Commit graph

4,813 commits

Author SHA1 Message Date
DosX
9853fdc223 Rename MSDOS rule files; adjust RM_FORTRAN mode
Rename several MSDOS detection rule files to include category prefixes and improve organization. Files renamed:
- db/MSDOS/RM_FORTRAN.4.sg -> db/MSDOS/compiler_RM_FORTRAN.4.sg (mode changed 100755 -> 100644; only whitespace/formatting normalized, no detection logic change)
- db/MSDOS/REC_small_AV.1.sg -> db/MSDOS/immunizer_REC_small_AV.1.sg
- db/MSDOS/RLE_com-packer.2.sg -> db/MSDOS/packer_RLE_com-packer.2.sg
- db/MSDOS/REC_small.1.sg -> db/MSDOS/protector_REC_small.1.sg
- db/MSDOS/anti-tracing_add-on.1.sg -> db/MSDOS/protector_anti-tracing_add-on.1.sg

No functional changes to detection rules aside from the noted formatting and permission adjustment.
2026-06-21 13:09:22 +03:00
DosX
82e408f2df Rename DB files to sfx_ and compiler_ prefixes
Rename several database pages to standardized prefixes for clearer organization: db/LX/{PKZIP-SFX.1.sg,RAR-SFX.1.sg} -> db/LX/sfx_PKZIP-SFX.1.sg and db/LX/sfx_RAR-SFX.1.sg; db/MSDOS/{Microsoft_Fortran.4.sg,Microsoft_Quick_Basic.4.sg} -> db/MSDOS/compiler_Microsoft_Fortran.4.sg and db/MSDOS/compiler_Microsoft_Quick_Basic.4.sg. Files are unchanged (100% similarity); only filenames were updated to reflect type (sfx for self-extractors, compiler for compilers).
2026-06-21 12:46:12 +03:00
DosX
bb3351fdbb Rename Borland C to C++ and update sLang
Rename db/LX/compiler_Borland_C.4.sg to db/LX/compiler_Borland_C++.4.sg and update the detect() function to set sLang from "C/C++" to "C++". This adjusts the file/name to explicitly represent the C++ compiler and aligns the language identifier accordingly; no other functional changes.
2026-06-21 12:44:48 +03:00
DosX
b0f6c22d8d Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:43:23 +03:00
DosX
86151c660f Strengthen de4dot .NET detection logic
Refine the PE.NET detection in tool_de4dot.6.sg: accept either method_0 or smethod_0 and require either both GClass0 & GClass1 or both Class0 & Class1. Previously the check relied on smethod_0 and allowed a single GClass0 (or Class0+Class1), which could produce false positives; this change makes detection stricter and more accurate.
2026-06-21 12:43:13 +03:00
Benjamin Funke
3c0c6b8a53 add references to LX signatures 2026-06-21 11:31:02 +02:00
Benjamin Funke
fa082ddaf1 add references to MACH signatures 2026-06-21 11:29:03 +02:00
DosX
dac2016dfb Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:26:31 +03:00
DosX
3113bca5ed Expand malware signature list with more variants
Add additional signature variants to the signsToCheck array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (scanForMaliciousCode_NET_and_Native). New entries cover different capitalizations and synonyms for file/cookie/wallet stealers (e.g. Grabfiles/stealfiles, GrabCookies, WalletsStealer/WalletsGrabber) to improve detection coverage for varied naming conventions.
2026-06-21 12:26:22 +03:00
Benjamin Funke
96836f65dc redefine Virbox signature as protector 2026-06-21 11:25:36 +02:00
DosX
e087251e33 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 12:22:27 +03:00
DosX
f249f403a6 Categorize and rename MSDOS rule files
Rename many db/MSDOS detection rules to include category prefixes (e.g. compiler_, extender_, immunizer_, linker_, protector_, other_) for clearer organization. Add sLang assignment for Microsoft_C rule to set "C" or "C/C++" based on sName. Normalize formatting/whitespace in several scripts and remove executable bit from a few rule files. No detection logic changes besides the explicit sLang assignment.
2026-06-21 12:22:16 +03:00
Benjamin Funke
fb7147c698 rename library_java to library_Java
Also added reference to the Java website
2026-06-21 11:19:12 +02:00
DosX
4f6397516c dbs_min update 2026-06-21 12:14:04 +03:00
DosX
a5b91db3ad Refactor MSDOS rule filenames; set LSI C language
Renamed multiple db/MSDOS detection rule files to include category prefixes (compiler_, library_, protector_, self-displayer_, sfx_) for clearer organization. Cleared executable bits on LSI_C and Khrome_Crypt files (100755 → 100644). Added sLang = "C" to the LSI C detection rule to explicitly mark the language. No other functional changes.
2026-06-21 12:13:36 +03:00
DosX
20c1d39026 Set sLang in detectors; rename DB files
Populate sLang in several MS-DOS detector scripts so the detected language is recorded (Logitech_Modula-2.4: sLang = "Modula-2"; ASIC-Basic, ApBasic, BetterBASIC, Turbo_Basic: sLang = "Basic"). Also rename L_O_V_E__FORTH.4.sg to compiler_L_O_V_E__FORTH.4.sg and Phar_Lap.0a.sg to extender_Phar_Lap.0a.sg to standardize database file naming. No other logic changes.
2026-06-21 12:06:59 +03:00
DosX
9a03a2c257 Reclassify and rename MSDOS rule files
Rename multiple files in db/MSDOS to add category prefixes (e.g. converter_, extender_, packer_, protector_, self-displayer_) for clearer organization. Remove executable bit on several .sg files (mode 100755 -> 100644) and apply minor whitespace/line-ending normalization in a few detection rules (no functional changes).
2026-06-21 12:01:50 +03:00
DosX
798b437caa Add Rabby Wallet signature to heuristics
Append Rabby Wallet signature string to the PE heuristic list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of Rabby Wallet-related binaries.
2026-06-21 11:57:24 +03:00
DosX
d0fb016461 Remove sOptions assignment in MACH gcc detect
Stop forcing sOptions = "C/C++" in db/MACH/compiler_gcc.4.sg when libgcc_s.1.dylib is present. The detection now only sets bDetected, avoiding an unintended override of compiler option state elsewhere.
