mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

dbs_min update

Browse source
This commit is contained in:
DosX 2026-05-26 02:34:28 +03:00
commit b140ce5050
1 changed files with 5 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

10
dbs_min/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -218,13 +218,13 @@ else for(var _=["il2cpp",".text$mn",".rdata$zzzdbg"],i=0;i<_.length&&!f;i++)PE.i
f&&(_setResult("~compiler","IL2CPP Technology","",""),_setLangByHeur("Native MSIL/C#"))}var C,b=!o&&!a,y=PE.getMajorLinkerVersion(),A=PE.getMinorLinkerVersion(),v=(isCompilerDetected()||isLinkerDetected()||PE_Cached.isDotNet||(v=PE.section[".eh_frame"],C=PE.section[".build-id"],v||C||!(PE_Cached.isRichSignaturePresent||PE.compare("'MZ'90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000....00000E1FBA0E00B409CD21B8014CCD21'This program cannot be run in DOS mode.\r\r\n$'00000000")||PE.compare("'MZ'90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000....000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")||PE.isSectionNamePresent(".00cfg"))?v||C||PE.isSectionNamePresent(".CRT")&&PE.isSectionNamePresent(".rdata")&&PE.isSectionNamePresent(".xdata")&&PE.isSectionNamePresent(".idata")&&(PE.isSectionNamePresent(".tls")||PE.isSectionNamePresent(".bss"))||PE.isSectionNamePresent(".buildid")?(_setResult("~compiler","MinGW","",""),!_isLangDetected()&&b&&_setLangByHeur("C/C++")):PE.isSectionNamePresent(".flat")&&!a&&(_setResult("~compiler","FASM","",""),_setLangByHeur("ASMx"+(PE_Cached.is64bit?"64":"86"))):((PE.isSectionNamePresent(".gfids")||PE.isSectionNamePresent(".giats")||PE.isSectionNamePresent(".gljmp"))&&_setResult("~tool","Microsoft Visual Studio","",""),_setResult("~linker","Microsoft Linker",0!==y?y+"."+A:"",""),_setResult("~compiler","Microsoft Visual C/C++","",""),!_isLangDetected()&&b&&(isNetMetaDataPresent()?_setLangByHeur("MSIL/C/C++"):_setLangByHeur("C/C++")))),PE.section[".rdata"])
v&&e&&PE.isSignaturePresent(v.FileOffset,v.FileSize,generateUnicodeSignatureMask("Visual C++"))&&(log(logType.any,"Embedded Visual C++ Runtime detected."),a=!0),a||e&&PE.isSignaturePresent(PE_Cached.dosStubSize,PE_Cached.fileBodySize,"' C++ '")?_setLangByHeur("C++"):!_isLangPresent("C++")&&o&&(PE.isFunctionPresent("_iob")||PE.isFunctionPresent("printf")||PE.isFunctionPresent("malloc")||PE.isFunctionPresent("memset"))?_setLangByHeur("C"):PE.isLibraryPresentExp(/^api-ms-win-crt*/i)||PE.isSectionNamePresent(".msvcjmc")||PE.isSectionNamePresentExp(/\.CRT(?:\$[A-Z]{3})?$/i)?_setLangByHeur("C/C++"):_isLangDetected()||_getNumberOfResults("compiler")||PE_Cached.isDotNet||_getNumberOfResults("protector")||_getNumberOfResults("cryptor")||_getNumberOfResults("~cryptor")||_getNumberOfResults("packer")||_getNumberOfResults("~packer")||_setLangByHeur("ASMx"+(PE_Cached.is64bit?"64":"86"))}function _setLangByHeur(e){log(logType.any,e+" language detected!"),_setLang(e,heurLabel)}function addOption(e,t){return e&&(e+=" + "),e+=t}function log(e,t){if(t){/\r|\n|\t/.test(t)&&(t=t.replace(/[\r\n\t]+/g," ").replace(/\s+/g," ").trim())
var i=""
switch(-2!==e&&(i=heurLabel),-2<e&&0!==e&&(i+="/"),e){case-2:i="!"
switch(e!==logType.warning&&(i=heurLabel),e>logType.warning&&e!==logType.nothing&&(i+="/"),e){case logType.warning:i="!"
break
case-1:i+="About"
case logType.about:i+="About"
break
case 1:i+="Any"
case logType.any:i+="Any"
break
case 2:i+=".NET"}"undefined"!=typeof _log?_log("["+i+"] "+t):_error("Unable to write log message")}}function scanForMaliciousCode_NET_and_Native(){log(logType.nothing,"Scanning for malicious code...")
case logType.net:i+=".NET"}"undefined"!=typeof _log?_log("["+i+"] "+t):_error("Unable to write log message")}}function scanForMaliciousCode_NET_and_Native(){log(logType.nothing,"Scanning for malicious code...")
