Commit graph

4,204 commits

Author SHA1 Message Date
DosX
fd8f26fa9d Reformat peid.yar rules to compact format
Normalize formatting in yara_rules/peid.yar by collapsing multi-line 'strings' and 'condition' blocks into single-line declarations and adjusting indentation across many rules. This is purely a stylistic/whitespace change to make the file more compact; no rule logic or signatures were modified.
2026-04-19 13:26:41 +03:00
DosX
a1c34eb6d4 dbs_min update 2026-04-19 13:15:22 +03:00
DosX
ab7e043893 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-19 00:05:12 +03:00
DosX
a718dbf74a Rename MSDOS DB files to categorized names
Standardize db/MSDOS filenames by adding type prefixes (compiler_, cryptor_, protector_, sfx_, other_PK_). Rename multiple detection rule files accordingly. Also normalize file modes for protector_DAEMON_Protect.2.sg and sfx_Disk_eXPress.1.sg (100755 -> 100644) and apply minor formatting/whitespace normalization; no detection logic changes.
2026-04-19 00:05:06 +03:00
horsicq
fd37b8ca7d chore: update db dates and workflow permissions 2026-04-18 15:38:29 +02:00
Benjamin Funke
c24037d288 Upgrade action-gh-release to version 3 for db-release 2026-04-18 12:02:43 +02:00
Benjamin Funke
5dbfde97f8 update actions/checkout to v6 2026-04-18 12:01:37 +02:00
Benjamin Funke
65a0fb112e update softprops/action-gh-release to v3 2026-04-18 12:00:35 +02:00
Benjamin Funke
d827ae17fa merge SSH signatures in one file 2026-04-18 09:09:23 +02:00
Benjamin Funke
ca88a8f915 move file extensions to comments in Director signature 2026-04-18 08:51:28 +02:00
DosX
5325150da2 dbs_min update 2026-04-17 23:55:21 +03:00
DosX
32294fcd8d Revert "refactor: simplify PE heuristic analysis logic"
This reverts commit f16b1733d6.
2026-04-17 23:45:20 +03:00
DosX
07eadbc2ed Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-17 23:44:13 +03:00
DosX
31d0e66eb2 Add type prefixes to COM DB filenames
Rename 13 files in db/COM to include role/type prefixes (compiler_, cryptor_, packer_, protector_, self-displayer_) to better categorize entries. Examples: PC_FORTH -> compiler_PC_FORTH, Deep_Crypter -> cryptor_Deep_Crypter, simple_ansi_viewer -> self-displayer_simple_ansi_viewer.
2026-04-17 23:44:07 +03:00
horsicq
f16b1733d6 refactor: simplify PE heuristic analysis logic 2026-04-17 21:33:34 +02:00
DosX
29102edba7 dbs_min update 2026-04-17 21:56:53 +03:00
DosX
430afd6713 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-17 21:56:04 +03:00
horsicq
c6351f92b0 chore: update db dates to 2026-04-17 2026-04-17 18:16:35 +02:00
DosX
1612db3b4d Allow CopyContext and RW in UPX-like heuristic
Relax detection in scanForPackersAndCryptors_NET_and_Native(): accept the third section as read-write in addition to read, and treat CopyContext as an alternative to ExitProcess when identifying UPX-like layouts. This accommodates variants such as UPX-Patcher while preserving the original RWX/RWX/R pattern detection logic.
2026-04-17 01:54:53 +03:00
DosX
157d41ff0b Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-17 01:51:47 +03:00
DosX
6d8417dbff Index sections using dosxSection.Number
Fix PE section lookup in tool_UPX-Patcher by using dosxSection.Number when computing fishSectionByIndex. Previously the code used dosxSection directly (which can be an object), producing an incorrect index; this change ensures a numeric index is used and prevents detection failures.
2026-04-17 01:51:43 +03:00
horsicq
ed9faf1f4b feat: add GitHub workflow and database info files 2026-04-16 21:01:09 +02:00
DosX
cfd70f86f3 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-16 19:13:38 +03:00
DosX
4bd43be317 dbs_min update 2026-04-16 19:13:32 +03:00
DosX
571cd73f94 Update README.md db db_extra 2026-04-16 15:25:42 +03:00
DosX
d6818b2ef4 Add section flag constants and UPX-like detection
Introduce reusable SECTION_FLAGS_* constants and derived RWX masks to avoid duplicated local constants. Add a heuristic for detecting UPX-like binaries (3-section layout + RWX checks + common imports) and mark such files as a suspicious packer. Refactor packer/protector detection flow to use an isPackerOrProtectionNotDetected guard and to emit a "UPX-like" suspicion when appropriate. Also replace local RWX_MASK/RWX_CODE_MASK usage in scanForObfuscations_Native with the new global masks.