2026-06-21 11:40:53 +03:00
DosX
5890991148 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-21 11:38:47 +03:00
DosX
74a0883a84 Stop .NET header loop early; add OneKey Wallet sig
Limit iteration in scanForObfuscations_NET by adding an early-exit condition to the for loop (for ... && !isStrangeEpPosition) and remove the redundant break. Also append the OneKey signature string to the malicious signature array in scanForMaliciousCode_NET_and_Native so it is recognized by heuristics.
2026-06-21 11:38:44 +03:00
Benjamin Funke
6b276f63cb improve gcc MACH signature
Change bDetected types to = true to sync our coding standards, remove a duplicated MACH variant which is already in use by the signature
2026-06-21 09:57:53 +02:00
Benjamin Funke
82469c4924 add reference for Delphi signature 2026-06-21 09:56:18 +02:00
Benjamin Funke
f38b4b9623 add references for NE signatures 2026-06-21 09:50:46 +02:00
Benjamin Funke
cc0e869a2b add references for PE signatures 2026-06-21 09:46:17 +02:00
Benjamin Funke
511c99562f add references to signatures 2026-06-20 22:32:01 +02:00
Benjamin Funke
f46b3ca1ac remove newlines in MS-XNA/KTX signature 2026-06-20 21:36:33 +02:00
DosX
cf5a235a54 dbs_min update 2026-06-20 19:44:12 +03:00
DosX
10b6350cb5 Extend PE compare signature; minor formatting
Extend the PE.compare pattern used to skip bitmap resources by adding extra trailing zero bytes to the signature, reducing false positives when determining resource types. Also perform minor whitespace/formatting cleanups in heuristic functions (isNameObfuscated and scanForLanguagesAndCompilers) to improve readability.
2026-06-20 19:43:24 +03:00
DosX
d77aa6f6dd Skip empty/small sections during entropy scan
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
2026-06-20 19:33:40 +03:00
DosX
10fa1b1822 Only skip tiny sections when sectionOffset > 0
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
2026-06-20 16:09:22 +03:00
DosX
16aff736fc dbs_min update 2026-06-20 15:59:58 +03:00
DosX
722077df81 Allow wildcards in sub ebp immediate pattern
Replace the fixed immediate bytes in the heuristic pattern (was `81 ED 32 6F 01 20`) with wildcards (`81 ED ?? ?? 01 20`) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This relaxes the signature for the `sub ebp, imm` instruction so the rule can match more binary variants while keeping the surrounding instruction sequence intact for detection.
2026-06-20 15:59:50 +03:00
DosX
eb07d5723d Refactor risk score calc and verdict details
Introduce a percentageOfRiskScore variable to avoid recomputing the risk expression and clamp it to 100. Use this variable in the verdict details string and append the mayBeInfected note when the computed percentage is below 70%, improving readability and providing conditional infection context.
2026-06-20 08:06:00 +03:00
DosX
ddcb553e3f dbs_min update 2026-06-20 07:42:54 +03:00
DosX
7c7194f655 Refactor scanning: extract scanArea and improve heuristics
Extracted a reusable scanArea(areaOffset, areaSize) helper to centralize base64/anchor scanning and replaced global/unicode scanning with targeted scans. Add targeted scanning of PE sections, unmanaged resources and the overlay (gated by packer/protector results), with optimizations to skip unlikely sections (small sections, common .text/.rsrc/.idata/.reloc cases) and to only target large resources (>4KB) while skipping bitmaps. Also renamed/cleaned up offset variables and simplified encrypted-payload scanning logic by consolidating maxScanSize/dataBuffer creation and removing redundant conditionals. These changes improve performance and detection coverage.
2026-06-20 07:42:34 +03:00
DosX
f22203954f Extend section name regex to match .edata/.xdata
Update the section name pattern from /^\.(?:r)?data$/i to /^\.[rex]?data$/i so .edata and .xdata (in addition to .rdata and .data) are recognized and get the larger scan size when scanning for malicious code.
2026-06-20 06:02:20 +03:00
DosX
3a4f9a10e6 Detect ASCII/UTF-16LE Base64 payloads
Replace simple signature variants with robust Base64 payload detection for both ASCII and UTF-16LE encodings. The patch checks for "TV" + raw postfix bytes in the DOS stub (ASCII) and searches for a UTF-16LE "TV" anchor plus Unicode signature masks, sets a base64Version flag, and emits an "Encoded executable payload" verdict including the encoding (Base64, ASCII/UTF-16LE). Removes the prior validateGlobalUnicodeString/validateSignature path and consolidates detection logic.
2026-06-20 05:59:25 +03:00
DosX
90db1886d7 dbs_min update 2026-06-19 17:53:21 +03:00
DosX
88548b7a0b Clarify detection scope in comment
Update comment to explicitly state the heuristic detects encrypted PE files in resources, sections, and overlay via KPA (Known Plaintext Attack). This is a documentation-only change to clarify detection scope; no functional code changes.
2026-06-19 17:52:58 +03:00
DosX
0ab54f846c Label payloads as executable and skip PE sections
Update verdict labels to specify "executable" for Base64 and encrypted payloads for clarity. Add an optimization comment and additional checks to skip scanning common PE sections (.rsrc, .idata, .reloc) when they're unlikely to contain encrypted payloads, and reorder a conditional for the entry-point/.text check to be more robust.
2026-06-19 17:49:09 +03:00
DosX
0a74ea574a Optimize PE scan loop and hex decoding
Performance and readability refactor of the PE heuristic scanner.

