mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Strengthen de4dot .NET detection logic

Browse source 
Refine the PE.NET detection in tool_de4dot.6.sg: accept either method_0 or smethod_0 and require either both GClass0 & GClass1 or both Class0 & Class1. Previously the check relied on smethod_0 and allowed a single GClass0 (or Class0+Class1), which could produce false positives; this change makes detection stricter and more accurate.
This commit is contained in:
DosX 2026-06-21 12:43:13 +03:00
commit 86151c660f
1 changed files with 3 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
db/PE/tool_de4dot.6.sg
View file

@ -10,10 +10,9 @@ meta("tool", "de4dot");
function detect() {
if (PE.isNet()) {
if (PE.isNetObjectPresent("smethod_0") && (
PE.isNetObjectPresent("GClass0") || (
PE.isNetObjectPresent("Class0") && PE.isNetObjectPresent("Class1")
)
if ((PE.isNetObjectPresent("method_0") || PE.isNetObjectPresent("smethod_0")) && (
(PE.isNetObjectPresent("GClass0") && PE.isNetObjectPresent("GClass1")) ||
(PE.isNetObjectPresent("Class0") && PE.isNetObjectPresent("Class1"))
)) {
bDetected = true;
sOptions = "deobfuscated";