Renamed multiple db/MSDOS detection rule files to include category prefixes (compiler_, library_, protector_, self-displayer_, sfx_) for clearer organization. Cleared executable bits on LSI_C and Khrome_Crypt files (100755 → 100644). Added sLang = "C" to the LSI C detection rule to explicitly mark the language. No other functional changes.
Populate sLang in several MS-DOS detector scripts so the detected language is recorded (Logitech_Modula-2.4: sLang = "Modula-2"; ASIC-Basic, ApBasic, BetterBASIC, Turbo_Basic: sLang = "Basic"). Also rename L_O_V_E__FORTH.4.sg to compiler_L_O_V_E__FORTH.4.sg and Phar_Lap.0a.sg to extender_Phar_Lap.0a.sg to standardize database file naming. No other logic changes.
Rename multiple files in db/MSDOS to add category prefixes (e.g. converter_, extender_, packer_, protector_, self-displayer_) for clearer organization. Remove executable bit on several .sg files (mode 100755 -> 100644) and apply minor whitespace/line-ending normalization in a few detection rules (no functional changes).
Append Rabby Wallet signature string to the PE heuristic list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of Rabby Wallet-related binaries.
Stop forcing sOptions = "C/C++" in db/MACH/compiler_gcc.4.sg when libgcc_s.1.dylib is present. The detection now only sets bDetected, avoiding an unintended override of compiler option state elsewhere.
Limit iteration in scanForObfuscations_NET by adding an early-exit condition to the for loop (for ... && !isStrangeEpPosition) and remove the redundant break. Also append the OneKey signature string to the malicious signature array in scanForMaliciousCode_NET_and_Native so it is recognized by heuristics.
Extend the PE.compare pattern used to skip bitmap resources by adding extra trailing zero bytes to the signature, reducing false positives when determining resource types. Also perform minor whitespace/formatting cleanups in heuristic functions (isNameObfuscated and scanForLanguagesAndCompilers) to improve readability.
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Replace the fixed immediate bytes in the heuristic pattern (was `81 ED 32 6F 01 20`) with wildcards (`81 ED ?? ?? 01 20`) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This relaxes the signature for the `sub ebp, imm` instruction so the rule can match more binary variants while keeping the surrounding instruction sequence intact for detection.
Introduce a percentageOfRiskScore variable to avoid recomputing the risk expression and clamp it to 100. Use this variable in the verdict details string and append the mayBeInfected note when the computed percentage is below 70%, improving readability and providing conditional infection context.
Extracted a reusable scanArea(areaOffset, areaSize) helper to centralize base64/anchor scanning and replaced global/unicode scanning with targeted scans. Add targeted scanning of PE sections, unmanaged resources and the overlay (gated by packer/protector results), with optimizations to skip unlikely sections (small sections, common .text/.rsrc/.idata/.reloc cases) and to only target large resources (>4KB) while skipping bitmaps. Also renamed/cleaned up offset variables and simplified encrypted-payload scanning logic by consolidating maxScanSize/dataBuffer creation and removing redundant conditionals. These changes improve performance and detection coverage.
Update the section name pattern from /^\.(?:r)?data$/i to /^\.[rex]?data$/i so .edata and .xdata (in addition to .rdata and .data) are recognized and get the larger scan size when scanning for malicious code.
Replace simple signature variants with robust Base64 payload detection for both ASCII and UTF-16LE encodings. The patch checks for "TV" + raw postfix bytes in the DOS stub (ASCII) and searches for a UTF-16LE "TV" anchor plus Unicode signature masks, sets a base64Version flag, and emits an "Encoded executable payload" verdict including the encoding (Base64, ASCII/UTF-16LE). Removes the prior validateGlobalUnicodeString/validateSignature path and consolidates detection logic.
Update comment to explicitly state the heuristic detects encrypted PE files in resources, sections, and overlay via KPA (Known Plaintext Attack). This is a documentation-only change to clarify detection scope; no functional code changes.
Update verdict labels to specify "executable" for Base64 and encrypted payloads for clarity. Add an optimization comment and additional checks to skip scanning common PE sections (.rsrc, .idata, .reloc) when they're unlikely to contain encrypted payloads, and reorder a conditional for the entry-point/.text check to be more robust.
Performance and readability refactor of the PE heuristic scanner.
- Introduce Uint8Arr alias (fallback to Array) and a hexLUT typed lookup table for fast hex-to-byte decoding.
- Replace dynamic per-byte hex parsing with LUT and allocate decoded buffers as Uint8Arr to reduce overhead.
- Refactor scanBuffer: hoist variables, minimize re-computation, and apply lazy evaluation for alternative decryption checks (ADD/SUB and SUB/REV) to short-circuit work when XOR/XNOR matches.
