Fix: 2023-10-09

db/PE/3dcrypter.2.sg

@@ -0,0 +1,14 @@
+// DIE's signature file
+
+init("crypter","3dCrypter");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    if(PE.compareEP("684c124000e8eeffffff0000000000003000000038000000000000003848ee54"))
+    {
+        sVersion="mod Zion-92";
+        bDetected=1;
+    }
+
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/AutorunProEnterprise.1.sg

@@ -0,0 +1,17 @@
+// Author KDSS-Research
+
+init("Installer","Autorun Pro Enterprise");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    bDetected = 1;
+    if (!PE.isSectionNamePresent(".rsrc") || PE.isSectionNamePresent("CODE")){
+        return null;
+    }
+    var n1=PE.findString(PE.section[".rsrc"].FileOffset,PE.section[".rsrc"].FileSize,"9AutoRunObjects");
+    var n2=PE.findString(PE.section[".rsrc"].FileOffset,PE.section[".rsrc"].FileSize,"AutoRunObjects");
+    if (n1==-1 && n2==-1){
+	bDetected=0;
+    }
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/AutorunProEnterpriseII.1.sg

@@ -0,0 +1,20 @@
+// Author KDSS-Research
+
+init("Installer","Autorun Pro Enterprise II");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    bDetected = 1;
+    if (!PE.isSectionNamePresent(".rsrc") ){
+        return null;
+    }
+    if (!PE.isSectionNamePresent("CODE")){
+        return null;
+    }
+    var n1=PE.findString(PE.section["CODE"].FileOffset,PE.section["CODE"].FileSize,"TAutoRunProjectX");
+    var n2=PE.findString(PE.section[".rsrc"].FileOffset,PE.section[".rsrc"].FileSize,"AutoRunObjects");
+    if (n1==-1 && n2==-1){
+	bDetected=0;
+    }
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/LDK .NET.2.sg

@@ -0,0 +1,16 @@
+// DIE's signature file
+
+init("protector","SafeNet Sentinel LDK .NET");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+	if(PE.isNET())
+	{
+		if(PE.isNETStringPresent(".protect") && PE.isNETStringPresent("haspdnert.dll"))
+		{
+			bDetected=1;
+		}
+	}
+
+	return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/LDK.2.sg

@@ -0,0 +1,24 @@
+// DIE's signature file
+// Author: sendersu
+/*
+If errors pls contact sendersu on exelab.ru
+*/
+
+init("protector","SafeNet Sentinel LDK");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    if(PE.getNumberOfSections()==4)
+    {
+        if(PE.isSectionNamePresent(".AKS1")
+           && PE.isSectionNamePresent(".AKS2")
+           && PE.isSectionNamePresent(".AKS3")
+           && PE.isSectionNamePresent(".rsrc")
+        )
+        {
+            bDetected=1;
+        }
+    }
+
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/LimeCrypter.2.sg

@@ -0,0 +1,58 @@
+// DIE's signature file
+// Author: KDSS-Research
+
+init("cryptor", "LimeCrypter");
+
+function detect(bShowType, bShowVersion, bShowOptions) {
+    if (PE.isNET()) {
+        bDetected = 1;
+        if (validateReferences(
+                isPositive = true,
+                references = [
+                    "System.Security.Cryptography",
+                    "System.Collections.Generic",
+                    "System.Resources",
+                    "System.Reflection"
+
+                ]
+            )) {
+            bDetected = 0;
+            return null; // end
+        } 
+
+        var n3=PE.isSignatureInSectionPresent(0,"24........................................................................");
+        var n2=PE.isSignatureInSectionPresent(0,"3c50726976617465496d706c656d656e746174696f6e44657461696c733e7b........................................................................7d");
+        
+        if (!n2 || !n3 || !PE.isNETStringPresent("<Initialize>o__SiteContainer0") 
+                || !PE.isNETStringPresent("$$method0x6000005-1") 
+                || !PE.isNETStringPresent("Assembly")
+                || !PE.isNETStringPresent("Rfc2898DeriveBytes")
+                || !PE.isNETStringPresent("AES_Decrypt")
+                || !PE.isNETStringPresent("<>p__Site1") || PE.isNETStringPresent("Chainski")) {
+             bDetected = 0;
+        }
+
+
+    }
+    
+
+    return result(bShowType, bShowVersion, bShowOptions);
+}
+
+
+// validateReferences by DosX
+function validateReferences(isPositive, references) {
+    for (var i = 0; i < references.length; i++) {
+        var sign = "00'" + references[i] + "'00";
+        if (isPositive == true) {
+            if (!PE.isSignatureInSectionPresent(0, sign)) {
+                return true;
+            }
+        } else { // negative
+            if (PE.isSignatureInSectionPresent(0, sign)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}

