Commit graph

4,837 commits

Author SHA1 Message Date
Benjamin Funke
342dda3064 add update_info_timestamp scripts 2026-06-23 17:54:39 +02:00
horsicq
74e9ca450d chore: update date to 2026-06-23 in db info files 2026-06-23 01:46:57 +02:00
DosX
eed67fc08d dbs_min update 2026-06-22 18:55:48 +03:00
Benjamin Funke
958258a5cd update DiE version in RUN.md 2026-06-22 17:34:53 +02:00
DosX
d23269a06e Add VCasm-Protector and Excalibur detections
Add new heuristics to PE DB: insert VCasm-Protector (version 1.1-1.2, hash 0xcfed7c1e) and Excalibur (version 1.0X, hash 0x7f364e1f) into the packer/cryptor signature list, and add a section-name rule for VCasm-Protector ('vcasm'). Also adjust array punctuation for the appended entries.
2026-06-22 18:33:43 +03:00
DosX
6b53f22ae4 Improve Skater .NET detector
Add upstream GitHub reference and replace the slow signature-in-section check with PE.isNetObjectPresent checks for 'RustemSoft.Skater' and 'RustemSoft.Skater.Skater_NET_Obfuscator' to speed up detection. Keeps the existing EP .NET compare logic and version detection for 2.X.
2026-06-22 18:33:15 +03:00
DosX
5c5e3ad911 Rename and refactor Unicode signature generator
Rename generateUnicodeSignatureMask to convertStringToUnicodeSignature and change its output to a continuous UTF-16LE hex string (no spaces) with consistent zero-padding. Update all callers accordingly across the PE heuristics file, adjust doc examples to the new format, and remove an obsolete substring adjustment for the NjRAT separator pattern. These changes standardize how UTF-16LE signatures are produced and consumed by PE.isSignature*/PE.findSignature calls.
2026-06-22 16:47:15 +03:00
DosX
1af9c5240f dbs_min update 2026-06-22 16:29:29 +03:00
DosX
a8180360d2 Refactor variable names in heuristics
Rename many internal variables in scanForMaliciousCode_NET_and_Native to clearer, self-descriptive identifiers (e.g. k0_off/k1_off/k3_off -> offsetKey0/offsetKey1/offsetKey3, lfa*_off -> offsetLfa*, keyLen/j/L -> keyLength/offset, and byte variables like b0/b1 -> cipherM/cipherZ, etc.). Changes span the pre-calculation block, verifyPeSignature, and scanBuffer to improve readability and maintainability. No functional logic changes intended — behavior should remain the same.
2026-06-22 16:29:00 +03:00
DosX
61509245aa Optimize signature pattern checks
Adjust signature pattern handling in scanForMaliciousCode_NET_and_Native.

- Remove the added "??" prefix when building njRatDataSeparatorPattern so the pattern uses the substring directly.
- Remove the trailing " **" wildcard from the Unicode " RAT" signature passed to PE.isSignatureInSectionPresent to narrow matching.
2026-06-22 16:28:35 +03:00
DosX
6774f5bfb8 Generate precise UTF-16LE hex signature mask
Rewrite generateUnicodeSignatureMask to produce UTF-16LE hex byte sequences for each character. The new implementation uses charCodeAt to extract code units, computes low/high bytes in little-endian order, pads bytes to two hex digits (ES3/ES5 compatible), and joins byte pairs with spaces. This replaces the previous quoted 'char'00' style output and correctly handles non-ASCII characters.
2026-06-22 16:27:49 +03:00
DosX
c4c388de73 Refactor PE scan buffer decoding and checks
Replace custom hex decoding and helper with direct PE.readBytes, removing hexLUT and getDecodedBuffer to reduce overhead. Simplify scanBuffer signature and internals (rename comment, local caching, remove unused offsetBase), tighten verifyPeSignature comments and remove redundant explanatory comments. Use PE.readBytes for resources, overlay and sections, and keep existing algorithm detection logic intact; this is a cleanup/optimization to improve readability and performance without changing core behavior.
2026-06-22 16:15:17 +03:00
DosX
7f96c2e668 Simplify e_lfanew fast-fail and cache lfa3
Remove redundant b3 decode and consolidate the e_lfanew fast-fail check to test the upper 16 bits against max bounds. Treat the MSB of e_lfanew as implicitly 0 and move its per-iteration validation into the main scan loop by caching lfa3_off as _lfa3 and reading the MSB (d3F) once per iteration. This reduces repeated reads and unnecessary variables, clarifies assumptions about e_lfanew, and slightly improves performance by localizing offsets and eliminating a prior separate fast-fail branch.
2026-06-22 16:09:36 +03:00
DosX
16791938db Optimize PE signature decryption and scanning
Inline and optimize PE header verification and scanning hot paths for performance. Added precomputed lfa*_off lookup tables for e_lfanew byte offsets and removed the getDecryptedByte helper by inlining decryption math inside verifyPeSignature to avoid function-call and modulo overhead. Reduced repeated arithmetic by caching base indices, precomputing remainder r, and validating high-order bytes early; also added maxLfa to avoid recomputing buffer bounds. Minor micro-optimizations: cache hexLUT locally in getDecodedBuffer, cache k*_off arrays in scanBuffer, and break out of loops once an encrypted PE is detected. Behavior and verification checks are preserved while improving throughput in tight scanning loops.
2026-06-22 16:07:28 +03:00
DosX
f2fa6b342b Optimize PE heuristic scanning and decryption
Performance and memory optimizations for the PE heuristic scanner:

- Tighten DOS-PDB scan loop to stop once pdbPathBeginOffset is found (avoids an extra break).
- Replace offset tables (k0_off/k1_off/k3_off) with typed Uint8Array to reduce allocations and improve access speed.
- Extract a single getDecryptedByte function (removed inner closure) to avoid per-call closure allocation and centralize decrypt logic.
- Add a fast-fail check for the most-significant byte of e_lfanew and simplify lfaNewOffset calculation to speed header validation.
- Replace multiple inline decryption calls with getDecryptedByte in verifyPeSignature for clarity and efficiency.
- Restructure the detection inner loop to early-continue on mismatches and apply lazy evaluation for arithmetic checks (ADD-SUB / SUB-REV) to reduce unnecessary work.

Behavior should be unchanged functionally while reducing CPU and memory overhead during scanning.
2026-06-22 16:02:50 +03:00
DosX
1837b16d0b dbs_min update 2026-06-22 14:55:45 +03:00
DosX
987d68a71d Optimize PE section scanning and caching
Cache section properties (offset, size, name) and replace direct PE.section accesses to improve readability and performance. Adjust skip logic to use cached sectionSize/sectionName. Expand scanning windows: scan .text of .NET assemblies up to 0x64000, increase data-like sections to 0x12000 and other sections to 0x6000 (previously smaller), to improve detection of encoded/encrypted payloads.
2026-06-22 14:55:36 +03:00
DosX
ab126dd877 dbs_min update 2026-06-22 14:02:37 +03:00
DosX
6b180e6bb8 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-22 14:02:01 +03:00
DosX
3303f77420 Standardize wildcard and broaden resource checks
Replace inconsistent byte wildcard in a signature ("81 ED ?? ?? 01 20" -> "81 ED .. .. 01 20") to match the file's wildcard convention, and expand resource-name detection by adding a regex for obvious malicious names (TROJAN, VIRUS, MALWARE, DROPPER). An inline comment was added explaining the resource-name check; minor spacing was also adjusted.
2026-06-22 14:01:59 +03:00
Benjamin Funke
0b2f054553 add references to PE signatures 2026-06-21 17:54:53 +02:00
DosX
134b93e3d2 dbs_min update 2026-06-21 13:10:07 +03:00
DosX
435cf589d0 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 13:09:24 +03:00
DosX
9853fdc223 Rename MSDOS rule files; adjust RM_FORTRAN mode
Rename several MSDOS detection rule files to include category prefixes and improve organization. Files renamed:
- db/MSDOS/RM_FORTRAN.4.sg -> db/MSDOS/compiler_RM_FORTRAN.4.sg (mode changed 100755 -> 100644; only whitespace/formatting normalized, no detection logic change)
- db/MSDOS/REC_small_AV.1.sg -> db/MSDOS/immunizer_REC_small_AV.1.sg
- db/MSDOS/RLE_com-packer.2.sg -> db/MSDOS/packer_RLE_com-packer.2.sg
- db/MSDOS/REC_small.1.sg -> db/MSDOS/protector_REC_small.1.sg
- db/MSDOS/anti-tracing_add-on.1.sg -> db/MSDOS/protector_anti-tracing_add-on.1.sg