- Minor cleanup of PE header offset assignment/comment.
Changes are intended to improve speed and reduce allocations while preserving existing verification logic.
Change the inner getDecrypted implementation to a named function with combined variable declarations and clearer multiline ternary formatting for readability; no functional change to the decryption logic. Also add "conhost.exe" to systemFileNamesDict so the console host is treated as a system-signed filename.
Add detection/support for a new SUB-REV (arithmetic-reverse) decryption mode: introduce mode 2 in verifyPeSignature and extend the universal decryptor return to handle SUB-REV. Compute reverse expected bytes (e0_rev/e1_rev) and add a matching detection branch. Also fix PE header offset handling (avoid double addition of peStartOffset) and normalize algorithm labels (e.g. "XOR-XNOR", "ADD-SUB") and the verdict version string to include "Algo: ". These changes improve heuristic coverage for encrypted PE payloads using reversed subtraction schemes.
Eliminate the unnecessary .replace(/\s/g,'') call when obtaining the hex signature in scanForMaliciousCode_NET_and_Native (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg). PE.getSignature already provides the expected format, so this avoids redundant processing and preserves the original returned string.
Adjust the maxScanSize calculation in scanForMaliciousCode_NET_and_Native so non-.rdata PE sections are scanned up to 0x3000 bytes (was 0x2500). .rdata sections remain capped at 0x6000. This expands the scan window to improve detection coverage for larger sections.
Introduce getDecodedBuffer(offset, size) to decode PE.getSignature hex strings into byte arrays and replace three duplicated decoding loops (resources, overlay, sections) with calls to this helper. This reduces code duplication, improves readability and maintainability, and preserves existing scanBuffer behavior. Also removes a stray blank line.
Use lfaNewOffset directly for the PE header offset (avoids adding peStartOffset incorrectly). Normalize hex signatures by removing whitespace and uppercasing lowercase hex chars before byte conversion (applied to resource, overlay and section scans). Increase overlay scan limit from 0x1000 to 0x14000 to allow scanning larger overlays. These changes improve signature parsing reliability and broaden scanning coverage.
Coerce the computed e_lfanew to an unsigned 32-bit value using >>> 0 to avoid negative/incorrect offsets. Also tighten the remaining-buffer length passed to verifyPeSignature from (bufferSize - j - 4) to (bufferSize - j - 0x20) in both signature-check branches to avoid overly permissive/unsafe verification and reduce risk of out-of-bounds reads.
Lower max scan size for resource and overlay scans from 0x2000 to 0x1000 to reduce scanning work, and add a new section-scanning pass to detect encrypted payloads. The new loop skips obvious benign sections (entry-point .text and .rsrc) and only scans large sections (>0x2500), using a larger window for data-like sections (.data/.rdata). Hex signatures are converted to a byte buffer and fed to scanBuffer; if a match is found isEncPePresent is set to true.
Extract repeated KPA scanning logic into a scanBuffer helper to avoid duplication and simplify resource scanning. Extend detection to include PE overlays (in addition to resources), reading up to 0x2000 bytes of overlay data (only if overlaySize > 0x1000 and the PE is unsigned) and converting the hex signature into a data buffer before scanning. Updated comment to reflect overlay support and preserved existing multi-algorithm/key-length verification via verifyPeSignature.
Reduce the allowed NumberOfSections upper bound from 96 to 48 to tighten PE header validation and reduce false positives. Increase the targeted resource payload threshold from 0x300 (768 bytes) to 0x1000 (4096 bytes) so the heuristic focuses on larger payloads; the comment was updated accordingly. Changes made in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Add KPA-based detection for encrypted PE files embedded in resources, supporting multiple algorithms (XOR/XNOR and ADD/SUB) and key lengths up to 20 bytes. Replace isXorPePresent with a generic isEncPePresent and track detectedAlgo. Introduce mode-aware decryptor and stronger PE header verification (checks for PE signature, Optional Header magic, NumberOfSections and Characteristics). Adjust resource size/scan thresholds and skip bitmap-like resources. Report encrypted payloads with detected algorithm type.
Expand the Known-Plaintext Attack (KPA) support from 16 to 20-byte keys by resizing offset arrays and updating loops; document that 20 bytes is the mathematical maximum for this O(1) KPA using the e_res2 20-byte zero block. Replace throw string with throw new Error for consistent error objects. Increase minimum resource size check from 0x100 to 0x800 (2 KB) to avoid scanning tiny resources, remove noisy debug/key-dump logging, and simplify fast-fail logic and comments for clearer, slightly faster XOR-PE detection.