db/PE/PEUnion.2.sg

@@ -0,0 +1,122 @@
+// DIE's signature file
+// Author: KDSS-Research
+// Edited: DosX; Telegram: @DosX_Plus
+
+init("cryptor", "PEUnion");
+
+function detect(bShowType, bShowVersion, bShowOptions) {
+    //32bit RUNPE stub
+    if (!PE.isNET()) {
+        bDetected = 1;
+
+        if (PE.isPEPlus()) {
+            bDetected = 0;
+        }
+
+        const kLib = "kernel32.dll";
+
+        if (validateNativeImports(
+                isPositive = true,
+                references = [
+                    [kLib, "GetProcAddress"],
+                    [kLib, "ExitProcess"],
+                    [kLib, "GetModuleFileNameA"],
+                    [kLib, "GetComputerNameA"],
+                    [kLib, "VirtualAllocExNuma"],
+                    ["shlwapi.dll", "PathFindFileNameA"]
+                ]
+            )) {
+            bDetected = 0;
+        }
+
+        // ====== ENTRY POINT ======
+        //      E8:  call ...
+        //      6A:  push 0
+        //  FF15A4:  call dword ptr [...]
+        //      C3:  ret
+        // =========================
+        const entryPoint = "E8??????006A00FF15A4????00C3";
+
+        if (PE.getNumberOfSections() != 3 ||
+            !PE.compareEP(entryPoint) ||
+            !PE.isSectionNamePresent(".rsrc") || !PE.isSectionNamePresent(".idata") || !PE.isSectionNamePresent(".text") ||
+            PE.findString(PE.section[".rsrc"].FileOffset, PE.section[".rsrc"].FileSize, "</assembly>") == -1 ||
+            !(PE.getSectionVirtualSize(1) + PE.getSectionVirtualSize(2) < PE.getSectionVirtualSize(0)) ||
+            !PE.isSignatureInSectionPresent(1, "00'Shlwapi.dll'00")) { // validate imports with signature <[S]hlwapi.dll>
+            bDetected = 0;
+        }
+
+
+        sOptions += "RunPE"
+    }
+
+    if (PE.isNET()) {
+        bDetected = 1;
+        if (validateReferences(
+                isPositive = true,
+                references = [
+                    "kernel32.dll", "LoadLibraryA", "GetProcAddress",
+                    "System.Runtime.InteropServices",
+                    "System.Runtime.CompilerServices",
+                    "System.IO",
+                    "System.Reflection",
+                    "System.Resources",
+                    "System.Collections.Generic",
+                    "System.Core",
+                    "System.Linq",
+                    "IEnumerable`1", "<>c__DisplayClass1", "Func`2"
+                ],
+                section = 0
+            )) {
+            bDetected = 0;
+        }
+
+        if (PE.isNETStringPresent("BeginInvoke") ||
+            PE.isNETStringPresent("EndInvoke")) {
+            sOptions += "Invoke"
+        }
+
+    }
+
+    sVersion = "v4.0";
+    return result(bShowType, bShowVersion, bShowOptions);
+}
+
+
+// validateReferences by DosX
+function validateReferences(isPositive, references, section) {
+    for (var i = 0; i < references.length; i++) {
+        var sign = "00'" + references[i] + "'00";
+        if (isPositive == true) {
+            if (!PE.isSignatureInSectionPresent(section, sign)) {
+                return true;
+            }
+        } else { // negative
+            if (PE.isSignatureInSectionPresent(section, sign)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+// and validateNativeImports by DosX also
+function validateNativeImports(isPositive, references) { // references[2]
+    for (var i = 0; i < references.length; i++) {
+        var importSign = references[i],
+            library = importSign[0],
+            entry = importSign[1];
+        if (isPositive == true) {
+            if (!PE.isLibraryFunctionPresent(library, entry)) {
+                return true;
+            }
+        } else { // negative
+            if (PE.isLibraryFunctionPresent(library, entry)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+// I like coffee. Preferably with milk

db/PE/Squishy.2.sg

@@ -0,0 +1,11 @@
+// Made by KDSS-Research
+
+init("packer","Squishy");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+	if (PE.isSectionNamePresent("logicoma")){
+		bDetected=1;
+	}
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db/PE/Xash.3.sg

@@ -0,0 +1,19 @@
+// DIE's signature file
+// Author: KDSS-Research
+
+init("GameEngine","Xash3D");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    if (!PE.isSectionNamePresent(".data")){
+        return null;
+    }
+    var n1=PE.findString(PE.section[".data"].FileOffset,PE.section[".data"].FileSize,"Xash Error")
+    var n2=PE.findString(PE.section[".data"].FileOffset,PE.section[".data"].FileSize,"xash.dll")
+    var n3=PE.findString(PE.section[".data"].FileOffset,PE.section[".data"].FileSize,"Unable to load the xash.dll")
+    if (n1!=-1 && n2!=-1 && n3 !=-1){
+        bDetected=1;
+		
+    }
+    return result(bShowType,bShowVersion,bShowOptions);
+}

db_custom/PE/Test.sg

@@ -0,0 +1,13 @@
+// DIE's signature file
+
+init("packer","TEST");
+
+function detect(bShowType,bShowVersion,bShowOptions)
+{
+    if(false) // TODO !!!
+    {
+        bDetected=1;
+    }
+
+    return result(bShowType,bShowVersion,bShowOptions);
+}