dbs_min update

2026-06-24 01:54:08 +00:00 · 2025-07-04 21:15:47 +03:00 · 2025-07-04 21:15:47 +03:00 · 579ce4dddb
commit 579ce4dddb
parent 4db5b191fb
22 changed files with 189 additions and 484 deletions
--- a/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
+++ b/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
@ -517,7 +517,7 @@ function scanForObfuscations_NET() {
        ) ||
        validateNetByteCode( // samples by: .NET Reactor (legacy~~)
            opCodes.stloc + opCodes.ldloc +
-            opCodes.joinNoBodyAndValue(opCodes.switch__nobody, "** ** ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00") +
+            opCodes.joinNoBodyAndValue(opCodes.switch__nobody, "** ** ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00", "switch__nobody") +
            opCodes.ldc_i4 + opCodes.br
        ) ||
        validateNetByteCode( // samples by: MindLated, NetShield
@ -1450,25 +1450,38 @@ function NetOpCodes() {
     * @method joinNoBodyAndValue
     * @param {string} opCode - The opcode without wildcards (e.g., "45" for switch)
     * @param {string} value - The hexadecimal bytes to append (e.g., "02 00 00 00 XX XX XX XX")
+     * @param {string} [opCodeName] - Optional: name of the opcode variable for validation
     * @returns {string} The combined opcode pattern
     * 
     * @example
     * // Create switch instruction with 2 targets
-     * var switchPattern = opCodes.joinNoBodyAndValue(opCodes.switch__nobody, "02 00 00 00 10 00 00 00 20 00 00 00");
+     * var switchPattern = opCodes.joinNoBodyAndValue(opCodes.switch__nobody, "02 00 00 00 10 00 00 00 20 00 00 00", "switch__nobody");
     * // Result: "45020000001000000020000000" (switch with 2 targets at offsets 0x10 and 0x20)
     * 
     * @throws {Error} If the opcode contains wildcards (should use setStrict instead)
+     * @throws {Error} If opCodeName is provided but doesn't contain '__nobody'
     */
-    this.joinNoBodyAndValue = function (opCode, value) {
-        if (!opCode || !value || typeof opCode !== "string") {
+    this.joinNoBodyAndValue = function (opCode, value, opCodeName) {
+        // Type validation
+        if (!opCode || typeof opCode !== "string") {
            _error("Invalid opcode provided.");
        }
+        if (!value || typeof value !== "string") {
+            _error("Invalid value provided.");
+        }

        // Check that opcode doesn't contain wildcards
        if (opCode.indexOf("??") !== -1) {
            _error("Opcode contains wildcards. Use setStrict() instead.");
        }

+        // Optional validation: check if opcode name contains '__nobody'
+        if (opCodeName && typeof opCodeName === "string") {
+            if (opCodeName.indexOf("__nobody") === -1) {
+                _error("joinNoBodyAndValue should only be used with '__nobody' opcodes (variable-length instructions).");
+            }
+        }
+
        return opCode + removeWhitespaces(value);
    }
 }
--- a/dbs_min/db/COM/CC#3.2.sg
+++ b/dbs_min/db/COM/CC#3.2.sg
@ -1 +1 @@
-function detect(){return Binary.compare("e9$$$$e800005d33db8bc3bf....893f81c3....532eff36....1f1e568d76..8bfbb9....f2a4c6")&&(sOptions="by ZeroCoder //XG",bDetected=!0),result()}init("protector","CC#3")
+function detect(){return Binary.compare("e9$$$$e800005d33db8bc3bf....893f81c3....532eff36....1f1e568d76..8bfbb9....f2a4c6")&&(bDetected=!0),result()}init("protector","CC#3")
--- a/dbs_min/db/PE/ADS_Self_Extractor.1.sg
+++ b/dbs_min/db/PE/ADS_Self_Extractor.1.sg
@ -1 +1 @@
-function detect(){return PE.compareEP("e8$$$$$$$$8bff558bec83ec..a1........8365....8365....5357bf........bb........3bc774")?bDetected=PE.compareOverlay("7b00320030003700320036003300370037002d00"):PE.compareEP("558bec6a..68........68........64a1........50648925........83ec..5356578965..ff15")&&(bDetected=-1!=PE.findSignature(PE.getOverlayOffset(),Math.min(256,PE.getOverlaySize()),"7b00320030003700320036003300370037002d00")),result()}init("sfx","ADS Self Extractor")