No functional changes to detection rules aside from the noted formatting and permission adjustment.
2026-06-21 13:09:22 +03:00
Benjamin Funke
4e608a54f6 add references for Aztec C/AmigaBasic signature 2026-06-21 11:54:54 +02:00
DosX
82e408f2df Rename DB files to sfx_ and compiler_ prefixes
Rename several database pages to standardized prefixes for clearer organization: db/LX/{PKZIP-SFX.1.sg,RAR-SFX.1.sg} -> db/LX/sfx_PKZIP-SFX.1.sg and db/LX/sfx_RAR-SFX.1.sg; db/MSDOS/{Microsoft_Fortran.4.sg,Microsoft_Quick_Basic.4.sg} -> db/MSDOS/compiler_Microsoft_Fortran.4.sg and db/MSDOS/compiler_Microsoft_Quick_Basic.4.sg. Files are unchanged (100% similarity); only filenames were updated to reflect type (sfx for self-extractors, compiler for compilers).
2026-06-21 12:46:12 +03:00
DosX
bb3351fdbb Rename Borland C to C++ and update sLang
Rename db/LX/compiler_Borland_C.4.sg to db/LX/compiler_Borland_C++.4.sg and update the detect() function to set sLang from "C/C++" to "C++". This adjusts the file/name to explicitly represent the C++ compiler and aligns the language identifier accordingly; no other functional changes.
2026-06-21 12:44:48 +03:00
DosX
b0f6c22d8d Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:43:23 +03:00
DosX
86151c660f Strengthen de4dot .NET detection logic
Refine the PE.NET detection in tool_de4dot.6.sg: accept either method_0 or smethod_0 and require either both GClass0 & GClass1 or both Class0 & Class1. Previously the check relied on smethod_0 and allowed a single GClass0 (or Class0+Class1), which could produce false positives; this change makes detection stricter and more accurate.
2026-06-21 12:43:13 +03:00
Benjamin Funke
3c0c6b8a53 add references to LX signatures 2026-06-21 11:31:02 +02:00
Benjamin Funke
fa082ddaf1 add references to MACH signatures 2026-06-21 11:29:03 +02:00
DosX
dac2016dfb Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:26:31 +03:00
DosX
3113bca5ed Expand malware signature list with more variants
Add additional signature variants to the signsToCheck array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (scanForMaliciousCode_NET_and_Native). New entries cover different capitalizations and synonyms for file/cookie/wallet stealers (e.g. Grabfiles/stealfiles, GrabCookies, WalletsStealer/WalletsGrabber) to improve detection coverage for varied naming conventions.
2026-06-21 12:26:22 +03:00
Benjamin Funke
96836f65dc redefine Virbox signature as protector 2026-06-21 11:25:36 +02:00
DosX
e087251e33 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:22:27 +03:00
DosX
f249f403a6 Categorize and rename MSDOS rule files
Rename many db/MSDOS detection rules to include category prefixes (e.g. compiler_, extender_, immunizer_, linker_, protector_, other_) for clearer organization. Add sLang assignment for Microsoft_C rule to set "C" or "C/C++" based on sName. Normalize formatting/whitespace in several scripts and remove executable bit from a few rule files. No detection logic changes besides the explicit sLang assignment.
2026-06-21 12:22:16 +03:00
Benjamin Funke
fb7147c698 rename library_java to library_Java
Also added a reference to the Java website
2026-06-21 11:19:12 +02:00
DosX
4f6397516c dbs_min update 2026-06-21 12:14:04 +03:00
DosX
a5b91db3ad Refactor MSDOS rule filenames; set LSI C language
Renamed multiple db/MSDOS detection rule files to include category prefixes (compiler_, library_, protector_, self-displayer_, sfx_) for clearer organization. Cleared executable bits on LSI_C and Khrome_Crypt files (100755 → 100644). Added sLang = "C" to the LSI C detection rule to explicitly mark the language. No other functional changes.
2026-06-21 12:13:36 +03:00
DosX
20c1d39026 Set sLang in detectors; rename DB files
Populate sLang in several MS-DOS detector scripts so the detected language is recorded (Logitech_Modula-2.4: sLang = "Modula-2"; ASIC-Basic, ApBasic, BetterBASIC, Turbo_Basic: sLang = "Basic"). Also rename L_O_V_E__FORTH.4.sg to compiler_L_O_V_E__FORTH.4.sg and Phar_Lap.0a.sg to extender_Phar_Lap.0a.sg to standardize database file naming. No other logic changes.
2026-06-21 12:06:59 +03:00
DosX
9a03a2c257 Reclassify and rename MSDOS rule files
Rename multiple files in db/MSDOS to add category prefixes (e.g. converter_, extender_, packer_, protector_, self-displayer_) for clearer organization. Remove executable bit on several .sg files (mode 100755 -> 100644) and apply minor whitespace/line-ending normalization in a few detection rules (no functional changes).
2026-06-21 12:01:50 +03:00
DosX
798b437caa Add Rabby Wallet signature to heuristics
Append Rabby Wallet signature string to the PE heuristic list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of Rabby Wallet-related binaries.
2026-06-21 11:57:24 +03:00
DosX
d0fb016461 Remove sOptions assignment in MACH gcc detect
Stop forcing sOptions = "C/C++" in db/MACH/compiler_gcc.4.sg when libgcc_s.1.dylib is present. The detection now only sets bDetected, avoiding an unintended override of compiler option state elsewhere.
2026-06-21 11:40:53 +03:00
DosX
5890991148 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 11:38:47 +03:00
DosX
74a0883a84 Stop .NET header loop early; add OneKey Wallet sig
Limit iteration in scanForObfuscations_NET by adding an early-exit condition to the for loop (for ... && !isStrangeEpPosition) and remove the redundant break. Also append the OneKey signature string to the malicious signature array in scanForMaliciousCode_NET_and_Native so it is recognized by heuristics.
2026-06-21 11:38:44 +03:00
Benjamin Funke
6b276f63cb improve gcc MACH signature
Change bDetected types to = true to sync with our coding standards, remove a duplicated MACH variant which is already in use by the signature
2026-06-21 09:57:53 +02:00
Benjamin Funke
82469c4924 add reference for Delphi signature 2026-06-21 09:56:18 +02:00
Benjamin Funke
f38b4b9623 add references for NE signatures 2026-06-21 09:50:46 +02:00
Benjamin Funke
cc0e869a2b add references for PE signatures 2026-06-21 09:46:17 +02:00
Benjamin Funke
511c99562f add references to signatures 2026-06-20 22:32:01 +02:00