Introduce reusable SECTION_FLAGS_* constants and derived RWX masks to avoid duplicated local constants. Add a heuristic for detecting UPX-like binaries (3-section layout + RWX checks + common imports) and mark such files as a suspicious packer. Refactor packer/protector detection flow to use an isPackerOrProtectionNotDetected guard and to emit a "UPX-like" suspicion when appropriate. Also replace local RWX_MASK/RWX_CODE_MASK usage in scanForObfuscations_Native with the new global masks.
Treat the floating-point FNOP opcode the same as NOP in scanForObfuscations_Native by adding FNOP to the initial opcode check. This ensures sequences starting with FNOP are identified as NOPs and improves detection of NOP-equivalent obfuscation patterns.
Add a Detect It Easy rule (db/PE/tool_Scylla.6.sg) to identify Scylla reconstructed PE dumps. The script (authored by DosX) skips .NET binaries, checks the last section for the name ".SCY" and a characteristics mask (0xe0000020), and marks the sample as a reconstructed dump by setting sOptions and bDetected. Includes upstream project link metadata.
Add a heuristic in scanForObfuscations_Native to detect a phantom Export Address Table (EAT). If the PE header indicates an export section but numberOfUnmanagedExports is zero, the code now flags the sample by adding the "Phantom EAT" option. This helps identify an obfuscation trick that misleads PE parsers and analyzers.
Introduce two YARA rules to detect PE signature/trust anomalies under a new section: Anomaly__AuthenticodeCorrupt (flags a present security directory with size smaller than a minimal PKCS#7 structure, ~8 bytes) and Anomaly__SecurityDirPointsBeyondFile (flags when the security directory offset + size exceeds the file size, indicating appended or corrupt data). Both rules target PE files and inspect pe.data_directories[4].
Append several structural/whole-file heuristic YARA rules to detect anomalous PE characteristics often associated with packers or custom toolchains. Rules added: TinyPE (filesize < 1KB), DOSStubMissing (e_lfanew < 0x50 indicating no DOS stub), DOSStubCustom (missing standard DOS stub strings), SelfModifyingHeaders (PE header located in a writable section), WholeFileHighEntropy (overall entropy > 7.0 for files >4KB), and VersionInfoMissing (native non-DLL PE with no version resource). Includes comments and detection thresholds explaining the rationale for each heuristic.
Introduce two YARA rules to detect anomalous resources in PE files:
- Anomaly__ResourceHighEntropy: flags .rsrc sections >4KB with entropy >7.4 (used to catch likely encrypted/compressed payloads while acknowledging legitimate high-entropy resources like PNG/JPEG).
- Anomaly__ResourceDominatedBinary: flags PE files where a .rsrc section comprises >90% of the file size (possible embedded payload), excluding DLLs to reduce false positives.
Also add a "Resource anomalies" comment header for organization.
Introduce three YARA rules to detect PE data-directory anomalies: TLS callbacks (potential anti-debug/evasion), stripped debug directory despite a Rich header, and presence of CLR metadata in a PE with many native imports (mixed .NET/native). Rules check relevant data_directories indices (TLS=9, DEBUG=6, CLR=14), Rich signature, size, and import count to flag suspicious or uncommon binaries.
Introduce three new YARA rules detecting suspicious PE TimeDateStamp values: FutureTimestamp (pe.timestamp > Jan 1, 2026), AncientTimestamp (pe.timestamp < Jan 1, 1990 and not zero), and ZeroTimestamp (pe.timestamp == 0). These heuristics help flag likely forged, pre-PE-era, or intentionally stripped timestamps for further analysis.
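The timestamp heuristics above and the two security-directory rules (Anomaly__AuthenticodeCorrupt, Anomaly__SecurityDirPointsBeyondFile) re-implemented as a stand-alone Python checker; this is an added example, not Detect It Easy's or DosX's code. It uses its own minimal PE header parser and a constructed skeletal PE32+ buffer (`make_pe`, hypothetical) instead of real samples; the thresholds are the ones the commit messages state.

```python
import struct
from datetime import datetime, timezone

# Thresholds taken from the heuristics described in the commit messages.
TS_FUTURE = int(datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp())   # 1767225600
TS_ANCIENT = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())  # 631152000
MIN_PKCS7_SIZE = 8              # anything smaller cannot be a PKCS#7 SignedData blob
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def pe_header_anomalies(data: bytes) -> list:
    """Return the anomaly names found in a PE image using a minimal header parser."""
    findings = []
    if data[:2] != b"MZ":
        return ["NotPE"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["NotPE"]
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]   # TimeDateStamp
    if timestamp == 0:
        findings.append("ZeroTimestamp")
    elif timestamp < TS_ANCIENT:
        findings.append("AncientTimestamp")
    elif timestamp > TS_FUTURE:
        findings.append("FutureTimestamp")
    opt = coff + 20                             # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes / first data directory: +108/+112 for PE32+ (0x20b), +92/+96 for PE32 (0x10b).
    count_off, dd_base = (opt + 108, opt + 112) if magic == 0x20B else (opt + 92, opt + 96)
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike other directories, the security entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if sec_off or sec_size:                 # directory "present"
            if sec_size < MIN_PKCS7_SIZE:
                findings.append("AuthenticodeCorrupt")
            if sec_off + sec_size > len(data):
                findings.append("SecurityDirPointsBeyondFile")
    return findings

def make_pe(timestamp: int, sec_off: int = 0, sec_size: int = 0, size: int = 0x400) -> bytes:
    """Constructed skeletal PE32+ buffer carrying only the fields the checks read (hypothetical sample)."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x8664, 1, timestamp)   # Machine, NumberOfSections, TimeDateStamp
    struct.pack_into("<H", buf, 0x98, 0x20B)                    # optional header magic: PE32+
    struct.pack_into("<I", buf, 0x98 + 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x98 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, sec_size)
    return bytes(buf)
```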
Add two YARA rules to detect suspicious overlays in PE files: Anomaly__LargeOverlay (flags overlays larger than 50% of the file, indicating possible embedded payloads) and Anomaly__OverlayPresent (flags overlays >1KB with entropy >7.0, indicating compressed/encrypted data). These heuristics help surface appended data that may contain hidden or packed content for further analysis.
Add three import-related heuristics to DiE_EnhancedHeuristics_by_DosX.yar to detect suspicious PE import tables: Anomaly__NoImports (native PE with zero imports, excluding DLLs), Anomaly__SingleImportDll (native PE with exactly one import DLL), and Anomaly__SuspiciousMinimalImports (PEs importing only LoadLibrary[AW] and GetProcAddress). These rules help flag likely packed/crypted executables that resolve APIs manually and supplement existing entry-point/int3 heuristics.
Introduce a new "Entry point anomalies" block with multiple YARA rules to detect suspicious PE entry-point placements and characteristics. Adds rules: Anomaly__EntryPointInLastSection (EP in last section, common for appended code/packers), Anomaly__EntryPointInNonCodeSection (EP inside a section without CODE flag), Anomaly__EntryPointOutsideAnySections (EP not in any section, skips DLLs and zero EP, ignores sections with no raw data), Anomaly__EPStartsWithNops (EP begins with a 4+ NOP sled), and Anomaly__EPStartsWithInt3 (EP begins with INT3). Rules use raw file offsets for pe.entry_point and include guards to reduce false positives.
Add multiple YARA rules to detect PE section anomalies commonly associated with packers, obfuscators, or tampered binaries. New rules cover: writable+executable code sections, executable .data/.rdata/.bss, empty or non-printable section names, sections with zero raw size but non-zero virtual size and execute flag, raw data extending beyond file size, virtual size much larger than raw size (excluding .bss), high-entropy sections (excluding .rsrc), and duplicate section names. These heuristics improve detection of suspicious PE files for further analysis.
Add new YARA rules (yara_rules/DiE_EnhancedHeuristics_by_DosX.yar) for the Detect It Easy project authored by DosX. The file imports pe and math and defines reusable predicates (IsPE, IsNative, Is64) plus multiple PE header anomaly rules to detect suspicious or tampered PE files (e.g. zero-sized optional header, suspicious image base, zero entry point, entry point beyond image, invalid/tiny alignments, checksum mismatch, zero size_of_image, large section counts, suspicious subsystem, and forced integrity dll characteristic). These heuristics help flag manually crafted, packed, or corrupted binaries; copyright/author metadata is retained in the file.
In detect(), assign sType.toLowerCase() to a local variable and only append it to sOptions when non-empty. This prevents empty strings from being added to sOptions when the debug type is blank, making debug data type handling more robust.
Broaden the UX-Locker heuristic to trigger not only on lc.exe/lc module or assembly names but also on several .NET indicators. Add checks for PE.isNetObjectPresent("0xC00000FD: The memory location at the specified address returned \"null\"") and PE.isNetUStringPresent for "%temp%\\$unlocker_id.ux-cryptobytes", "attrib $h $s $r $i /D ", and "OneDrive10293" so samples without the original module/assembly names are still identified.
Add a heuristic in scanForMaliciousCode_NET_and_Native to push a UX-Locker verdict when no other verdicts exist and the .NET module or assembly name is 'lc.exe' or 'lc'. The verdict object includes empty version and details fields. This introduces an early detection rule before existing RAT/anti-AV checks.
In detect() (db/ELF/_ELF.0.sg) handle the case where ELF.getOperationSystemVersion() returns the string "0" by converting it to an empty string (sVersion = String()). This prevents a misleading '0' value from being treated as a real version when verbose output is enabled.
Add a short-term compatibility check in db/language::_setLang to support legacy Wayback calls: if version is the boolean false, the function returns null and aborts further processing. Comment notes this is temporary and will be removed.
Expand and refine the list of DOS-mode signature messages used for custom DOS detection. Adds additional known headers (e.g., "This program requires Microsoft Windows" for MASM/FASM/older assemblers and "Win32 only." for Pelles C), reorders entries, and clarifies comments for existing strings (twinBASIC, Borland, Legacy Win32 SDK, Watcom). This improves detection of DOS stub messages emitted by various compilers/linkers.
Add a guard using PE.isOverlayPresent() before calling PE.compareOverlay in the detect() function. This ensures overlay comparison only runs when an overlay exists, avoiding false comparisons or errors for files without an overlay. (Updated db/PE/sign_tool_Windows_Authenticode.7.sg)
Update db/PE/_debug_data.5.sg: remove a duplicated header comment and add a new "// Enhanced: DosX" note. This clarifies the file metadata without changing detection logic for PE Debug Directory entries.
Broaden the section name check to match both ".rsrc" and ".reloc" (using `/\.(rsrc|reloc)/i`) instead of only matching "rsrc". This ensures reloc sections are counted in the resourceSectionsCounter and improves accuracy when identifying resource/relocation sections in PE parsing.