+function detect(){return PE.compareEP("e8$$$$$$$$8bff558bec83ec..a1........8365....8365....5357bf........bb........3bc774")?bDetected=PE.compareOverlay("7b00320030003700320036003300370037002d00"):PE.compareEP("558bec6a..68........68........64a1........50648925........83ec..5356578965..ff15")&&(bDetected=-1!==PE.findSignature(PE.getOverlayOffset(),Math.min(256,PE.getOverlaySize()),"7b00320030003700320036003300370037002d00")),result()}init("sfx","ADS Self Extractor")
--- a/dbs_min/db/PE/Advanced_BAT_to_EXE_converter.2.sg
+++ b/dbs_min/db/PE/Advanced_BAT_to_EXE_converter.2.sg
@ -1 +1 @@
-function detect(){return PE.compareEP("558BEC6AFF68")&&PE.compareOverlay("..02020202363A38393a")&&(sVersion="2.X-4.X",bDetected=!0),result()}init("protector","Advanced BAT to EXE Converter")
+function detect(){return PE.compareEP("558BEC6AFF68")&&PE.compareOverlay("..02020202363A38393a")&&(sVersion="2.X-4.X",bDetected=!0),sLang="Batch",result()}init("protector","Advanced BAT to EXE Converter")
--- a/dbs_min/db/PE/Anticrack_Software_Protector.2.sg
+++ b/dbs_min/db/PE/Anticrack_Software_Protector.2.sg
@ -1 +1 @@
-function detect(){return(PE.compareEP("60..................E801000000............................................0000......04")||PE.compareEP("60................0000........................E801000000..83042406C3..........00"))&&(sVersion="1.09",bDetected=!0),result()}init("protector","AntiCrack Software")
+function detect(){return(PE.compareEP("60..................E801000000............................................0000......04")||PE.compareEP("60................0000........................E801000000..83042406C3..........00"))&&(sVersion="1.09",bDetected=!0),result()}init("protector","AntiCrack Software Basic")
--- a/dbs_min/db/PE/AverCryptor.2.sg
+++ b/dbs_min/db/PE/AverCryptor.2.sg
@ -1,3 +1,3 @@
-function detect(){if(PE.section[".avc"]&&PE.compareEP("60E8000000005D81ED........8BBD........8B8D........B8")){switch(PE.readByte(PE.nEP+65)){case 250:sVersion="1.0"
+function detect(){if(PE.isSectionNamePresent(".avc")&&PE.compareEP("60E8000000005D81ED........8BBD........8B8D........B8")){switch(PE.readByte(PE.nEP+65)){case 250:sVersion="1.0"
 break
 case 247:sVersion="1.02"}bDetected=!0}return result()}init("cryptor","AverCryptor")
--- a/dbs_min/db/PE/BatToExe.1.sg
+++ b/dbs_min/db/PE/BatToExe.1.sg
@ -1,2 +1,2 @@
 function detect(){if(PE.compareEP("68........68........68........e8........83c4..68........e8........a3........68........68........68........e8........a3"))for(var e=0;e<PE.getNumberOfResources()&&!bDetected;e++)"RT_RCDATA"==PE.resource[e].Type&&(bDetected=PE.compare("78 9c 63 60 18 05 23 19 00 00 02 00 00 01",PE.resource[e].Offset))
-return result()}init("packer","Bat To Exe")
+return sLang="Batch",result()}init("packer","Bat To Exe")
--- a/dbs_min/db/PE/Cab.1.sg
+++ b/dbs_min/db/PE/Cab.1.sg
@ -1,2 +1,2 @@
-function detect(){var e,r
-return PE.compareOverlay("'wextract'",16)?(r=PE.getOverlayOffset(),-1!=(r=PE.findSignature(r-3584,3584,"BD04EFFE00000100"))&&(r+=16,sVersion=PE.readWord(r+2)+"."+PE.readWord(r)+"."+PE.readWord(r+6)+"."+PE.readWord(r+4)),bDetected=!0):/sfxcab/.test(PE.getManifest())?(PE.section[".rsrc"]&&(e=PE.section[".rsrc"].VirtualSize,r=PE.section[".rsrc"].FileOffset+e,-1!=(r=PE.findSignature(r-1536,1536,"BD04EFFE00000100")))&&(r+=8,sVersion=PE.readWord(r+2)+"."+PE.readWord(r)+"."+PE.readWord(r+6)+"."+PE.readWord(r+4)),bDetected=!0):/wextract/i.test(PE.getVersionStringInfo("InternalName"))?(sVersion=PE.getFileVersion(),bDetected=!0):PE.compareEP("558bec81ec........535657ff15........a3........ff15........a1........6625....3d")?PE.compare("'MSCF'00000000",20480)&&(bDetected=!0):PE.compareEP("6a..68........e8........66813d............75..a1........81b8................75..")?PE.compareOverlay("'MSCF'00000000")&&(bDetected=!0):PE.compareEP("e9$$$$$$$$558bec81ec........830d..........5356576a..33dbbf........68........895d..881d")&&(bDetected=!0),0<PE.getNumberOfResources()&&(r=PE.getResourceNameOffset("CABINET"),PE.compare("'MSCF'00000000",r)&&(bDetected=!0),r=PE.getResourceNameOffset("IDR_CABFILE"),PE.compare("'MSCF'00000000",r))&&(bDetected=!0),result()}init("sfx","Microsoft Cabinet")
