mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add zero FileSize check to heuristic UPX Structure detection (#349)

Browse source 
Update scanForPackersAndCryptors_NET_and_Native to require PE.section[0].FileSize === 0 when checking three-section PE files with RWX flags. This narrows the heuristic to better detect packer/cryptor layouts (first section with zero FileSize) and reduce false positives. Change is in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.

Co-Authored-By: Yosef Khaled <124172634+tenzzzzzz@users.noreply.github.com>
This commit is contained in:
DosX 2026-05-07 19:54:55 +03:00
commit 68d27b52dc
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -2394,6 +2394,7 @@ function scanForPackersAndCryptors_NET_and_Native() { // For .NET and Native app
var isUpxLikeImports = false;
if (PE_Cached.numberOfSections === 3 &&
PE.section[0].FileSize === 0 &&
(PE.section[0].Characteristics & SECTION_FLAGS_RWX_MASK) === SECTION_FLAGS_RWX_MASK &&
(PE.section[1].Characteristics & SECTION_FLAGS_RWX_MASK) === SECTION_FLAGS_RWX_MASK && (
(PE.section[2].Characteristics & SECTION_FLAGS_READ) === SECTION_FLAGS_READ ||