Performance and memory optimizations for the PE heuristic scanner:
- Tighten DOS-PDB scan loop to stop once pdbPathBeginOffset is found (avoids an extra break).
- Replace offset tables (k0_off/k1_off/k3_off) with typed Uint8Array to reduce allocations and improve access speed.
- Extract a single getDecryptedByte function (removed inner closure) to avoid per-call closure allocation and centralize decrypt logic.
- Add a fast-fail check for the most-significant byte of e_lfanew and simplify lfaNewOffset calculation to speed header validation.
- Replace multiple inline decryption calls with getDecryptedByte in verifyPeSignature for clarity and efficiency.
- Restructure the detection inner loop to early-continue on mismatches and apply lazy evaluation for arithmetic checks (ADD-SUB / SUB-REV) to reduce unnecessary work.
Behavior should be unchanged functionally while reducing CPU and memory overhead during scanning.
Cache section properties (offset, size, name) and replace direct PE.section accesses to improve readability and performance. Adjust skip logic to use cached sectionSize/sectionName. Expand scanning windows: scan .text of .NET assemblies up to 0x64000, increase data-like sections to 0x12000 and other sections to 0x6000 (previously smaller), to improve detection of encoded/encrypted payloads.
Replace inconsistent byte wildcard in a signature ("81 ED ?? ?? 01 20" -> "81 ED .. .. 01 20") to match the file's wildcard convention, and expand resource-name detection by adding a regex for obvious malicious names (TROJAN, VIRUS, MALWARE, DROPPER). An inline comment was added explaining the resource-name check; minor spacing was also adjusted.
Rename several database pages to standardized prefixes for clearer organization: db/LX/{PKZIP-SFX.1.sg,RAR-SFX.1.sg} -> db/LX/sfx_PKZIP-SFX.1.sg and db/LX/sfx_RAR-SFX.1.sg; db/MSDOS/{Microsoft_Fortran.4.sg,Microsoft_Quick_Basic.4.sg} -> db/MSDOS/compiler_Microsoft_Fortran.4.sg and db/MSDOS/compiler_Microsoft_Quick_Basic.4.sg. Files are unchanged (100% similarity); only filenames were updated to reflect type (sfx for self-extractors, compiler for compilers).
Rename db/LX/compiler_Borland_C.4.sg to db/LX/compiler_Borland_C++.4.sg and update the detect() function to set sLang from "C/C++" to "C++". This adjusts the file/name to explicitly represent the C++ compiler and aligns the language identifier accordingly; no other functional changes.
Refine the PE.NET detection in tool_de4dot.6.sg: accept either method_0 or smethod_0 and require either both GClass0 & GClass1 or both Class0 & Class1. Previously the check relied on smethod_0 and allowed a single GClass0 (or Class0+Class1), which could produce false positives; this change makes detection stricter and more accurate.
Add additional signature variants to the signsToCheck array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (scanForMaliciousCode_NET_and_Native). New entries cover different capitalizations and synonyms for file/cookie/wallet stealers (e.g. Grabfiles/stealfiles, GrabCookies, WalletsStealer/WalletsGrabber) to improve detection coverage for varied naming conventions.
Rename many db/MSDOS detection rules to include category prefixes (e.g. compiler_, extender_, immunizer_, linker_, protector_, other_) for clearer organization. Add sLang assignment for Microsoft_C rule to set "C" or "C/C++" based on sName. Normalize formatting/whitespace in several scripts and remove executable bit from a few rule files. No detection logic changes besides the explicit sLang assignment.
Renamed multiple db/MSDOS detection rule files to include category prefixes (compiler_, library_, protector_, self-displayer_, sfx_) for clearer organization. Cleared executable bits on LSI_C and Khrome_Crypt files (100755 → 100644). Added sLang = "C" to the LSI C detection rule to explicitly mark the language. No other functional changes.
Populate sLang in several MS-DOS detector scripts so the detected language is recorded (Logitech_Modula-2.4: sLang = "Modula-2"; ASIC-Basic, ApBasic, BetterBASIC, Turbo_Basic: sLang = "Basic"). Also rename L_O_V_E__FORTH.4.sg to compiler_L_O_V_E__FORTH.4.sg and Phar_Lap.0a.sg to extender_Phar_Lap.0a.sg to standardize database file naming. No other logic changes.
Rename multiple files in db/MSDOS to add category prefixes (e.g. converter_, extender_, packer_, protector_, self-displayer_) for clearer organization. Remove executable bit on several .sg files (mode 100755 -> 100644) and apply minor whitespace/line-ending normalization in a few detection rules (no functional changes).
Append Rabby Wallet signature string to the PE heuristic list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of Rabby Wallet-related binaries.
Stop forcing sOptions = "C/C++" in db/MACH/compiler_gcc.4.sg when libgcc_s.1.dylib is present. The detection now only sets bDetected, avoiding an unintended override of compiler option state elsewhere.
Limit iteration in scanForObfuscations_NET by adding an early-exit condition to the for loop (for ... && !isStrangeEpPosition) and remove the redundant break. Also append the OneKey signature string to the malicious signature array in scanForMaliciousCode_NET_and_Native so it is recognized by heuristics.
Extend the PE.compare pattern used to skip bitmap resources by adding extra trailing zero bytes to the signature, reducing false positives when determining resource types. Also perform minor whitespace/formatting cleanups in heuristic functions (isNameObfuscated and scanForLanguagesAndCompilers) to improve readability.
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Replace the fixed immediate bytes in the heuristic pattern (was `81 ED 32 6F 01 20`) with wildcards (`81 ED ?? ?? 01 20`) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This relaxes the signature for the `sub ebp, imm` instruction so the rule can match more binary variants while keeping the surrounding instruction sequence intact for detection.
Introduce a percentageOfRiskScore variable to avoid recomputing the risk expression and clamp it to 100. Use this variable in the verdict details string and append the mayBeInfected note when the computed percentage is below 70%, improving readability and providing conditional infection context.
Extracted a reusable scanArea(areaOffset, areaSize) helper to centralize base64/anchor scanning and replaced global/unicode scanning with targeted scans. Add targeted scanning of PE sections, unmanaged resources and the overlay (gated by packer/protector results), with optimizations to skip unlikely sections (small sections, common .text/.rsrc/.idata/.reloc cases) and to only target large resources (>4KB) while skipping bitmaps. Also renamed/cleaned up offset variables and simplified encrypted-payload scanning logic by consolidating maxScanSize/dataBuffer creation and removing redundant conditionals. These changes improve performance and detection coverage.
Update the section name pattern from /^\.(?:r)?data$/i to /^\.[rex]?data$/i so .edata and .xdata (in addition to .rdata and .data) are recognized and get the larger scan size when scanning for malicious code.
Replace simple signature variants with robust Base64 payload detection for both ASCII and UTF-16LE encodings. The patch checks for "TV" + raw postfix bytes in the DOS stub (ASCII) and searches for a UTF-16LE "TV" anchor plus Unicode signature masks, sets a base64Version flag, and emits an "Encoded executable payload" verdict including the encoding (Base64, ASCII/UTF-16LE). Removes the prior validateGlobalUnicodeString/validateSignature path and consolidates detection logic.
Update comment to explicitly state the heuristic detects encrypted PE files in resources, sections, and overlay via KPA (Known Plaintext Attack). This is a documentation-only change to clarify detection scope; no functional code changes.
