Commit graph

4,790 commits

Author SHA1 Message Date
Benjamin Funke
f38b4b9623 add references for NE signatures 2026-06-21 09:50:46 +02:00
Benjamin Funke
cc0e869a2b add references for PE signatures 2026-06-21 09:46:17 +02:00
Benjamin Funke
511c99562f add references to signatures 2026-06-20 22:32:01 +02:00
Benjamin Funke
f46b3ca1ac remove newlines in MS-XNA/KTX signature 2026-06-20 21:36:33 +02:00
DosX
cf5a235a54 dbs_min update 2026-06-20 19:44:12 +03:00
DosX
10b6350cb5 Extend PE compare signature; minor formatting
Extend the PE.compare pattern used to skip bitmap resources by adding extra trailing zero bytes to the signature, reducing false positives when determining resource types. Also perform minor whitespace/formatting cleanups in heuristic functions (isNameObfuscated and scanForLanguagesAndCompilers) to improve readability.
2026-06-20 19:43:24 +03:00
DosX
d77aa6f6dd Skip empty/small sections during entropy scan
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
2026-06-20 19:33:40 +03:00
DosX
10fa1b1822 Only skip tiny sections when sectionOffset > 0
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
2026-06-20 16:09:22 +03:00
DosX
16aff736fc dbs_min update 2026-06-20 15:59:58 +03:00
DosX
722077df81 Allow wildcards in sub ebp immediate pattern
Replace the fixed immediate bytes in the heuristic pattern (was `81 ED 32 6F 01 20`) with wildcards (`81 ED ?? ?? 01 20`) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This relaxes the signature for the `sub ebp, imm` instruction so the rule can match more binary variants while keeping the surrounding instruction sequence intact for detection.
2026-06-20 15:59:50 +03:00
DosX
eb07d5723d Refactor risk score calc and verdict details
Introduce a percentageOfRiskScore variable to avoid recomputing the risk expression and clamp it to 100. Use this variable in the verdict details string and append the mayBeInfected note when the computed percentage is below 70%, improving readability and providing conditional infection context.
2026-06-20 08:06:00 +03:00
DosX
ddcb553e3f dbs_min update 2026-06-20 07:42:54 +03:00
DosX
7c7194f655 Refactor scanning: extract scanArea and improve heuristics
Extracted a reusable scanArea(areaOffset, areaSize) helper to centralize base64/anchor scanning and replaced global/unicode scanning with targeted scans. Add targeted scanning of PE sections, unmanaged resources and the overlay (gated by packer/protector results), with optimizations to skip unlikely sections (small sections, common .text/.rsrc/.idata/.reloc cases) and to only target large resources (>4KB) while skipping bitmaps. Also renamed/cleaned up offset variables and simplified encrypted-payload scanning logic by consolidating maxScanSize/dataBuffer creation and removing redundant conditionals. These changes improve performance and detection coverage.
2026-06-20 07:42:34 +03:00
DosX
f22203954f Extend section name regex to match .edata/.xdata
Update the section name pattern from /^\.(?:r)?data$/i to /^\.[rex]?data$/i so .edata and .xdata (in addition to .rdata and .data) are recognized and get the larger scan size when scanning for malicious code.
2026-06-20 06:02:20 +03:00
DosX
3a4f9a10e6 Detect ASCII/UTF-16LE Base64 payloads
Replace simple signature variants with robust Base64 payload detection for both ASCII and UTF-16LE encodings. The patch checks for "TV" + raw postfix bytes in the DOS stub (ASCII) and searches for a UTF-16LE "TV" anchor plus Unicode signature masks, sets a base64Version flag, and emits an "Encoded executable payload" verdict including the encoding (Base64, ASCII/UTF-16LE). Removes the prior validateGlobalUnicodeString/validateSignature path and consolidates detection logic.
2026-06-20 05:59:25 +03:00
DosX
90db1886d7 dbs_min update 2026-06-19 17:53:21 +03:00
DosX
88548b7a0b Clarify detection scope in comment
Update comment to explicitly state the heuristic detects encrypted PE files in resources, sections, and overlay via KPA (Known Plaintext Attack). This is a documentation-only change to clarify detection scope; no functional code changes.