var e,t=[],i="May be infected, be careful!"
if(PE_Cached.isDotNet){var n=!1,r="",s="??"+(s=generateUnicodeSignatureMask("|'|'|")+"00").substring(2)
0===t.length&&(PE.isNetUStringPresent("im523")?(r="0.7D Green Edition",n=!0):("w"===PE_Cached.nameOfNetAssemblyName||"w.exe"===PE_Cached.nameOfNetModuleName||"k"===PE_Cached.nameOfNetAssemblyName||"k.exe"===PE_Cached.nameOfNetModuleName||PE.isNetObjectPresent("njLogger")||PE.isNetUStringPresent("|PWD| ")||PE.isNetUStringPresent("|'|'|")||PE.isSignatureInSectionPresent(0,s))&&(n=!0))
@ -245,7 +245,7 @@ break}}var I=PE.getVersionStringInfo("LegalCopyright")
if(I&&!/(?:\(C\)|©|\bcopyright\b)/i.test(I))for(var R=["microsoft","google","apple","amazon","adobe","oracle","mozilla","vmware","valve","rockstar","blizzard","ubisoft","roblox","ea digital","cd projekt","epic games","discord","telegram","whatsapp","kaspersky","avast","malwarebytes","doctor web","bitdefender","norton","mcafee","eset","avira","sophos","nvidia","intel"],d=0;d<R.length;d++)if(new RegExp("\\b"+R[d]+"\\b").test(I.toLowerCase())){t.push({type:"Fake build info",version:"",details:i})
break}var T=["csrss.exe","wininit.exe","lsass.exe","svchost.exe","taskhostw.exe","ntkrnlmp.exe","RuntimeBroker.exe","smss.exe","SecurityHealthService.exe"],D=T.concat(["dwm.exe","winlogon.exe","services.exe","spoolsv.exe","OneDrive.exe","fontdrvhost.exe","sihost.exe","winresume.exe","SystemSettings.exe","ShellExperienceHost.exe","StartMenuExperienceHost.exe"]),k=!1
function F(e){return e&&(e=e.toLowerCase(),PE.getVersionStringInfo("OriginalFilename").toLowerCase()===e||PE.getVersionStringInfo("InternalName").toLowerCase()===e)}for(P=0;P<T.length&&!k;P++)!F(T[P])||PE.isSigned()||(k=!0)
for(E=0;E<D.length&&!k;E++)!F(D[E])||!PE_Cached.isDotNet&&PE_Cached.isRichSignaturePresent||(0<_getNumberOfResults("packer")||0<_getNumberOfResults("protector"))&&(k=!0)
if((PE_Cached.isDotNet||!PE_Cached.isRichSignaturePresent)&&(0<_getNumberOfResults("packer")||0<_getNumberOfResults("protector")))for(E=0;E<D.length&&!k;E++)F(D[E])&&(k=!0)
k&&t.push({type:"Fake "+(PE_Cached.isDotNet?"":"or infected ")+"system file",version:"",details:i}),(PE_Cached.isDotNet&&("stub"===PE_Cached.nameOfNetAssemblyName.toLowerCase()||0===PE_Cached.nameOfNetModuleName.toLowerCase().indexOf("stub.")||-1!==PE_Cached.nameOfNetAssemblyName.toLowerCase().indexOf("crypted")||-1!==PE_Cached.nameOfNetModuleName.toLowerCase().indexOf("crypted")||-1!==PE_Cached.nameOfNetAssemblyName.toLowerCase().indexOf("payload")||-1!==PE_Cached.nameOfNetModuleName.toLowerCase().indexOf("payload")||isNameObfuscated(PE_Cached.nameOfNetAssemblyName)||isNameObfuscated(PE_Cached.nameOfNetModuleName)||/(?:^tmp|\.tmp$)/.test(PE_Cached.nameOfNetModuleName))||0===PE.getVersionStringInfo("OriginalFilename").toLowerCase().indexOf("stub.")||0===PE.getVersionStringInfo("InternalName").toLowerCase().indexOf("stub.")||(function(){for(var e=["Comments","CompanyName","FileDescription","ProductName","LegalCopyright","LegalTrademarks","OriginalFilename","InternalName"],t=0;t<e.length;t++)if(isNameObfuscated(PE.getVersionStringInfo(e[t])))return 1})())&&t.push({type:"Anomalous build info",version:"",details:i}),(PE.isResourceNamePresentExp(/^(?:STUB|SERVER)(?:\.[A-Z]{3})?$/)||PE.isResourceNamePresentExp(/(?:PAYLOAD|SHELLCODE|INJECT|CRYPTED|DECRYPTOR)/))&&t.push({type:"Anomalous resources",version:"",details:i})
for(var L=0;L<t.length;L++){var B=t[L]
_setResult("~malware",B.type,B.version,B.details)}}function scanForInterestingMarkers_NET_and_Native(){log(logType.nothing,"Scanning for interesting markers...")