentExp(/^\.[xp]data$/)&&(h=getOptHeaderOffset()+(PE_Cached.is64bit?136:120),0===PE.read_int32(h))&&0===PE.read_int32(h+4)?!0:i)&&(e=addOption(e,"Exceptions directory empty")),!1)
var m=!1,h=((m=20<PE_Cached.numberOfSections?!0:m)&&(e=addOption(e,"Too many sections")),!1),m=(_isResultPresent("linker","Turbo Linker")||(i=getOptHeaderOffset()+(PE_Cached.is64bit?112:96)+96,-1!==PE_Cached.indexOfImportsSection&&0===PE.read_int32(i)&&(h=!0)),h&&(e=addOption(e,"IAT directory empty")),!1),k=((m=PE.isSectionNamePresentExp(/^\.[xp]data$/)&&(i=getOptHeaderOffset()+(PE_Cached.is64bit?136:120),0===PE.read_int32(i))&&0===PE.read_int32(i+4)?!0:m)&&(e=addOption(e,"Exceptions directory empty")),!1)
if(0<PE_Cached.numberOfUnmanagedExports)for(s=0;s<PE_Cached.numberOfUnmanagedExports&&!k;s++){var D=PE.getExportFunctionName(s)
D&&(/^\d/.test(D)||!isAsciiString(D)||!isItemMangled(D)&&isNameObfuscated(replaceAllInString(D,"_"," ")))&&(k=!0)}k&&(e=addOption(e,"Strange exports"))
for(var I=!1,G="=~!@#$%^&*()\"№;%:?*():;,|'`<> ",s=0;s<PE_Cached.numberOfUnmanagedImports&&!I;s++){var R=PE.getImportLibraryName(s)
@ -172,8 +172,8 @@ if(isAsciiString(R))for(var T=0;T<G.length&&!I;T++)isAsciiString(R)&&-1===R.inde
else 0!==R.indexOf("MZ")&&(I=!0)}I&&(e=addOption(e,"Strange imports"))
for(var F=!1,s=0;s<PE_Cached.numberOfUnmanagedResources&&!F;s++){var B=PE.getResourceNameByNumber(s)
!B||isAsciiString(B)&&!isNameObfuscated(B)||(log(logType.any,"Strange resource name: "+B),F=!0)}F&&(e=addOption(e,"Strange resources"))
m=!1,(m=0===PE.getMajorLinkerVersion()&&0===PE.getMinorLinkerVersion()?!0:m)&&(e=addOption(e,"Zero linker version")),h=!1,(h=isNetMetaDataPresent()&&0<PE_Cached.numberOfUnmanagedImports?!0:h)&&(e=addOption(e,"DotNET meta")),i=!1
if((i=PE.isFunctionPresent("_CorExeMain")||PE.isFunctionPresent("_CorDllMain")?!0:i)&&(e=addOption(e,"DotNET runtime attach")),PE.section[".asmg"]||PE.section.ASMGUARD)for(var L=0;L<3;L++)_removeResult("packer",["UPX","MPRESS","EP:MPRESS"][L]);(t=0!=e.length?!0:t)&&_setResult("~protection","Generic","",PE.isVerbose()?e:"")}function isArchX86(){switch(PE.getOperationSystemOptions().split(",")[0]){case"I386":case"AMD64":return!0
h=!1,(h=0===PE.getMajorLinkerVersion()&&0===PE.getMinorLinkerVersion()?!0:h)&&(e=addOption(e,"Zero linker version")),i=!1,(i=isNetMetaDataPresent()&&0<PE_Cached.numberOfUnmanagedImports?!0:i)&&(e=addOption(e,"DotNET meta")),m=!1
if((m=PE.isFunctionPresent("_CorExeMain")||PE.isFunctionPresent("_CorDllMain")?!0:m)&&(e=addOption(e,"DotNET runtime attach")),PE.section[".asmg"]||PE.section.ASMGUARD)for(var L=0;L<3;L++)_removeResult("packer",["UPX","MPRESS","EP:MPRESS"][L]);(t=0!=e.length?!0:t)&&_setResult("~protection","Generic","",PE.isVerbose()?e:"")}function isArchX86(){switch(PE.getOperationSystemOptions().split(",")[0]){case"I386":case"AMD64":return!0
case"ARM":case"ARMNT":case"THUMB":return!1
default:return}}var _patternSplitter="|"
function getEpAsmPattern(e,t){for(var i=_patternSplitter,n=PE.getAddressOfEntryPoint(),r=0;r<t;r++){1<=r&&(n=PE.getDisasmNextAddress(n))
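Review bot: `".code"===PE.section[0]` in the '".text" section is not first' check (present on both the old and the new line of the first changed pair of the @ -147 hunk) compares a section object to a string, so it is always false and that option can never be added; the neighbouring comparisons on the same line use `PE.section[0].Name`, so it should read `".code"===PE.section[0].Name`. The commit does not touch this, and since the file looks like generated minified output, the fix presumably belongs in the source it is built from rather than here. If the "Phantom EAT" line is the new side, note that a DLL with an export directory and zero exports already receives "Empty EAT" on the same line, so both options would be reported for one condition; worth deciding whether that overlap is intended. The enclosing function begins and ends outside the hunk.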


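--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,2 @@
+function detect(){var t
+if(!PE.isNet())return".SCY"===(t=PE.section[PE.getNumberOfSections()-1]).Name&&3758096416&t.Characteristics&&(sOptions="reconstructed dump",bDetected=1),result()}meta("tool","Scylla")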
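Review bot: `3758096416&t.Characteristics` in detect() is truthy when any bit of 0xE0000020 (code/execute/read/write) is set, so a `.SCY` last section carrying only the read flag would already match; if the intent is the full mask, compare the masked value, `(3758096416&t.Characteristics)===3758096416`, which is the all-bits form the "has RWX" check in the other changed file uses. `PE.section[PE.getNumberOfSections()-1]` is also read before confirming that at least one section exists, so a zero-section image would dereference `.Name` on undefined; a `PE.getNumberOfSections()>0` test next to the `!PE.isNet()` guard would cover it.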


@ -1 +1 @@
Generated: 10/04/2026
Generated: 15/04/2026