2026-06-19 17:52:58 +03:00
DosX
0ab54f846c Label payloads as executable and skip PE sections
Update verdict labels to specify "executable" for Base64 and encrypted payloads for clarity. Add an optimization comment and additional checks to skip scanning common PE sections (.rsrc, .idata, .reloc) when they're unlikely to contain encrypted payloads, and reorder a conditional for the entry-point/.text check to be more robust.
2026-06-19 17:49:09 +03:00
DosX
0a74ea574a Optimize PE scan loop and hex decoding
Performance and readability refactor of the PE heuristic scanner.

- Introduce Uint8Arr alias (fallback to Array) and a hexLUT typed lookup table for fast hex-to-byte decoding.
- Replace dynamic per-byte hex parsing with LUT and allocate decoded buffers as Uint8Arr to reduce overhead.
- Refactor scanBuffer: hoist variables, minimize re-computation, and apply lazy evaluation for alternative decryption checks (ADD/SUB and SUB/REV) to short-circuit work when XOR/XNOR matches.
- Minor cleanup of PE header offset assignment/comment.

Changes are intended to improve speed and reduce allocations while preserving existing verification logic.
2026-06-19 11:45:39 +03:00
DosX
b92aeb6e9a Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-06-19 11:22:34 +03:00
DosX
5f45111d01 Refactor getDecrypted and add conhost.exe
Change the inner getDecrypted implementation to a named function with combined variable declarations and clearer multiline ternary formatting for readability; no functional change to the decryption logic. Also add "conhost.exe" to systemFileNamesDict so the console host is treated as a system-signed filename.
2026-06-19 11:22:31 +03:00
Benjamin Funke
f4aa94179a add ObjGrid signature 2026-06-19 01:18:10 +02:00
Benjamin Funke
d7ce667b68 add FluidSynth signature 2026-06-19 00:45:21 +02:00
Benjamin Funke
8d8fa5f773 add DWMAPI signature 2026-06-19 00:16:31 +02:00
Kaens
d74d71aa29 audio.1.sg now has unique format IDs for parsing + extra
(see Kaens/audio1sg for details)
2026-06-18 20:06:01 +02:00
DosX
400ed3f5d9 dbs_min update 2026-06-18 19:34:33 +03:00
DosX
8dc9261189 Support SUB-REV mode and PE verification fix
Add detection/support for a new SUB-REV (arithmetic-reverse) decryption mode: introduce mode 2 in verifyPeSignature and extend the universal decryptor return to handle SUB-REV. Compute reverse expected bytes (e0_rev/e1_rev) and add a matching detection branch. Also fix PE header offset handling (avoid double addition of peStartOffset) and normalize algorithm labels (e.g. "XOR-XNOR", "ADD-SUB") and the verdict version string to include "Algo: ". These changes improve heuristic coverage for encrypted PE payloads using reversed subtraction schemes.
2026-06-18 19:34:17 +03:00
DosX
828cb6e9cf Remove redundant whitespace stripping on signature
Eliminate the unnecessary .replace(/\s/g,'') call when obtaining the hex signature in scanForMaliciousCode_NET_and_Native (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg). PE.getSignature already provides the expected format, so this avoids redundant processing and preserves the original returned string.
2026-06-18 19:07:58 +03:00
DosX
85f36dee0a Increase default section scan size to 0x3000
Adjust the maxScanSize calculation in scanForMaliciousCode_NET_and_Native so non-.rdata PE sections are scanned up to 0x3000 bytes (was 0x2500). .rdata sections remain capped at 0x6000. This expands the scan window to improve detection coverage for larger sections.
2026-06-18 18:29:01 +03:00
DosX
4c582a4ef1 Refactor: add getDecodedBuffer and reuse
Introduce getDecodedBuffer(offset, size) to decode PE.getSignature hex strings into byte arrays and replace three duplicated decoding loops (resources, overlay, sections) with calls to this helper. This reduces code duplication, improves readability and maintainability, and preserves existing scanBuffer behavior. Also removes a stray blank line.