+function detect(){var e
+return PE.compareOverlay("'wextract'",16)?(e=PE.getOverlayOffset(),-1!=(e=PE.findSignature(e-3584,3584,"BD04EFFE00000100"))&&(e+=16,sVersion=PE.readWord(e+2)+"."+PE.readWord(e)+"."+PE.readWord(e+6)+"."+PE.readWord(e+4)),bDetected=!0):/sfxcab/.test(PE.getManifest())?(PE.section[".rsrc"]&&(e=PE.section[".rsrc"].FileOffset+PE.section[".rsrc"].VirtualSize,-1!=(e=PE.findSignature(e-1536,1536,"BD04EFFE00000100")))&&(e+=8,sVersion=PE.readWord(e+2)+"."+PE.readWord(e)+"."+PE.readWord(e+6)+"."+PE.readWord(e+4)),bDetected=!0):/wextract/i.test(PE.getVersionStringInfo("InternalName"))?(sVersion=PE.getFileVersion(),bDetected=!0):PE.compareEP("558bec81ec........535657ff15........a3........ff15........a1........6625....3d")?PE.compare("'MSCF'00000000",20480)&&(bDetected=!0):PE.compareEP("6a..68........e8........66813d............75..a1........81b8................75..")?PE.compareOverlay("'MSCF'00000000")&&(bDetected=!0):PE.compareEP("e9$$$$$$$$558bec81ec........830d..........5356576a..33dbbf........68........895d..881d")&&(bDetected=!0),0<PE.getNumberOfResources()&&(e=PE.getResourceNameOffset("CABINET"),PE.compare("'MSCF'00000000",e)&&(bDetected=!0),e=PE.getResourceNameOffset("IDR_CABFILE"),PE.compare("'MSCF'00000000",e))&&(bDetected=!0),result()}init("sfx","Microsoft Cabinet")
--- a/dbs_min/db/PE/Hide&Protect.2.sg
+++ b/dbs_min/db/PE/Hide&Protect.2.sg
@ -1 +1 @@
-function detect(){return PE.compareEP("909090E9D8..050095..5300954A5000")&&(sVersion="1.016",bDetected=!0),result()}init("protector","Hide&Protect")
+function detect(){return(PE.compareEP("909090E9D8..050095..5300954A5000")||PE.compareEP("909090E9........0000000000000000"))&&(sVersion="1.016",bDetected=!0),result()}init("protector","Hide&Protect")
--- a/dbs_min/db/PE/Microsoft.6.sg
+++ b/dbs_min/db/PE/Microsoft.6.sg
--- a/dbs_min/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
+++ b/dbs_min/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
--- a/dbs_min/db_extra/COM/packers.2.sg
+++ b/dbs_min/db_extra/COM/packers.2.sg
--- a/dbs_min/db_extra/COM/patchers.1.sg
+++ b/dbs_min/db_extra/COM/patchers.1.sg
--- a/dbs_min/db_extra/ELF/ELFCrypt.2.sg
+++ b/dbs_min/db_extra/ELF/ELFCrypt.2.sg
--- a/dbs_min/db_extra/MSDOS/Cryptors.2.sg
+++ b/dbs_min/db_extra/MSDOS/Cryptors.2.sg
--- a/dbs_min/db_extra/PE/ASPR_Stripper.2.sg
+++ b/dbs_min/db_extra/PE/ASPR_Stripper.2.sg
--- a/dbs_min/db_extra/PE/Blizzard_PrePatch.1.sg
+++ b/dbs_min/db_extra/PE/Blizzard_PrePatch.1.sg
--- a/dbs_min/db_extra/PE/Break_Into_Pattern.2.sg
+++ b/dbs_min/db_extra/PE/Break_Into_Pattern.2.sg
@ -1 +1 @@
-function detect(){return PE.compareEP("E9$$$$$$$$EB14")&&(sVersion="0.1",bDetected=!0),result()}init("protector","Break Into Pattern")
+function detect(){return PE.compareEP("E9$$$$$$$$EB14")&&(sVersion="0.1",bDetected=!0),result()}init("protector","Break-Into-Pattern")
--- a/dbs_min/db_extra/PE/ChainskiCrypter.1.sg
+++ b/dbs_min/db_extra/PE/ChainskiCrypter.1.sg
--- a/dbs_min/db_extra/PE/CipherWall.1.sg
+++ b/dbs_min/db_extra/PE/CipherWall.1.sg
--- a/dbs_min/db_extra/PE/DS.Novex_dongle.4.sg
+++ b/dbs_min/db_extra/PE/DS.Novex_dongle.4.sg
--- a/dbs_min/db_extra/about.txt
+++ b/dbs_min/db_extra/about.txt
@ -1,2 +1,4 @@
 "db_extra" contains detection rules and scripts that were not approved for inclusion in the main database.
-Some of these rules may trigger only a few positive detections across the entire internet. Use of this database by default is not recommended, as it is neither optimized nor actively maintained.
+Some of these rules may trigger only a few positive detections across the entire internet.
+
+Using this default database is NOT RECOMMENDED as it is not optimized or actively maintained.