Normalize indentation and spacing across multiple YARA rule files. Changes are whitespace/formatting-only (alignment of comments, blocks, and string sections) and do not modify rule logic or conditions. Updated files: yara_rules/DiE_BasicHeuristics_by_DosX.yar, yara_rules/DiE_EnhancedHeuristics_by_DosX.yar, yara_rules/DiE_InterestingThings_by_DosX.yar, yara_rules/crypto_signature.yar, yara_rules/malware_analisys.yar, yara_rules/packer.yar, yara_rules/packer_compiler_signatures.yar, yara_rules/peid.yar.
Consolidate spaced byte-wildcards across many YARA signatures in yara_rules/peid.yar (e.g. "?? ?? ??" -> "??????" and similar) to make wildcard runs consistent and more compact. This is a bulk normalization change to improve readability and ensure uniform pattern expressions across multiple rules at the PE entry-point signatures.
Normalize indentation and formatting in yara_rules/packer_compiler_signatures.yar: convert tabs/irregular spacing to consistent spaces, align comments and condition blocks, and standardize meta/strings formatting across many rules. This is a whitespace/style-only change — no detection logic or rule conditions were altered.
Reformat yara_rules/packer.yar: standardize 'meta' author lines and normalize hex string patterns for readability and consistency. Consecutive 00 bytes and wildcard groups (??) were compacted/standardized, spacing in byte sequences was unified, and several pattern placeholders were adjusted to a consistent notation. No functional rule logic was changed—these are formatting/normalization edits to make maintenance of YARA signatures easier.
Reformatted yara_rules/malware_analisys.yar by merging multi-line "condition:" labels and their expressions onto single lines across many rules for consistent styling and readability. These are purely formatting/whitespace changes and do not alter rule logic.
Refactor many YARA rule string literals to collapse repeated byte sequences (e.g. runs of 0x00, 0x90, etc.) into compact continuous hex tokens across multiple rules. This normalizes formatting of the pe.entry_point patterns for readability and consistency without changing rule conditions or semantics.
Normalize formatting in yara_rules/peid.yar by collapsing multi-line 'strings' and 'condition' blocks into single-line declarations and adjusting indentation across many rules. This is purely a stylistic/whitespace change to make the file more compact; no rule logic or signatures were modified.
Introduce two YARA rules to detect PE signature/trust anomalies under a new section: Anomaly__AuthenticodeCorrupt (flags a present security directory with size smaller than a minimal PKCS#7 structure, ~8 bytes) and Anomaly__SecurityDirPointsBeyondFile (flags when the security directory offset + size exceeds the file size, indicating appended or corrupt data). Both rules target PE files and inspect pe.data_directories[4].
Append several structural/whole-file heuristic YARA rules to detect anomalous PE characteristics often associated with packers or custom toolchains. Rules added: TinyPE (filesize < 1KB), DOSStubMissing (e_lfanew < 0x50 indicating no DOS stub), DOSStubCustom (missing standard DOS stub strings), SelfModifyingHeaders (PE header located in a writable section), WholeFileHighEntropy (overall entropy > 7.0 for files >4KB), and VersionInfoMissing (native non-DLL PE with no version resource). Includes comments and detection thresholds explaining the rationale for each heuristic.
Introduce two YARA rules to detect anomalous resources in PE files:
- Anomaly__ResourceHighEntropy: flags .rsrc sections >4KB with entropy >7.4 (used to catch likely encrypted/compressed payloads while acknowledging legitimate high-entropy resources like PNG/JPEG).
- Anomaly__ResourceDominatedBinary: flags PE files where a .rsrc section comprises >90% of the file size (possible embedded payload), excluding DLLs to reduce false positives.
Also adds a Resource anomalies comment header for organization.
Introduce three YARA rules to detect PE data-directory anomalies: TLS callbacks (potential anti-debug/evasion), stripped debug directory despite a Rich header, and presence of CLR metadata in a PE with many native imports (mixed .NET/native). Rules check relevant data_directories indices (TLS=9, DEBUG=6, CLR=14), Rich signature, size, and import count to flag suspicious or uncommon binaries.
Introduce three new YARA rules detecting suspicious PE TimeDateStamp values: FutureTimestamp (pe.timestamp > Jan 1, 2026), AncientTimestamp (pe.timestamp < Jan 1, 1990 and not zero), and ZeroTimestamp (pe.timestamp == 0). These heuristics help flag likely forged, pre-PE-era, or intentionally stripped timestamps for further analysis.
Add two YARA rules to detect suspicious overlays in PE files: Anomaly__LargeOverlay (flags overlays larger than 50% of the file, indicating possible embedded payloads) and Anomaly__OverlayPresent (flags overlays >1KB with entropy >7.0, indicating compressed/encrypted data). These heuristics help surface appended data that may contain hidden or packed content for further analysis.
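For readers who want to see what the Authenticode, timestamp and overlay heuristics described in the last few commits look like in YARA syntax, here is an added illustration. It is not the repository's own code and reuses none of its rule names; the `Example_` prefix, the private `Example_IsPE` helper and the thresholds are assumptions modelled on the commit descriptions (security directory smaller than 8 bytes, overlay larger than half the file, overlay above 1 KB with entropy above 7.0, timestamps after 2026-01-01 or before 1990-01-01).

```yara
import "pe"
import "math"

// Added illustration only; not the project's rules. Names and thresholds are assumptions.

private rule Example_IsPE
{
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}

rule Example_Anomaly_AuthenticodeCorrupt
{
    meta:
        description = "Security directory present but smaller than any valid PKCS#7 blob"
    condition:
        // For the security directory the VirtualAddress field is a raw file offset,
        // not an RVA, so a non-zero value means a signature blob is claimed to exist.
        Example_IsPE and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address != 0 and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size != 0 and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size < 8
}

rule Example_Anomaly_SecurityDirPointsBeyondFile
{
    meta:
        description = "Security directory offset plus size runs past the end of the file"
    condition:
        Example_IsPE and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address != 0 and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address +
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > filesize
}

rule Example_Anomaly_LargeOverlay
{
    meta:
        description = "Data appended after the last section makes up more than half the file"
    condition:
        Example_IsPE and
        pe.overlay.size > 0 and
        pe.overlay.size * 2 > filesize
}

rule Example_Anomaly_OverlayHighEntropy
{
    meta:
        description = "Overlay above 1 KB with entropy typical of compressed or encrypted data"
    condition:
        Example_IsPE and
        pe.overlay.size > 1024 and
        math.entropy(pe.overlay.offset, pe.overlay.size) > 7.0
}

rule Example_Anomaly_FutureTimestamp
{
    condition:
        // 1767225600 is 2026-01-01 00:00:00 UTC
        Example_IsPE and pe.timestamp > 1767225600
}

rule Example_Anomaly_AncientTimestamp
{
    condition:
        // 631152000 is 1990-01-01 00:00:00 UTC; zero is handled by the next rule
        Example_IsPE and pe.timestamp != 0 and pe.timestamp < 631152000
}

rule Example_Anomaly_ZeroTimestamp
{
    condition:
        Example_IsPE and pe.timestamp == 0
}
```

Two practical notes for anyone adapting this: `pe.overlay` needs YARA 4.1 or later, and the timestamp rules will fire on reproducible builds (for example MSVC's `/Brepro`), which store a hash of the image rather than a build time in `TimeDateStamp`, so they are best treated as triage signals to be reviewed alongside signing and linker information rather than as verdicts on their own.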
Add three import-related heuristics to DiE_EnhancedHeuristics_by_DosX.yar to detect suspicious PE import tables: Anomaly__NoImports (native PE with zero imports, excluding DLLs), Anomaly__SingleImportDll (native PE with exactly one import DLL), and Anomaly__SuspiciousMinimalImports (PEs importing only LoadLibrary[AW] and GetProcAddress). These rules help flag likely packed/crypted executables that resolve APIs manually and supplement existing entry-point/int3 heuristics.
Introduce a new "Entry point anomalies" block with multiple YARA rules to detect suspicious PE entry-point placements and characteristics. Adds rules: Anomaly__EntryPointInLastSection (EP in last section, common for appended code/packers), Anomaly__EntryPointInNonCodeSection (EP inside a section without CODE flag), Anomaly__EntryPointOutsideAnySections (EP not in any section, skips DLLs and zero EP, ignores sections with no raw data), Anomaly__EPStartsWithNops (EP begins with a 4+ NOP sled), and Anomaly__EPStartsWithInt3 (EP begins with INT3). Rules use raw file offsets for pe.entry_point and include guards to reduce false positives.
Add multiple YARA rules to detect PE section anomalies commonly associated with packers, obfuscators, or tampered binaries. New rules cover: writable+executable code sections, executable .data/.rdata/.bss, empty or non-printable section names, sections with zero raw size but non-zero virtual size and execute flag, raw data extending beyond file size, virtual size much larger than raw size (excluding .bss), high-entropy sections (excluding .rsrc), and duplicate section names. These heuristics improve detection of suspicious PE files for further analysis.
Add new YARA rules (yara_rules/DiE_EnhancedHeuristics_by_DosX.yar) for the Detect It Easy project authored by DosX. The file imports pe and math and defines reusable predicates (IsPE, IsNative, Is64) plus multiple PE header anomaly rules to detect suspicious or tampered PE files (e.g. zero-sized optional header, suspicious image base, zero entry point, entry point beyond image, invalid/tiny alignments, checksum mismatch, zero size_of_image, large section counts, suspicious subsystem, and forced integrity dll characteristic). These heuristics help flag manually crafted, packed, or corrupted binaries; copyright/author metadata is retained in the file.
Reformat YARA rule declarations across yara_rules/crypto_signature.yar, yara_rules/packer.yar and yara_rules/packer_compiler_signatures.yar by moving the opening brace onto the same line as the `rule` name and cleaning up surrounding blank lines/indentation. These are non-functional, stylistic changes to improve consistency and readability; rule logic and string conditions were not altered.
Update yara_rules/peid.yar by stripping the ': PEiD' module/inheritance specifier from numerous rule declarations, converting them to plain 'rule <Name>' forms. Also apply minor formatting cleanup across the file to improve YARA compatibility and consistency.
Introduced a new YARA rule 'Linker__Microsoft_Linker' that triggers when the Rich signature is present, leveraging the existing IsRichSignPresent rule.
Simplified the React OS detection logic in db/PE/_PE.0.sg and removed an unnecessary blank line in db/PE/AverCryptor.2.sg. Cleaned up formatting in the DiE_InterestingThings_by_DosX.yar YARA rules file. Also removed screenshot.jpg from the repository.
Added '.securom' and '.dsstext' as additional SecuROM indicators in the heuristic analysis script. Introduced a new YARA rule to detect SecuROM by checking for a '.securom' section in PE files.
Introduces a new rule 'Packer__BoxedApp' to identify PE files packed with BoxedApp by checking for '.bxpck' and '.main' section names. This enhances detection capabilities for packed executables.
Added a header comment to the Py2exe.1.sg rule file for clarity. Introduced a new YARA rule to detect py2exe-packed PE files by checking for the 'PyArg_ParseTuple' export.
Introduced two new rules: Packer__PEPack and Packer__SoftwareCompress. These rules detect PE files packed with PEPack and SoftwareCompress by checking for specific section names in the PE headers.
Renamed DosX_Heuristic.yar and DosX_InterestingThings.yar to DiE_BasicHeuristics_by_DosX.yar and DiE_InterestingThings_by_DosX.yar, respectively. Added comments indicating these modules are specifically for the Detect It Easy project and to retain copyright information.
Introduces detection rules for VPacker and XPack packers. The VPacker rule matches a specific byte pattern at the PE entry point, while the XPack rule checks for a section named '.XPack0'.
Introduced a private IsPE rule to check for PE files and updated multiple rules to require IsPE in their conditions. This ensures that rules only match on PE files, improving accuracy and reducing false positives.
Added new private rules for detecting 32-bit and DLL PE files, improved formatting and readability, and expanded comments for clarity. Updated conditions in several rules to use the new helpers and improved string/condition formatting for consistency.
Introduces a new set of YARA rules in DosX_InterestingThings.yar for identifying various PE file characteristics, including .NET Native, Qt Framework, UPX and MPRESS packers, and obfus.h protection. These rules help in automated detection and classification of Windows executables.
Introduces several new YARA rulesets: DosX_Heuristic.yar for obfuscation, packing, and anti-analysis detection; crypto_signature.yar for identifying cryptographic constants, algorithms, and related malware signatures; malware_analisys.yar, packer.yar, packer_compiler_signatures.yar, and peid.yar for further malware, packer, and PE analysis. These rules enhance the detection capabilities for malware analysis and reverse engineering workflows.