2026-04-16 13:21:46 +03:00
DosX
47f4b7d1cc dbs_min update 2026-04-15 15:56:54 +03:00
DosX
e507bc82e3 Recognize FNOP as NOP in heuristic scan
Treat the floating-point FNOP opcode the same as NOP in scanForObfuscations_Native by adding FNOP to the initial opcode check. This ensures sequences starting with FNOP are identified as NOPs and improves detection of NOP-equivalent obfuscation patterns.
2026-04-15 15:55:48 +03:00
DosX
1eb38ef069 Remove author email from rule header
Remove the author line containing 'horsicq <horsicq@gmail.com>' from the header comment in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
2026-04-15 15:45:11 +03:00
DosX
3c7a9a47b3 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy 2026-04-15 15:30:08 +03:00
DosX
ae3196bcc8 Add Scylla PE detection rule
Add a Detect It Easy rule (db/PE/tool_Scylla.6.sg) to identify Scylla reconstructed PE dumps. The script (authored by DosX) skips .NET binaries, checks the last section for the name ".SCY" and a characteristics mask (0xe0000020), and marks the sample as a reconstructed dump by setting sOptions and bDetected. Includes upstream project link metadata.
2026-04-15 15:30:01 +03:00
DosX
763f42eefa Detect phantom EAT in PE heuristics
Add a heuristic in scanForObfuscations_Native to detect a phantom Export Address Table (EAT). If the PE header indicates an export section but numberOfUnmanagedExports is zero, the code now flags the sample by adding the "Phantom EAT" option. This helps identify an obfuscation trick that misleads PE parsers and analyzers.
2026-04-15 15:29:15 +03:00
Benjamin Funke
476d4d9a98 update Ubuntu version in BUILD.md 2026-04-13 18:21:26 +02:00
Benjamin Funke
6f4c7ec764 add more missing versions to changelog 2026-04-11 19:33:56 +02:00
DosX
8d9a65397c dbs_min update 2026-04-10 16:44:47 +03:00
DosX
169eec8e54 Add PE security/trust anomaly YARA rules
Introduce two YARA rules to detect PE signature/trust anomalies under a new section: Anomaly__AuthenticodeCorrupt (flags a present security directory with size smaller than a minimal PKCS#7 structure, ~8 bytes) and Anomaly__SecurityDirPointsBeyondFile (flags when the security directory offset + size exceeds the file size, indicating appended or corrupt data). Both rules target PE files and inspect pe.data_directories[4].
2026-04-10 16:41:50 +03:00
DosX
6935003c4f Add structural PE anomaly YARA rules
Append several structural/whole-file heuristic YARA rules to detect anomalous PE characteristics often associated with packers or custom toolchains. Rules added: TinyPE (filesize < 1KB), DOSStubMissing (e_lfanew < 0x50 indicating no DOS stub), DOSStubCustom (missing standard DOS stub strings), SelfModifyingHeaders (PE header located in a writable section), WholeFileHighEntropy (overall entropy > 7.0 for files >4KB), and VersionInfoMissing (native non-DLL PE with no version resource). Includes comments and detection thresholds explaining the rationale for each heuristic.
2026-04-10 16:41:40 +03:00
DosX
4017d1be29 Add PE resource anomaly YARA rules
Introduce two YARA rules to detect anomalous resources in PE files:

- Anomaly__ResourceHighEntropy: flags .rsrc sections >4KB with entropy >7.4 (used to catch likely encrypted/compressed payloads while acknowledging legitimate high-entropy resources like PNG/JPEG).
- Anomaly__ResourceDominatedBinary: flags PE files where a .rsrc section comprises >90% of the file size (possible embedded payload), excluding DLLs to reduce false positives.

Also adds a Resource anomalies comment header for organization.
2026-04-10 16:41:14 +03:00
DosX
5db4d1bc67 Add PE data-directory anomaly YARA rules
Introduce three YARA rules to detect PE data-directory anomalies: TLS callbacks (potential anti-debug/evasion), stripped debug directory despite a Rich header, and presence of CLR metadata in a PE with many native imports (mixed .NET/native). Rules check relevant data_directories indices (TLS=9, DEBUG=6, CLR=14), Rich signature, size, and import count to flag suspicious or uncommon binaries.
2026-04-10 16:41:02 +03:00
DosX
7626af9590 Add PE timestamp anomaly YARA rules
Introduce three new YARA rules detecting suspicious PE TimeDateStamp values: FutureTimestamp (pe.timestamp > Jan 1, 2026), AncientTimestamp (pe.timestamp < Jan 1, 1990 and not zero), and ZeroTimestamp (pe.timestamp == 0). These heuristics help flag likely forged, pre-PE-era, or intentionally stripped timestamps for further analysis.
