Add Scylla PE detection rule

Add a Detect It Easy rule (db/PE/tool_Scylla.6.sg) to identify Scylla reconstructed PE dumps. The script (authored by DosX) skips .NET binaries, checks whether the last section is named ".SCY" and has any bit of the characteristics mask 0xe0000020 set, and marks the sample as a reconstructed dump by setting sOptions and bDetected. Includes upstream project link metadata.
DosX 2026-04-15 15:30:01 +03:00
commit ae3196bcc8

22
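--- /dev/null
+++ b/db/PE/tool_Scylla.6.sg
@@ -0,0 +1,22 @@
+// Detect It Easy: detection rule file
+// Author: DosX
+// E-Mail: collab@kay-software.ru
+// GitHub: https://github.com/DosX-dev
+// Telegram: @DosX_dev
+// https://github.com/ntquery/scylla
+meta("tool", "Scylla");
+function detect() {
+if (PE.isNet()) return; // Doesn't support .NET
+var lastSection = PE.section[PE.getNumberOfSections() - 1];
+if (lastSection.Name === ".SCY" && lastSection.Characteristics & 0xe0000020) {
+sOptions = "reconstructed dump";
+bDetected = true;
+}
+return result();
+}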
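Review bot: The characteristics test in the `if` on the last section is an any-bit check, not a mask match: `lastSection.Characteristics & 0xe0000020` is truthy whenever any one of CNT_CODE, MEM_EXECUTE, MEM_READ or MEM_WRITE is set, and since MEM_READ (0x40000000) is set on practically every section the condition collapses to the `.SCY` name comparison alone. If the intent (as the commit message's "characteristics mask" suggests) is to require all of those flags, the test needs an equality, and because JavaScript bitwise operators yield signed 32-bit results the masked value must be brought back to unsigned before comparing: `var SCY_FLAGS = 0xe0000020;` and `if (lastSection.Name === ".SCY" && ((lastSection.Characteristics & SCY_FLAGS) >>> 0) === SCY_FLAGS) {` — a plain `=== 0xe0000020` would never be true. Separately, `PE.section[PE.getNumberOfSections() - 1]` is `undefined` for a PE with zero sections, so `lastSection.Name` would throw; a guard such as `if (PE.getNumberOfSections() === 0) return result();` before the lookup is cheap. Note also that the .NET early exit returns bare rather than `return result();` — if other rules in this database always return `result()`, this one should too for consistency.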