2026-06-18 18:11:14 +03:00
DosX
47d213b809 dbs_min update 2026-06-18 18:00:44 +03:00
DosX
4c480aa3b6 Fix PE header, hex parsing, and overlay scan
Use lfaNewOffset directly for the PE header offset (avoids adding peStartOffset incorrectly). Normalize hex signatures by removing whitespace and uppercasing lowercase hex chars before byte conversion (applied to resource, overlay and section scans). Increase overlay scan limit from 0x1000 to 0x14000 to allow scanning larger overlays. These changes improve signature parsing reliability and broaden scanning coverage.
2026-06-18 17:58:35 +03:00
DosX
9893fbad90 Fix lfaNewOffset unsigned calc and verify size
Coerce the computed e_lfanew to an unsigned 32-bit value using >>> 0 to avoid negative/incorrect offsets. Also tighten the remaining-buffer length passed to verifyPeSignature from (bufferSize - j - 4) to (bufferSize - j - 0x20) in both signature-check branches to avoid overly permissive/unsafe verification and reduce risk of out-of-bounds reads.
2026-06-18 16:02:09 +03:00
DosX
a69fcc2e0e Update __GenericHeuristicAnalysis_By_DosX.7.sg 2026-06-18 15:55:22 +03:00
DosX
1f67d14028 Reduce scan sizes and add section scanning
Lower max scan size for resource and overlay scans from 0x2000 to 0x1000 to reduce scanning work, and add a new section-scanning pass to detect encrypted payloads. The new loop skips obvious benign sections (entry-point .text and .rsrc) and only scans large sections (>0x2500), using a larger window for data-like sections (.data/.rdata). Hex signatures are converted to a byte buffer and fed to scanBuffer; if a match is found isEncPePresent is set to true.
2026-06-18 15:24:57 +03:00
DosX
d21026b565 Refactor KPA scan; add overlay scanning
Extract repeated KPA scanning logic into a scanBuffer helper to avoid duplication and simplify resource scanning. Extend detection to include PE overlays (in addition to resources), reading up to 0x2000 bytes of overlay data (only if overlaySize > 0x1000 and the PE is unsigned) and converting the hex signature into a data buffer before scanning. Updated comment to reflect overlay support and preserved existing multi-algorithm/key-length verification via verifyPeSignature.
2026-06-18 09:55:36 +03:00
DosX
123c8e1eb3 Tighten PE heuristic thresholds
Reduce the allowed NumberOfSections upper bound from 96 to 48 to tighten PE header validation and reduce false positives. Increase the targeted resource payload threshold from 0x300 (768 bytes) to 0x1000 (4096 bytes) so the heuristic focuses on larger payloads; the comment was updated accordingly. Changes made in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
2026-06-18 09:23:28 +03:00
DosX
00603c95ef Detect multiple encrypted PE algorithms in resources
Add KPA-based detection for encrypted PE files embedded in resources, supporting multiple algorithms (XOR/XNOR and ADD/SUB) and key lengths up to 20 bytes. Replace isXorPePresent with a generic isEncPePresent and track detectedAlgo. Introduce mode-aware decryptor and stronger PE header verification (checks for PE signature, Optional Header magic, NumberOfSections and Characteristics). Adjust resource size/scan thresholds and skip bitmap-like resources. Report encrypted payloads with detected algorithm type.
2026-06-18 09:09:37 +03:00
DosX
f58d4d00fe Extend XOR PE KPA to 20-byte keys and tighten checks
Expand the Known-Plaintext Attack (KPA) support from 16 to 20-byte keys by resizing offset arrays and updating loops; document that 20 bytes is the mathematical maximum for this O(1) KPA using the e_res2 20-byte zero block. Replace throw string with throw new Error for consistent error objects. Increase minimum resource size check from 0x100 to 0x800 (2 KB) to avoid scanning tiny resources, remove noisy debug/key-dump logging, and simplify fast-fail logic and comments for clearer, slightly faster XOR-PE detection.
