Fix lfaNewOffset unsigned calc and verify size

Coerce the computed e_lfanew to an unsigned 32-bit value using >>> 0 to avoid negative/incorrect offsets. Also tighten the remaining-buffer length passed to verifyPeSignature from (bufferSize - j - 4) to (bufferSize - j - 0x20) in both signature-check branches to avoid overly permissive/unsafe verification and reduce risk of out-of-bounds reads.
DosX 2026-06-18 16:02:09 +03:00
commit 9893fbad90


@ -7816,7 +7816,7 @@ function scanForMaliciousCode_NET_and_Native() {
lfaNewByte1 = getDecrypted(0x3D),
lfaNewByte2 = getDecrypted(0x3E),
lfaNewByte3 = getDecrypted(0x3F),
lfaNewOffset = lfaNewByte0 | (lfaNewByte1 << 8) | (lfaNewByte2 << 16) | (lfaNewByte3 * 16777216);
lfaNewOffset = (lfaNewByte0 | (lfaNewByte1 << 8) | (lfaNewByte2 << 16) | (lfaNewByte3 << 24)) >>> 0;
// Sanity check for the e_lfanew pointer
if (lfaNewOffset > 0x40 && lfaNewOffset < maxValidLfaNew) {
@ -7871,11 +7871,11 @@ function scanForMaliciousCode_NET_and_Native() {
var c0 = dataBuffer[j + k0_off[L]];
if (c0 === e0_bit && dataBuffer[j + k1_off[L]] === e1_bit) {
if (verifyPeSignature(dataBuffer, j, bufferSize - j - 4, L, 0)) {
if (verifyPeSignature(dataBuffer, j, bufferSize - j - 0x20, L, 0)) {
detectedAlgo = "XOR/XNOR"; return true;
}
} else if (c0 === e0_math && dataBuffer[j + k1_off[L]] === e1_math) {
if (verifyPeSignature(dataBuffer, j, bufferSize - j - 4, L, 1)) {
if (verifyPeSignature(dataBuffer, j, bufferSize - j - 0x20, L, 1)) {
detectedAlgo = "ADD/SUB"; return true;
}
}
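Review bot: In both `verifyPeSignature` calls of the second hunk, the new length argument `bufferSize - j - 0x20` becomes zero or negative once `j` is within 0x20 bytes of the end of the buffer, and nothing visible here shows that `verifyPeSignature` rejects a non-positive length. Computing it once ahead of the two branches, `var remaining = bufferSize - j - 0x20;`, and calling with `remaining > 0 && verifyPeSignature(dataBuffer, j, remaining, L, 0)` (and the same with `1` in the ADD/SUB branch) would make the bound explicit and remove the duplicated literal. The 0x20 margin also deserves a comment naming the read inside `verifyPeSignature` it reserves room for, for example `// room for the furthest header byte verifyPeSignature reads - TODO confirm 0x20`, because a wider margin also means a candidate header in the last 0x20 bytes of the buffer is no longer examined. The loop bounds and the rest of `scanForMaliciousCode_NET_and_Native` lie outside the hunk, so the loop may already keep `j` clear of that tail.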