- Introduce Uint8Arr alias (fallback to Array) and a hexLUT typed lookup table for fast hex-to-byte decoding.
- Replace dynamic per-byte hex parsing with LUT and allocate decoded buffers as Uint8Arr to reduce overhead.
- Refactor scanBuffer: hoist variables, minimize re-computation, and apply lazy evaluation for alternative decryption checks (ADD/SUB and SUB/REV) to short-circuit work when XOR/XNOR matches.
- Minor cleanup of PE header offset assignment/comment.

Changes are intended to improve speed and reduce allocations while preserving existing verification logic.
2026-06-19 11:45:39 +03:00
DosX
b92aeb6e9a Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-19 11:22:34 +03:00
DosX
5f45111d01 Refactor getDecrypted and add conhost.exe
Change the inner getDecrypted implementation to a named function with combined variable declarations and clearer multiline ternary formatting for readability; no functional change to the decryption logic. Also add "conhost.exe" to systemFileNamesDict so the console host is treated as a system-signed filename.
2026-06-19 11:22:31 +03:00
Benjamin Funke
f4aa94179a add ObjGrid signature 2026-06-19 01:18:10 +02:00
Benjamin Funke
d7ce667b68 add FluidSynth signature 2026-06-19 00:45:21 +02:00
Benjamin Funke
8d8fa5f773 add DWMAPI signature 2026-06-19 00:16:31 +02:00
Kaens
d74d71aa29 audio.1.sg now has unique format IDs for parsing + extra
(see Kaens/audio1sg for details)
2026-06-18 20:06:01 +02:00
DosX
400ed3f5d9 dbs_min update 2026-06-18 19:34:33 +03:00
DosX
8dc9261189 Support SUB-REV mode and PE verification fix
Add detection/support for a new SUB-REV (arithmetic-reverse) decryption mode: introduce mode 2 in verifyPeSignature and extend the universal decryptor return to handle SUB-REV. Compute reverse expected bytes (e0_rev/e1_rev) and add a matching detection branch. Also fix PE header offset handling (avoid double addition of peStartOffset) and normalize algorithm labels (e.g. "XOR-XNOR", "ADD-SUB") and the verdict version string to include "Algo: ". These changes improve heuristic coverage for encrypted PE payloads using reversed subtraction schemes.
2026-06-18 19:34:17 +03:00