Optimize signature pattern checks

Adjust signature pattern handling in scanForMaliciousCode_NET_and_Native.

- Remove the added "??" prefix when building njRatDataSeparatorPattern so the pattern uses the substring directly.
- Remove the trailing " **" wildcard from the Unicode " RAT" signature passed to PE.isSignatureInSectionPresent to narrow matching.
DosX 2026-06-22 16:28:35 +03:00
commit 61509245aa


@ -6150,7 +6150,7 @@ function scanForMaliciousCode_NET_and_Native() {
var njRatDataSeparator = "|'|'|",
njRatDataSeparatorPattern = generateUnicodeSignatureMask(njRatDataSeparator) + "00";
njRatDataSeparatorPattern = "??" + njRatDataSeparatorPattern.substring(2);
njRatDataSeparatorPattern = njRatDataSeparatorPattern.substring(2);
// NjRAT Generic: Detect NjRAT via requests-separator or assembly name
if (verdicts.length === 0) {
@ -6556,7 +6556,7 @@ function scanForMaliciousCode_NET_and_Native() {
}
if (PE.isSignatureInSectionPresent(0, "00" + generateUnicodeSignatureMask(" RAT") + "00 **") && (
if (PE.isSignatureInSectionPresent(0, "00" + generateUnicodeSignatureMask(" RAT") + "00") && (
PE.isNetObjectPresent("System.Net.Sockets") ||
PE.isNetObjectPresent("GetWindowText") ||
PE.isNetObjectPresent("avicap32.dll")
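Review bot: Dropping the trailing ` **` from the `" RAT"` signature in the second hunk removes a constraint from the pattern, so (assuming `**` is a per-byte match token, as the description's "wildcard" implies) it can only match the same locations or more, which is the opposite of the "narrow matching" given as the reason. A wide `" RAT"` bracketed by `00` is a short, generic marker, so the false-positive load now rests on the three `PE.isNetObjectPresent` checks; the rule is worth re-running against known-clean .NET samples. I would record the intent at the call, e.g. `// wide " RAT" + 00 only; specificity comes from the socket/window/capture checks below`. The first hunk has a similar documentation gap: `substring(2)` now drops the start of the separator mask with no comment saying why, and could be folded into the initial assignment. The `if` condition and the enclosing function continue outside the hunk.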