mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Skip empty/small sections during entropy scan

Browse source 
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
This commit is contained in:
DosX 2026-06-20 19:33:40 +03:00
commit d77aa6f6dd
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
View file

@ -2988,6 +2988,8 @@ function scanForPackersAndCryptors_NET_and_Native() { // For .NET and Native app
for (var t = 0; t < PE_Cached.numberOfSections && !isCompressedSectionPresent; t++) {
compressedSectionIndex = t;
if (PE.section[t].FileOffset === 0 || PE.section[t].FileSize < 0x1000) continue;
var sectionEntropy = PE.calculateEntropy(PE.getSectionFileOffset(compressedSectionIndex), PE.getSectionFileSize(compressedSectionIndex));
if (sectionEntropy > 7.4) {
log(logType.any, "Section #" + compressedSectionIndex + " (\"" + cleanSectionName(PE.getSectionName(compressedSectionIndex)) + "\") entropy: " + sectionEntropy);