2026-06-18 08:21:42 +03:00
DosX
a065244668 dbs_min update 2026-06-18 07:29:20 +03:00
DosX
f6de2b5687 Update __GenericHeuristicAnalysis_By_DosX.7.sg 2026-06-18 07:29:12 +03:00
DosX
29cb94f796 Declare loop variables and tighten scopes
Move several loop/index variables (len, i, k, p, j, L) into their for-loop headers with var to limit scope and avoid accidental globals. Remove redundant initializations and a stray variable declaration. Also convert the verifyPeSignature function expression into a function declaration for clarity. No algorithmic changes intended—this is a scoping/cleanup refactor to reduce potential bugs.
2026-06-18 07:22:58 +03:00
DosX
5cd261630b Detect XOR-encrypted PE in resource sections
Add heuristic to detect XOR-encrypted PE files embedded in resources using a known-plaintext attack (assumes 'MZ'). Supports key lengths 1–16 bytes and precomputes offset maps to avoid costly modulo math in the hot loop. Implements a strict verifyPeSignature routine to validate e_lfanew/PE signature, limits scans to the first 4KB of each resource for performance, and reports a "XOR-encrypted payload" verdict when found.
2026-06-18 07:12:46 +03:00
DosX
c654c99320 Expand heuristic strings, add NoIP and fixes
Update PE heuristic database to improve detection coverage and correct signatures: add "NSS_Init" to Firefox-related fingerprints; include alternate WindowsLive/\My Received Files path variant; broaden Paltalk registry keys to include uppercase SOFTWARE and HKCU variants; add NoIP (Vitalwerks DUC) registry keys; include "Ftplist.txt" for FTP Commander detection; and clarify the generic entry comment to reduce false positives. These changes refine string matches and widen coverage for legitimate variations of targeted applications.
2026-06-18 05:48:33 +03:00
DosX
78aab14a73 Enhance credential heuristics and patterns
Update PE heuristic database to broaden credential and artifact detection: add alternate key filenames (\keys3.db, \keys4.db), include additional Outlook profile GUIDs, and add Microsoft Edge user-data path. Expand IMVU name variants for case-insensitive matching and add extra password token variants (including spaced and uppercase forms) to improve credential string matching.
2026-06-18 05:29:59 +03:00
DosX
6fb2cf5815 dbs_min update 2026-06-17 17:53:19 +03:00
DosX
9e0b8daba0 Improve Intel XeSS detection heuristics
Extend the detect() logic to also check for xessGetVersion and xessDestroyContext via PE.isFunctionPresent so the Intel XeSS library is detected even when the lib name isn't found. Preserve the export-symbol regex fallback that sets sOptions to "static" only when matching xess export functions are present. This makes detection more reliable and reduces false positives for static-only classification.
2026-06-17 17:52:50 +03:00
DosX
a4bf165f51 Expand OpenSSL library detection regex
Add libeay32 and ssleay32 to the OpenSSL detection regex in db/PE/library_OpenSSL.4.sg so the PE scanner also recognizes legacy Windows OpenSSL library names (libeay32/ssleay32) in addition to libssl/libcrypto.
2026-06-17 17:39:58 +03:00
DosX
4eb1f22b4e Add Detect It Easy rule for NVIDIA GeForce NOW SDK
Add new detection rule (db/PE/library_Nvidia_GeForce_NOW_SDK.4.sg) to identify the NVIDIA GeForce NOW SDK. The rule checks for presence of GfnRuntimeSdk.dll or exported functions matching /^gfn(?:Free|Get|Register|Start|Stop)/, sets the "static" option for EAT-based detections, and returns the detection result. File includes author/contact metadata.
2026-06-17 17:39:49 +03:00
DosX
1dd4e2eeaf Refine protector heuristic regex
Tighten the "protector" detection regex in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to avoid false positives. The updated pattern adds anchors and exclusions to skip Unity symbols like `_guard_c`/`_guard_d` and avoid matching Chromium's exact "prot" token, and includes an inline comment explaining the exceptions.
2026-06-17 14:21:28 +03:00