2026-04-10 16:40:36 +03:00
DosX
ef54ac77bf Add PE overlay anomaly YARA rules
Add two YARA rules to detect suspicious overlays in PE files: Anomaly__LargeOverlay (flags overlays larger than 50% of the file, indicating possible embedded payloads) and Anomaly__OverlayPresent (flags overlays >1KB with entropy >7.0, indicating compressed/encrypted data). These heuristics help surface appended data that may contain hidden or packed content for further analysis.
2026-04-10 16:40:21 +03:00
DosX
df1038c6c2 Add PE import anomaly YARA rules
Add three import-related heuristics to DiE_EnhancedHeuristics_by_DosX.yar to detect suspicious PE import tables: Anomaly__NoImports (native PE with zero imports, excluding DLLs), Anomaly__SingleImportDll (native PE with exactly one import DLL), and Anomaly__SuspiciousMinimalImports (PEs importing only LoadLibrary[AW] and GetProcAddress). These rules help flag likely packed/crypted executables that resolve APIs manually and supplement existing entry-point/int3 heuristics.
2026-04-10 16:40:06 +03:00
DosX
a41cd5eca0 Add PE entry-point anomaly YARA rules
Introduce a new "Entry point anomalies" block with multiple YARA rules to detect suspicious PE entry-point placements and characteristics. Adds rules: Anomaly__EntryPointInLastSection (EP in last section, common for appended code/packers), Anomaly__EntryPointInNonCodeSection (EP inside a section without CODE flag), Anomaly__EntryPointOutsideAnySections (EP not in any section, skips DLLs and zero EP, ignores sections with no raw data), Anomaly__EPStartsWithNops (EP begins with a 4+ NOP sled), and Anomaly__EPStartsWithInt3 (EP begins with INT3). Rules use raw file offsets for pe.entry_point and include guards to reduce false positives.
2026-04-10 16:39:47 +03:00
DosX
bfd32a1317 Add section anomaly heuristics to YARA
Add multiple YARA rules to detect PE section anomalies commonly associated with packers, obfuscators, or tampered binaries. New rules cover: writable+executable code sections, executable .data/.rdata/.bss, empty or non-printable section names, sections with zero raw size but non-zero virtual size and execute flag, raw data extending beyond file size, virtual size much larger than raw size (excluding .bss), high-entropy sections (excluding .rsrc), and duplicate section names. These heuristics improve detection of suspicious PE files for further analysis.
2026-04-10 16:39:17 +03:00
DosX
8fc2c41722 Add DiE enhanced PE heuristics YARA rules
Add new YARA rules (yara_rules/DiE_EnhancedHeuristics_by_DosX.yar) for the Detect It Easy project authored by DosX. The file imports pe and math and defines reusable predicates (IsPE, IsNative, Is64) plus multiple PE header anomaly rules to detect suspicious or tampered PE files (e.g. zero-sized optional header, suspicious image base, zero entry point, entry point beyond image, invalid/tiny alignments, checksum mismatch, zero size_of_image, large section counts, suspicious subsystem, and forced integrity dll characteristic). These heuristics help flag manually crafted, packed, or corrupted binaries; copyright/author metadata is retained in the file.
2026-04-10 16:38:55 +03:00
DosX
4d6d56cc30 Avoid appending empty debug type
In detect(), assign sType.toLowerCase() to a local variable and only append it to sOptions when non-empty. This prevents empty strings from being added to sOptions when the debug type is blank, making debug data type handling more robust.
2026-04-10 16:21:25 +03:00
DosX
712ae27327 Enhance UX-Locker NET detection heuristics
Broaden the UX-Locker heuristic to trigger not only on lc.exe/lc module or assembly names but also on several .NET indicators. Add checks for PE.isNetObjectPresent("0xC00000FD: The memory location at the specified address returned \"null\"") and PE.isNetUStringPresent for "%temp%\\$unlocker_id.ux-cryptobytes", "attrib $h $s $r $i /D ", and "OneDrive10293" so samples without the original module/assembly names are still identified.
2026-04-10 16:14:35 +03:00
DosX
05d00ffb61 Heuristic: flag UX-Locker for 'lc' modules
Add a heuristic in scanForMaliciousCode_NET_and_Native to push a UX-Locker verdict when no other verdicts exist and the .NET module or assembly name is 'lc.exe' or 'lc'. The verdict object includes empty version and details fields. This introduces an early detection rule before existing RAT/anti-AV checks.
2026-04-10 15:49:33 +03:00
Benjamin Funke
1cb4eb11da merge changelog from old-die 2026-04-09 14:29:15 +02:00
Benjamin Funke
5203bef429 add release dates to changelog 2026-04-09 14:14:06 +02:00