Add new heuristics to PE DB: insert VCasm-Protector (version 1.1-1.2, hash 0xcfed7c1e) and Excalibur (version 1.0X, hash 0x7f364e1f) into the packer/cryptor signature list, and add a section-name rule for VCasm-Protector ('vcasm'). Also adjust array punctuation for the appended entries.
Add upstream GitHub reference and replace the slow signature-in-section check with PE.isNetObjectPresent checks for 'RustemSoft.Skater' and 'RustemSoft.Skater.Skater_NET_Obfuscator' to speed up detection. Keeps the existing EP .NET compare logic and version detection for 2.X.
Rename generateUnicodeSignatureMask to convertStringToUnicodeSignature and change its output to a continuous UTF-16LE hex string (no spaces) with consistent zero-padding. Update all callers accordingly across the PE heuristics file, adjust doc examples to the new format, and remove an obsolete substring adjustment for the NjRAT separator pattern. These changes standardize how UTF-16LE signatures are produced and consumed by PE.isSignature*/PE.findSignature calls.
Rename many internal variables in scanForMaliciousCode_NET_and_Native to clearer, self-descriptive identifiers (e.g. k0_off/k1_off/k3_off -> offsetKey0/offsetKey1/offsetKey3, lfa*_off -> offsetLfa*, keyLen/j/L -> keyLength/offset, and byte variables like b0/b1 -> cipherM/cipherZ, etc.). Changes span the pre-calculation block, verifyPeSignature, and scanBuffer to improve readability and maintainability. No functional logic changes intended — behavior should remain the same.
Adjust signature pattern handling in scanForMaliciousCode_NET_and_Native.
- Remove the added "??" prefix when building njRatDataSeparatorPattern so the pattern uses the substring directly.
- Remove the trailing " **" wildcard from the Unicode " RAT" signature passed to PE.isSignatureInSectionPresent to narrow matching.
Rewrite generateUnicodeSignatureMask to produce UTF-16LE hex byte sequences for each character. The new implementation uses charCodeAt to extract code units, computes low/high bytes in little-endian order, pads bytes to two hex digits (ES3/ES5 compatible), and joins byte pairs with spaces. This replaces the previous quoted 'char'00' style output and correctly handles non-ASCII characters.
Replace custom hex decoding and helper with direct PE.readBytes, removing hexLUT and getDecodedBuffer to reduce overhead. Simplify scanBuffer signature and internals (rename comment, local caching, remove unused offsetBase), tighten verifyPeSignature comments and remove redundant explanatory comments. Use PE.readBytes for resources, overlay and sections, and keep existing algorithm detection logic intact; this is a cleanup/optimization to improve readability and performance without changing core behavior.
Remove redundant b3 decode and consolidate the e_lfanew fast-fail check to test upper 16-bits against max bounds. Treat the MSB of e_lfanew as implicitly 0 and move its per-iteration validation into the main scan loop by caching lfa3_off as _lfa3 and reading the MSB (d3F) once per iteration. This reduces repeated reads and unnecessary variables, clarifies assumptions about e_lfanew, and slightly improves performance by localizing offsets and eliminating a prior separate fast-fail branch.
Inline and optimize PE header verification and scanning hot paths for performance. Added precomputed lfa*_off lookup tables for e_lfanew byte offsets and removed the getDecryptedByte helper by inlining decryption math inside verifyPeSignature to avoid function-call and modulo overhead. Reduced repeated arithmetic by caching base indices, precomputing remainder r, and validating high-order bytes early; also added maxLfa to avoid recomputing buffer bounds. Minor micro-optimizations: cache hexLUT locally in getDecodedBuffer, cache k*_off arrays in scanBuffer, and break out of loops once an encrypted PE is detected. Behavior and verification checks are preserved while improving throughput in tight scanning loops.
Performance and memory optimizations for the PE heuristic scanner:
- Tighten DOS-PDB scan loop to stop once pdbPathBeginOffset is found (avoids an extra break).
- Replace offset tables (k0_off/k1_off/k3_off) with typed Uint8Array to reduce allocations and improve access speed.
- Extract a single getDecryptedByte function (removed inner closure) to avoid per-call closure allocation and centralize decrypt logic.
- Add a fast-fail check for the most-significant byte of e_lfanew and simplify lfaNewOffset calculation to speed header validation.
- Replace multiple inline decryption calls with getDecryptedByte in verifyPeSignature for clarity and efficiency.
- Restructure the detection inner loop to early-continue on mismatches and apply lazy evaluation for arithmetic checks (ADD-SUB / SUB-REV) to reduce unnecessary work.
Behavior should be unchanged functionally while reducing CPU and memory overhead during scanning.
Cache section properties (offset, size, name) and replace direct PE.section accesses to improve readability and performance. Adjust skip logic to use cached sectionSize/sectionName. Expand scanning windows: scan .text of .NET assemblies up to 0x64000, increase data-like sections to 0x12000 and other sections to 0x6000 (previously smaller), to improve detection of encoded/encrypted payloads.
Replace inconsistent byte wildcard in a signature ("81 ED ?? ?? 01 20" -> "81 ED .. .. 01 20") to match the file's wildcard convention, and expand resource-name detection by adding a regex for obvious malicious names (TROJAN, VIRUS, MALWARE, DROPPER). An inline comment was added explaining the resource-name check; minor spacing was also adjusted.
Rename several database pages to standardized prefixes for clearer organization: db/LX/{PKZIP-SFX.1.sg,RAR-SFX.1.sg} -> db/LX/sfx_PKZIP-SFX.1.sg and db/LX/sfx_RAR-SFX.1.sg; db/MSDOS/{Microsoft_Fortran.4.sg,Microsoft_Quick_Basic.4.sg} -> db/MSDOS/compiler_Microsoft_Fortran.4.sg and db/MSDOS/compiler_Microsoft_Quick_Basic.4.sg. Files are unchanged (100% similarity); only filenames were updated to reflect type (sfx for self-extractors, compiler for compilers).
Rename db/LX/compiler_Borland_C.4.sg to db/LX/compiler_Borland_C++.4.sg and update the detect() function to set sLang from "C/C++" to "C++". This adjusts the file/name to explicitly represent the C++ compiler and aligns the language identifier accordingly; no other functional changes.
Refine the PE.NET detection in tool_de4dot.6.sg: accept either method_0 or smethod_0 and require either both GClass0 & GClass1 or both Class0 & Class1. Previously the check relied on smethod_0 and allowed a single GClass0 (or Class0+Class1), which could produce false positives; this change makes detection stricter and more accurate.
Add additional signature variants to the signsToCheck array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (scanForMaliciousCode_NET_and_Native). New entries cover different capitalizations and synonyms for file/cookie/wallet stealers (e.g. Grabfiles/stealfiles, GrabCookies, WalletsStealer/WalletsGrabber) to improve detection coverage for varied naming conventions.
Rename many db/MSDOS detection rules to include category prefixes (e.g. compiler_, extender_, immunizer_, linker_, protector_, other_) for clearer organization. Add sLang assignment for Microsoft_C rule to set "C" or "C/C++" based on sName. Normalize formatting/whitespace in several scripts and remove executable bit from a few rule files. No detection logic changes besides the explicit sLang assignment.
Renamed multiple db/MSDOS detection rule files to include category prefixes (compiler_, library_, protector_, self-displayer_, sfx_) for clearer organization. Cleared executable bits on LSI_C and Khrome_Crypt files (100755 → 100644). Added sLang = "C" to the LSI C detection rule to explicitly mark the language. No other functional changes.
Populate sLang in several MS-DOS detector scripts so the detected language is recorded (Logitech_Modula-2.4: sLang = "Modula-2"; ASIC-Basic, ApBasic, BetterBASIC, Turbo_Basic: sLang = "Basic"). Also rename L_O_V_E__FORTH.4.sg to compiler_L_O_V_E__FORTH.4.sg and Phar_Lap.0a.sg to extender_Phar_Lap.0a.sg to standardize database file naming. No other logic changes.
Rename multiple files in db/MSDOS to add category prefixes (e.g. converter_, extender_, packer_, protector_, self-displayer_) for clearer organization. Remove executable bit on several .sg files (mode 100755 -> 100644) and apply minor whitespace/line-ending normalization in a few detection rules (no functional changes).
Append Rabby Wallet signature string to the PE heuristic list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of Rabby Wallet-related binaries.
Stop forcing sOptions = "C/C++" in db/MACH/compiler_gcc.4.sg when libgcc_s.1.dylib is present. The detection now only sets bDetected, avoiding an unintended override of compiler option state elsewhere.
Limit iteration in scanForObfuscations_NET by adding an early-exit condition to the for loop (for ... && !isStrangeEpPosition) and remove the redundant break. Also append the OneKey signature string to the malicious signature array in scanForMaliciousCode_NET_and_Native so it is recognized by heuristics.
Extend the PE.compare pattern used to skip bitmap resources by adding extra trailing zero bytes to the signature, reducing false positives when determining resource types. Also perform minor whitespace/formatting cleanups in heuristic functions (isNameObfuscated and scanForLanguagesAndCompilers) to improve readability.
Add a guard in scanForPackersAndCryptors_NET_and_Native to skip sections with FileOffset == 0 or FileSize < 0x1000 before calculating entropy. This avoids reading invalid/empty section data and reduces false/high-entropy detections for very small sections, improving robustness of packer/cryptor detection.
Restrict the small-section skip in scanForMaliciousCode_NET_and_Native to cases where sectionOffset > 0. This prevents erroneously bypassing section processing when sectionOffset is zero or unset, preserving entry/resource section checks and improving heuristic scanning accuracy in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Replace the fixed immediate bytes in the heuristic pattern (was `81 ED 32 6F 01 20`) with wildcards (`81 ED ?? ?? 01 20`) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This relaxes the signature for the `sub ebp, imm` instruction so the rule can match more binary variants while keeping the surrounding instruction sequence intact for detection.
Introduce a percentageOfRiskScore variable to avoid recomputing the risk expression and clamp it to 100. Use this variable in the verdict details string and append the mayBeInfected note when the computed percentage is below 70%, improving readability and providing conditional infection context.
Extracted a reusable scanArea(areaOffset, areaSize) helper to centralize base64/anchor scanning and replaced global/unicode scanning with targeted scans. Add targeted scanning of PE sections, unmanaged resources and the overlay (gated by packer/protector results), with optimizations to skip unlikely sections (small sections, common .text/.rsrc/.idata/.reloc cases) and to only target large resources (>4KB) while skipping bitmaps. Also renamed/cleaned up offset variables and simplified encrypted-payload scanning logic by consolidating maxScanSize/dataBuffer creation and removing redundant conditionals. These changes improve performance and detection coverage.
Update the section name pattern from /^\.(?:r)?data$/i to /^\.[rex]?data$/i so .edata and .xdata (in addition to .rdata and .data) are recognized and get the larger scan size when scanning for malicious code.
Replace simple signature variants with robust Base64 payload detection for both ASCII and UTF-16LE encodings. The patch checks for "TV" + raw postfix bytes in the DOS stub (ASCII) and searches for a UTF-16LE "TV" anchor plus Unicode signature masks, sets a base64Version flag, and emits an "Encoded executable payload" verdict including the encoding (Base64, ASCII/UTF-16LE). Removes the prior validateGlobalUnicodeString/validateSignature path and consolidates detection logic.
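The pieces these messages describe, the UTF-16LE signature helper (continuous, zero-padded little-endian hex, as in the convertStringToUnicodeSignature/generateUnicodeSignatureMask commits) and the Base64 "TV" anchor for an embedded PE, worked through together as an added JavaScript example. This is not code from the .sg file: only the helper's name is taken from the commits above, the other function names and the sample text are this example's own, and Node's Buffer stands in for the PE.findSignature/PE.readBytes calls the script uses.

```javascript
'use strict';
// Added example, not DIE's own code: the UTF-16LE signature helper the
// commit messages above describe, and a Base64-embedded-PE check built on it.
// Function names other than convertStringToUnicodeSignature are assumptions.

// "TV" -> "54005600": each UTF-16 code unit becomes low byte, then high byte,
// zero-padded to two hex digits and concatenated without spaces.
function convertStringToUnicodeSignature(str) {
  let hex = '';
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    hex += (cu & 0xff).toString(16).padStart(2, '0') +
           (cu >> 8).toString(16).padStart(2, '0');
  }
  return hex.toUpperCase();
}

// Base64 of any PE image starts with "TV": 'M','Z' = 0x4D 0x5A begin with the
// bit groups 010011 010101, which encode as 'T' and 'V'. The anchor is cheap
// to find but only a hint, so the run behind it is decoded and the DOS
// header is checked for real.
const B64_CHAR = /[A-Za-z0-9+/]/;
const DOS_HEADER_B64_CHARS = 88;   // 0x40 bytes need 86 chars, 88 with '=' padding

// Collect Base64 characters from `start`; stride 2 reads UTF-16LE text and
// stops at the first code unit whose high byte is not zero.
function extractBase64Run(buf, start, stride) {
  let run = '';
  for (let p = start; p + stride <= buf.length && run.length < DOS_HEADER_B64_CHARS; p += stride) {
    if (stride === 2 && buf[p + 1] !== 0) break;
    const ch = String.fromCharCode(buf[p]);
    if (!B64_CHAR.test(ch)) break;
    run += ch;
  }
  return run;
}

// Decoded bytes must carry "MZ", the all-zero e_res2 block and a sane e_lfanew.
function looksLikeDosHeader(bytes) {
  if (bytes.length < 0x40 || bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;
  for (let i = 0x28; i < 0x3c; i++) if (bytes[i] !== 0) return false;
  const lfanew = bytes.readUInt32LE(0x3c);
  return lfanew >= 0x40 && lfanew <= 0x1000;
}

// Scan a byte buffer for Base64-encoded PE images in ASCII and UTF-16LE text.
// The search runs over the buffer's hex form, the way signature lookups take
// hex strings; a match must start on a byte boundary.
function findBase64Pe(buf) {
  const hex = Buffer.from(buf).toString('hex').toUpperCase();
  const anchors = [
    { encoding: 'ASCII',    sig: '5456',                                stride: 1 },
    { encoding: 'UTF-16LE', sig: convertStringToUnicodeSignature('TV'), stride: 2 },
  ];
  const hits = [];
  for (const { encoding, sig, stride } of anchors) {
    for (let idx = hex.indexOf(sig); idx !== -1; idx = hex.indexOf(sig, idx + 1)) {
      if (idx % 2 !== 0) continue;
      const offset = idx / 2;
      const run = extractBase64Run(buf, offset, stride);
      if (run.length >= 86 && looksLikeDosHeader(Buffer.from(run, 'base64'))) {
        hits.push({ offset, encoding, base64Length: run.length });
      }
    }
  }
  return hits;
}

// Constructed sample: a bare DOS header, Base64-encoded, planted once as an
// ASCII string literal and once as UTF-16LE text, plus a decoy "TV".
function buildSample() {
  const dos = Buffer.alloc(0x40);
  dos.write('MZ', 0, 'latin1');
  dos.writeUInt32LE(0x40, 0x3c);
  const b64 = dos.toString('base64');
  return Buffer.concat([
    Buffer.from('x = "' + b64 + '"\n', 'latin1'),
    Buffer.from('TVxx not base64 \n', 'latin1'),
    Buffer.from(b64, 'utf16le'),
  ]);
}

console.log(findBase64Pe(buildSample()));
// -> [ { offset: 5, encoding: 'ASCII', base64Length: 86 },
//      { offset: 112, encoding: 'UTF-16LE', base64Length: 86 } ]
```

The decoy shows why the anchor alone is not a verdict: "TVxx" is followed by too few Base64 characters to hold a DOS header, so it never reaches the decode step. The run is capped at 88 characters because that is all the DOS header needs; a real scanner would decode further and apply the same PE signature checks used for encrypted payloads.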
Update comment to explicitly state the heuristic detects encrypted PE files in resources, sections, and overlay via KPA (Known Plaintext Attack). This is a documentation-only change to clarify detection scope; no functional code changes.
Update verdict labels to specify "executable" for Base64 and encrypted payloads for clarity. Add an optimization comment and additional checks to skip scanning common PE sections (.rsrc, .idata, .reloc) when they're unlikely to contain encrypted payloads, and reorder a conditional for the entry-point/.text check to be more robust.
Performance and readability refactor of the PE heuristic scanner.
- Introduce Uint8Arr alias (fallback to Array) and a hexLUT typed lookup table for fast hex-to-byte decoding.
- Replace dynamic per-byte hex parsing with LUT and allocate decoded buffers as Uint8Arr to reduce overhead.
- Refactor scanBuffer: hoist variables, minimize re-computation, and apply lazy evaluation for alternative decryption checks (ADD/SUB and SUB/REV) to short-circuit work when XOR/XNOR matches.
- Minor cleanup of PE header offset assignment/comment.
Changes are intended to improve speed and reduce allocations while preserving existing verification logic.
Change the inner getDecrypted implementation to a named function with combined variable declarations and clearer multiline ternary formatting for readability; no functional change to the decryption logic. Also add "conhost.exe" to systemFileNamesDict so the console host is treated as a system-signed filename.
Add detection/support for a new SUB-REV (arithmetic-reverse) decryption mode: introduce mode 2 in verifyPeSignature and extend the universal decryptor return to handle SUB-REV. Compute reverse expected bytes (e0_rev/e1_rev) and add a matching detection branch. Also fix PE header offset handling (avoid double addition of peStartOffset) and normalize algorithm labels (e.g. "XOR-XNOR", "ADD-SUB") and the verdict version string to include "Algo: ". These changes improve heuristic coverage for encrypted PE payloads using reversed subtraction schemes.
Eliminate the unnecessary .replace(/\s/g,'') call when obtaining the hex signature in scanForMaliciousCode_NET_and_Native (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg). PE.getSignature already provides the expected format, so this avoids redundant processing and preserves the original returned string.
Adjust the maxScanSize calculation in scanForMaliciousCode_NET_and_Native so non-.rdata PE sections are scanned up to 0x3000 bytes (was 0x2500). .rdata sections remain capped at 0x6000. This expands the scan window to improve detection coverage for larger sections.
Introduce getDecodedBuffer(offset, size) to decode PE.getSignature hex strings into byte arrays and replace three duplicated decoding loops (resources, overlay, sections) with calls to this helper. This reduces code duplication, improves readability and maintainability, and preserves existing scanBuffer behavior. Also removes a stray blank line.
Use lfaNewOffset directly for the PE header offset (avoids adding peStartOffset incorrectly). Normalize hex signatures by removing whitespace and uppercasing lowercase hex chars before byte conversion (applied to resource, overlay and section scans). Increase overlay scan limit from 0x1000 to 0x14000 to allow scanning larger overlays. These changes improve signature parsing reliability and broaden scanning coverage.
Coerce the computed e_lfanew to an unsigned 32-bit value using >>> 0 to avoid negative/incorrect offsets. Also tighten the remaining-buffer length passed to verifyPeSignature from (bufferSize - j - 4) to (bufferSize - j - 0x20) in both signature-check branches to avoid overly permissive/unsafe verification and reduce risk of out-of-bounds reads.
Lower max scan size for resource and overlay scans from 0x2000 to 0x1000 to reduce scanning work, and add a new section-scanning pass to detect encrypted payloads. The new loop skips obvious benign sections (entry-point .text and .rsrc) and only scans large sections (>0x2500), using a larger window for data-like sections (.data/.rdata). Hex signatures are converted to a byte buffer and fed to scanBuffer; if a match is found isEncPePresent is set to true.
Extract repeated KPA scanning logic into a scanBuffer helper to avoid duplication and simplify resource scanning. Extend detection to include PE overlays (in addition to resources), reading up to 0x2000 bytes of overlay data (only if overlaySize > 0x1000 and the PE is unsigned) and converting the hex signature into a data buffer before scanning. Updated comment to reflect overlay support and preserved existing multi-algorithm/key-length verification via verifyPeSignature.
Reduce the allowed NumberOfSections upper bound from 96 to 48 to tighten PE header validation and reduce false positives. Increase the targeted resource payload threshold from 0x300 (768 bytes) to 0x1000 (4096 bytes) so the heuristic focuses on larger payloads; the comment was updated accordingly. Changes made in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Add KPA-based detection for encrypted PE files embedded in resources, supporting multiple algorithms (XOR/XNOR and ADD/SUB) and key lengths up to 20 bytes. Replace isXorPePresent with a generic isEncPePresent and track detectedAlgo. Introduce mode-aware decryptor and stronger PE header verification (checks for PE signature, Optional Header magic, NumberOfSections and Characteristics). Adjust resource size/scan thresholds and skip bitmap-like resources. Report encrypted payloads with detected algorithm type.
Expand the Known-Plaintext Attack (KPA) support from 16 to 20-byte keys by resizing offset arrays and updating loops; document that 20 bytes is the mathematical maximum for this O(1) KPA using the e_res2 20-byte zero block. Replace throw string with throw new Error for consistent error objects. Increase minimum resource size check from 0x100 to 0x800 (2 KB) to avoid scanning tiny resources, remove noisy debug/key-dump logging, and simplify fast-fail logic and comments for clearer, slightly faster XOR-PE detection.
Move several loop/index variables (len, i, k, p, j, L) into their for-loop headers with var to limit scope and avoid accidental globals. Remove redundant initializations and a stray variable declaration. Also convert the verifyPeSignature function expression into a function declaration for clarity. No algorithmic changes intended—this is a scoping/cleanup refactor to reduce potential bugs.
Add heuristic to detect XOR-encrypted PE files embedded in resources using a known-plaintext attack (assumes 'MZ'). Supports key lengths 1–16 bytes and precomputes offset maps to avoid costly modulo math in the hot loop. Implements a strict verifyPeSignature routine to validate e_lfanew/PE signature, limits scans to the first 4KB of each resource for performance, and reports a "XOR-encrypted payload" verdict when found.
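The known-plaintext scheme these messages describe, the "MZ" anchor, the 20-byte e_res2 zero block that bounds the key length, the e_lfanew/PE-signature/Optional-Header verification and the XOR-XNOR, ADD-SUB and SUB-REV families, worked through as an added JavaScript example. This is not the code from __GenericHeuristicAnalysis_By_DosX.7.sg: the function names, the bounds used (0x1000 for e_lfanew, 48 sections) and the sample header and keys are this example's own, and only the three algorithm families named on this page are covered.

```javascript
'use strict';
// Added example, not DIE's own code: known-plaintext recovery of a short
// repeating byte key from an encrypted PE image, in the spirit of the
// heuristic the commit messages describe. Names, bounds and sample data are
// this example's own.
//
// Known plaintext in every PE image:
//   - "MZ" at offset 0
//   - e_res2, ten reserved WORDs at 0x28..0x3B, always zero
//   - e_lfanew at 0x3C, which must point at "PE\0\0" followed by a COFF header
//     and an Optional Header whose magic is 0x10B (PE32) or 0x20B (PE32+)
// The 20 zero bytes yield the whole key in one pass for any period up to 20;
// a longer period would leave key bytes the block never touches.

const DOS_HEADER_SIZE = 0x40;
const E_RES2_OFF = 0x28;
const E_RES2_SIZE = 0x14;
const E_LFANEW_OFF = 0x3c;
const MAX_KEY_LEN = E_RES2_SIZE;
const MAX_SECTIONS = 48;
const MAX_LFANEW = 0x1000;

// In all three families a zero plaintext byte encrypts to the key byte itself,
// so the key is read straight out of the e_res2 window and only decryption
// differs. XNOR is XOR with the complemented key and ADD is SUB with the
// negated key, so neither needs a branch of its own.
const DECRYPT = {
  'XOR':     (c, k) => c ^ k,
  'ADD-SUB': (c, k) => (c - k) & 0xff,
  'SUB-REV': (c, k) => (k - c) & 0xff,
};

// Test one (start offset, key period) pair; returns a hit object or null.
function tryCandidate(buf, base, keyLen) {
  const key = new Uint8Array(keyLen);
  const seen = new Uint8Array(keyLen);
  for (let i = 0; i < E_RES2_SIZE; i++) {
    const slot = (E_RES2_OFF + i) % keyLen;
    const c = buf[base + E_RES2_OFF + i];
    if (seen[slot] && key[slot] !== c) return null;   // period does not fit
    key[slot] = c;
    seen[slot] = 1;
  }
  for (const algo of Object.keys(DECRYPT)) {
    const dec = (off) => DECRYPT[algo](buf[base + off], key[off % keyLen]);
    if (dec(0) !== 0x4d || dec(1) !== 0x5a) continue;               // "MZ"
    const lfanew = (dec(E_LFANEW_OFF) | (dec(E_LFANEW_OFF + 1) << 8) |
      (dec(E_LFANEW_OFF + 2) << 16) | (dec(E_LFANEW_OFF + 3) << 24)) >>> 0;
    // Signature, COFF header and the Optional Header magic must all fit.
    if (lfanew < DOS_HEADER_SIZE || lfanew > MAX_LFANEW ||
        base + lfanew + 0x1a > buf.length) continue;
    if (dec(lfanew) !== 0x50 || dec(lfanew + 1) !== 0x45 ||
        dec(lfanew + 2) !== 0 || dec(lfanew + 3) !== 0) continue;   // "PE\0\0"
    const numberOfSections = dec(lfanew + 6) | (dec(lfanew + 7) << 8);
    if (numberOfSections < 1 || numberOfSections > MAX_SECTIONS) continue;
    const magic = dec(lfanew + 0x18) | (dec(lfanew + 0x19) << 8);
    if (magic !== 0x10b && magic !== 0x20b) continue;
    return { offset: base, keyLength: keyLen, key: Array.from(key), algo };
  }
  return null;
}

// Slide over the buffer, shortest period first; the first hit wins.
function scanForEncryptedPe(buf) {
  for (let base = 0; base + DOS_HEADER_SIZE <= buf.length; base++) {
    for (let keyLen = 1; keyLen <= MAX_KEY_LEN; keyLen++) {
      const hit = tryCandidate(buf, base, keyLen);
      if (hit) return hit;
    }
  }
  return null;
}

// ---- constructed sample data, not taken from any real binary -------------
function buildMinimalPeHeader() {
  const h = new Uint8Array(0x60);
  h[0] = 0x4d; h[1] = 0x5a;         // "MZ"
  h[0x3c] = 0x40;                   // e_lfanew: PE header right after the DOS header
  h[0x40] = 0x50; h[0x41] = 0x45;   // "PE\0\0"
  h[0x44] = 0x4c; h[0x45] = 0x01;   // Machine = I386
  h[0x46] = 0x03;                   // NumberOfSections
  h[0x54] = 0xe0;                   // SizeOfOptionalHeader
  h[0x56] = 0x02; h[0x57] = 0x01;   // Characteristics
  h[0x58] = 0x0b; h[0x59] = 0x01;   // Optional Header magic: PE32
  return h;
}

const ENCRYPT = {
  'XOR':     (p, k) => p ^ k,
  'ADD-SUB': (p, k) => (p + k) & 0xff,
  'SUB-REV': (p, k) => (k - p) & 0xff,
};

function encrypt(plain, key, algo) {
  return Uint8Array.from(plain, (p, i) => ENCRYPT[algo](p, key[i % key.length]));
}

// Place the payload behind `prefixLen` zero bytes of filler.
function embed(prefixLen, payload) {
  const out = new Uint8Array(prefixLen + payload.length);
  out.set(payload, prefixLen);
  return out;
}

const XOR_KEY = [0x91, 0xc3, 0x2a, 0x77, 0x5e, 0xb0, 0x13];
const sample = embed(100, encrypt(buildMinimalPeHeader(), XOR_KEY, 'XOR'));
console.log(scanForEncryptedPe(sample));
// -> { offset: 100, keyLength: 7, key: [145, 195, 42, 119, 94, 176, 19], algo: 'XOR' }
```

Trying the shortest period first keeps a 7-byte key from being reported as a 14-byte one, and the e_res2 consistency check throws out wrong periods before any header byte is decoded, which is what makes the per-offset cost constant. An unencrypted PE comes back as the degenerate one-byte zero XOR key, so a caller that only wants encrypted payloads should filter that case out.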
Update PE heuristic database to improve detection coverage and correct signatures: add "NSS_Init" to Firefox-related fingerprints; include alternate WindowsLive/\My Received Files path variant; broaden Paltalk registry keys to include uppercase SOFTWARE and HKCU variants; add NoIP (Vitalwerks DUC) registry keys; include "Ftplist.txt" for FTP Commander detection; and clarify the generic entry comment to reduce false positives. These changes refine string matches and widen coverage for legitimate variations of targeted applications.
Update PE heuristic database to broaden credential and artifact detection: add alternate key filenames (\keys3.db, \keys4.db), include additional Outlook profile GUIDs, and add Microsoft Edge user-data path. Expand IMVU name variants for case-insensitive matching and add extra password token variants (including spaced and uppercase forms) to improve credential string matching.
Extend the detect() logic to also check for xessGetVersion and xessDestroyContext via PE.isFunctionPresent so the Intel XeSS library is detected even when the lib name isn't found. Preserve the export-symbol regex fallback that sets sOptions to "static" only when matching xess export functions are present. This makes detection more reliable and reduces false positives for static-only classification.
Add libeay32 and ssleay32 to the OpenSSL detection regex in db/PE/library_OpenSSL.4.sg so the PE scanner also recognizes legacy Windows OpenSSL library names (libeay32/ssleay32) in addition to libssl/libcrypto.
Add new detection rule (db/PE/library_Nvidia_GeForce_NOW_SDK.4.sg) to identify the NVIDIA GeForce NOW SDK. The rule checks for presence of GfnRuntimeSdk.dll or exported functions matching /^gfn(?:Free|Get|Register|Start|Stop)/, sets the "static" option for EAT-based detections, and returns the detection result. File includes author/contact metadata.
Tighten the "protector" detection regex in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to avoid false positives. The updated pattern adds anchors and exclusions to skip Unity symbols like `_guard_c`/`_guard_d` and avoid matching Chromium's exact "prot" token, and includes an inline comment explaining the exceptions.
Add db/PE/library_Brotli.4.sg to detect the Google Brotli library in PE files. The rule checks for library names matching brotlidec/brotlienc and for exported functions starting with BrotliDecoder or BrotliEncoder; when only exports are present it sets sOptions to "static". File includes author/contact metadata.
Add two new string indicators ('GrabFiles', 'StealFiles') to the signsToCheck array in the PE generic heuristic analysis script to improve detection of file-exfiltration/stealer behaviors. Also adjust formatting of the array entries for clarity.
Refine DLSS detection regex to match '.dlss' followed by either a dot or underscore (changed from '.dlss(.|_)' to '.dlss[._]') for simpler, equivalent matching. Add new detection rule db/PE/library_Nvidia_NTC.4.sg to detect Nvidia NTC (matches 'libntc') and return the detection result.
Expand and correct heuristic detection patterns across multiple app rules. Fix ProtonVPN string, add OpenVPN profile/ovpn matches, include NordApp, FileZilla.log and extra Ethereum/Electrum/Bitcoin/Bytecoin path variations. Add new rules for Yahoo/YahooMessenger, Kazaa, Digsby, PuTTY, Microsoft Office registry keys, and VimeWorld Minecraft entries. Enhance Discord, DashCore and Chromium signatures and extend the generic block with RDP, password patterns, credit-card/ID regexes and Active Setup keys to improve coverage and reduce false negatives.
Extend heuristic signatures and simplify detection logic:
- Add more Steam config path variants and FlashFXP v4 / ProgramData quick.dat paths.
- Reorder/remove duplicate registry entries (Rockstar GTA IV entry moved/cleaned).
- Add additional detection strings (DisableTaskMgr, DisableRegistry, keyscrambler) to the generic string list.
- Replace a long chain of PE.isNetObjectPresent(...) checks with a consolidated signsToCheck array and loop, adding more variants (KeyLogger/ClipLogger/GrabPasswords/ScanWallets/etc.) and breaking on first match to reduce duplication and improve maintainability.
Rename several entries under db/MSDOS to include a category prefix (compiler_, extender_, immunizer_, installer_, loader_, protector_) for clearer organization. Affected files include Fitted_Modula-2.4, Lahey_Fortran.4, Lattice_C.4, PDC_Prolog.4, EMMXXXX0_check.0a, GameWizard_DOS_Extender.0a, File_Shield.1, GamBit_Pro_Library.1, DOS32_loader.0a, and Eliashim's_CodeTrack.1. This improves discoverability and groups records by type.
Expand and refine PE heuristic checks: add Firefox artifacts (mozsqlite3.dll, encryptedPassword) to improve Firefox profile/password detection; normalize Yahoo name casing and add Yahoo Messenger profile/archive paths; add MSN "\My Received Files\" string and new Skype and Paltalk heuristics (Skype folder checks, Paltalk registry/software keys); include Opera wand.dat locations to catch older Opera profile files. These changes broaden detection coverage for various browsers and instant-messaging clients.
Update PE heuristic database to include additional names/aliases for wallet detections. Added "ElectrumRule", "AtomicRule", and "ArmoryRule" to the respective name arrays to provide consistent rule identifiers and improve matching/lookup for Electrum, AtomicWallet, and Armory entries.
Update PE heuristic signatures to improve detection coverage: add a duplicated "Mozilla Firefox\\" variant and "moz_logins" to Firefox-related string checks, and introduce multiple cryptocurrency address regexes (Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Ripple, Tron, etc.) to the malicious-string list. These changes expand browser artifact detection and enable spotting embedded wallet addresses in analyzed binaries.
Update PE heuristic DB to improve detection coverage:
- Add Yahoo registry key "Software\\Yahoo\\pager" to Yahoo signature.
- Include "pstorec.dll" in credential-related signatures.
- Reorder MSN-related strings and add IMVU detection entries for HKEY_CURRENT_USER\\Software\\IMVU\\username/password.
- Normalize and reorder Steam entries by adding "SOFTWARE\\Valve\\Steam" and adjusting config/blob path entries.
These changes broaden heuristic matches for various IM clients and Steam registry variants and include an additional DLL used in credential storage.
Update PE heuristic signature entries: consolidate ProtonVPN string literals onto a single line, add alternate path variants for FlashFXP and Pidgin (without leading backslash/escape), and include an additional "FTP Commander" identifier for the FTPCommander entry. These minor formatting and signature expansions improve detection coverage for varied path/registry representations.
Update PE heuristic database to improve detection coverage and consistency. Adds additional VM identifier variants (VMware/VirtualBox) and normalizes several string lists by including variants with and without leading backslashes. Expanded detections for Telegram, credential stores, multiple VPN clients (PiaVPN, ExpressVPN), various cryptocurrency wallets (Monero, Litecoin, Exodus, Electrum, Bytecoin, Bitcoin Core, AtomicWallet), Yahoo Messenger, and Steam (added Steampath and several config/login vdf patterns). These changes increase match robustness across different path formats and naming variations.
Restructure the RAT detection condition (adjusted parentheses/grouping) and remove the surrounding verdicts.length===0 guards so signature/group checks are evaluated consistently. Move the signGroupsToCheck definition out of the conditional and update/extend signature groups (add Guarda, Coinomi, IE78 and other string/name refinements) and minor formatting improvements.
Update generic heuristic rules: add ProtonVPNRule and ExodusRule to name lists; include FileZilla sitemanager.xml; extend Firefox signatures with Gecko and nss3.dll/softokn3.dll; add Chrome LocalPrefs.json; include HKLM Steam registry path and reorder Steam entries; move cryptowallet extension IDs into a separate generic signature object. Minor formatting and ordering tweaks for readability.
Add an early break when detectedRiskScoreCounter reaches 9 to prevent further counting, and reduce the per-item risk increment by changing the scaling factor from (35/3) to (35/6). This halves the incremental score growth for items beyond the threshold, limiting overly aggressive risk estimates in the PE heuristic scan.
Update heuristic detection groups and scoring logic: add new signature names (GetMSN, GetChrome, GetOpera) and additional search strings ("WindowsLive:name=*", "outpost"). Remove short-circuiting in the string/name loops so all group entries are evaluated. Lower the detection threshold from 4 to 3 and replace the static "Z-Engine_alpha" detail with a computed "RiskScore" percentage. Move the signGroupsToCheck cleanup to after verdict determination. These changes increase sensitivity and provide a dynamic risk score while keeping the dictionary release at the end of processing.
Update PE heuristic signatures and scanning logic in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. Add extra Zcash signature entries and consolidate several string arrays (minor reordering/formatting of wallet, VPN, Outlook and Minecraft markers); remove the "taskmgr" token from the generic list. Change the two inner loops to short-circuit on detection (add && !isElementFromGroupDetected) instead of using break statements for clarity/efficiency. Raise the detected risk score threshold for a Stealer verdict from 3 to 4 to reduce false positives.
Reflowed and consolidated string array entries in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg for readability and line-length consistency. Added additional application name variants (e.g. CoreFtp, FlashFxp and other casing variants) and introduced the generic token "DisableCMD" to broaden heuristic detection. These are mostly formatting and minor detection-expansion changes; no algorithmic logic was altered.
Add additional VM-related unicode checks and an extra malicious indicator. The update expands anti-VM heuristics with "VirtualBox Graphics Adapters" and "VMWARE svga 2" (and reorders inclusion of "vmware"), and adds "*.txt" to the list of strings checked in scanForMaliciousCode_NET_and_Native to broaden detection coverage.
Reflowed and reorganized long string literal arrays in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve readability and line-wrapping. This is a formatting-only change; no heuristic logic or string content was altered.
Update PE heuristic DB: add Proxifier detection entry (names 'Proxifier', 'proxifier' with profile path '\Roaming\Proxifier\Profiles\Default.ppx' and 'Default.ppx') in scanForMaliciousCode_NET_and_Native(), and add 'card_number_encrypted' to the Chrome credit-card artifact strings to catch additional stored card indicators.
Update db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to broaden heuristic detections: expand OpenVPN name variants; add PIA (pia_manager) detection; add ExpressVPN detection; reintroduce NordVPN with additional casing and an executable pattern; add MetaMask wallet detection strings. These changes improve coverage for common name variants and additional wallet/VPN artifacts.
Update db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: extend the array used by scanForMaliciousCode_NET_and_Native with a large list of known cryptowallet extension IDs and a comment marking them. This change ensures the heuristic routine recognizes these extension IDs (reducing false positives or enabling targeted handling) when analyzing PE samples.
Rename and clarify variables used for signature/group detection (groups -> signGroupsToCheck, detectedCounter -> detectedRiskScoreCounter, found -> isElementFromGroupDetected) and update loop variable names for readability. Add several new heuristics/patterns (additional Jaxx, Exodus, Firefox, Yahoo, Discord entries and API v7) and normalize string arrays formatting; insert a cleanup assignment (signGroupsToCheck = undefined) after use. Functionality preserved: increments detection counter per matched group and triggers the existing Stealer verdict when >= 3 matches.
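The group-counting shape that the signGroupsToCheck / detectedRiskScoreCounter commits above describe (the consolidated array-and-loop from the isNetObjectPresent replacement, the per-group short-circuit, the verdict threshold and the capped counter), run over a constructed string table as an added JavaScript example. This is not the code from the .sg file: the groups are a small subset built from strings named on this page, the string table is made up, and the percentage scale at the end is this example's own rather than the expression in the script.

```javascript
'use strict';
// Added example, not DIE's own code: the signGroupsToCheck /
// detectedRiskScoreCounter loop shape from the commit messages above, run over
// a constructed string table. Groups are a subset built from strings named on
// this page; the percentage scale is this example's own.

const STEALER_THRESHOLD = 4;    // matched groups needed for the verdict
const MAX_COUNTED_GROUPS = 9;   // counting stops here

// One group per targeted application or artifact family. Several strings in
// the same group count once; that is what keeps the counter honest.
const signGroupsToCheck = [
  { name: 'Firefox',      strings: ['moz_logins', 'nss3.dll', 'softokn3.dll', 'signons.sqlite'] },
  { name: 'Chrome',       strings: ['LocalPrefs.json', 'card_number_encrypted'] },
  { name: 'Steam',        strings: ['SOFTWARE\\Valve\\Steam', 'Steampath'] },
  { name: 'FileZilla',    strings: ['sitemanager.xml', 'recentservers.xml', 'FileZilla.log'] },
  { name: 'Proxifier',    strings: ['\\Roaming\\Proxifier\\Profiles\\Default.ppx', 'Default.ppx'] },
  { name: 'FTPCommander', strings: ['FTP Commander', 'Ftplist.txt'] },
  { name: 'Yahoo',        strings: ['Software\\Yahoo\\pager'] },
];

// True as soon as one string of the group is present: the inner loop stops on
// the first match, the outer loop never does, so every group is evaluated.
function isGroupPresent(strings, group) {
  let isElementFromGroupDetected = false;
  for (let i = 0; i < group.strings.length && !isElementFromGroupDetected; i++) {
    isElementFromGroupDetected = strings.some((s) => s.indexOf(group.strings[i]) !== -1);
  }
  return isElementFromGroupDetected;
}

function scanForStealerArtifacts(strings) {
  const matched = [];
  let detectedRiskScoreCounter = 0;
  for (const group of signGroupsToCheck) {
    if (detectedRiskScoreCounter >= MAX_COUNTED_GROUPS) break;
    if (isGroupPresent(strings, group)) {
      matched.push(group.name);
      detectedRiskScoreCounter++;
    }
  }
  // Illustrative scale only: 70 at the threshold, 35/6 per extra group,
  // clamped to 100. The expression in the .sg file is not reproduced here.
  const percentageOfRiskScore = detectedRiskScoreCounter < STEALER_THRESHOLD ? 0
    : Math.min(100, Math.round(70 + (detectedRiskScoreCounter - STEALER_THRESHOLD) * 35 / 6));
  return {
    verdict: detectedRiskScoreCounter >= STEALER_THRESHOLD ? 'Stealer' : null,
    detectedRiskScoreCounter, matched, percentageOfRiskScore,
  };
}

// Constructed string tables, as a strings(1)-style dump would give them.
const suspiciousStrings = [
  'kernel32.dll', 'GetProcAddress', 'SELECT * FROM moz_logins',
  'SOFTWARE\\Valve\\Steam', '\\FileZilla\\sitemanager.xml',
  '\\Roaming\\Proxifier\\Profiles\\Default.ppx', 'Ftplist.txt', 'Software\\Yahoo\\pager',
];
const benignStrings = ['kernel32.dll', 'GetProcAddress', 'nss3.dll'];
console.log(scanForStealerArtifacts(suspiciousStrings));
// -> verdict 'Stealer', detectedRiskScoreCounter 6, percentageOfRiskScore 82
console.log(scanForStealerArtifacts(benignStrings).verdict);   // -> null
```

The benign table still matches the Firefox group through nss3.dll, which is exactly why a single group never produces a verdict: one NSS import is normal, a Firefox login query next to Steam, FileZilla, Proxifier, FTP Commander and Yahoo artifacts is not.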
Expand and refine heuristic signatures used by the PE scanner: add "Telegram Desktop" to Telegram checks; include "StoredPassword" for ICQRecover; add jDownloader database config SQL pattern; extend Minecraft detection and add Roblox registry token lookup; and significantly enlarge the generic blacklist with antivirus/vt domains, numerous GUIDs and common computer/user names to improve detection coverage and reduce false negatives.
Update db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: include "CMSNMessengerPasswords" in the names array alongside "MSN" and "getMSN75Passwords". This expands the heuristic's alias coverage so signatures using the CMSNMessengerPasswords identifier will match the existing MSN Messenger password extraction strings; no other logic was changed.
Add a second ELF entry-point signature to detect Movfuscator v2 by OR-ing a new pattern with the existing one. The change sets sVersion to "v2" and ensures bDetected is flagged for the new signature, improving detection coverage in db/ELF/compiler_movfuscator.4.sg.
Modify PE heuristic scanner: add additional Firefox SQLite queries (moz_disabledHosts and moz_places) alongside moz_logins, and introduce new detection string sets for RuneScape (RSBot_Accounts.ini) and ICQRecover (\ICQ, \Owner.mdb). These extend the generic heuristic analysis to catch more credential/storage artifacts.
Update PE heuristic database to broaden application and credential-stealing detections. Add/normalize strings and name variants for ProtonVPN, FileZilla, Firefox (extra DLLs, profiles, SQL queries), Discord API v6 endpoint, Bitcoin wallet paths, Steam registry keys, Trillian, CoreFTP, LastPass, Pidgin, FTPCommander, and SmartFTP case variants. Insert a generic GUID indicator and restore some path variants (e.g., recentservers.xml). Extend .NET object presence checks to include KeyLogger/keylogger and Cliplogger to improve detection of key/clipboard loggers.
Include Firefox profile DB names (moz_places, moz_cookies, moz_bookmarks) in the heuristic signatures and add a generic 'Cookies' path for Opera entries in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of browser-stored data (history, cookies, bookmarks).
Update PE heuristic rules in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: remove TGrabber and DGrabber from the Telegram/Discord name groups, add additional network-object presence checks (GrabPasswords, GetCookies, TGrabber, DGrabber) to improve stealer detection, and reflow a GameKeys strings line for readability. These changes broaden detection coverage and tidy up name lists.
Add additional detection strings for Firefox (profiles, mozglue, signons.sqlite and certificate OID hex patterns) and add patterns for Yahoo Messenger paths. Expand the GameKeys heuristic by adding multiple alias names and many registry key patterns and common key-related tokens (CDKey, ProductKey, Serial, RegistrationCode, etc.) to improve coverage for license/key-stealer and license-related artifact detection.
Fix Internet Explorer name entries (corrected CIE7Passwords), add Chrome Web Data path to improve credential detection, and add new heuristics for FlashFXP (quick.dat) and SmartFTP (Quick Connect favorites). Also add "EnableLUA" to generic strings to catch additional system settings. These changes expand coverage for common browsers and FTP clients in the heuristic scanner.
Update PE heuristic patterns to improve detection coverage: add a new alias "CIEPasswords" to the Internet Explorer/IE7 heuristic and include the GUID "{5E7E8100-9138-11D1-945A-00C04FC308FF}" in its string list. Also add a small generic heuristic that looks for the string "taskmgr". Changes applied in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg within scanForMaliciousCode_NET_and_Native.
Enhance PE heuristic signatures in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: add additional Electrum path patterns (electrum_data and variants) to improve detection, include a generic "wallet.dat" entry for BitcoinCore signatures to catch more wallet files, and remove a duplicate Steam config entry (\config\SteamAppData.vdf) from the Steam strings.
Update PE generic heuristic scan to add more credential indicators and Firefox-related strings. The Creds list is expanded with numerous payment/card name variants (e.g. Amex Card, BCGlobal, Mastercard, Visa Card, Express Card, etc.) to improve detection of stored payment data. A new FireFox/Firefox/firefox block was added with strings "\\mozglue.dll" and "\\Firefox\\Profiles\\" to help identify Firefox installations and profiles.
Extend scanForMaliciousCode_NET_and_Native with a large set of application/group indicators (wallets, browsers, VPNs, messengers, steam, game keys, etc.) and check both Net UStrings and NetObjects. Count matched groups and emit a "Stealer" verdict with details "Z-Engine_alpha" when >=3 groups are detected; otherwise fall back to existing NetObject checks to produce a generic "Stealer" verdict. This replaces/relocates the previous simpler NetObject-only check and centralizes heuristics for broader, multi-indicator detection.
Add a guard in getAsmOpCode to check for a falsy instruction before calling indexOf/split. This prevents runtime errors when instruction is null/undefined and preserves the existing behavior for valid instruction strings (returning the opcode or the original string).
Add a new entry for XerinFuscator (version 8.X.X) with the ".xerin" extension to the PE heuristic scanner list in scanForPackersAndCryptors_NET_and_Native. This complements the existing ".Xerin" entry to ensure detection of the lowercase extension variant.
Centralize version extraction into a new getVersion() helper and simplify detection branches. The change replaces per-branch section scanning with a single function that searches all sections for the "XerinFuscator v" marker, cleans the string and extracts the version via regex. Detection now sets bDetected when a version is found and supports both "Xerin.Runtime" and "XerinFuscator" object presence, reducing duplicated code and improving robustness.
Improve detection for XerinFuscator by adding a .NET library entry ("Xerin.Runtime") and registering the ".Xerin" packer signature (with reference URL). Remove the duplicate ".Xerin" entry and add a protector metadata file that includes the official XerinFuscator site. These changes enhance heuristic coverage for identifying XerinFuscator-protected samples.
Only append the "no init" option when no init function is detected and the PE is not a DLL. This prevents falsely marking DLLs (which may legitimately lack a normal init entry) as "no init" in the detect() logic in db/PE/compiler_tcc.6.sg.
Extend the Imminent Monitor RAT heuristic in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: allow a detection when the .NET unicode string 'nAvgBytesPerSec: ' is present in addition to the existing LZLoader+Injector object check. This increases coverage for samples that expose the characteristic string but may not have both .NET objects.
Add a heuristic to the PE generic analysis to identify RevengeRAT (v0.3) when a .NET assembly or module name is "Nuclear Explosion" or "Nuclear Explosion.exe". This pushes a verdict with type "RevengeRAT" and empty details. Referenced Malpedia indicator.
Clean up and simplify Makeself detector: combine variable declarations and perform an early size check; replace Binary.isSignaturePresent with Binary.compare and short-circuit when too small; reformat regex matching for readability; remove the separate bHasBinary flag and use bDetected directly with an early-exit loop when scanning the trailer. Overall this streamlines the code and reduces temporary state used during binary-presence checks.
Add an additional EP signature to the v1.00 detection (OR in PE.compareEP for "60FCB9...F3A4"). Remove a redundant PE.compare fallback ("'BeRo'******!PE") and keep the primary signature check. Add a new check for the special header pattern ("52c3'BeRo^fr!PE'") that sets sOptions to "Special PE Header". Ensure bDetected remains driven by sVersion or sOptions.
Add an additional PE.compare check in detect() to match the signature "'BeRo'******!PE" at offset 4 (ORed with the existing check). This broadens detection for BeRoEXEPacker-packed PE files and sets bDetected when matched without altering existing checks.
Introduce a new heuristic in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to detect the Echelon Stealer. The check adds a verdict when the module name is "Echelon.exe", a .NET object "TGrabber" is present, or the embedded string "\n📂 FileGrabber: " is found. A reference to the archived repository is included as a comment.
Use File.cleanString on ProductVersion and ProductName in db/PE/protector_HASP.2.sg detect() to normalize and strip unwanted characters (e.g. whitespace/control chars) before detection. This makes string comparisons more robust and improves detection reliability without changing detection logic.
Extend the Orcus RAT heuristic in the PE generic analysis to also check for the .NET user string ".orcusInstallation". Previously the detection relied on the module name "Orcus.exe" or the presence of the "Orcus.Connections" .NET object; this change adds PE.isNetUStringPresent(".orcusInstallation") to catch variants that embed an installation marker before pushing the Orcus verdict.
Add heuristic entries to db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to detect Ramnit and Parite infections: a ".rmnet" section name for Ramnit and a regex (\.[a-z]{3}[\u0006\u0007\u0009]$) for Parite. Also adjust whitespace/comment alignment for the Themida 3.XX entry. These changes improve PE section-name based detection and clean up formatting.
Apply whitespace/formatting and minor readability edits to db/Binary/media_ASF_WMA_WMV.1.sg (reflow const block, spacing, and comment placement) without changing detection behavior. In db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg replace pariteSubFound boolean with a pariteState numeric state machine (0/1/2) and adjust the detection flow to require a PUSH/XOR -> SUB -> JNE sequence; simplify logic by removing the previous target disasm check and adding explicit state resets (including on JNE/JMP). This clarifies intent and tightens the Parite heuristic control flow.
Add new rule db/PE/library_ImGui.4.sg to detect the ImGui library in PE files. The rule marks a match if the library name contains "imgui" or if exported functions start with "ImGui" (sets sOptions to "static" for EAT). Includes author/contact metadata.
Microsoft Advanced Systems Format container added (known to laymen as WMA/WMV because nothing else took off), info-ed & ripper-ready.
Duration reporting is off, which is weird
Introduce a new PE linker signature check to recognize the Valve Linker. Adds a PE.compare for "**010000'VLV'0001'" at offset 0x3c, sets sName to "Valve Linker" and marks bDetected = true; placed before the Turbo Linker case.
Introduce a local rdataSection variable and use rdataSection.FileOffset and rdataSection.FileSize when calling PE.isSignaturePresent. This replaces the previous use of PE.section[0].FileOffset and PE.getSize() - PE.getOverlaySize(), restricting signature scanning to the .rdata section and improving detection accuracy (avoids scanning overlays or incorrect sections).
Extend the Helios entry in the PE heuristic database to include the .htext extension alongside .helios, improving detection of files produced by the Helios protection service.
Add a Detect It Easy (DIE) detection rule for the Astral-PE tool. The rule matches PE files with an empty first section name, no Rich signature, zero TimeDateStamp and CheckSum, zero linker versions, and an exported library path pattern (indicating IAT mutation). When matched, it sets sOptions to "IAT mutation".
Register Helios in the PE heuristic list used by scanForPackersAndCryptors_NET_and_Native. Adds an entry to detect the .helios extension (Helios protection/online service) with a reference link.
Rename and reorganize multiple MSDOS rule files into categorized names (compiler_*, converter_*, debug_data_*, protector_*). Add sLang="C" to Aztec C detection, adjust Borland TDS meta key to "debug data" and tweak its description. Improve PE generic heuristic whitelist with many new/expanded regexes for dates, versions, GUIDs/hashes, naming conventions, platform identifiers and product/package tokens. Update author/attribution comments for several PE cryptor/compiler rules to DosX, and fix detection logic in Duals eXe Encryptor by marking bDetected earlier. Miscellaneous formatting and comment cleanups.
Add several regex whitelist entries in isTokenObfuscated to reduce false positives: braced GUIDs, compact ISO 8601 datetime stamps, .NET PublicKeyToken fields, and multi-component OID strings. This updates db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to better recognize common legitimate tokens.
Refine PE generic heuristic whitelist to reduce false positives and cover more real-world versioning/token patterns: extend numeric timestamp/changelist length, add runtime/tool version and .NET TFM regexes, adjust PascalCase/camelCase/snake_case rules, broaden library/version, SemVer and curve patterns, and update related comments. Also tweak various suffix and identifier patterns for better coverage of product/component names. In compiler_IBM_VisualAge_PL_I.6.sg set sLang = "PL/I" (add language identifier) and terminate file with a newline.
Introduce a case-insensitive regex to isTokenObfuscated to match delimiter-separated word identifiers (e.g. dotnet-sdk-9.0.202-w, libssl-3.0.9-dev, api-2.1, bin-debug). This complements existing version/assembly and suffix patterns to reduce false positives for product names, filenames and package IDs by allowing letter groups separated by '-', '_' or '.' with optional numeric segments.
Move the iteration over systemFileNamesDict inside the check for PE_Cached.isDotNet / rich-signature absence and packer/protector results. This avoids running the loop when there are no packer/protector signatures (or when the .NET/rich-signature condition isn't met), reducing unnecessary iterations and improving clarity. The behavior remains the same: isFakeOrInfected is set only when compareOriginalAndInternalNames matches and packer/protector results are present.
Replace magic numeric literals in the log() function with logType enum constants for clarity and consistency (use logType.warning and logType.nothing instead of -2 and 0). Also update the switch case from logType.dotNet to logType.net to match enum naming.
Replace numeric case labels (-2, -1, 1, 2) with descriptive logType constants (warning, about, any, dotNet) in the log() switch to remove magic numbers and improve readability and maintainability. No functional change intended.
Add a check for PE.isSectionNamePresentExp(/\.CRT(?:\$[A-Z]{3})?$/i) in the language heuristic branch that sets the language to C/C++. This treats CRT-related sections (e.g. .CRT, .CRT$XYZ) as indicators of MSVC C/C++ runtime usage, improving detection when api-ms-win-crt or .msvcjmc are present.
Improve IL2CPP detection by introducing an isIl2cpp flag and a regex check for .rtc sections (PE.isSectionNamePresentExp(/^\.rtc\$[IT](?:AA|ZZ)$/)). Collapse and reorder the section-name checks into a smaller array and defer setting the compiler/lang result until after detection completes. This makes the detection flow clearer and handles .rtc variants more reliably.
Mark the PE entry point as incorrect when the first disassembled instruction is a DB byte directive. This adds a check for /^DB / against PE_Cached.firstEpAsmInstruction to catch cases where the EP is damaged or points to the wrong location. Also trims an extra blank line near the isVbNetStandardLibraryPresent comment.
Add execArgv: [] when creating the Worker and introduce a 'settled' flag with a once() helper to ensure 'message', 'error', and 'exit' handlers only act once. This prevents multiple resolve/stat updates if the worker emits multiple events (avoiding duplicate stats increments, repeated resolves, and noisy error handling). Keeps existing resourceLimits and preserves logging for failures.
Insert external reference comments into two PE protection rule files: a Wikipedia link for Microsoft Warbird in db/PE/protection_Microsoft_Warbird.2.sg and a Freedownloadmanager page for Softlocx in db/PE/protection_Softlocx.1.sg. These are non-functional comment additions to provide source/context for the detections.
Expand the heuristic whitelist in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to reduce false positives when detecting obfuscated tokens. The change augments the existing build/CI keyword regex with additional channel/release terms (nightly, canary, stable, preview, insider, hotfix, snapshot, release, update, patch, master, develop) and adds several new regex patterns to recognize common versioning and naming schemes: ECC curve identifiers, semantic versions (with pre-release/build metadata), library version tokens (underscore/dot-separated), long-name+date suffixes, uppercase acronym+revision patterns, module names with embedded dot-versions, and common product suffixes like installer/launcher/updater. These additions improve detection accuracy for legitimate versioned/module names that previously looked like obfuscated tokens.
Update the whitelist date/year regex to accept a wider variety of date formats (years, ranges, DD.MM.YYYY, YYYY-MM-DD, etc.) and optional trailing comma/period to reduce false positives when detecting obfuscated tokens. Add clearer example comments to document accepted forms. Also make a minor formatting tweak to the opcode byte-string comment alignment in the EP comparison for readability.
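The whitelist commits above (GUIDs, compact ISO 8601 stamps, PublicKeyToken fields, OIDs, SemVer, date forms, curve identifiers, release-channel words, delimiter-separated identifiers) all serve one purpose: a token that matches a known legitimate shape must never be scored as obfuscated, however "random" it looks byte-wise. The block below is an added example of that two-stage check, written here for illustration; the regexes are my own reconstruction from the descriptions, not the ones in __GenericHeuristicAnalysis_By_DosX.7.sg, and the shape tests in isTokenObfuscated (class transitions, vowel-free runs, case flicker) are assumed rather than taken from the rule.

```javascript
// Added example (reconstruction, not the DIE rule's own regexes): whitelist of
// legitimate token shapes consulted before a token is declared obfuscated.
const TOKEN_WHITELIST = [
  /^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$/i,   // GUID, braced or bare
  /^\d{8}T\d{6}Z?$/,                                                          // compact ISO 8601: 20240131T235959Z
  /^PublicKeyToken=[0-9a-f]{16}$/i,                                           // .NET strong-name token
  /^\d+(?:\.\d+){2,}$/,                                                       // multi-component OID: 1.3.6.1.5.5.7.3.1
  /^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/,              // SemVer with pre-release/build metadata
  /^(?:19|20)\d{2}(?:[-/.](?:0[1-9]|1[0-2])[-/.](?:0[1-9]|[12]\d|3[01]))?[,.]?$/, // 2024, 2024-01-31, 2024.01.31,
  /^(?:0[1-9]|[12]\d|3[01])\.(?:0[1-9]|1[0-2])\.(?:19|20)\d{2}[,.]?$/,        // DD.MM.YYYY
  /^(?:19|20)\d{2}-(?:19|20)\d{2}$/,                                          // year range: 2019-2024
  /^(?:secp|prime|brainpoolP)\d{3}[a-z]\d$/i,                                 // ECC curve ids: secp256k1, prime256v1
  /^(?:nightly|canary|stable|preview|insider|hotfix|snapshot|release|update|patch|master|develop)$/i,
  /^[a-z]+(?:[-_.][a-z]+)*(?:[-_.]\d+(?:\.\d+)*)*(?:[-_.][a-z]+)*$/i,        // dotnet-sdk-9.0.202-w, libssl-3.0.9-dev, api-2.1
];

function isWhitelisted(token) {
  return TOKEN_WHITELIST.some((re) => re.test(token));
}

// Number of letter/digit/other class switches along the token ("a1b2" has 3).
function classTransitions(token) {
  let transitions = 0;
  let prev = null;
  for (const ch of token) {
    const cls = /[0-9]/.test(ch) ? 'd' : /[A-Za-z]/.test(ch) ? 'l' : 'o';
    if (prev !== null && cls !== prev) transitions += 1;
    prev = cls;
  }
  return transitions;
}

// Whitelist first, then cheap shape tests (assumed heuristics, not DIE's).
function isTokenObfuscated(token) {
  if (token.length < 8 || isWhitelisted(token)) return false;
  if (classTransitions(token) >= 4) return true;        // a1b2c3d4, xQz9wKp3Ty
  if (/^[^aeiou0-9]{8,}$/i.test(token)) return true;    // long vowel-free run: xqzwkptv
  if (/(?:[a-z][A-Z]){3,}/.test(token)) return true;    // aBcDeFgH case flicker
  return false;
}
```

The value of the whitelist shows on a token like PublicKeyToken=b77a5c561934e089: it has nine class transitions and would be flagged by the shape test alone, but the strong-name regex rescues it first.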
Add a heuristic in scanForMaliciousCode_NET_and_Native that checks unmanaged resources for a resource named "BINRES" containing the signature bytes "4D 5A 90" (MZ header). If found and no prior verdicts exist, push an "Equation Group" verdict (empty version/details) and stop further checks. This adds a targeted detection for Equation Group artifacts.
Set this.Name to this.FileName in the Resource constructor. This exposes a Name property mirroring FileName (alongside existing FileSize/FileOffset aliases) to improve compatibility with callers that expect a Name field.
Introduce a new heuristic in __GenericHeuristicAnalysis_By_DosX to detect Olympic Destroyer: when there are unmanaged resources and no prior verdicts, compare the first resource at FileOffset against the signature "C1 7E 20 A2 DA F9 56 45 61 39 EB DB 51 9D A7 4F" and push a verdict object with type "Olympic Destroyer". Includes Malpedia reference and is placed before the existing win.bozok check.
Introduce a heuristic in GenericHeuristicAnalysis that appends a 'Slingshot APT' verdict when there are no prior verdicts and the PE.section['LineRecs'] field is present. Includes a reference comment to the Habr article and initializes version and details as empty strings.
Replace the capturing group with a non-capturing group in the Microsoft Fax library detection regex (FXS(?:API|TIFF|CLNTR)). This avoids creating an unnecessary capture while preserving the original matching behavior (case-insensitive match for FXSAPI, FXSTIFF, FXSCLNTR).
Rename db/ELF/packer_Virbox.2.sg to db/ELF/protector_Virbox.2.sg and update rule metadata from meta("packer", "Virbox") to meta("protector", "Virbox"). Also remove the now-unnecessary sVersion assignment for "Virbox Protector" after detection.
Replace the unnecessary alternation /^dplay(x|)/i with /^dplay/i in db/PE/library_DirectPlay.4.sg to simplify and clarify the library presence check. This keeps matching both 'dplay' and 'dplayx' while removing a redundant capture/alternation.
Add a heuristic in scanForObfuscations_Native to detect mutated import table entries (e.g. names prefixed with '././' or '.\\./') by checking for libraries matching /^\.[\\/]\.[\\/]/. When found, set an "IAT mutation" option so such import obfuscation is flagged.
Add an exclusion to the generic System.Net.Sockets heuristic so it won't trigger when njRatVersion is already detected, reducing false positives for NjRAT. Also set sVersion to "3.X" for a specific WiX Toolset installer entrypoint pattern to improve installer version detection.
Introduce a heuristic in scanForMaliciousCode_NET_and_Native to detect StormKitty RAT by looking for .NET Unicode strings. The new check adds a verdict when either "\nStormKitty v" is present or both "---" and "btc" are found, referencing Malpedia detection patterns. Version and details fields are left empty for now.
Enhance .NET malware heuristics in scanForMaliciousCode_NET_and_Native:
- Add dedicated NjRAT detection: introduce isNjRatDetected, njRatVersion and a Unicode separator pattern. Detect NjRAT via assembly names, specific strings (im523 -> version 0.7D Green Edition), njLogger, |PWD| and request-separator signatures.
- Avoid duplicate separator generation and reuse the new detection flag to push NjRAT verdicts with the discovered version.
- Guard several checks with verdicts.length === 0 to prevent further matching after a prior verdict (including the System.Net.Sockets import-based check).
- Tighten AsyncRAT detection: require Pastebin+Packet or Antivirus+Pong combinations instead of Pastebin alone.
- Add detection for a "Stealer" .NET object in the final object-check group.
Small refactor and consolidation to reduce duplicated logic and reduce false positives.
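The NjRAT and StormKitty checks above rely on .NET user strings, which the #US heap stores as UTF-16LE, so a signature for "|PWD|" is the little-endian code units, not the ASCII bytes, and the same five characters stored as ASCII must not match. The block below is an added example of that conversion and lookup, written here for illustration and not code from Detect-It-Easy; the heap blob is constructed, the verdict shape is assumed, and the mapping of "im523" to "0.7D Green Edition" follows the commit message above.

```javascript
// Added example, not DIE code: UTF-16LE hex signature for a .NET user string
// and a lookup over a constructed #US-like blob (Node Buffer, no imports).

// "|PWD|" -> "7C005000570044007C00"
function toUtf16LeSignature(str) {
  let hex = '';
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);                    // one UTF-16 code unit
    const lo = (unit & 0xff).toString(16).padStart(2, '0');
    const hi = ((unit >> 8) & 0xff).toString(16).padStart(2, '0');
    hex += lo + hi;                                    // little-endian byte order
  }
  return hex.toUpperCase();
}

function hasUnicodeString(buf, str) {
  return buf.indexOf(Buffer.from(toUtf16LeSignature(str), 'hex')) !== -1;
}

// Constructed stand-in for a #US heap: an ASCII decoy that spells the same
// markers, followed by the two real UTF-16LE strings.
function buildSampleHeap() {
  return Buffer.concat([
    Buffer.from('ascii decoy |PWD| im523', 'ascii'),
    Buffer.from('|PWD|', 'utf16le'),
    Buffer.from('im523', 'utf16le'),
  ]);
}

// Verdict shape assumed here: { detected, version }.
function njRatVerdict(buf) {
  const hasPwd = hasUnicodeString(buf, '|PWD|');
  const hasIm523 = hasUnicodeString(buf, 'im523');
  if (!hasPwd && !hasIm523) return { detected: false, version: '' };
  return { detected: true, version: hasIm523 ? '0.7D Green Edition' : '' };
}
```

Because every ASCII character becomes a byte followed by 0x00, the signature carries embedded NUL bytes; it has to be matched as bytes (or as a hex signature), never via an ASCII substring search.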
Extend the Denuvo detection pattern to also match "irdeto" so Irdeto-based protections are recognized. Also adjust the ASCII comment header line to include window control symbols (cosmetic change).
Update PE heuristic database: rename XVolkolak label to "XVolkolak (unpacked)" and add a new "Scylla (dumped)" entry (.SCY) to better distinguish unpackers vs dumpers/reconstructors. Also broaden the "a protector" heuristic by including the token "trial" to improve detection of protection-related markers.
Refactor: rename clearSectionName() to cleanSectionName() and update all call sites to use the new name. Also make small related fixes in the same changeset: 1) short-circuit the licensing-strings loop (add && !isInterestingStringsFound) instead of relying on break; 2) sanitize extracted PDB path with File.cleanName; 3) switch a section-name regex group to non-capturing. These changes improve naming clarity, tighten string-search logic, and sanitize output paths.
Replace the literal ASMG.DLL resource check with a regex that matches either ASMG.DLL or ASM_GUARD and remove the duplicate literal entry. This makes the heuristic more robust to different ASM Guard resource naming variants in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Add a guard in db/PE/packer_UPX.2.sg detect() so that "modified" is appended to sOptions only if sOptions is not already set. This prevents appending the flag to an existing options string and avoids producing duplicate or malformed option values during UPX detection.
Introduce BASE_GIT_URL in autotools/partner/CONFIG pointing to the Detect-It-Easy GitHub repo. This provides a configurable base repository URL for partner autotools/scripts that need to fetch or reference the Detect-It-Easy project.
Tighten the scanForPackersAndCryptors_NET_and_Native heuristic by adding a check that section[2] is not RWX while still validating it is readable or read+write. This reduces false positives when multiple sections had RWX characteristics.
Rename RIFF, U-Boot and shellcode rule files to a standardized naming scheme (format_RIFF.1.sg, format_U-Boot.1.sg, shellcode_pe_to_shellcode.1.sg), clear the executable bit on the renamed files, and apply code style/whitespace cleanup across the JS detection rules. Also tidy up db/Binary/ROM_1.sg (minor formatting changes and replace meta("ROM", "") with meta("ROM")). No substantive logic changes intended.
Rename several detection rule files to enforce a consistent naming scheme: Maxon_C++.4.sg -> compiler_Maxon_C++.4.sg, TNM/Time/Titanics_Cruncher.1.sg -> cruncher_*.1.sg, and players.1.sg -> player_players.1.sg. Also rename db/PE/linkers.6.sg -> _linkers.6.sg and change its mode from executable (100755) to non-executable (100644). File contents are unchanged (high similarity); these changes improve clarity and organization of the db directory.
Change detection logic in protection_obfusheader_h.5.sg to require .enigma1, .vmp0 and .xtls sections (and set bDetected = true) before appending the "fake signs" option — this avoids relying on a prior bDetected flag and reduces false positives. Also update protector_DNGuard.2.sg metadata to reflect a new author (DosX) and add contact links.
Add 'NecroVM.Runtime' to the .NET obfuscator signature list. Introduce heuristics to detect Qatar RAT (module 'QatarC.exe') and Cryptobytes/UXCryptor (checks for 'lc.exe' or assembly 'lc' and a specific .NET object signature). Reference links for both detections are included as comments.
Add Detect It Easy rule (db/PE/library_bzip2.4.sg) to detect bzip2 in PE files. The rule sets meta("library", "bzip2") and uses PE.isLibraryPresentExp(/(?:bzip|libbz)2/i) to mark detection; includes author/contact metadata.
Add a new PE detection rule at db/PE/library_prometheus-net.4.sg that marks files as detected when the .NET object "Prometheus.NetStandard" is present.
Add a Detect It Easy PE rule (db/PE/library_TimeZoneConverter.4.sg) to detect the TimeZoneConverter .NET library. The rule uses PE.isNetObjectPresent("TimeZoneConverter") to mark detection and includes author metadata.
Refactor Perl runtime detection: replace direct sLang assignments with a call to _setLang("Perl"), move the final sLang = "Perl" to the end of the function, and change the empty-string result argument to String(). Also reorder bDetected/sVersion assignment for clarity. These changes standardize language setting and ensure the result uses a String() placeholder.
Introduce a heuristic in PE generic analysis to detect Win32/Polip-like infections. The new logic (x86 only, non-64bit) checks for executables with multiple sections where the entry instruction is PUSH or CALL, then scans unnamed sections for RWX flags, excludes known sections (entry, resource, import, export, relocs, TLS), high entropy (>7.3) and a byte-sequence signature (push ebp; mov ebp, esp; sub esp, ...; pushal). If matched, it pushes a "Polip" infected verdict. Includes reference to the Microsoft threat encyclopedia URL.
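The Polip heuristic above combines three independent signals: section flags (unnamed and RWX), a Shannon entropy threshold of 7.3 bits per byte, and a wildcard byte signature for the decryptor prologue. The block below is an added example of those building blocks over constructed section data, written for illustration and not code from Detect-It-Easy. The prologue encoding `55 8BEC 83EC.. 60` (push ebp; mov ebp,esp; sub esp,imm8; pushal) is my own, the PE and section object shapes are assumed, and the real rule's exclusions (entry, resource, import, export, relocation and TLS sections) are left out.

```javascript
// Added example, not DIE code: Polip-style infected-section check.
const IMAGE_SCN_MEM_EXECUTE = 0x20000000;
const IMAGE_SCN_MEM_READ = 0x40000000;
const IMAGE_SCN_MEM_WRITE = 0x80000000;
const RWX = (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE) >>> 0;

const POLIP_PROLOGUE = '55 8BEC 83EC.. 60';   // ".." is a one-byte wildcard (assumed encoding)
const ENTROPY_THRESHOLD = 7.3;                // bits per byte, as in the commit above

// Shannon entropy in bits per byte: 0 for constant data, 8 for uniform data.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// "55 8BEC 83EC.. 60" -> [0x55, 0x8b, 0xec, 0x83, 0xec, null, 0x60]
function parseSignature(sig) {
  const hex = sig.replace(/\s+/g, '');
  if (hex.length % 2 !== 0) throw new Error('signature has odd length: ' + sig);
  const pattern = [];
  for (let i = 0; i < hex.length; i += 2) {
    const pair = hex.substring(i, i + 2);
    pattern.push(pair === '..' || pair === '??' ? null : parseInt(pair, 16));
  }
  return pattern;
}

// Offset of the first wildcard-signature match in bytes, or -1.
function findSignature(bytes, sig) {
  const pattern = parseSignature(sig);
  for (let i = 0; i + pattern.length <= bytes.length; i++) {
    let j = 0;
    while (j < pattern.length && (pattern[j] === null || bytes[i + j] === pattern[j])) j += 1;
    if (j === pattern.length) return i;
  }
  return -1;
}

// Section shape assumed: { Name, Characteristics, body: Uint8Array }.
function looksLikePolipSection(sec) {
  return sec.Name === ''
    && ((sec.Characteristics & RWX) >>> 0) === RWX
    && shannonEntropy(sec.body) > ENTROPY_THRESHOLD
    && findSignature(sec.body, POLIP_PROLOGUE) !== -1;
}

// PE shape assumed: { is64bit, firstEpInstruction, sections }. Returns 'Polip' or null.
function polipVerdict(pe) {
  if (pe.is64bit || pe.sections.length < 2) return null;
  if (!/^(?:push|call)\b/i.test(pe.firstEpInstruction)) return null;
  return pe.sections.some(looksLikePolipSection) ? 'Polip' : null;
}

// xorshift32 stream used to fabricate a high-entropy "encrypted" section body.
function xorshiftBytes(n, seed) {
  const out = new Uint8Array(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) {
    x = (x ^ (x << 13)) >>> 0;
    x = (x ^ (x >>> 17)) >>> 0;
    x = (x ^ (x << 5)) >>> 0;
    out[i] = x & 0xff;
  }
  return out;
}

// Constructed sample PE: a normal .text plus an unnamed RWX section whose body
// is either pseudo-random (infected) or zero-filled, with the prologue planted
// at offset 0x100 in both cases so only the entropy test separates them.
function buildSamplePe(infected) {
  const prologue = [0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x60];
  const body = infected ? xorshiftBytes(4096, 0x9e3779b9) : new Uint8Array(4096);
  body.set(prologue, 0x100);
  return {
    is64bit: false,
    firstEpInstruction: 'push ebp',
    sections: [
      { Name: '.text', Characteristics: (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ) >>> 0, body: new Uint8Array(512) },
      { Name: '', Characteristics: RWX, body },
    ],
  };
}
```

The zero-filled variant still contains the prologue and the RWX flags, which is exactly why the entropy gate matters: a stub with an ordinary prologue in a writable section is common in benign installers, while an encrypted virus body pushes entropy close to 8.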
Require an explicit 32-bit guard for the CIH heuristic and reorganize cacheMap initialization.
- In scanForMaliciousCode_NET_and_Native, added !PE_Cached.is64bit to the condition that checks for the x86 'push ebp' entry-point pattern, preventing the heuristic from running on 64-bit PEs.
- In initializeCache, moved local function bindings (isArchX86, isCppClrLikeApp, isVbNetStandardLibraryPresent, isJscriptNetStandardLibraryPresent, firstEpAsmInstruction) below the computed/native entries to group related cache entries and improve initialization ordering/readability.
Extracted and de-duplicated the main heuristic logic, making detect() only call main() during heuristic scans. The update reorganizes file-suffix handling and enhances JS content analysis: it skips string literals, properly handles template literals and nested ${...} expressions (using skipNestedTemplate), and distinguishes bytecode vs. plain-text scripts. Detection for minified/compiled code was improved by scanning code segments outside strings with updated regex checks.
Change the Binary.getSize() check from >3000 to >0x400 (1024) so the MiniJavaScript heuristic will run on smaller binary/text inputs. This makes the detector cover scripts between ~1KB and the previous 3KB cutoff, improving detection for smaller embedded scripts.
Escape closing brace and parenthesis inside the regex character class used by the minification heuristic. This corrects the token-matching pattern so punctuation like ";", "}" and ")" are recognized reliably and prevents potential regex parsing issues in db/Binary/__MiniJavaScriptHeuristic_By_DosX.7.sg.
Introduce skipNestedTemplate(s, i) to robustly skip JavaScript template literals, handling nested ${} expressions, inner string literals, escape sequences, and recursion. Replace the previous ad-hoc template-scanning loop in main with a call to this helper when encountering a nested backtick, simplifying the logic and improving correctness when parsing nested templates in scriptContent during heuristic scans.
Improve the MiniJavaScript heuristic parsing: skip escaped characters, properly skip string literals inside expressions, and handle nested template literals (tracking ${} depth) to avoid false positives when scanning script content. Also tighten regexes by switching to non-capturing groups and refining the whitespace/token check used to detect minified/compiled code.
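The two commits above describe why a minification heuristic needs a real literal skipper: a template literal can contain braces, semicolons, quotes and further backticks inside `${...}`, so any regex run over the raw text will count payload characters as code. The block below is an added example of such a skipper and of a density measure computed only on the code outside literals; it is written here for illustration and is not the code in __MiniJavaScriptHeuristic_By_DosX.7.sg. The sample script and the 0.5 rule of thumb for terminatorDensity are constructed assumptions.

```javascript
// Added example, not DIE code: skip JavaScript string and template literals
// (with nested ${...} expressions) and measure minification on what remains.

// s[i] is the opening ' or " of an ordinary string literal. Returns the index
// just past the closing quote, or s.length if the literal is unterminated.
function skipString(s, i) {
  const quote = s[i];
  i += 1;
  while (i < s.length) {
    if (s[i] === '\\') { i += 2; continue; } // escape: skip the escaped char too
    if (s[i] === quote) return i + 1;
    i += 1;
  }
  return s.length;
}

// s[start] is a backtick. Returns the index just past the matching closing
// backtick, honouring escapes and nested ${...} expressions.
function skipNestedTemplate(s, start) {
  let i = start + 1;
  while (i < s.length) {
    const c = s[i];
    if (c === '\\') { i += 2; continue; }
    if (c === '`') return i + 1;
    if (c === '$' && s[i + 1] === '{') { i = skipTemplateExpression(s, i + 2); continue; }
    i += 1;
  }
  return s.length;
}

// i points just past "${". Brace depth is tracked so an object literal inside
// the expression does not end it early; inner strings and templates recurse.
function skipTemplateExpression(s, i) {
  let depth = 1;
  while (i < s.length) {
    const c = s[i];
    if (c === '\'' || c === '"') { i = skipString(s, i); continue; }
    if (c === '`') { i = skipNestedTemplate(s, i); continue; }
    if (c === '{') depth += 1;
    else if (c === '}') {
      depth -= 1;
      if (depth === 0) return i + 1;
    }
    i += 1;
  }
  return s.length;
}

// Replaces every string/template literal with "" and returns what is left.
function codeOutsideStrings(s) {
  let out = '';
  let i = 0;
  while (i < s.length) {
    const c = s[i];
    if (c === '\'' || c === '"') { i = skipString(s, i); out += '""'; continue; }
    if (c === '`') { i = skipNestedTemplate(s, i); out += '""'; continue; }
    out += c;
    i += 1;
  }
  return out;
}

// Fraction of ";" / "}" terminators immediately followed by a non-whitespace
// character. Hand-written code sits well below 0.5; minifier output nears 1.
function terminatorDensity(code) {
  let total = 0;
  let tight = 0;
  for (let i = 0; i < code.length; i++) {
    if (code[i] !== ';' && code[i] !== '}') continue;
    total += 1;
    const next = code[i + 1];
    if (next !== undefined && !/\s/.test(next)) tight += 1;
  }
  return total === 0 ? 0 : tight / total;
}

// Constructed sample: a template literal whose payload (braces, a quoted "}",
// a nested template) would mislead a scanner that does not skip literals.
const SAMPLE = 'const a = `x ${ f("}", `in ${ {b:1}.b } ner`) } y`; var z=1;';
```

Run terminatorDensity on codeOutsideStrings(SAMPLE) and the payload braces vanish; run it on the raw SAMPLE and the object literal inside the template already contributes a "tight" terminator, which is the false-positive path the commits above close.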
Recognize .jsx, .mjs, and .cjs as JavaScript file types in the MiniJavaScript heuristic. Adds switch cases for JavaScript XML, Module, and CommonJS Module in db/Binary/__MiniJavaScriptHeuristic_By_DosX.7.sg to improve detection of modern JS file extensions.
Refactor compiler_DMC.6.sg detection routine: replaced loose equality checks with strict (===), combined major/minor linker version declarations into one statement, adjusted indentation and whitespace, and tidied bracket alignment. These are stylistic/clarity changes and should not alter detection logic or behavior.
Switch entropy and signature checks to use PE_Cached.dosStubSize and PE_Cached.fileBodySize instead of hardcoded 0x00 or getSize()-getOverlaySize(). Changes in scanForPackersAndCryptors_NET_and_Native, scanForLicensingSystems_NET_and_Native and scanForLanguagesAndCompilers_NET_and_Native ensure scans skip the DOS stub and overlay, producing more accurate entropy/signature results and reducing false positives.
Add computed fields to PE cache (fileBodySize, addressOfUnmanagedEntryPoint, dosStubSize) and update many routines to use PE_Cached instead of repeated PE.get*/VAToOffset/findSignature calls for correctness/performance. Adjust Intel C++ compiler detection to only compare watermark on 32-bit builds. Minor fixes: simplify byte buffer concat and add "Enhanced by: DosX" credit to pkr_ce1a rule.
Replace a single signature scan with a set of stricter checks to reduce false positives: ensure the binary is 32-bit, has at least 4 sections, matches an entry-point byte pattern, imports KERNEL32.dll, exposes IsDebuggerPresent and LoadLibraryA/W, and contains the specific signature in section 1 instead of scanning the entire file. This makes packer detection more precise.
Fix heuristic entry for ANDpakk: rename product from 'ANDpakk2' to 'ANDpakk' and add version '2.0' while preserving the match token 'ANDpakk2' for detection. Also remove an extraneous blank line in other_GSplit.1.sg as a minor whitespace cleanup.
Add a new Detect It Easy (DIE) detection rule for the Rusty PE packer (db/PE/packer_Rusty.2.sg). The rule (author: DosX) marks files as packed by "Rusty" based on import/resource heuristics and specific import-position hashes, and flags binaries as "modified" when the first resource name differs from "STUB". Includes metadata and source reference to the original Rusty-PE-Packer project.
Add comment reference URLs to two PE tool metadata files for context. Inserted a Wikipedia link for Microsoft Visual Studio in db/PE/tool_Microsoft_VisualStudio_NET.6.sg and a GitHub link for de4dot in db/PE/tool_de4dot.6.sg; these are non-functional comments intended as source/reference annotations.
Add an extra EP signature check and a comment to improve detection for Clickteam Fusion. The detect() function now includes an additional PE.compareEP("E8........E9$$$$$$$$6A14") check.
Broaden Clickteam Fusion 2.X+ detection by adding a rich-signature + entry-point pattern check (compareEP with "E8........E9........CCCCCCCCCCCCCCCCCCCCCC"). Retains the existing export-function + overlay check (zi32Support + compareOverlay) as an alternative detection path.
Add a Detect It Easy rule (db/PE/game_engine_ClickteamFusion.3.sg) to identify Clickteam Fusion executables. The rule checks for the PE export function `zi32Support` and an overlay signature, sets the detected version to `2.X+`, and includes author metadata.
Add defensive checks to avoid using invalid offsets and missing disassembly strings. Guard against -1 resource/VAToOffset results before calling PE.compare/PE.isSignaturePresent, cache the resource offset in a local variable, and break when PE.getDisasmString() returns falsy to avoid caching undefined. These changes prevent false matches and runtime errors when resources or disassembly are not present.
Use substring instead of substr for string slicing in heuristic scanners and simplify a redundant ASCII check. Updates in scanForObfuscations_NET and scanForObfuscations_Native: replace sectionName.substr(1, ...) and libraryName.substr(..., 4) with substring calls, and remove a redundant !isAsciiString(libraryName) condition in the import-character test. These changes improve consistency and clarity of the string operations without altering the intended detection logic.
Replace loose inequality checks with strict !== to avoid type-coercion issues in PE heuristic scanning. Changes apply to db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg across functions like scanForPackersAndCryptors_NET_and_Native, validateSignature, validateNetByteCode, validateGlobalUnicodeString, generateUnicodeSignatureMask, and scanForObfuscations_Native. This is a behavior-preserving refactor intended to make comparisons more robust and explicit.
Break out of the loop if PE.getDisasmString returns a falsy value. Adds a guard in emulateAndGetEpAsmPattern to avoid appending undefined instructions and to prevent potential crashes or infinite loops when disassembly is unavailable.
Replace loose comparisons (==/!=) with strict operators (===/!==) in NetOpCodes, scanForBadFileFormat_NET_and_Native, and isNameObfuscated for correctness and consistency. Also compute sectionEntropy once in scanForPackersAndCryptors_NET_and_Native and reuse it for the threshold check and logging to avoid redundant calculations and improve readability/performance.
In scanForObfuscations_Native(), replace calls to getAsmOpCode(PE_Cached.firstEpAsmInstruction) with direct regex tests against PE_Cached.firstEpAsmInstruction. This affects both x86 and ARM branches that detect breakpoint/return patterns for TLS entry point checks, reducing redundant parsing and ensuring the regex matches the actual instruction text.
In scanForDebugData_NET_and_Native (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg): stop the backward scan for the PDB path at PE.getDosStubOffset() + PE.getDosStubSize() instead of 0 to avoid scanning into the DOS stub region, and relax the absolute-path check to accept either backslash or forward slash (so both C:\... and C:/... are recognized). These changes reduce false positives and prevent reading outside the intended bounds.
Replace loose inequality checks (!=) with strict (!==) across multiple scan functions in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (e.g. scanForObfuscations_NET, scanForAntiAnalysis_NET, scanForPackersAndCryptors_NET_and_Native, scanForLicensingSystems_NET_and_Native, scanForBadFileFormat_NET_and_Native, scanForDebugData_NET_and_Native, scanForObfuscations_Native, scanForInterestingMarkers_NET_and_Native). This change enforces strict type-safe comparisons to avoid unintended type coercion and improve reliability of detection logic. No other logic changes made.
Tighten the loop that finds the last non -1 section address in scanForPackersAndCryptors_NET_and_Native(): use strict equality (===) and add an upper bound (i <= PE_Cached.numberOfSections) to avoid infinite loops or out-of-range section accesses when no valid section is found.
Start the short-name detection loop at index 0 so the first character in the 'chars' set is checked (previously it was skipped). Also correct hex byte formatting when building the buffer by left-padding single-digit hex strings (currentByte.length === 1) with a '0' instead of only handling the literal '0', ensuring bytes like 0x0A produce '0a' instead of 'a'.
Change handling of leading uppercase tokens in isNameObfuscated() from returning false to continuing, so an uppercase abbreviation at the start doesn't prematurely mark the whole name as not-obfuscated and allows subsequent tokens to be evaluated. Also tighten the copyright-year whitelist regex in isTokenObfuscated() by anchoring the end (added $) to require a full-token match, preventing partial matches that could cause false positives.
Calculate ctorSignatureOffset and handle a -1 result from PE.findSignature so subsequent reads/comparisons aren't done at an invalid offset. Only run the short-name detection, the short-name scanning loop, and the buffer read loop when a valid afterCtorOffset exists. Also rename the signature variable for clarity and change protectionsRuntime from const to var (compatibility/consistency). These changes prevent out-of-bounds reads and false detections when the <Module> .ctor signature is not found.
Fix several PE heuristic issues: unloadCache now clears all enumerable properties from PE_Cached instead of setting it to undefined to avoid leaving stale object references; correct the MSIL ldloca opcode from "FE09????" to "FE0D????"; and adjust the PE.findSignature call to pass sectionSize (instead of sectionOffset + sectionSize) so signature searches use the proper length. These changes address cache-clearing bugs, an incorrect opcode mapping, and an incorrect signature search range.
Clarify unloadCache JSDoc to state it removes all enumerable properties from PE_Cached instead of setting it to undefined, keeping the documentation consistent with the implementation in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Remove unnecessary .toUpperCase() calls when constructing option strings in two places (scanForPackersAndCryptors_NET_and_Native and scanForObfuscations_Native). The code now concatenates the raw first character with the lowercased remainder, avoiding potential runtime issues and ensuring consistent label formatting for detected opcodes near EP.
Tighten the heuristic in scanForMaliciousCode_NET_and_Native: only treat the Unicode " RAT" signature as a trigger when it appears together with at least one of the specified objects (System.Net.Sockets, GetWindowText, avicap32.dll). Keeps the existing fallback checks for other Net objects (AntiTaskManager, BlockAvSites, UpdaterEXE, etc.). This reduces false positives by requiring both the signature and contextual API/library usage.
Avoid indexing the regex result directly when no match is found. Assign the full match array to sVersion, check that it contains a capture group, then extract the version token and validate it (1..13). This prevents runtime errors on null matches and ensures correct Direct3D version detection.
Restrict Direct3D import detection to 1-2 digit versions and ensure detected versions are in the 1..13 range. The import regex was changed from /d3dx?(\d+)/i to /d3dx?(\d{1,2})/i, maxVersion is now validated (<= 13), and the fallback now extracts the d3d major version with PE.isLibraryPresentExp(/^d3d(\d{1,2})/i)[1] and validates it before setting bDetected. This prevents false positives and out-of-range version matches.
Fix a heuristic bug by changing the KD transport regex from /^kd[_n]/i to /^kd(?:_|net_)/i so it correctly matches "kd_..." and "kdnet_..." prefixes (avoids accidental matches like "kdn..."). Also tweak the changelist/build comment examples to emphasize numeric parts (e.g. CL [35398403], Build [123456]). These edits improve token obfuscation detection accuracy and comment clarity in the PE heuristic rules.
Add several regex patterns to isTokenObfuscated whitelist in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. New rules recognize common OOP/API noun suffixes (handler, manager, factory, callback, decoder, etc.), Hungarian-style Windows API prefixes (lpsz/dw/hWnd/... followed by PascalCase), PascalCase/camelCase names with trailing version digits (e.g. Direct3D9, CreateFile2), and multi-segment snake_case identifiers. These additions aim to reduce false positives by treating legitimate identifier naming conventions as non-obfuscated tokens.
Change the Direct3D module name pattern from /^d3d/i to /^d3d\d{1,2}/i in the PE heuristics. This requires 1–2 digits after 'd3d' (e.g. D3D9, D3D10, D3D11) and reduces false positives from tokens that merely start with 'd3d'.
Expand and refine the heuristic whitelist used in PE generic analysis. Added more driver/service suffixes (srv, svc, port, bus, hub, hid) to the existing regex to reduce false positives for Windows components. Introduced new patterns to recognize PascalCase and camelCase compound identifiers and a regex for known Windows kernel/network component substrings (ndis, acpi, storport, usbhub, etc.). These changes improve whitelisting of legitimate symbol names and reduce accidental obfuscation flags.
Replace many individual token.match checks with a single whitelist array of regular expressions and iterate over it, reducing duplication and improving readability/maintainability. Tighten the Windows resource/constant identifier regex to require an underscore and a stricter pattern; all other whitelist patterns were preserved but consolidated into the array. Changes are localized to the PE heuristic whitelist logic.
Tighten heuristics in isTokenObfuscated(): strengthen the hardware/model whitelist to require a well-formed prefix+digit block and optional underscore/dash suffixes (anchored to the end) to avoid accidentally whitelisting random strings; add CUDART64_132_51 to examples. Also adjust the SCREAMING_SNAKE_CASE rule to require at least one underscore so all-caps hex-like identifiers (e.g. DEADBEEF) are no longer whitelisted.
Update PE generic heuristic rules to reduce false positives and better recognize benign tokens: add a debug _setResult call when an obfuscated chunk is logged; expand benign token whitelist with cuda, iscsi, scsi, sstp, uart; add DirectX (d3d) and kernel debugger (kd_) exclusions; add hardware chip/model pattern and driver/service suffix exclusions. Also relax the uppercase-only resource token rule by removing the lower-case check, and raise the repeated-consonant detection threshold from 5 to 7 to avoid flagging legitimate names (examples: luainstall.dll, rassstp.sys, msiscsi.sys). Changes applied to db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Enhance isTokenObfuscated checks to reduce false positives and better recognize common non-obfuscated tokens. Added regexes to allow partial GUIDs/GUID fragments and build/version hashes with optional word suffixes. Extended CI/build keyword list (added sql,tmp), added charset/codepage name detection (cp/iso/utf/ucs/etc.), and added detection for uppercase Windows resource/constant identifiers. Tightened obfuscation rule for long consonant clusters by raising the threshold from 6 to 8 and updating the related comment and regex.
Remove an obsolete CFG-without-DEP check and refactor heuristic checks for fake build info and system files. Rename companyNames to companyNamesDict, and introduce combined system file name lists with a helper to compare OriginalFilename/InternalName. Defer adding verdicts until a consolidated isFakeOrInfected flag is determined, and add additional checks for Rich signature, signing, .NET builds, and packer/protector heuristics to reduce false positives.
Wrap the export-name condition in parentheses to ensure functionName is evaluated before checking if it starts with a digit or is non-ASCII. This prevents isAsciiString from being called when functionName is falsy and fixes the logical precedence that could yield false positives for strange exports.
Adjust mangled symbol parsing in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: for _E/_G/_R patterns (destructor, vector destructor, RTTI) strip the prefix and return the name suffix instead of the whole token; normalize class method parsing by removing a leading '$' before splitting, and compare against 'bctr'/'bdtr' (without $) to correctly detect constructors/destructors and return class name or '~class'. This corrects incorrect name extraction for those mangled forms.
Replace unnecessary capturing groups with non-capturing groups (?: ) in several regular expressions inside scanForObfuscations_Native in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This removes spurious capture overhead for patterns matching INT 3, RET <n>, and BX LR while keeping behavior unchanged (used for TLS/EP heuristic checks).
Add detection entry for the Rusty PE packer (magic 0xa2260c1d, heuristic value 10). Also add documentation comments/URLs for Packman and Amber and tidy related inline comments; no other functional changes.
Add inline reference comments for py2exe and BoxedApp entries in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to document source websites. This is a non-functional change (comments only) to improve maintainability and provide quick lookup links for those packer signatures.
Include additional common tokens (mgr, vds, word, runtime) in the build/CI server pattern inside isTokenObfuscated(). This prevents those tokens from being treated as obfuscated by the heuristic and reduces false positives when analyzing PE names.
Expand the standardSectionsWithUnusualValuesDict to a multi-line array for readability and add the '.imrsiv' entry (with a comment marking it as UWP). Also annotate 'hydrated' as .NET Native. This extends heuristic recognition for .NET Native and UWP binaries.
Add a heuristic that flags PE files whose OriginalFilename or InternalName matches common Windows system executables (e.g. csrss.exe, wininit.exe, lsass.exe, svchost.exe, taskhostw.exe, ntkrnlmp.exe) but that are .NET, lack a Rich signature, or are unsigned. When detected, a verdict of "Fake ...system file" is appended to indicate possible masquerading or infection. This helps catch malware that copies legitimate system names without proper signing or Rich signature metadata.
Use File.cleanString(PE.getFileVersion()) when populating sVersion for several game engine detectors (Atlas, Godot, Wintermute) to ensure cleaned/normalized version strings. Refactor Director detector to remove repeated sVersion assignments and set sVersion once (cleaned) when any detection branch matches. Minor whitespace cleanup included.
Enhance heuristic detection for Microsoft Warbird and adjust token obfuscation exclusions.
- db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: broaden Warbird signature to include PROTDATA and section-name patterns (/^PAGE(?:VRFY|wx[1-6])$/). Also add "krnl" to the list of tokens treated as non-obfuscated.
- db/PE/protection_Microsoft_Warbird.2.sg: add fallback detection that marks Warbird as present when a .sys library exists and a PAGEVRFY/PAGEwx1-6 style section name is present.
These changes make Warbird identification more reliable by matching additional known markers and prevent mislabeling common kernel-related tokens as obfuscated.
Register inject2pe as a known packer by adding the ".inj" signature to db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This enables heuristic detection of inject2pe-packed files (reference: https://github.com/0xballistics/inject2pe).
Tighten the Detect It Easy rule for inject2pe: require non-64-bit, zero DOS stub size, and use strict comparisons; keep checks for single section, specific Characteristics, header size, no imports, and non-console. Add detection of modified wrappers by marking sOptions="modified" when the section name is not ".inj". Minor formatting and return placement adjusted to improve accuracy and reduce false positives.
Add validation in scanForObfuscations_Native() to detect invalid DLL characteristic combinations: flag Control Flow Guard (IMAGE_DLLCHARACTERISTICS_GUARD_CF) when NX/DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) is not set (adds option "CFG without DEP"), and flag No-SEH (IMAGE_DLLCHARACTERISTICS_NO_SEH) when the image is 64-bit (adds option "No-SEH on x64"). These identify broken or nonsensical security flag combinations that are not produced by legitimate toolchains.
Add a heuristic that detects when IMAGE_DLLCHARACTERISTICS_GUARD_CF is set but IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is not. When observed, the code appends the "CFG without ASLR" option to the analysis results to highlight a potentially inconsistent or suspicious configuration (CFG is only effective on ASLR-enabled images).
Add a check in scanForObfuscations_Native to detect when IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY is set but IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) is not. When found, set isForceIntegrityWithoutAslr and add the "Force integrity without ASLR" option so such PE images are flagged during heuristic analysis.
Refine high-entropy VA handling: change the existing option text to "High entropy VA without ASLR" and add a new check to detect when IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA is set on 32-bit images (which is meaningless). When detected, add the "High entropy VA on x32" option to avoid misleading heuristics/false positives.
Add a heuristic in scanForObfuscations_Native to detect when the IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA flag (0x0020) is set but IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR, 0x0040) is not. When this inconsistent combination is found, set an option message "High entropy VA needs ASLR" to flag the likely misconfiguration or ineffective setting. This helps identify PE files that declare 64-bit ASLR entropy while ASLR itself is disabled.
Define IMAGE_DLLCHARACTERISTICS constants and add a check in scanForObfuscations_Native to read DllCharacteristics from the PE optional header. The new logic detects if reserved bits 0-4 are set (which should never be used) and marks the binary with the "Invalid DLL flags" option when found. This enhances heuristic detection of malformed or potentially obfuscated PE files by validating DLL characteristic flags.
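The DllCharacteristics checks described in the messages above, worked through as one stand-alone script. This is an added example, not code from the DIE repository: it reads the field from a PE header held in a Node Buffer (DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+), then applies the inconsistency rules with the option labels the messages name. The flag values are the standard Windows IMAGE_DLLCHARACTERISTICS_* constants; the reserved mask 0x001f and the helper `buildHeader` that fabricates a minimal header for testing are assumptions made here. The "CFG without DEP" rule is included as described, although a later message on this page records its removal.

```javascript
// Added example (not DIE's own code): flag inconsistent DllCharacteristics
// combinations the way the generic PE heuristic described above does.
const IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020;
const IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040;
const IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080;
const IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100;
const IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400;
const IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000;
// Bits 0-4 are reserved and never emitted by a real linker (assumed mask).
const RESERVED_DLLCHARACTERISTICS_MASK = 0x001f;

const IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b;
const IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b;

// Locate the optional header via e_lfanew and return Magic-derived bitness
// plus the DllCharacteristics word (offset 70 in both PE32 and PE32+).
function readDllCharacteristics(image) {
  if (image.length < 0x40 || image.toString('latin1', 0, 2) !== 'MZ') {
    throw new Error('not an MZ image');
  }
  const peOffset = image.readUInt32LE(0x3c);
  if (peOffset + 24 + 72 > image.length ||
      image.toString('latin1', peOffset, peOffset + 4) !== 'PE\0\0') {
    throw new Error('PE signature not found');
  }
  const optionalHeader = peOffset + 24; // 4-byte signature + 20-byte COFF header
  const magic = image.readUInt16LE(optionalHeader);
  if (magic !== IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic !== IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
    throw new Error('unknown optional header magic');
  }
  return {
    is64: magic === IMAGE_NT_OPTIONAL_HDR64_MAGIC,
    dllCharacteristics: image.readUInt16LE(optionalHeader + 70),
  };
}

// Return the option labels the heuristic attaches for a given flag word.
function checkDllCharacteristics(flags, is64) {
  const options = [];
  const has = (bit) => (flags & bit) !== 0;
  if ((flags & RESERVED_DLLCHARACTERISTICS_MASK) !== 0) options.push('Invalid DLL flags');
  if (has(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) && !has(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) {
    options.push('High entropy VA without ASLR'); // entropy flag is meaningless without ASLR
  }
  if (has(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) && !is64) {
    options.push('High entropy VA on x32'); // 64-bit-only flag on a 32-bit image
  }
  if (has(IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) && !has(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) {
    options.push('Force integrity without ASLR');
  }
  if (has(IMAGE_DLLCHARACTERISTICS_GUARD_CF) && !has(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) {
    options.push('CFG without ASLR');
  }
  if (has(IMAGE_DLLCHARACTERISTICS_GUARD_CF) && !has(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
    options.push('CFG without DEP');
  }
  if (has(IMAGE_DLLCHARACTERISTICS_NO_SEH) && is64) {
    options.push('No-SEH on x64'); // x64 uses table-based SEH, so NO_SEH is nonsensical
  }
  return options;
}

// Constructed test input: a minimal, fabricated header (not a real binary)
// with e_lfanew = 0x40 and the optional header starting at 0x58.
function buildHeader(magic, dllCharacteristics) {
  const buf = Buffer.alloc(0x100);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(0x40, 0x3c);
  buf.write('PE\0\0', 0x40, 'latin1');
  buf.writeUInt16LE(magic, 0x58);
  buf.writeUInt16LE(dllCharacteristics, 0x58 + 70);
  return buf;
}

function analyzeImage(image) {
  const hdr = readDllCharacteristics(image);
  return checkDllCharacteristics(hdr.dllCharacteristics, hdr.is64);
}

// A typical MSVC x64 build (DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)
// yields no options; a 32-bit image with HIGH_ENTROPY_VA and no ASLR yields two.
console.log(analyzeImage(buildHeader(IMAGE_NT_OPTIONAL_HDR64_MAGIC, 0x4160)));
console.log(analyzeImage(buildHeader(IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0x0120)));
```

Each rule is independent and appends its own label, so a single malformed image can collect several options at once, which is the behaviour the messages above describe for the analyzer's option string.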
Three small edits to PE heuristic logic and comments:
- Remove the "43210" alternative from the numeric-sequence regex used to detect 5+ digit ascending/descending sequences.
- Clean up a block comment header for ARM/ARM64 NOP-equivalent instructions (remove an extra leading '*' and align text).
- Add "DECRYPTOR" to the resource-name detection regex so resources named DECRYPTOR are flagged alongside PAYLOAD, SHELLCODE, INJECT, and CRYPTED.
Add a new detection rule db/PE/library_SSH_NET.sg that identifies the SSH.NET .NET library by checking for the presence of the Renci.SshNet object. The rule includes a library meta tag and author/contact metadata to help PE analysis detect SSH.NET in binaries.
Refactor and extend obfuscation checks for tokens. Consonant-repetition logic now only runs for tokens under 15 chars and uses a regex-based consonant test with an inline counter/early return for >=5 repeats. Expanded keyboard-walk detection to cover horizontal row patterns (5+ chars, forward/backward) and added vertical column patterns (6+ chars) as well as number-row sequences (5+ consecutive digits). These changes tighten thresholds to reduce false positives and broaden detection of common obfuscation patterns.
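The token-shape checks that message describes, written out as a stand-alone function. This is an added example, not the repository's isTokenObfuscated: it uses the thresholds stated above (5 consecutive consonants for tokens under 15 characters, 5+ character walks along a QWERTY row in either direction, 5+ sequential digits). The row strings, the treatment of 'y' as a vowel, the ascending-only digit check (other messages on this page drop the "43210" alternative), and the reason strings returned are assumptions made here; vertical column walks are not modelled because the layout they use is not given.

```javascript
// Added example (not DIE's own code): three shape heuristics that mark an
// identifier token as probably obfuscated, with thresholds from the commit
// message above. Returns the reason string, or null for a benign-looking token.
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm']; // assumed QWERTY layout
const DIGIT_ROW = '0123456789';

// True when `token` contains any contiguous slice of `row` of length minLen,
// read forward or (when allowReverse) backward. A longer walk always contains
// a minLen-long slice, so checking slices of exactly minLen is sufficient.
function containsRowWalk(token, row, minLen, allowReverse) {
  const directions = allowReverse ? [row, row.split('').reverse().join('')] : [row];
  for (const r of directions) {
    for (let i = 0; i + minLen <= r.length; i++) {
      if (token.includes(r.slice(i, i + minLen))) return true;
    }
  }
  return false;
}

// Count consecutive consonants ('y' counted as a vowel here) and stop early
// once the run reaches maxRun, as the inline counter in the message does.
function hasConsonantRun(token, maxRun) {
  let run = 0;
  for (const ch of token) {
    if (/[bcdfghjklmnpqrstvwxz]/.test(ch)) {
      run++;
      if (run >= maxRun) return true;
    } else {
      run = 0;
    }
  }
  return false;
}

function isTokenObfuscated(token) {
  const t = token.toLowerCase();
  // Consonant clusters are only meaningful for short tokens; long natural
  // identifiers accumulate clusters by chance.
  if (t.length < 15 && hasConsonantRun(t, 5)) return 'consonant cluster';
  for (const row of KEYBOARD_ROWS) {
    if (containsRowWalk(t, row, 5, true)) return 'keyboard walk';
  }
  if (containsRowWalk(t, DIGIT_ROW, 5, false)) return 'digit sequence';
  return null;
}

// Constructed sample tokens: two keyboard walks, a consonant cluster, a digit
// run, and a legitimate Win32 export that must stay unflagged.
for (const sample of ['qwerty', 'ytrewq', 'xkqzwtp', 'build12345', 'CreateFileW']) {
  console.log(sample, '->', isTokenObfuscated(sample));
}
```

Note that the 5-consonant threshold also trips on real driver names such as rassstp ("ssstp"), which is exactly the false positive the later threshold increases on this page are about; the function exposes that directly so the trade-off can be measured against a corpus of known-good names.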
Add a Detect It Easy (DIE) rule to identify the inject2pe tool's wrapper method. The rule (author: Yosef Khaled) tags files with meta tool="inject2pe" and matches PEs with no imports, a single section, SizeOfHeaders == 0x200, first section Characteristics == 0xE0000020 and not a console binary; it sets options to "shellcode2exe wrapper". Includes link to the project: https://github.com/0xballistics/inject2pe.
Add contributor attribution ('Enhanced by: Yosef Khaled') and minor formatting. Remove the else branch in detect() that set sVersion = "custom" when the section name was ".fpack ", altering the version-detection behavior for this packer.
Co-Authored-By: Yosef Khaled <124172634+tenzzzzzz@users.noreply.github.com>
Add new detection rule db/Binary/format_Torrent.1.sg for Detect It Easy to identify .torrent files. The rule checks for the bencoded 'd8:announce' key and a URL signature ('://') within the header to detect torrent metadata. File includes author contact and metadata.
Add a Detect It Easy rule (db/ZIP/format_Minecraft_Bedrock.1.sg) to identify Minecraft Bedrock ZIP packages. The script checks for ZIP file format version 2.0 with Deflate compression and matches file suffixes mcworld, mcpack, and mcaddon to set options to "World", "Resource Pack", or "Add-on" and tag the result as Bedrock Edition. Includes author metadata.
Allow heuristic scanning to continue when the PE entry point is 0 by removing the early break, ensuring packer/cryptor detection still runs. Also broaden .NET malicious detection: in addition to detecting an 'avfucker' object, treat the presence of both Unicode strings 'SharpInvoker' and 'myres' as an indicator for the 'RAT Injector' verdict when no other verdicts exist.
Add a guard using PE.isEntryPointCorrect() and fetch the entry point earlier. If the entry point is zero, exit the check early. This removes a redundant PE.getAddressOfEntryPoint() call and prevents invalid/zero EP values from being compared against the last section address when scanning for packers/cryptors in non-DLL PE files.
Replace unnecessary capturing groups (...) with non-capturing groups (?:...) in several regex literals in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg (e.g. section/flag and numeric suffix patterns). This prevents creating unused capture groups, clarifies intent, and preserves existing behavior.
Replace unnecessary capturing groups with non-capturing groups in two Denuvo-related regexes. Updated patterns to /^GetDenuvo(?:TimeTicketRequest|TicketLocation)$/ (in __GenericHeuristicAnalysis_By_DosX.7.sg) and /^ANTICHEAT_OBFUSCATE_(?:.+_)?CODEMARKER$/ (in protection_Denuvo.5.sg). This avoids creating unused capture groups and prevents unintended capture-index shifts, with no change to matching behavior.
Allow an optional 'v.' prefix when matching version numbers (accepts 'v.1.2' in addition to 'v1.2' and '1.2') and refactor the character-type branches in isTokenObfuscated() into single-line conditionals to reduce line count while preserving the counting and type-assignment behavior.
Enhanced FatPack detection
I have corrected the detection logic as follows:
1. Since different versions of "fatpack" do not have a constant number of sections, I eliminated that criterion from the code.
2. Avoided false detections for manually unpacked samples.
3. Improved the detection of packed samples using the --resources option by looping through all resources and searching for the signature "5D00001000" in any of them. If found, it means the resource payload has been identified. This modification is more reliable because resource names and counts can be modified or manipulated, so the detection now relies on deeper analysis.
4. Improved the code readability.
Add a missing closing quotation mark for "intel" in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This corrects a syntax error in the companyNames array that could cause the script to fail parsing.
Remove the 'avg' entry and replace the 'amd' abbreviation with the full name 'advanced micro devices' in the companyNames array used by the PE heuristic scan. This clarifies vendor matching strings for the malicious code detection routine.
Rename and relocate LICENSE files from autotools/dbcompiler/node_modules into autotools/dbcompiler/node_licenses/ (e.g. LICENSE -> LICENSE.<pkg>.txt) to centralize third-party licenses. Also remove assorted package metadata and docs (README, CHANGELOG, tests, CONTRIBUTING, governance, etc.) from vendor node_modules entries to reduce noise in the tree.
Add Windows batch script node_modules_clean.cmd that copies LICENSE/LICENCE/COPYING files from node_modules into a node_licenses directory (creating it if missing), renaming saved files to include package names, and invokes npx modclean -n default:safe -r to remove extraneous files. Intended to gather third-party licenses for offline/legal distribution and clean node_modules.
Add archiver dependency to package.json and update package-lock. Require archiver in task.js and implement createDieDb(srcDir, archivePath) to produce zip-based .die-db archives of processed output directories. After cleaning and reporting, the script now creates a .die-db archive per input directory and logs success/failure with archive sizes.
Add isJson helper and handle .json files specially: attempt to minify by JSON.parse+JSON.stringify and write result; on parse error fall back to writing the original file and mark the result as failed. Update result flags to reflect whether the file was minified, skipped, failed, or failed-skip so callers can distinguish outcomes. This ensures JSON assets are compacted and errors are handled gracefully.
Use File.cleanString when reading the BIOS version string in detect() to remove unwanted/control characters before storing sOptions. Also add a TODO to validate the version string with a regex for stricter checking.
Add inline comments to the PE heuristic scanner: include an archived reference URL for a SumHex decryptor and document the purpose of the subsequent resource-name checks in .NET/native assemblies (to flag builders or attempts to hide payloads). These are non-functional clarifications to aid future maintainers.
Extend the PE generic heuristic for Ramnit: in addition to checking for a ".rmnet" section, add a PE.compareEP() check for a specific entry-point byte pattern (pushal, call, pop ebp, mov eax, ebp, sub/mem ops, mov al,0). If no prior verdicts and either condition matches, the analyzer now emits a Ramnit verdict to improve detection of samples that lack the .rmnet section.
Increase the iteration limit in scanForMaliciousCode_NET_and_Native from 300 to 364 so the heuristic disassembly (parite scanning) examines a larger range of instructions. This expands the window for detecting additional opcode/obfuscation patterns in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Replace multiple regex capture groups with non-capturing groups (?:...) across the PE heuristic scanner to avoid unintended captures and clarify intent (affects packer/cryptor detection, section/name/resource checks, debug detection, token heuristics, export checks, etc.). Also rename local variable asmInstruction to currentInstruction in scanForObfuscations_Native and update its usages. These are refactors only — no behavioral logic changes intended beyond regex grouping and naming clarity.
Introduce a heuristic to detect Parite (win.parite) infections in the PE scanner. For x86 binaries (and only when no prior verdicts exist) the code scans up to 300 instructions from the entry point, looking for a SUB followed by a backwards JNE to a target containing PUSH/XOR DWORD PTR [reg + reg] patterns. It counts repeated loop occurrences and emits a "Parite" infected verdict when the pattern repeats >= 0x20. Reference: Malpedia win.parite.
Update db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: expand the non-obfuscation token regex in isTokenObfuscated to include beta, alpha, and client, and adjust the Windows variant grouping (win(32|64|2)). This change broadens the whitelist of common build/CI and client-related tokens to reduce false positives when detecting obfuscated tokens.
Avoid accessing _gyminfo[0] when parseMDGYM may return null/undefined during heuristic/deep scans. Add a guard to return early if _gyminfo is falsy to prevent runtime errors in the GYM audio parser.
Update comment to use defanged URL (https://max[.]ru/) and append a "Malicious site; Be careful!" note. This is a non-functional change to clarify that the referenced site is malicious.
In db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg, reduce the signature search window from 0x30 to 0x20 in scanForMaliciousCode_NET_and_Native when scanning for the Win9x CIH-like instruction patterns near the entry point. Also include minor whitespace/comment alignment cleanups for readability. The change limits the distance searched from the entry point, reducing unnecessary matches and work.
Rename several detection rule files to use underscores (e.g. archive.ACE.1.sg -> archive_ACE.1.sg, archive.ZIP.1.sg -> archive_ZIP.1.sg) and rename Amiga_loadable.1.sg to format_Amiga_loadable.1.sg.
Add a heuristic to flag fake LegalCopyright version strings that impersonate well-known vendors (e.g. Microsoft, Google, Adobe, Kaspersky, Nvidia, etc.). The new check ignores entries that include standard copyright markers and scans the LegalCopyright field for known company names; if found, it pushes a "Fake build info" verdict (using mayBeInfected details). Also modernize a local variable by changing `var fieldsToCheck` to `const fieldsToCheck`.
Rename multiple database entries to include explicit category prefixes for clarity. Files in db/Amiga were renamed to use compiler_, cruncher_, font_, and sfx_ prefixes; files in db_extra/PE were renamed to use installer_, protector_, and sfx_ prefixes. All changes are pure renames (100% similarity) with no content modifications.
Rename several Amiga database entries to use clearer prefixes (compiler_*/cruncher_*). Update db/MSDOS/virus.1.sg to call meta("virus") without the empty second argument. Normalize wildcard placeholders in PE/__GenericHeuristicAnalysis_By_DosX.7.sg from "??" to "..", adjust a region comment spacing, and make minor comment/formatting tweaks to improve consistency and readability.
Update scanForPackersAndCryptors_NET_and_Native to require PE.section[0].FileSize === 0 when checking three-section PE files with RWX flags. This narrows the heuristic to better detect packer/cryptor layouts (first section with zero FileSize) and reduce false positives. Change is in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
Co-Authored-By: Yosef Khaled <124172634+tenzzzzzz@users.noreply.github.com>
Remove unused nDataSize parameter and simplify detectUnknownDebugData signature; use PE.getDebugDataSize(i) for the size check. Compact and reformat switch cases in detect() (single-line cases and grouped fall-throughs) and normalize empty-string arguments to String() for consistent typing in _setResult calls. Purely stylistic/refactor changes intended to preserve existing behavior.
Collect detected PE debug-data types into an array, map known type tokens to human-friendly names (e.g., CodeView, VC Feature, Ext-DLL Characteristics, Reserved (10)), preserve all-caps abbreviations (REPRO, POGO, COFF, FPO), and capitalize other types. Then sort normal names and abbreviations separately and join them into sOptions. This also replaces the previous naive toLowerCase/append approach and fixes incorrect sOptions.append usage.
Introduce a heuristic to detect the Win9x CIH (Chernobyl) virus by scanning for a small sequence of instruction signatures near the entry point on x86 binaries. The new code builds an instruction pattern array, searches forward from the EP offset using PE.findSignature (0x30 window), and pushes a "Win9X.CIH" verdict if all patterns are found. Also includes a minor comment spacing tweak in an unrelated mov comment.
Add an x86 entry-point byte-pattern check to the generic PE heuristic scanner to detect Slugin infections (based on a sample referenced from securityhome). The new rule matches a sequence of instructions (pushal, call, sub ebx/esp, movs) and pushes a "Slugin" verdict when no prior verdict exists. Applied only for 32-bit PE files using PE.compareEP.
Rename multiple Amiga database entries to use consistent prefixes (cruncher_*/sfx_*) for better categorization and filenames. Also add sLang = "E" to compiler_Amiga_E.4.sg to explicitly set the language; no other functional changes were made.
Rename several db/Amiga rule files to use a consistent "compiler_" prefix (AMOS_Basic, Absoft_AC_Basic, Absoft_Fortran, Blitz_BASIC, Free_Pascal, Lattice_C, Storm_C). Add a new Detect It Easy rule db/Amiga/compiler_Amiga_E.4.sg (author: hypn0) that checks three entry-point signatures and sets sOptions to "type 1", "type 2" or "type 3" on detection.
Rename three db/COM sample files to include type prefixes for clearer categorization. No content changes; only filenames updated:
- db/COM/WiZ_Cryptor.2.sg -> db/COM/cryptor_WiZ_Cryptor.2.sg
- db/COM/VSF&K_protection.2.sg -> db/COM/protector_VSF&K_protection.2.sg
- db/COM/WSP_self_update.2.sg -> db/COM/sfx_WSP_self_update.2.sg
This standardizes naming (cryptor/protector/sfx) for easier maintenance and discovery.
Rename multiple detection rule files under db/COM to more specific names (e.g. Unknown_cryptors.2.sg → cryptor_cryptors_pt2.2.sg, Text_Header.1.sg → other_Text_Header.1.sg, etc.). Update metadata strings: change cryptor meta from "Unknown cryptor" to "Cryptor" and set the virus rule meta to "Cascade". Also modify the virus detection logic to append the version suffix to sName (sName += ".1701" / ".1704") instead of assigning it, preserving any existing name prefix.
Rename IBM_AIX_kernel_loader.4.sg to boot_IBM_AIX_kernel_loader.4.sg and tighten detection: only set sVersion to "PowerPC" if the AIX loader was actually detected (bDetected) to avoid false positives. In compiler_Rust.4.sg apply minor comment formatting and sanitize the extracted rustc version by using File.cleanString when assigning sVersion.
Rename and tidy up multiple Detect It Easy rule files. CFBF rules Microsoft_Office and Microsoft_Installer were renamed to format_Microsoft_Office.1.sg and installer_Microsoft_Installer.1.sg and had minor whitespace/mode fixes. Several ELF rule files were renamed to the compiler_* namespace (including Free_Pascal and HP_C++), Borland_Kylix.4.sg was removed and replaced with a new compiler_Borland_Kylix.4.sg that consolidates section checks with OR conditions. Minor code cleanups: IBM_AIX kernel loader newline fix, and Oracle_Solaris_Studio improvements (initialize string via String(), combine var declarations, return cleaned strings with File.cleanString(), add braces and reorder bDetected assignment).
Replace hardcoded PE.compare hex signatures with dynamic detection using PE.getDosStubSize() and PE.isSignaturePresent at offset 0x80 searching for the '[LordPE]' marker. Sets sOptions = 'rebuilded' on detection and marks bDetected true. Also update author comment to 'Rewritten by: DosX' and remove the old hex-based checks.
Normalize the detected TASM32 product version string from "5.x" to "5.X" in db/PE/compiler_TASM32.4.sg. This maps TLINK32 linker version 2.25 to a consistent uppercase format for the version placeholder.
Add contributor header and adjust PE signature matching to use an offset (pass 2) and remove the leading MZ bytes from the pattern. Also add an else-if branch to detect an additional LordPE variant (using the same offset) and mark it as detected. Keeps the original sVersion assignment for the primary match.
Add stricter detection for embedded WannaCry payloads by verifying an embedded PE ('MZ') and a '.wnry' marker using the resource's FileSize. For other cases (embedded ZIP and modified variants), construct a Unicode-aware cmd signature via generateUnicodeSignatureMask("%s\\ProgramData") with padding and search both .rsrc and .data sections for the 'cmd.exe /c' invocation to improve detection of modified loaders.
Introduce explicit file-prefixed properties and compatibility aliases in db/PE/_init: Resource.Name/Offset/Size were renamed to FileName/FileOffset/FileSize, and both Resource and Section now expose Size and Offset mapped to the corresponding FileSize/FileOffset. This clarifies file vs virtual fields in PE parsing while preserving existing Size/Offset accessors.
Rename multiple files in db/COM to include category prefixes for clearer organization. Examples: Microsoft_C.4.sg -> compiler_Microsoft_C.4.sg, SPHINX_C--.4.sg -> compiler_SPHINX_C--.4.sg, Microsoft_RTL.3.sg -> library_Microsoft_RTL.3.sg, several Crypt_/Inbuild_/Maveriks_/MrHDKiller_* -> protector_*, and LHarc_SFX.1.sg -> sfx_LHarc_SFX.1.sg. These are pure path renames (no content changes).
Broaden resource-name check to accept three-letter uppercase names (e.g., "XIA") and include scanning the .data section (in addition to .rsrc) for the "cmd.exe /c ..." signature. Extracted the signature into a cmdSignature constant and consolidated variable declarations for clarity. These changes improve detection of variants that embed payloads in .data or use different resource naming.
Refactors the WannaCry detection path: add a guard on PE_Cached.numberOfUnmanagedResources and check the first resource name, detect embedded executables by checking PE.resource[0] for an 'MZ' header, and fall back to the previous .rsrc signature check. Uses an isWannaCryDetected flag to centralize the decision and only push the verdict when a positive indicator is found, reducing false positives and clarifying control flow.
Introduce a heuristic in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to detect WannaCry samples on x86. The new check matches a common entry-point prologue (push ebp; mov ebp, esp) and looks for a resource signature containing 'cmd.exe /c' pattern; when matched it pushes a verdict object with type "WannaCry". The check only runs if no other verdicts exist and targets x86 binaries. Reference to Malpedia added in a comment.
Add and refine section-name patterns to improve detection coverage: expand Denuvo section patterns (.xtls, .trace, .arch, .ooa), add a Themida fake-section regex entry and an Alienyze fake-section entry in validations, and tidy up various alignment/whitespace in the detection table. Also change the section warning text to separate offset/size with '/' instead of ' and ' for clearer messaging.
Add a new case in detect() (db/PE/packer_PECompact.2.sg) to map build code 20250 to sVersion "2.80+" so the detector recognizes newer 2.80 Blender builds.
Reformat BUILD.md for consistency and readability: standardize section headings (add spaces and unify Qt capitalization), move and reformat tutorial/link entries, add blank lines around blocks for clarity, and ensure newline at EOF. These are non-functional documentation edits to improve maintainability and presentation.
Broaden the heuristic condition when detecting UPX-like structures: require GetProcAddress plus either VirtualProtect or LoadLibraryA (previously VirtualProtect was mandatory), still combined with ExitProcess/CopyContext. This expands detection to variants that use LoadLibraryA and tweaks the condition grouping for clarity.
Add Huan cryptor signatures and file marker: include a fingerprint entry and the ".huan" extension to packer/cryptor detection. Remove a duplicated Perplex extension entry. Add ACProtect and PE-SHiELD fake-section name checks, normalize Themida entry placement and clean up duplicates in the fake-section name mappings. Includes reference URLs for Huan.
Reformat the obfuscatorsAttributes array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg for consistent spacing and aligned comments. Also adjust the order of a few signature entries (minor reordering of SkiDzEX/Sixxpack entries). No functional changes to the signature strings — just readability and style improvements.
Replace the simple section-name check with a stricter detection routine for the Huan cryptor: require exactly one import table, match a specific entry-point signature via PE.compareEP, and verify the first import functions are "VirtualAlloc" and "LoadLibraryA". Sets bDetected when matched and marks sOptions as "modified" if the last section name is not ".huan". This makes detection more accurate and flags renamed/modified samples.
Apply minor code-style adjustments and a variable rename for clarity. Added spaces after '//' in several comments (PKZIP-SFX, RAR-SFX, installer_instyler) to improve readability. In protector_PE-Shield, rename peAnakinSection to anakin98Section and update references to match the actual section name; this is a non-functional rename to make the code more consistent.
Update packer signatures in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: the PE-SHiELD entry now matches either "PESHiELD" or "ANAKiN98" to broaden detection of that packer variant in the heuristic scanner. Reference link preserved.
Move PKZIP-SFX and RAR-SFX detection rules from db_extra/LX to db/LX and add reference URLs. Normalize the installer name capitalization by changing "instyler" to "Instyler" in db/Binary/data_overlays.6.sg (sName) and in the installer rule meta("installer", "Instyler"). No functional behavior changes aside from metadata and comment updates.
Wrap PE.getString calls with File.cleanString to sanitize extracted version text (offsets +10, +19, +22). Replace the numeric comparison if (bDetected == 1) with a boolean truthiness check if (bDetected). Minor syntax/punctuation adjustments for consistency.
Normalize whitespace and formatting across multiple db/*.sg detection scripts: reindent code blocks, consolidate var declarations, reflow conditional expressions and comments, add missing trailing newlines, and standardize a version string to "2.71.X". Updated files include db/Binary/audio.AIFF.1.sg, db/PE/packer_RLPack.2.sg, db/PE/players.1.sg, db/PE/protector_PE-Shield.2.sg, db/PE/sfx_LZH_SFX.1.sg, db/PE/sfx_Zip_SFX.2.sg, db_extra/LX/PKZIP-SFX.1.sg, db_extra/LX/RAR-SFX.1.sg, db_extra/PE/ARDI-SFX.1.sg, db_extra/PE/installer_TInstall.1.sg, and db_extra/PE/installer_instyler.1.sg. These are primarily non-functional formatting changes; no logic alterations were intended except the noted version string normalization.
Rename db/PE/protector_Denuvo.2.sg to db/PE/protection_Denuvo.5.sg and update the meta key from "protector" to "protection" for the Denuvo rule. No detection logic was modified; this aligns the file and meta naming with the current convention.
Adjust indentation of sOptions and bDetected assignments in db_extra/PE/ARDI-SFX.1.sg so they are correctly nested under their respective if branches (for the 2002 and 1999 signatures). This is a whitespace-only change and does not alter logic.
Simplify substring usage for firstEpAsmOpCode and refactor opcode detection: rename strangeReadableOpCodesNearEp to strangeOpCodesNearEp, store opcodes in uppercase, and remove redundant toUpperCase() calls in comparisons. Also improve the displayed option text by capitalizing the detected opcode when adding the "near EP" message. These changes improve consistency and readability.
Refactor the strangeReadableOpCodesNearEp array into a multiline list and add inline comments showing the instruction byte sequences for Cpuid, Rdtsc, Rdtscp, Rdrand, and Rdseed. Also combined the strangeOpCodeDetected declaration onto the same line. This is purely cosmetic/documentation—no logic changes.
Add "Rdrand" and "Rdseed" to the strangeReadableOpCodesNearEp list so the generic PE heuristic flags hardware RNG instructions near the entry point as potentially suspicious. This improves detection of obfuscation/packing techniques that use RDRAND/RDSEED.
Update the strangeReadableOpCodesNearEp array in scanForObfuscations_Native to use the correct opcode name 'Rdtscp' instead of 'Rdrsc' (and adjust ordering). This fixes the heuristic used to detect unusual x86 instructions near the PE entry point.
Replace direct disassembly helpers with emulation-based variants to improve accuracy when analyzing entry-point and nearby instructions. Renamed getEpAsmPattern -> emulateAndGetEpAsmPattern and getAsmInstructionByIndex -> emulateAndGetAsmInstructionByIndex, updated all callers in NET/Native heuristic scans, and adjusted getFirstEpAsmInstruction to use the emulated instruction getter. This change aims to better detect obfuscation patterns (NOP padding, CALL $+5 stack trick, CPUID checks, etc.) by leveraging emulation results.
Update comment in scanForObfuscations_Native to state the check is for "strange opcodes" at the entry point rather than specifically CPUID. This aligns the comment with the surrounding code (isStrangeOpCodeNearEpPresent) and improves clarity.
Update comment in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to include "native code emulation" among the heuristic analysis techniques and adjust surrounding wording for clarity. This is a documentation/comment-only change clarifying supported analysis methods.
Generalize CPUID detection to check for multiple suspicious opcodes near the entry point. Replaced the CPUID-specific flag with a generic isStrangeOpCodeNearEpPresent and iterate over an array of readable opcodes (Cpuid, Rdrsc, Rdtsc). For non-DLL x86 binaries the first 15 instructions are scanned (retaining the safety check); when a match is found the opcode is logged and the corresponding "<Op> near EP" option is added.
Add a heuristic signature for PELock (x32) to the PE heuristic database. The pattern "6A6068........E8........BF94" was inserted into the entries array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of 32-bit PELock-packed samples.
Insert a space between 'Thinstall' and '(VMware ThinApp)' in db/PE/protector_Thinstall.2.sg meta(...) for improved readability/consistency. This is a non-functional formatting change and does not alter detection logic.
Update MPRESS detection logic: set default sOptions to "modified DOS", always run the non-.NET EP signature checks (removed the !bDetected guard), and add a post-detection check to mark the binary as having modified sections when section names differ from ".MPRESS1"/".MPRESS2". Also normalize the NT Packer 2.0 entry-point signature to a contiguous hex string to fix matching/parsing of the pattern.
Update PE heuristic database (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg): add signatures for KByS (x32) and NakedPacker (x32) — "68........E8........C3C3", "60FC0FB605", and "60B8" — to improve packer detection. Also remove ".imports" from the Themida 3.XX section-name list to refine Themida detection.
Remove the Telegram Bot entry from the contact section and normalize extra spacing in the DiE API Library link label. Minor README formatting/cleanup to tidy up links.
Update protector_Denuvo.2.sg to relax the export-name regex used by PE.isExportFunctionPresentExp. The previous /^ANTICHEAT_OBFUSCATE_.+_CODEMARKER$/ required a middle token (and underscore), which missed names like ANTICHEAT_OBFUSCATE_CODEMARKER. The new /^ANTICHEAT_OBFUSCATE_(.+_)?CODEMARKER$/ matches both variants.
Update db/PE/protector_Denuvo.2.sg: broaden the PE.isLibraryPresentExp regex to match both '/' and '\\' path separators, properly escape the dot before 'dll', and add case-insensitive matching. This makes detection of Core/Activation.dll and Core\Activation64.dll more robust across platforms and case variations.
Enhance GenericHeuristicAnalysis_By_DosX by adding multiple PE.isNetUStringPresent checks to broaden UX-Locker detection. New signatures include memory/service messages ("\r\nMemory section at address 0x0424* is locked!", "\r\nService UXCryptor started.", "\r\n\r\n * Windows blocked!"), "lc.exe error", bypass markers ("ByPassWarnMsg", "ByPassMessage"), "ux-cryptor.exe", the ransom message "YOU ARE HACKED!\\1", and a combined pattern requiring both "_o_program" and "border_1". These additions improve detection coverage for UXCryptor/locker behaviors.
Replace a complex export-name check inside scanForObfuscations_Native with a simpler condition that flags exports starting with a digit or containing non-ASCII characters. Removed the additional checks for mangled names and underscore-replaced obfuscation testing. Note: the parentheses were changed, so the !isAsciiString check is now evaluated independently of the functionName truthiness (behavior may differ subtly).
Update PE heuristic rules: add a kernel32 library presence check to the UPX-like detection conditional to ensure VirtualProtect is resolved from kernel32, and change NsPack detection flag from 0 to -1. Also apply non-functional formatting/comment alignment across db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg for readability.
Add an inline comment marking the static export option for Audiokinetic detection (sOptions = "static" // EAT). Tighten Denuvo protector detection by consolidating separate export checks into a single conditional that requires >10 imports, a d3d library import, and an export matching GetDenuvo(TimeTicketRequest|TicketLocation). This removes redundant individual export checks and reduces false positives by adding import/library heuristics.
Broaden Denuvo signature and add heuristics for more reliable detection. The packer signature now recognizes .etext/.xtext section names in addition to .ecode/.xcode. Added a heuristic that marks Denuvo if Core/Activation(64).dll is present or if the binary has >10 sections, >10 unmanaged imports, and either a .etext/.xtext section or exports like GetDenuvoTimeTicketRequest/GetDenuvoTicketLocation. SteamStub detection was moved earlier and now checks for the E8 stub at the entry point and a trailing .bind section. Removed duplicated older checks and added contextual comments/links.
Add contributor tag and refine detect() to prefer PE.isFunctionPresent("AkTlsAllocateSlot") first; if only the export exists, set sOptions = "static" and mark detection. This distinguishes static vs exported symbol cases for more accurate Audiokinetic library detection.
Delete obsolete db/PE/library_AMD_FidelityFX.4.sg detection rule. Update db/PE/protector_Denuvo.2.sg to relax the section-count check from >12 to >10, broadening matches for Denuvo-protected binaries (logic and other checks unchanged).
Tighten and expand section-name checks in db/PE/protector_Denuvo.2.sg: require both the .[e|x](text|code) and corresponding data section when checking PE files with >12 sections, extend accepted data section name patterns (add .sx and allow .code variants and xp/xd forms), and update detection comments to include Deathloop and Immortals Fenyx Rising alongside Atomic Heart. Also includes a minor whitespace adjustment.
Adjust Denuvo detection heuristics: increase section-count threshold from >6 to >12, tighten and anchor section-name regular expressions (add '^' anchors, include 'my' and explicit .[ex]text pattern), and consolidate some checks to use isSectionNamePresentExp. Update the Atomic Heart version tag from "17.0" to "12.0-17.0+". These tweaks aim to reduce false positives and improve matching for newer builds.
Add 'ezip' (1.X) signature to scanForPackersAndCryptors list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of ezip-packed binaries. Signature hex: 0x174efb84.
Insert NakedPacker entry (version 1.0, id 0x64910c88) into the packers list in scanForPackersAndCryptors_NET_and_Native within db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to add detection for NakedPacker.
Add an NTPacker entry (version 1.0, signature 0x1a721d2d) to the packers/cryptors array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg so the heuristic scanner can detect files packed with NTPacker.
Insert a new signature for JDPack 1.01 (hash 0xd9380ce5) and update the existing entry to use the consistent 'JDPack' casing for the 2.00 signature (0xc002db0e) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This improves packer detection accuracy and naming consistency.
Add new signature 558BEC83C4E05333C0 to scanForPackersAndCryptors_NET_and_Native in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to detect NTPacker (x32) samples. Improves heuristic detection coverage for this packer.
Enhance PE heuristic DB by adding multiple detection signatures for the Petite packer: introduce a 2.1 entry with three signatures, retain the existing 2.2 entry, and add two 2.X signatures. These changes improve detection of Petite variants in the scanForPackersAndCryptors_NET_and_Native routine while preserving the original reference link.
Replace explicit checks for vcruntime140.dll and vcruntime140_1.dll with PE.isLibraryPresentExp using a regex that matches multiple vcruntime140 naming variants (debug builds, _1, hashed suffixes, optional .dll). This broadens library detection to capture more runtime DLL name patterns while preserving the existing behavior of setting sOptions to "dynamic" and bDetected to true in db/PE/library_Microsoft_C_Runtime.4.sg.
Corrects the conditional in scanForObfuscations_Native so the heuristic flags when the first PE section is not ".text", ".textbss" or ".code" and a text section exists elsewhere. The previous check only triggered when the first section was exactly ".code", which missed other non-text section names and caused false negatives in the text-section-not-first detection.
Separate UPX-like structure detection from import/IAT checks by adding isUpxLikeImports. Move VirtualProtect/GetProcAddress/ExitProcess|CopyContext validation into a nested branch so we only mark IAT-like when imports are present. Update logging to show R(W) and build the option label to include "and IAT" only when import checks pass. Also require both structure and imports for the final ~packer UPX-like result to reduce false positives.
Reformatted the licesingStrings array into a multiline list for readability (entries reordered but behavior unchanged). Added inline comments linking to Denuvo and SteamStub resources above their respective detection checks to provide context for the DRM heuristics.
Replace a loose library check with a stricter, anchored regex so the heuristic only matches exact DLL names (e.g. Core/Activation.dll or Core/Activation64.dll, allowing either slash or backslash and case-insensitive). This reduces false positives when detecting Denuvo activation libraries.
Register SteamStub as a known packer ('.bind') and detect SteamStub DRM in licensing scans. Adds a packer list entry for SteamStub and checks for the SteamStub pattern in scanForLicensingSystems by verifying the entry-point opcode via PE.compareEP("E800000000") and that the last section is named ".bind", then adds the "SteamStub DRM" option when matched.
Add a check in the Denuvo protector detection to ensure PE.section[0].Name !== ".text" before applying the existing heuristics (sections > 6 and special section-name patterns or .arch/.xtext/.xtls). This reduces false positives for binaries whose first section is .text and improves readability by splitting the long conditional across lines.
Introduce a Denuvo entry to the PE heuristic database in scanForPackersAndCryptors_NET_and_Native. Adds a pattern (regex for .excode/.xcode and ".ooa") so the scanner can recognize Denuvo-protected binaries and improve detection coverage.
Update PE protector detection regex in db/PE/protector_Denuvo.2.sg to also match '.udata' sections by changing \.(e|sr|x(p|d))data$ to \.([eu]|sr|x(p|d))data$. This expands detection coverage for Denuvo-protected native PE files that use .udata sections.
Tighten the Phoenix PE detector by adding a PE.isNetObjectPresent("?0?") check before the existing signature match, reducing false positives for non-.NET binaries. Updates db/PE/protector_Phoenix.2.sg to only mark version 1.7-1.8 when both the .NET object and signature are present.
Rename db/PE/protector_Sixxpack.2.sg to db/PE/packer_Sixxpack.2.sg and change meta tag from "protector" to "packer". Add an additional guard so detection only runs when PE.isNet() and PE.isNetUStringPresent("Data Error") is present, preserving existing signature checks for versions 2.2, 2.4 and 2.X.
Add a check for PE.isNetObjectPresent("AssemblyInfoAttribute") in the Crypto Obfuscator detector before matching the signature. This ensures the detection only runs for managed assemblies that include the AssemblyInfoAttribute, reducing false positives when PE.isNet() is true but the attribute is absent.
Refine detection for the .netshrink packer: add an "Enhanced: DosX" note, require a specific .NET object presence (PE.isNetObjectPresent("\u0002\u2001")) to reduce false positives, and add a resource-based signature ('stub_2.netrsrc.resources') to detect 2.9+ builds. Existing 2.01 Demo signature checks are preserved.
Update changelog entry to use American English spelling: changed 'Add AVX2 and SSE2 optimisation' to 'Add AVX2 and SSE2 optimization'. This is a documentation-only change with no code impact.
Delete obsolete boolean-version check from db/language::_setLang. The early return for when version === false (WAYBACK support) was legacy compatibility and is no longer needed, simplifying the language detection control flow.
Normalize indentation and spacing across multiple YARA rule files. Changes are whitespace/formatting-only (alignment of comments, blocks, and string sections) and do not modify rule logic or conditions. Updated files: yara_rules/DiE_BasicHeuristics_by_DosX.yar, yara_rules/DiE_EnhancedHeuristics_by_DosX.yar, yara_rules/DiE_InterestingThings_by_DosX.yar, yara_rules/crypto_signature.yar, yara_rules/malware_analisys.yar, yara_rules/packer.yar, yara_rules/packer_compiler_signatures.yar, yara_rules/peid.yar.
Consolidate spaced byte-wildcards across many YARA signatures in yara_rules/peid.yar (e.g. "?? ?? ??" -> "??????" and similar) to make wildcard runs consistent and more compact. This is a bulk normalization change to improve readability and ensure uniform pattern expressions across multiple rules at the PE entry-point signatures.
Normalize indentation and formatting in yara_rules/packer_compiler_signatures.yar: convert tabs/irregular spacing to consistent spaces, align comments and condition blocks, and standardize meta/strings formatting across many rules. This is a whitespace/style-only change — no detection logic or rule conditions were altered.
Reformat yara_rules/packer.yar: standardize 'meta' author lines and normalize hex string patterns for readability and consistency. Consecutive 00 bytes and wildcard groups (??) were compacted/standardized, spacing in byte sequences was unified, and several pattern placeholders were adjusted to a consistent notation. No functional rule logic was changed—these are formatting/normalization edits to make maintenance of YARA signatures easier.
Reformatted yara_rules/malware_analisys.yar by merging multi-line "condition:" labels and their expressions onto single lines across many rules for consistent styling and readability. These are purely formatting/whitespace changes and do not alter rule logic.
Refactor many YARA rule string literals to collapse repeated byte sequences (e.g. runs of 0x00, 0x90, etc.) into compact continuous hex tokens across multiple rules. This normalizes formatting of the pe.entry_point patterns for readability and consistency without changing rule conditions or semantics.
Normalize formatting in yara_rules/peid.yar by collapsing multi-line 'strings' and 'condition' blocks into single-line declarations and adjusting indentation across many rules. This is purely a stylistic/whitespace change to make the file more compact; no rule logic or signatures were modified.
Standardize db/MSDOS filenames by adding type prefixes (compiler_, cryptor_, protector_, sfx_, other_PK_). Rename multiple detection rule files accordingly. Also normalize file modes for protector_DAEMON_Protect.2.sg and sfx_Disk_eXPress.1.sg (100755 -> 100644) and apply minor formatting/whitespace normalization; no detection logic changes.
Relax detection in scanForPackersAndCryptors_NET_and_Native(): accept the third section as read-write in addition to read, and treat CopyContext as an alternative to ExitProcess when identifying UPX-like layouts. This accommodates variants such as UPX-Patcher while preserving the original RWX/RWX/R pattern detection logic.
Fix PE section lookup in tool_UPX-Patcher by using dosxSection.Number when computing fishSectionByIndex. Previously the code used dosxSection directly (which can be an object), producing an incorrect index; this change ensures a numeric index is used and prevents detection failures.
Introduce reusable SECTION_FLAGS_* constants and derived RWX masks to avoid duplicated local constants. Add a heuristic for detecting UPX-like binaries (3-section layout + RWX checks + common imports) and mark such files as a suspicious packer. Refactor packer/protector detection flow to use an isPackerOrProtectionNotDetected guard and to emit a "UPX-like" suspicion when appropriate. Also replace local RWX_MASK/RWX_CODE_MASK usage in scanForObfuscations_Native with the new global masks.
Treat the floating-point FNOP opcode the same as NOP in scanForObfuscations_Native by adding FNOP to the initial opcode check. This ensures sequences starting with FNOP are identified as NOPs and improves detection of NOP-equivalent obfuscation patterns.
Add a Detect It Easy rule (db/PE/tool_Scylla.6.sg) to identify Scylla reconstructed PE dumps. The script (authored by DosX) skips .NET binaries, checks the last section for the name ".SCY" and a characteristics mask (0xe0000020), and marks the sample as a reconstructed dump by setting sOptions and bDetected. Includes upstream project link metadata.
Add a heuristic in scanForObfuscations_Native to detect a phantom Export Address Table (EAT). If the PE header indicates an export section but numberOfUnmanagedExports is zero, the code now flags the sample by adding the "Phantom EAT" option. This helps identify an obfuscation trick that misleads PE parsers and analyzers.
Introduce two YARA rules to detect PE signature/trust anomalies under a new section: Anomaly__AuthenticodeCorrupt (flags a present security directory with size smaller than a minimal PKCS#7 structure, ~8 bytes) and Anomaly__SecurityDirPointsBeyondFile (flags when the security directory offset + size exceeds the file size, indicating appended or corrupt data). Both rules target PE files and inspect pe.data_directories[4].
Append several structural/whole-file heuristic YARA rules to detect anomalous PE characteristics often associated with packers or custom toolchains. Rules added: TinyPE (filesize < 1KB), DOSStubMissing (e_lfanew < 0x50 indicating no DOS stub), DOSStubCustom (missing standard DOS stub strings), SelfModifyingHeaders (PE header located in a writable section), WholeFileHighEntropy (overall entropy > 7.0 for files >4KB), and VersionInfoMissing (native non-DLL PE with no version resource). Includes comments and detection thresholds explaining the rationale for each heuristic.
Introduce two YARA rules to detect anomalous resources in PE files:
- Anomaly__ResourceHighEntropy: flags .rsrc sections >4KB with entropy >7.4 (used to catch likely encrypted/compressed payloads while acknowledging legitimate high-entropy resources like PNG/JPEG).
- Anomaly__ResourceDominatedBinary: flags PE files where a .rsrc section comprises >90% of the file size (possible embedded payload), excluding DLLs to reduce false positives.
Also adds a Resource anomalies comment header for organization.
Introduce three YARA rules to detect PE data-directory anomalies: TLS callbacks (potential anti-debug/evasion), stripped debug directory despite a Rich header, and presence of CLR metadata in a PE with many native imports (mixed .NET/native). Rules check relevant data_directories indices (TLS=9, DEBUG=6, CLR=14), Rich signature, size, and import count to flag suspicious or uncommon binaries.
Introduce three new YARA rules detecting suspicious PE TimeDateStamp values: FutureTimestamp (pe.timestamp > Jan 1, 2026), AncientTimestamp (pe.timestamp < Jan 1, 1990 and not zero), and ZeroTimestamp (pe.timestamp == 0). These heuristics help flag likely forged, pre-PE-era, or intentionally stripped timestamps for further analysis.
Add two YARA rules to detect suspicious overlays in PE files: Anomaly__LargeOverlay (flags overlays larger than 50% of the file, indicating possible embedded payloads) and Anomaly__OverlayPresent (flags overlays >1KB with entropy >7.0, indicating compressed/encrypted data). These heuristics help surface appended data that may contain hidden or packed content for further analysis.
Add three import-related heuristics to DiE_EnhancedHeuristics_by_DosX.yar to detect suspicious PE import tables: Anomaly__NoImports (native PE with zero imports, excluding DLLs), Anomaly__SingleImportDll (native PE with exactly one import DLL), and Anomaly__SuspiciousMinimalImports (PEs importing only LoadLibrary[AW] and GetProcAddress). These rules help flag likely packed/crypted executables that resolve APIs manually and supplement existing entry-point/int3 heuristics.
Introduce a new "Entry point anomalies" block with multiple YARA rules to detect suspicious PE entry-point placements and characteristics. Adds rules: Anomaly__EntryPointInLastSection (EP in last section, common for appended code/packers), Anomaly__EntryPointInNonCodeSection (EP inside a section without CODE flag), Anomaly__EntryPointOutsideAnySections (EP not in any section, skips DLLs and zero EP, ignores sections with no raw data), Anomaly__EPStartsWithNops (EP begins with a 4+ NOP sled), and Anomaly__EPStartsWithInt3 (EP begins with INT3). Rules use raw file offsets for pe.entry_point and include guards to reduce false positives.
Add multiple YARA rules to detect PE section anomalies commonly associated with packers, obfuscators, or tampered binaries. New rules cover: writable+executable code sections, executable .data/.rdata/.bss, empty or non-printable section names, sections with zero raw size but non-zero virtual size and execute flag, raw data extending beyond file size, virtual size much larger than raw size (excluding .bss), high-entropy sections (excluding .rsrc), and duplicate section names. These heuristics improve detection of suspicious PE files for further analysis.
Add new YARA rules (yara_rules/DiE_EnhancedHeuristics_by_DosX.yar) for the Detect It Easy project authored by DosX. The file imports pe and math and defines reusable predicates (IsPE, IsNative, Is64) plus multiple PE header anomaly rules to detect suspicious or tampered PE files (e.g. zero-sized optional header, suspicious image base, zero entry point, entry point beyond image, invalid/tiny alignments, checksum mismatch, zero size_of_image, large section counts, suspicious subsystem, and forced integrity dll characteristic). These heuristics help flag manually crafted, packed, or corrupted binaries; copyright/author metadata is retained in the file.
In detect(), assign sType.toLowerCase() to a local variable and only append it to sOptions when non-empty. This prevents empty strings from being added to sOptions when the debug type is blank, making debug data type handling more robust.
Broaden the UX-Locker heuristic to trigger not only on lc.exe/lc module or assembly names but also on several .NET indicators. Add checks for PE.isNetObjectPresent("0xC00000FD: The memory location at the specified address returned \"null\"") and PE.isNetUStringPresent for "%temp%\\$unlocker_id.ux-cryptobytes", "attrib $h $s $r $i /D ", and "OneDrive10293" so samples without the original module/assembly names are still identified.
Add a heuristic in scanForMaliciousCode_NET_and_Native to push a UX-Locker verdict when no other verdicts exist and the .NET module or assembly name is 'lc.exe' or 'lc'. The verdict object includes empty version and details fields. This introduces an early detection rule before existing RAT/anti-AV checks.
In detect() (db/ELF/_ELF.0.sg) handle the case where ELF.getOperationSystemVersion() returns the string "0" by converting it to an empty string (sVersion = String()). This prevents a misleading '0' value from being treated as a real version when verbose output is enabled.
Add a short-term compatibility check in db/language::_setLang to support legacy Wayback calls: if version is the boolean false, the function returns null and aborts further processing. Comment notes this is temporary and will be removed.
Expand and refine the list of DOS-mode signature messages used for custom DOS detection. Adds additional known headers (e.g., "This program requires Microsoft Windows" for MASM/FASM/older assemblers and "Win32 only." for Pelles C), reorders entries, and clarifies comments for existing strings (twinBASIC, Borland, Legacy Win32 SDK, Watcom). This improves detection of DOS stub messages emitted by various compilers/linkers.
Add a guard using PE.isOverlayPresent() before calling PE.compareOverlay in the detect() function. This ensures overlay comparison only runs when an overlay exists, avoiding false comparisons or errors for files without an overlay. (Updated db/PE/sign_tool_Windows_Authenticode.7.sg)
Update db/PE/_debug_data.5.sg: remove a duplicated header comment and add a new "// Enhanced: DosX" note. This clarifies the file metadata without changing detection logic for PE Debug Directory entries.
Broaden the section name check to match both ".rsrc" and ".reloc" (using /\.(rsrc|reloc)/i) instead of only matching "rsrc". This ensures reloc sections are counted in the resourceSectionsCounter and improves accuracy when identifying resource/relocation sections in PE parsing.
Add CompanyName check for "Communication Platform LLC" alongside ProductName "Max" so the heuristic also flags samples by company, and change the verdict type string from "Max Spyware" to "MAX Spyware". Also reformat a long isSignaturePresent call into multiple lines for readability.
Rename debug_data.5.sg to _debug_data.5.sg and remove executable bit (100755 -> 100644). Add a meta declaration for "debug data" records and refactor detect flow: rename variables for clarity, mark bDetected when records exist, accumulate debug types into sOptions (lowercased), and return result(). The unknown-data detection logic (Borland TDS / Delphi / C++ TDS) was preserved but moved below detect for clearer organization.
Move and split peid_rules/userdb.txt into multiple PE-focused signature files under peid_rules/PE (compiler, file_format, installer, joiner, overlay, packer, protection, protector, sfx_archive, and PE/userdb.txt). Add split_userdb.ps1 script used to perform the split and include the generated PE signature files (auto-categorized from the original userdb).
Add peid_rules/userdb.txt: a new PEiD-style user signature database (generated with Add Signature v2.00) containing thousands of packer/protector signatures (e.g. PseudoSigner, VMProtect, UPX, Armadillo and many heuristics). This file enables additional detection rules for PE scanning and packer identification.
Introduce scanForInterestingMarkers_NET_and_Native to detect GameDefinitionFile (__GDF_XML) resources in unmanaged PE resources and set a ~marker result when present. Hook the new scan into main() under verbose mode and add a log message to scanForDebugData_NET_and_Native. Provides additional heuristic detection for specific OS-read markers in .NET and native binaries.
Add a reference URL for SteamStub and change the second PE.compareEP check from an independent if to an else if. This ensures the x64 pattern is only considered when the first pattern doesn't match, preventing multiple matches from conflicting and improving architecture detection (sOptions/bDetected handling).
Rename detection file from db/PE/other_Steam.6.sg to db/PE/protection_SteamStub.5.sg and update metadata from meta("other", "Steam") to meta("protection", "SteamStub"). Remove the unused sVersion = "stub" assignment; detection logic is unchanged. This reclassifies the rule as a protection signature and cleans up the file.
Rename several MSDOS database files to add category prefixes and reorganize one entry into db_extra. No content changes (100% similarity); this is a file-structure cleanup to make types explicit:
- db/MSDOS/Power_C.4.sg -> db/MSDOS/compiler_Power_C.4.sg
- db/MSDOS/CauseWay_DOS_Extender.0a.sg -> db/MSDOS/extender_CauseWay_DOS_Extender.6.sg
- db/MSDOS/Copy_Protector.2.sg -> db/MSDOS/protector_Copy_Protector.2.sg
- db/MSDOS/Copylock_PC.1.sg -> db/MSDOS/protector_Copylock_PC.2.sg
- db/MSDOS/FCP_IV.2.sg -> db_extra/MSDOS/packer_FCP_IV.2.sg
Tighten heuristic for detecting obfuscated tokens by updating the consonant-cluster rule. Adds an exclusion for abbreviation-style doubled consonants (e.g., "spprgrss.dll") so strings with repeated consonants aren't falsely flagged, while preserving existing common-pattern exceptions (str|chr|thr|sch|scr|spr). Updated comment and combined regex checks to reduce false positives.
Introduce isDllIatAndEatMissing and move the check earlier to detect DLLs that lack both Import Address Table and Export Address Table (but have an entry point). When such DLLs are found the option "No IAT and EAT" is added. Adjust the subsequent EAT-missing logic to skip when both IAT and EAT are missing to avoid duplicate/conflicting flags. This ensures correct heuristics for DLLs without imports/exports (excluding resource-only DLLs).
Adjust VM image detector to assign the raw version byte (remove the "v" prefix) and add missing statement terminator in db/Binary/format_img.VM.1.sg. Also remove an unused local variable (test) from the PerlApp PE resource loop in db/PE/compiler_PerlApp.1.sg to avoid dead code/lint issues. These are small cleanups to correct version handling and tidy up the PE detection code.
Rename several db/MSDOS detection rules to include category prefixes (compiler_, packer_, protector_, sfx_) for clearer organization. Example renames: BSTAR_FORTH.4.sg -> compiler_BSTAR_FORTH.4.sg, Symantec_BASIC.4.sg -> compiler_Symantec_BASIC.4.sg, Topspeed_C.4.sg -> compiler_Topspeed_C.4.sg, Turbo_Basic.4.sg -> compiler_Turbo_Basic.4.sg, Turbo_Prolog.4.sg -> compiler_Turbo_Prolog.4.sg, Tenth_Planet.2.sg -> packer_Tenth_Planet.2.sg, AVAST_CRC-Check.2.sg -> protector_AVAST_CRC-Check.2.sg, PKZIP_mini-sfx.1.sg -> sfx_PKZIP_mini-sfx.1.sg.
Also adjusted BSTAR_FORTH file mode from 100755 to 100644 (removed executable bit) and fixed a minor formatting/brace issue in the BSTAR_FORTH detection function. No other functional changes to rule logic.
ROM_1: 'SEGA' @100h ROM family vastly improved, info-ed & ripper-ready (not enough testing data but should work fine)
HIP: the text was written in as text (KISS principle)
Replace temporary nMajor/nMinor vars with direct PE.getMajorLinkerVersion()/PE.getMinorLinkerVersion() calls when detecting TASM32 (maps TLINK32 2.25 to TASM32 5.x). Also update linkers.6.sg EOF so the file no longer ends with a trailing newline.
Stylistic and wording cleanup across db/Binary rule files. archive_PEA: condensed multi-line switch cases into single-line statements for readability. debug_data_debugData: merged related var declarations into a single statement. format_bin.KeePass: normalized version labels to 1.X/2.X and adjusted pre-release wording; options unchanged. win_resources: removed empty second argument from meta("format"), tightened mapNames spacing/formatting, and fixed file trailing newline. Changes are primarily formatting and minor text normalizations with no intended functional changes.
Add heuristic to detect 'Max' product in PE heuristics: push a "Max Spyware" verdict when ProductName equals "Max" in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. Add a new binary DB file dbs_special/db_view_resource_names.db. Add ren_files_by_dosx.js: a Node.js utility that recursively finds .sg files, extracts the first argument passed to meta(), and renames files by prefixing that value (underscores in names are used to skip renaming). The script includes logging, safety checks for existing target names, and accepts a start directory argument (defaults to current dir).
Reformat YARA rule declarations across yara_rules/crypto_signature.yar, yara_rules/packer.yar and yara_rules/packer_compiler_signatures.yar by moving the opening brace onto the same line as the `rule` name and cleaning up surrounding blank lines/indentation. These are non-functional, stylistic changes to improve consistency and readability; rule logic and string conditions were not altered.
Update yara_rules/peid.yar by stripping the ': PEiD' module/inheritance specifier from numerous rule declarations, converting them to plain 'rule <Name>' forms. Also apply minor formatting cleanup across the file to improve YARA compatibility and consistency.
Use File.cleanString on the regex matches for sName and sVersion to sanitize extracted values. Replace the simple null check with a stricter condition (truthy and length < 32) so only valid, reasonably sized version strings mark the PE detection as true, reducing false positives.
Store result of PE.compareOverlay("'PK'") in a local isPkOverlay variable and reuse it in the detection logic to avoid calling the check twice. This improves readability and avoids redundant overlay comparisons without changing behavior.
Change cache format and related handling: computeKeyForPath now produces a hex 64-bit-like key (adler32<<32 | crc32). Cache read/write switched from zlib deflate/inflate to Brotli compression/decompression with max quality and text mode. Cache entries are stored as sorted key=hex_value pairs joined by ';' for better compression; load parses hex values via parseInt(...,16). Miscellaneous improvements: always update newCache with current mtime before skipping unchanged files, move obsolete-file deletion earlier (and skip the cache file itself), log skipped/deleted counts, and small style refactors (grouped const declarations) in file traversal helpers.
Add a regex in isTokenObfuscated to treat version-style tokens (e.g., v1.0, v21.9) as non-obfuscated. This reduces false positives by excluding common version control tags from heuristic obfuscation detection alongside existing CI/build token exceptions.
Rename multiple files in db/COM to include explicit category prefixes (e.g. compiler_, converter_, cryptor_, immunizer_, other_, packer_, protector_) for clearer organization. Example changes: 8086_Forth_83.4.sg -> compiler_8086_Forth_83.4.sg, EXETools_EXE2COM.1.sg -> converter_EXETools_EXE2COM.1.sg, Anti-Lamer_Cryptor.2.sg -> cryptor_Anti-Lamer_Cryptor.2.sg, ARF_AV_Inject.1.sg -> immunizer_ARF_AV_Inject.1.sg, integrity_checker.1.sg -> other_integrity_checker.1.sg, CyberWare_Packer.2.sg -> packer_CyberWare_Packer.2.sg, and several protector_ renames. Also a tiny whitespace/newline adjustment was made in the Borland C++ detector file during the rename.
Introduce a simple on-disk cache to avoid reprocessing unchanged DB files. Adds zlib-compressed CACHE_FILE in the output dir, Adler32+CRC32 key generation (computeKeyForPath), and loadCache/saveCache helpers (with fallback to plain text). The main flow now loads the cache, compares stored mtime values to current mtimes, increments stats.skipped and skips unchanged files, processes only files that changed, and writes an updated cache at the end. Includes defensive parsing/IO handling and keeps existing deletion of obsolete output files.
Avoid unnecessary file rewrites and prune stale outputs. Add writeIfChanged to worker.js to skip writing identical content (new 'skipped' / '*-skip' result types), update task.js to count skipped/deleted files and report stats, and introduce syncDeleteOldFiles/getAllFilesInDir/deleteEmptyDirs to remove obsolete files from dbs_min before processing. Also restore MAX_PARALLEL to 16 and simplify worker resolution/exit handling. Finally, comment out the unconditional rd command in dbs_min_generate.cmd so the output folder is preserved.
Fix minor issues in PE detection scripts: add a missing semicolon to the sOptions assignment in db/PE/game_engine_DEV7.3.sg, and insert a blank line before the return statement in db/PE/game_engine_Atlas.3.sg and db/PE/game_engine_Wintermute.3.sg for improved readability.
Add PE_Cached.isArchX86 guards around SFX entry-point comparisons, entry-like-packer checks, and several EP-based malicious signature matches so x86-only byte-pattern tests are not applied to non-x86 binaries. Also move isSfx assignment inside the guarded block and make minor whitespace/comment alignment changes in MSIL opcode definitions for readability.
Update isTokenObfuscated in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection and reduce false positives. Adds exemptions for pure-digit changelist/build numbers (6–12 digits) and common build/CI/server keywords (jenkins, gitlab, buildbot, steam, win32/64, x86/x64, etc.). Introduces new obfuscation detections: repeating 2–3 char segments, repeated letter+digit clusters, chaotic letter+digit alternation, long consonant clusters, excessive repetition of a single consonant for short tokens, common keyboard walks, and high digit-letter transition counts (thresholds to flag likely obfuscated tokens). Includes a TODO note for future upgrades.
Refactor the file header comment in db/PYC/packer_UPP.1.sg: replace the specific "UPP Packer detection for Python Bytecode" line with a generic "detection rule file" and move the project URL to its own commented line. This is purely a comment/formatting change with no functional impact.
Updates PE heuristic script and 7z detector:
- Add supported architectures list to header comment.
- Require DIE engine >= 3.20 (message updated) and add debugger triggers in legacy/wrong-environment/cache stubs for easier debugging.
- Add detection for single-section PE files in both .NET and native scans and add an "Only one section" option when found.
- Normalize logging categories (logType.net/logType.any) and update several log messages for clarity.
- Fix isArchX86 logic and documentation to correctly map ARM/ARMNT/THUMB and x86 variants.
- Tweak opcode/net checks and minor message changes in various scan routines.
- Tighten 7z overlay detection to only mark bDetected when the parsed version matches a numeric X.Y pattern.
Files changed: db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg, db/PE/archive_7z.6.sg.
Use a shorter hex offset (0x58) and add a strict regex check for the build date string before setting sVersion and bDetected. This avoids treating arbitrary or malformed data as a valid build date; only strings matching the expected "Mon Mon DD HH:MM:SS YYYY" pattern are accepted and prefixed with "Build date:".
Improve detection of 'MUDGE4' archive headers by matching a date (DD/MM/YYYY) and Copyright owner in the version string. The code now captures the date and owner via regex, formats sVersion as "DD/MM/YYYY, Owner", and sets bDetected; this replaces the previous numeric-only version check.
Update scanForMaliciousCode_NET_and_Native to expand heuristic detections:
- Include PE.isNetObjectPresent("BlockAvSites") in existing RAT-like signature checks.
- Add a new heuristics block that pushes a "Stealer" verdict when various .NET objects (potentiallyVulnerablePasswords, ScanGeckoBrowsersPaths, ScannedWallets, GetPasswords, ScanSteam, GetCookies) are present.
- Treat assembly/module names containing "payload" as suspicious alongside other obfuscation/name indicators.
These changes improve detection coverage for credential/wallet stealers and payload-named assemblies.
Added a missing semicolon in a logging call and normalized comment spacing. Replaced a redundant second if with else if in Mystic Compressor to avoid an extra check when the first pattern matches. Simplified nested conditionals in SerGreen Appacker by combining NET and overlay checks into a single if to reduce nesting and improve readability. Overall minor cleanup and refactor of PE detection code.
Refactor entry-point heuristic checks to be architecture-aware and use cached PE data (PE_Cached). Split x86/x64 and ARM/ARM64 logic for stack-op detection, strange call/jmp detection, NOP-equivalents, CPUID and "stack-push" tricks; add ARM/ARM64 opcode lists and branch checks (B/BL/BX/BLX) and extend NOP detection to ARM MOV-based equivalents. Also replace direct PE queries with cached values (firstEpAsmInstruction, isArchX86, is64bit, isDynamicLinkLibrary), adjust scan ranges, and improve TLS/EP breakpoint/return detection. These changes improve reliability across different CPU architectures and reduce repeated calls to disassembly functions.
Populate new cached fields (firstEpAsmInstruction, is64bit, isDotNet, isDynamicLinkLibrary, indexOfImportsSection, indexOfExportsSection) in the PE cache and replace numerous direct PE.* calls with PE_Cached.* checks throughout the heuristics to improve performance and consistency. Refactor getFirstEpAsmOpCode to use the cached instruction. Also expand and clean up the packer/cryptor/protector section-name database (add many signatures, remove/merge duplicates and reorder entries) and apply related logic/formatting tweaks across native/.NET detection rules.
Add PE_Cached.isDotNet to the PE cache and switch repeated PE.isNet() checks to use the cached flag for consistency/performance. Align and clarify inline comments (logType, PE_Cached, MSIL opcode annotations), adjust ASCII-art indentation, and make small formatting tweaks across NetOpCodes and other .NET-related scans.
Skip marking a global .NET constructor as present if the binary links the unpackaged Windows App SDK. Adds an additional check to scanForObfuscations_NET so PE_Cached.isNetGlobalCctorPresent is only acted on when not C++/CLR-like and when isUnpackagedWindowsAppSdkLinked() is false, reducing false positives for apps that link the Windows App SDK.
Clean up and add heuristics in PE analysis: release the protectionsRuntime dictionary by setting protectionsRuntime = undefined to avoid lingering state; introduce isUnpackagedWindowsAppSdkLinked() to detect unpackaged Windows App SDK linkage by checking for .NET objects "AutoInitialize" and "InitializeWindowsAppSDK"; and update the isArchX86 JSDoc to clarify which architectures are treated as x86-like.
Add detection for the .NET 'sqlite-net' library in the PE scanner. Inserted a comment linking to the sqlite-net GitHub repo and added logic: if not already detected and PE.isNet() and PE.isNetObjectPresent("SQLite-net"), append -net to sName and set bDetected = true. This enables identifying sqlite-net in .NET PE files.
Corrects a misspelled mapping for the mangled operator code '4' in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg: changes 'operator_assigтгn' to 'operator_assign' so the heuristic correctly names the assignment operator (operator=).
Removed unnecessary whitespace and unused return statement in _NetCompilersLibs.4.sg. Updated Go compiler version string in compiler_Go.4.sg for improved clarity.
Renamed and reorganized numerous rule files in db/PE and db/MSDOS to use consistent prefixes (e.g., compiler_, installer_, packer_, etc.) and moved some files to db_extra. Also deleted the obsolete IBM_VisualAge_PL_I.6.sg file. This improves maintainability and clarity of the rule database.
Added a GitHub reference to the Alcatraz protector rule for additional context. Renamed 'scrambler_UnoPiX.2.sg' to 'tool_UnoPiX.2.sg' and updated the meta tag from 'scrambler' to 'tool' to better reflect its classification.
Renamed and moved numerous .sg files in the db directory to follow a more consistent naming convention and directory structure, grouping by type (e.g., compiler, cruncher, packer, protector, etc.). This improves maintainability and clarity of the signature database organization.
Renamed PE rule files to use a consistent naming convention with prefixes indicating their type (e.g., compiler_, packer_, installer_, etc.). Also updated file permissions to 100644 where needed and made minor whitespace-only changes to some files for consistency. This improves maintainability and clarity of the signature database.
Detection rule files were renamed and reorganized to use more descriptive prefixes (e.g., compiler_, packer_, sfx_, etc.) for improved clarity and maintainability. Minor code formatting changes were made to some files, and a new detection rule for IBM VisualAge PL/I was added.
Changed meta() name from 'Squirrel Installer' to 'Squirrel'
Change filename from Squirrel_installer.1.sg to installer_Squirrel.1.sg
Change _sVersion to versionString to avoid duplicate names in signature
Introduces a new detection rule for the EuroASM compiler in the PE database. The rule identifies EuroASM-compiled binaries based on specific PE header values and byte patterns, supporting version differentiation and architecture detection.
Deleted unused, commented-out detection logic from MoleBox.2.sg to clean up the code. Also renamed 'sign tool_Windows_Authenticode.7.sg' to 'sign_tool_Windows_Authenticode.7.sg' for consistency.
Refined the Intel C/C++ detection rule to better extract version information and updated author metadata. Enhanced CodeBase library detection by setting sOptions to 'static' when the export function is present.
Renamed numerous db_extra/PE and db/Binary rule files to use consistent prefixes (e.g., cryptor_, protector_, installer_, etc.) for improved organization and clarity. Minor metadata and whitespace adjustments were made in a few files to match naming conventions.
Renamed numerous files in the db/Binary, db/ELF, db/ISO9660, db/NE, and db/PE directories to use a consistent naming convention with underscores and clearer prefixes (e.g., archive_, audio_, format_, library_, tool_, etc.). This improves clarity, organization, and maintainability of the database file structure.
Renamed and moved several PE detection rule files to /db_extra/. Minor comment updates were made in Sepanta.1.sg and PyInstallerHider.1.sg to standardize file headers and improve clarity.
Renamed and reorganized numerous database files across APK, DEX, ELF, PE, and other directories to use consistent prefixes such as 'library_', 'protector_', 'packer_', 'cryptor_', 'tool_', and similar. This improves clarity, maintainability, and categorization of the database entries.
Reduced MAX_PARALLEL from 16 to 6 to prevent resource exhaustion. Refactored worker event handling in processFile to ensure proper cleanup and avoid multiple resolutions by introducing an isResolved flag and a cleanup function.
Replaced direct calls to .NET detection functions with cached values in PE_Cached for improved performance and consistency. Updated logic in scanForObfuscations_NET, isCppClrLikeApp, and isFrameworkComponent to use these cached properties.
Enhanced the universal safe JavaScript parser to better skip comments, strings, and regexes. Added new post-processing steps for legacy compatibility: replace empty constructors (String(), Boolean(), Number()) with literals, improved arrow function replacement, and refined delete statement handling for strict mode. Refactored code for clarity and robustness in minification workflow.
Refactored the let-to-var replacement logic to use a new parseJSCodeSafe utility for safer code parsing. Added replaceBDetectedSafe to convert bDetected=!0/!1 patterns to bDetected=1/0, and updated the processing pipeline to include this transformation for improved legacy compatibility.
Added isCppClrLikeApp property to the cache map and updated references to use the cached value instead of calling isCppClrLikeApp() repeatedly. This improves performance and consistency in .NET obfuscation scanning logic.
After generating the database, the script now calls db_compress to further process the output. This automates compression as part of the generation workflow.
Moved file minification and copying logic into a new worker.js file, enabling parallel processing of files using Node.js worker_threads. The main task.js script now manages a pool of workers (up to 16 in parallel) for improved performance and responsiveness when processing large numbers of files.
Refactors the replaceLetWithVarSafe function to more accurately handle JavaScript string and regex literals, preventing incorrect replacements inside them. This change improves the safety and correctness of code transformations involving 'let' to 'var' replacements.
Enhanced the replaceLetWithVarSafe function to prevent replacing 'let' inside regular expression literals. This change reduces the risk of incorrect code transformation when processing JavaScript files.
Replaces direct assignment of Binary.getString with a cleaned string using File.cleanString in the detect() function to ensure the options string is properly sanitized.
Replaces direct calls to PE.isRichSignaturePresent() with cached value in PE_Cached for consistency and performance. Adds detection logic for Daleth RAT v1.0. Refactors BitRAT detection to distinguish Tor stub version and introduces unloadCache() to clear cached PE data.
Detection now checks for the presence of the 'UnityMain' export function in addition to 'UnityPlayer.dll', increasing reliability in identifying Unity Engine binaries.
Introduced fixDeleteStatements to replace 'delete varName' with 'varName = undefined' before minification, preventing strict mode errors. Also updated UglifyJS minify options to allow bare returns.
Added or updated metadata comments and detection logic in several rule files for improved clarity and accuracy. Refactored AutoHotKey manifest detection for efficiency, fixed a missing semicolon in doc.PDF.1.sg, and renamed Cryptect.1.sg to Cryptect.2.sg with no logic changes. Minor code style and comment adjustments were also made.
Introduced the isWinCert function to skip WIN_CERTIFICATE overlays during scans for efficiency. The detect function now returns early if a WIN_CERTIFICATE is detected.
Updated isNameObfuscated to skip tokens starting with 3+ uppercase letters, treating them as non-obfuscated (e.g., abbreviations in resource file names). This prevents false positives for names containing abbreviations separated by spaces.
Refactored multiple ISO9660 tool and library detection scripts to improve code clarity and consistency. Changes include combining variable declarations, minor whitespace adjustments, and reordering assignments for better readability. No functional changes were made.
Enhanced the detect() function to identify the programming language (VB.NET, C#, F#, C++) by scanning for specific signatures after detecting the PDB version. Refactored version detection logic for clarity and maintainability.
Replaced empty string defaults with String() constructor for better clarity and consistency when parsing mangled item patterns. Added a reference link for .NET array initializers in scanForObfuscations_NET.
Modified the regular expression to improve detection of minified or compiled JavaScript code by allowing for more flexible matching of equality and negation operators.
Refactored the script to more accurately split code outside of string literals, handling escaped quotes and template literal expressions. The detection now processes code segments outside of strings, improving reliability when identifying minified or compiled JavaScript.
Moved 'includeScript' calls for '_runtime_helpers' and 'language' to the top of the file for better initialization order. No functional changes to logic.
Enhanced the meta function to use named parameters and provide clearer error messages for missing detection type. Added error handling in result for missing detection name. Default values are now set using String() for consistency.
Replaced PE.findSignature with PE.isSignaturePresent for improved clarity and updated string reading from X.SU16 to PE.read_unicodeString. These changes enhance code readability and maintainability in the detection function.
Added 'INJECT' and 'CRYPTED' to the resource name detection regex for broader malicious resource identification. Also refactored the obfuscation check in isTokenObfuscated for clarity by inlining the transition ratio calculation.
Expanded the whitelist to exclude more common legitimate patterns such as version numbers, UUIDs, file sizes, IP addresses, and acronyms. Improved obfuscation detection by adding checks for character type transitions, repetitive patterns, and refined statistical thresholds. Updated comments for clarity and reorganized logic for better maintainability.
Updated isTokenObfuscated to exclude common date formats (e.g., YYYY-YYYY, DD.MM.YYYY) from obfuscation checks, reducing false positives. Also refactored scanForMaliciousCode_NET_and_Native for clarity.
Simplified and corrected loop conditions for anti-analysis and sandbox detection in scanForAntiAnalysis_NET. Replaced incorrect loop conditions and redundant checks with more concise and efficient logic, improving code readability and correctness.
Updated a comment in scanForObfuscations_NET to specify 'ldc.i4 0' instead of just 'ldc.i4' for clarity. Added extra blank lines before the main function for improved readability.
Updated the detection logic to recognize .NET 10 by checking for the 'D'00'O'00'T'00'N'00'E'00'T'00'_' signature in addition to existing patterns. Updated a TODO comment to reflect the need for further improvements and explicit .NET 10 support.
Introduced #region and #endregion comments to group related functions such as obfuscations, anti-analysis, packers, licensing systems, corrupted data, debug data, languages and compilers, and malicious code. This improves code readability and maintainability by clearly delineating functional sections.
Introduces a new detection heuristic for Amp WinLocker (Sumhex Edition) based on specific PE characteristics, including absence of Rich signature, presence of TLS, and certain import position hashes. This enhances detection coverage for this malware variant.
Updated the regular expression to match resource names with any three uppercase letters after 'STUB.' instead of only 'EXE' or 'DLL'. This broadens detection coverage for anomalous resources.
Replaced for-in loops with standard index-based for-loops for array iteration in scanForObfuscations_NET and related functions. This improves code clarity, correctness, and avoids potential issues with iterating over array properties.
Introduced a PE_Cached object and an initializeCache function to cache frequently accessed PE properties. Updated all relevant code to use cached values instead of repeated PE API calls, improving performance and code clarity.
Moved environment checks directly into the detect() function and adjusted main() to be called only after passing those checks. This clarifies the flow and ensures early returns for unsupported environments.
Replaces loose falsy checks with explicit zero comparisons for linker version detection. Updates the option label from 'No linker version' to 'Zero linker version' for clarity.
Update the logic to only display the linker version if the major version is not zero when detecting Microsoft Linker. This prevents showing an empty or misleading version string.
Adds a check for PE files with both major and minor linker versions set to zero. If detected, the option 'No linker version' is added to the analysis results.
Fixed Qatar RAT 1.2 detection to use .NET module name 'QatarC.exe' instead of import hash checks. Removed the previous MPRESS-packed import hash-based detection.
Updated the resource name regular expression in scanForMaliciousCode_NET_and_Native to match both .EXE and .DLL extensions for 'STUB' resources. This enhances detection of anomalous resources in PE files.
Updated the export function name check in scanForObfuscations_Native to flag names that start with a digit as potentially obfuscated. This enhances the heuristic for identifying suspicious or obfuscated export names in PE files.
Introduces a new detection script for identifying Antlr .NET libraries (versions 3.X and 4.X) in PE files. The rule checks for the presence of Antlr3.Runtime and Antlr4.Runtime objects.
Added new anti-VM triggers for 'VMBusHID' and 'WDAGUtilityAccount' in .NET analysis. Included reference comments for dnSpy and ILSpy detection logic. Also fixed a minor formatting issue in obfuscation attribute detection.
Added detection for Anti-Wine techniques by checking for the presence of 'wine_get_unix_file_name' in global Unicode strings or signatures. If detected, the 'Anti-Wine' option is added to the analysis results.
Added detection logic for Anti-Cuckoo Sandbox techniques by checking for Cuckoo Sandbox-related signatures and objects in .NET binaries. This enhances heuristic analysis by identifying attempts to evade Cuckoo Sandbox environments.
Added detection logic for Qihoo 360 Sandbox anti-analysis techniques in .NET binaries. The scan now checks for specific Qihoo 360 signatures and related .NET objects, improving heuristic analysis coverage.
Added detection logic for Comodo Sandbox anti-analysis techniques in the scanForAntiAnalysis_NET function. The code now checks for Comodo-related module signatures and .NET object presence, similar to existing Sandboxie detection.
Introduces a new Detect It Easy rule file to identify the presence of the ReaLTaiizor UI library in .NET PE files. The rule checks for the 'ReaLTaiizor' object and sets detection accordingly.
Updated several function calls to use direct argument passing instead of named parameters, improving code readability and consistency. Also added a comment explaining the RunPE method. Refactored a loop to use a standard for-loop for better clarity.
Introduces detection logic for Webremote TorCT in the scanForMaliciousCode_NET_and_Native function by adding relevant references and marking it as VB.NET. Also refines PDB signature search and adds minor code formatting improvements.
Added additional assembly and module name checks for NjRAT detection ("k" and "k.exe") and refactored AsyncRAT detection condition for clarity. This improves coverage for variants using different names.
Refactored the detection of required .NET imports to count found imports and require 'System.Net.Sockets' plus at least two others. Also fixed loop condition for checking malicious import patterns. This enhances accuracy in identifying suspicious .NET binaries.
Introduces heuristic checks to identify Syndrome RAT version 4.3.X based on import hashes and absence of Rich signature. Also fixes formatting in Remcos RAT detection condition.
Simplified the logic for detecting executable-like DLLs by replacing multiple explicit export function checks with a single regular expression-based check using PE.isExportFunctionPresentExp.
Adds a heuristic to identify Liberium WinLocker by checking for the presence of the 'button_unlock_Click' .NET object. This improves detection coverage for specific WinLocker variants during PE analysis.
Adds explicit 'infected' detail for Ramnit verdict and improves code formatting for detection logic. Also adds a blank line after anti-tamper detection for readability.
Caches the result of validateNetObject('<PrivateImplementationDetails>') to avoid redundant calls during the obfuscation scan loop, improving performance and code clarity.
Replaces 'for...in' with a standard 'for' loop when iterating over compressionClasses to prevent issues with unexpected properties and ensure correct array traversal.
Simplified the structure of dbCollectionOfFakeSectionNamesDict by removing unused null values and adjusting the mapping logic to correctly assign regex patterns. This improves code clarity and consistency in section name validation for packer and cryptor detection.
Introduces a new heuristic to detect ConsoleDevil RAT variants (v1.0 and v1.2) by matching specific entry point patterns and import hashes. This enhances the scanner's ability to identify and classify ConsoleDevil samples.
Replaced PE.isResourceNamePresent("STUB") with PE.isResourceNamePresentExp(/^STUB(\.EXE)?$/) to allow matching both 'STUB' and 'STUB.EXE' resource names. This enhances detection of anomalous resources in the scanForMaliciousCode_NET_and_Native function.
Replaces hardcoded fake section names with a dynamically generated list using a mapping function for improved maintainability and clarity in the scanForPackersAndCryptors_NET_and_Native function.
Added vbCompilerRuntime variable and enhanced detection of modified/patched VB libraries in Microsoft.6.sg. Updated DOS stub signature check to use isSignaturePresent in __GenericHeuristicAnalysis_By_DosX.7.sg for improved accuracy.
Introduced logic to detect Aqua RAT variants (0.0.1 and 0.2) in VB5 binaries lacking a Rich signature by checking import position hashes and section signatures.
Refines the detection conditions by adding checks for 'get_IsAttached' and 'OpCodes' objects, simplifies pattern construction, and updates signature matching logic for better accuracy in identifying VMProtect .NET 3.X.
Updated Aeco_installer.1.sg and Watcom.6.sg detection scripts to assign version information to sVersion instead of sOptions, improving consistency in version handling.
Applies .trim() to the result.code before further legacy compatibility transformations, ensuring that leading and trailing whitespace is removed from the output.
Updated string replacement logic to use String() for consistency. Added Malpedia reference comments for several RAT detections and set Orcus RAT version explicitly. Improved variable initialization and clarified detection logic for multiple malware families.
Changed debug section name matching to be case-insensitive and reordered NjRAT detection logic to include additional heuristics such as checking for '|PWD| ' string presence. These updates enhance detection accuracy for both debug sections and NjRAT malware.
Replaces overlay comparison with PE.isSigned() for signature detection and refines overlay check to append 'after overlay' to options if applicable. Improves accuracy and clarity of detection rule.
Replaces multiple string checks with a regular expression to detect debug sections, simplifying and consolidating the logic for identifying TCC/GCC and modern LLVM debug sections.
Added 'verdicts.length === 0' checks to ensure only one verdict is pushed per scan. Inserted Malpedia reference comments for several RAT families (Ramnit, Neshta, Poison Ivy, Gh0st RAT, DarkComet, BitRAT, Octopus RAT, Bozok, NetWire, Remcos) to improve code clarity and maintainability. Also refactored some conditional formatting for consistency.
Added heuristic to identify Bozok RAT versions 1.0, 1.2-1.3, and 1.4-1.5.X based on import position hashes and absence of Rich signature. Detected variants are added to the verdicts array.
Added a heuristic to identify 'Exception RAT' malware by checking if the first PE section name matches a specific pattern. This enhances detection capabilities for this threat.
Introduces a new heuristic to identify Aquates RAT v1.0 based on import count, Rich signature, and specific import position hash. This enhances the detection capabilities of the PE analysis script.
Replaced for-in loops with standard for loops when iterating over arrays in scanForAntiAnalysis_NET and scanForPackersAndCryptors_NET_and_Native functions. This prevents potential issues with inherited properties and ensures correct array traversal.
Added 'QQProtect' to the packer/cryptor detection list and updated the resource name check to include 'SHELLCODE' alongside 'PAYLOAD' for improved malicious code detection.
Changed uninitialized variables 'versionBySectionDetected' and 'versionByResourceDetected' to be initialized as empty strings. Also updated a regular expression to match 'a pc' in section name validation logic.
Wrapped anti-tamper and kernel32 signature checks within a global .cctor presence condition. Added an alternative detection path for kernel32 object and signature, improving detection accuracy.
Added detection for JScript.NET standard library and adjusted build info modification logic to avoid false positives for JScript.NET modules. Introduced isJscriptNetStandardLibraryPresent() to support this detection.
Corrects the way the '.fish' section is accessed by using the section index rather than the section object. This prevents potential errors when checking for the '.fish' section after '.dosx'.
Reformatted and expanded the file's header comments for improved readability. Added a new donation section with cryptocurrency addresses and updated the ABOUT and CONTACTS sections.
This commit refactors several PE detection scripts to improve code consistency, formatting, and readability. Changes include normalizing indentation, fixing comment formatting, removing redundant code, and updating string concatenation to use the 'append' method where appropriate. No functional logic changes were made except for minor cleanups.
Introduced a new YARA rule 'Linker__Microsoft_Linker' that triggers when the Rich signature is present, leveraging the existing IsRichSignPresent rule.
Updated the detection logic in OpenColorIO.4.sg and libpng.4.sg to use case-insensitive regular expressions, ensuring more robust identification of the respective libraries.
Added a new detection case in nPack.2.sg for PE files with specific entry point and import hash. Mark detected files as 'modified' if the .nPack section is missing. Also updated a comment in bin.SystemErr.1.sg for clarity.
Modified signature scanning in detect() to start from the first section's file offset instead of 0x00. Also replaced PE.findSignature with PE.isSignaturePresent for Unicode string detection.
Added detection signatures for 'Vbs To Exe', 'CodeVeil', 'DZA Patcher', and 'UPX Protector' in the packer and cryptor analysis database. These updates improve the heuristic analysis coverage for .NET and native applications.
Refined the detection logic for FFmpeg to use a case-insensitive regex and simplified the PortAudio regex to match 'portaudio_x86' or 'portaudio_x64' more concisely.
Corrected the function name from isVbNetstandardLibraryPresent to isVbNetStandardLibraryPresent for consistency. Also updated the resource name check to use PE.isResourceNamePresent("STUB") instead of a regex.
Added a heuristic to identify Octopus RAT by checking for a specific import position hash and the presence of the 'Octopus' signature in a section. This enhances detection capabilities for this malware family.
Added heuristic to identify Furax RAT by checking for specific import position hashes in PE files. This enhances detection capabilities for this malware family.
Adds a heuristic to flag files as 'Imminent Monitor RAT' if both 'LZLoader' and 'Injector' .NET objects are present and no other verdicts have been made.
Added a heuristic to identify Orcus RAT (versions 1.3-1.9.1) by checking for the presence of the 'Orcus.Shared' .NET object. This enhances detection coverage for this malware family.
Adds a heuristic to identify DarkRAT when the .NET module name is 'Client.exe' and the 'fusion' object is present. This enhances detection coverage for this specific malware family.
Adds a heuristic to identify jnRAT by checking if the .NET module name is 'Kheir.exe' and no other verdicts have been found. This enhances detection coverage for this specific malware variant.
Enhanced the logic in scanForLanguagesAndCompilers_NET_and_Native to explicitly check for '.eh_frame' and '.build-id' sections using PE.section. This refines the detection of MinGW and Microsoft Visual Studio by considering these sections, improving accuracy in compiler identification.
Updated the PyInstaller.2.sg script to no longer require the presence of a Rich Signature for detection, allowing analysis of files without this signature. The check for .NET files remains in place.
Enhanced detection for DragonArmor by supporting optional leading dot in 'DAStub'. Added new signatures for 'SoftEntry' and 'ASM Guard' packers in the resource name checks.
Refined section name matching in DragonArmor detection to use a regular expression and adjusted PyInstaller detection to remove 'modified' from the options when an overlay is present.
Added blank lines for readability after return statements and updated example variable names in documentation for PE.section and PE.resource to be more descriptive.
Adds a check in the detect() function to set sOptions to 'modified' if a section matching /^(peb|PEB)undle$/ is not present. This helps flag modified bundles for further processing.
Refactors section name check to use cached 'peShieldSection' variable and adds handling for cases where the section is missing but detection is true, setting sOptions to 'modified'.
Modified the logic in scanForLanguagesAndCompilers_NET_and_Native to trigger on the presence of a Rich signature alone, rather than requiring a specific pattern match. This broadens detection for Microsoft Visual Studio compiled binaries.
Adds a check for the presence of a resource named 'stub' (case-insensitive) in PE files. If found, an 'Anomalous resources' verdict is added, potentially indicating suspicious or malicious content.
Introduced a check for known packer and protector resource names in PE files by adding a resource name validation step in the heuristic analysis. Added the `validateResourceNames` function to support this feature. Also fixed a typo in the operator name mapping.
Introduced PE.isResourceNamePresentExp to locate the first resource whose name matches a given pattern. The function returns match details including the resource number and captured subpatterns, or null if not found.
Refactored ElectronApp detection to check for the existence of the CPADinfo section object before searching for strings. Updated Intel XeSS detection to use a regular expression for library presence, allowing for more flexible matching.
Renamed UPX_Mutanter.2.sg to AHTeam_UPX_Mutanter.2.sg and updated its metadata for clarity. Corrected the protector name casing in beria.2.sg and improved formatting. Added language metadata to obfus_h.5.sg for better identification.
Replaces the use of PE.isLibraryPresentExp with PE.isLibraryPresent for detecting ScriptHookV.dll. Also adds a reference link to the official ScriptHookV page.
Added 'Fatpack' to the list of known packers and updated the section names dictionary to improve detection coverage in scanForPackersAndCryptors_NET_and_Native.
Introduces a new rule file for identifying the Fatpack packer in PE files. The rule checks for specific characteristics such as 64-bit architecture, TLS presence, import hashes, section/resource counts, and resource/section names to determine detection and options.
Added detection for Smart RAT 1.0.X based on import position hashes and improved NjRAT detection by checking for the presence of the 'njLogger' .NET object.
Simplified the React OS detection logic in db/PE/_PE.0.sg and removed an unnecessary blank line in db/PE/AverCryptor.2.sg. Cleaned up formatting in the DiE_InterestingThings_by_DosX.yar YARA rules file. Also removed screenshot.jpg from the repository.
Added a heuristic to identify NonEuclid RAT by checking for the presence of the .NET object 'isVM_by_wim_temper' in the scanForMaliciousCode_NET_and_Native function.
Expanded detection patterns for 'DxPack' and 'SoftSentry' packers in the scanForPackersAndCryptors_NET_and_Native function. 'DxPack' now checks for both 'coderpub' and '.reloc1', while 'SoftSentry' includes a regex for multiple section names and '.prdata'.
Introduced new rule files for identifying EAX Unified (EAX.dll) and Vorbis libraries in PE files. These rules help automate detection of these audio libraries in binaries.
Co-Authored-By: Benjamin Funke <58399929+BJNFNE@users.noreply.github.com>
Replaces PE.findSignature with PE.isSignatureInSectionPresent for improved accuracy when detecting the SettingsSingleFileGenerator signature in .NET assemblies.
Refined ASDPack detection logic to check for exactly one import, three sections, and specific import details. Added a reference link to PACE detection rule for context.
Added new detection condition for files with zero imports and a specific import position hash. Also, set 'modified' option if the '.bedrock' section name is not present after detection.
Refined detection logic and signatures for BeRoEXEPacker, HidePE, and generic heuristic analysis scripts. Adjusted string patterns and options for improved accuracy in identifying packers and cryptors.
Added an additional detection condition to BeRoEXEPacker.2.sg for '(C)BeRo!PE' signature. Renamed VisualStudio_NET.6.sg to Microsoft_VisualStudio_NET.6.sg.
Introduces a new Detect It Easy rule file to identify the presence of TNTSI.dll in PE files.
Co-Authored-By: Benjamin Funke <58399929+BJNFNE@users.noreply.github.com>
Updated multiple PE detection rule files to use a consistent header format: '// Detect It Easy: detection rule file' and standardized author attribution. This improves clarity and maintainability across the rule database.
Added a description header to the PETetris rule file for clarity. Modified the detection function to return the result of main() instead of just calling it. Extended the section name validation to include PETetris in the heuristic analysis.
Added detection signatures for PwdProtect and ID Application packers in the heuristic analysis script. Renamed 'TheHypers protector.2.sg' to 'TheHypers.2.sg'.
PwdProtect.2.sg was moved from db/PE to db_extra/PE. Also, the sOptions value in bin.XBE.1.sg was updated from 'Unsigned' to 'unsigned' for consistency.
Added detection for new packers and cryptors (Lumy, KeySec, TomatoX) in scanForPackersAndCryptors_NET_and_Native. Refactored scanForLanguages_NET_and_Native to scanForLanguagesAndCompilers_NET_and_Native and updated its usage. Improved section name handling and regular expression matching for exception sections.
Enhanced log messages for better clarity in .NET obfuscation and packer detection routines. Added explicit messages for virtualization-like behavior and improved consistency in log formatting.
Introduced log statements at the start of various scanning functions to indicate the type of scan being performed. Also updated some log message texts for clarity and consistency.
Added missing MSIL opcodes, improved coverage for arithmetic, logical, array, indirect, control flow, type, object, and exception handling operations. Enhanced comments and formatting for clarity and maintainability.
Replaced string-based DLL detection with regular expression-based checks for MSVBVM60, MSVBVM50, and VB40032 libraries to improve flexibility and case insensitivity.
Replaces 'for...in' loops with standard index-based loops for iterating over antiDnSpyTriggers and antiIlSpyTriggers arrays, ensuring correct traversal and detection logic.
Refactored the detect() function to use section name lookups and added a check for the number of sections. Enhanced entry point comparison logic and improved code readability.
Added checks for 'WinMain', 'wWinMain', and 'EntryPoint' export functions when determining if a DLL is acting as an executable. This enhances the heuristic analysis for obfuscated PE files.
Consolidated section skipping logic in VMProtect.2.sg, replaced multiple import function checks with hash-based checks in XComp.2.sg and XPACK.2.sg for improved performance, and removed redundant line in Zig.4.sg. These changes streamline detection logic and enhance maintainability.
Refactored function names to camelCase for consistency, updated option strings to lowercase, improved return values to use booleans, and cleaned up author comments. Also commented out the unused detect_old function and made minor formatting improvements.
Adds a check to identify DLLs that lack both Import Address Table (IAT) and Export Address Table (EAT) sections, and marks them with a new option. This helps flag potentially suspicious or obfuscated DLLs.
Added logic to identify DLLs with missing or empty Export Address Tables (EAT). Flags 'No EAT' for DLLs without exports and entry point, and 'Empty EAT' for DLLs with an empty export table.
Updated the condition to check for a valid import section before marking the IAT directory as empty. This prevents false positives when the import section is missing.
Enhanced the heuristic analysis to distinguish between missing and empty Import Address Table (IAT) in PE files. Now adds a separate 'Empty IAT' option when the IAT section exists but contains no imports.
Updated the detect function to require the presence of an export section (EAT) when identifying the NET Native format. This enhances detection accuracy by ensuring the export address table is always present.
Updated log message formatting for section name collisions to use double quotes. Added a log entry at the start of the malicious code scanning function to indicate when scanning begins.
Refactored and enhanced detection logic for various tracker and module formats, improving accuracy and robustness. Updated module metadata to include more precise author and tracker attributions. Replaced many 'return false' error paths with early returns for clarity and maintainability. Improved verbose output and added missing TODOs for future enhancements.
Co-Authored-By: Kae <Kaens@users.noreply.github.com>
Refactored the detection function to check for the 'ASMGUARD' section name first, and added detection for the 'NT.DLL' resource name. Removed overlay signature search and related logic for improved accuracy and maintainability.
Adds a check for the presence of the 'AZPR0001' section name in the PE file. If the section is missing, sets the options to 'modified' to indicate a potentially altered protector.
Refined detection logic for ASPack, Agile, and Babel .NET to improve accuracy and reliability. Renamed Amazon_X-Ray signature file to Amazon_X-Ray.4.sg. Added a reference link to Smart Install Maker signature.
Refines the detection of ACProtect 1.X by checking the '.perplex' section's Characteristics field with a bitmask, ensuring more accurate version identification.
Added blank lines after log statements and enhanced comments for better readability in the scanForObfuscations_NET and scanForAntiAnalysis_NET functions. Also updated packer signature comments with relevant URLs for reference.
Replaces repeated manual string concatenation for the 'options' variable with a new addOption() helper function throughout the analysis scripts. This improves code readability and maintainability by centralizing the logic for appending option strings.
Detection now checks the entry point pattern before verifying the '.avc' section. Also adds an option flag 'modified' if the section is missing, improving detection accuracy for modified samples.
Renamed version detection functions for clarity (e.g., getVersion to getEnigmaVersion). Updated detection logic to use new function names and improved structure for .NET and native stubs. Minor code style improvements and added missing variable initializations.
Replaced outdated or less relevant URLs with current or archived GitHub links for AtomPePacker, Private EXE Protector, and Windows PE Packer by Chenzs108. Added or updated comments in heuristic analysis to reference these sources and clarified some existing comments for accuracy.
Updated the regular expression for detecting 'fake Enigma' section names to more accurately match only '.enigma' or 'enigma', improving the precision of packer and cryptor detection.
Updated author information and added contact details and relevant links. Enhanced detection logic to identify 'Anti-ILDASM' and 'Anti-de4dot' features, and improved option labeling for 'Fake signs'.
Replaces the old NetShieldProtector.2.sg rule with a new NetShield.2.sg detection rule, simplifying detection logic. Also moves Box_Stub.1.sg from db/PE to db_extra/PE for better organization.
Changed meta field from 'plugin' to 'library' and improved section detection logic to check for specific characteristics in the MacroMix section. Also added author attribution for the rewrite.
Updated the detection function to include additional checks for 32-bit, non-.NET binaries, section count, import position hash, and entry point comparison. Also added logic to flag modified sections and import address table (IAT) changes.
Improved MinGW PE detection by checking '.eh_frame' section characteristics. Moved ADS_Self_Extractor.1.sg, Box_Stub.1.sg, and DirTy CrYpt0r.2.sg to db_extra/PE/ and normalized the filename for DirTy CrYpt0r. Minor formatting changes in bin.BSP.1.sg and bin.HNM.1.sg.
Added additional entry point patterns to the obfuscation detection logic in scanForObfuscations_Native. This enhances detection of proxy jumps by including more opcode sequences.
Enhanced checks for PE section FileOffset and FileSize to detect invalid values exceeding the file size minus overlay. Fixed a missing end-of-line anchor in the RET opcode regex for more accurate matching.
Added several missing MSIL opcodes to the NetOpCodes function, including ldelem.ref, jmp, leave, leave.s, and various conv and conv.ovf instructions. This improves the completeness of the opcode mapping for .NET bytecode analysis.
Expanded the NetOpCodes function with additional MSIL opcode mappings for comparison, constant loading, argument, local variable, and indirect operations. Also removed an extraneous entry from the packers and cryptors list.
Added new signatures for XComp, SDProtector, Shielden, SimbiOZ, SoftSentry, PE Lock Phantasm, LARP, DalKrypt, Fish PE, NoobyProtect (Safengine), Xenocode Postbuild, XVolkolak, and LordPE. Updated BeRoEXEPacker and Windows PE Packer by Chenzs108 identifiers. Removed DotFix NiceProtect entry.
Updated detection logic and signatures for several PE rule scripts, improving accuracy and maintainability. Notable changes include refactoring detection conditions, updating string and section checks, and moving the Win9x.CIH virus rule to a more descriptive location with improved metadata.
Enhanced the detect() function to also identify static linking by checking for exported functions matching /^curl_easy_/. Sets sOptions to 'static' when detected.
Added '.securom' and '.dsstext' as additional SecuROM indicators in the heuristic analysis script. Introduced a new YARA rule to detect SecuROM by checking for a '.securom' section in PE files.
Updated the regular expression in the export function check to properly match any characters between 'ANTICHEAT_OBFUSCATE_' and '_CODEMARKER', ensuring more accurate detection.
Renamed 'WWPACK.2.sg' to 'WWPack32.2.sg' and updated metadata to reflect 'WWPack32'. Added an additional detection condition for DLLs with a '.WWP32' section. Included author attribution and a reference URL.
Updated the regular expression for detecting packers to include additional patterns such as 'exe' and optional 'a' in 'pack'. This enhances the accuracy of packer identification in .NET and native application scans.
Standardized 'SHRINKER' to 'Shrinker' and refined regex patterns for detecting packers, cryptors, and protectors. Improved matching for terms like 'shell', 'enc', 'obf', and 'shield' to enhance heuristic analysis accuracy.
Introduced about.txt files in db/PE/dotnet_only and db/PE/native_only directories to clarify their purpose for storing scripts specific to .NET and Native PE files.
Refined detection conditions in Microsoft_C_Runtime.4.sg and Microsoft_Class_Installer.1.sg to ensure bDetected is set only when appropriate. Updated obfusheader_h.5.sg to use section file offset for signature detection, improving accuracy.
Standardized code formatting, improved switch/case and conditional statements, and updated version string formats across multiple detection rule files. These changes enhance readability and maintain consistency in detection logic and output.
Refines the detection condition to check for a signature presence and updates verbose output to use X.isVerbose() and append magic value to version string.
Refactored the detection logic to check for the presence of the .eh_frame section when no overlay is present, enhancing accuracy in identifying MinGW binaries.
Introduces a new detection rule file for Virbox protector in APKs. The rule checks for the presence of specific library files to identify Virbox protection.
Adds a null check for the .rsrc section and enhances detection by checking for a specific overlay signature when the initial detection fails but an overlay is present.
Introduces a new rule file to identify executables packed with czs108's Windows PE Packer by checking import count, library name, and section presence.
Added PESpin and DBPE signatures to the packer and section name databases for improved detection. Updated section name validation logic to use PE.isSectionNamePresent for string checks, enhancing accuracy.
Simplifies and restructures the detection logic for .NET Reactor versions and options. Replaces multiple variables with unified ones, improves signature checks, and streamlines result handling for better maintainability and clarity.
Updated RCryptor detection to use a regular expression for section name matching. Added '.Polyene' as a valid section for AverCryptor and included RCryptor in the heuristic analysis. Expanded cryptor keyword matching to include 'inj'.
Added official website URLs as comments for several packers and protectors in the scanForPackersAndCryptors_NET_and_Native function to improve documentation and facilitate further research.
Uses File.cleanString to sanitize the CLR version obtained from PE.getNETVersion and trims the first character before appending to dotNetLibraryVersion. This improves the accuracy and formatting of the detected CLR version string.
Removed unnecessary assignment to 'references' in isAllNetReferencesPresent calls for clarity. Added 'use strict' directive at the top of the file. Removed a sample opCode pattern and updated a log message for mangled export detection.
Updated Go signature version string to '1.15.0+' for clarity. Removed assignment of 'unknown' version strings in Obsidium detection and simplified generic entry point checks for improved maintainability.
Introduces a new rule for identifying binaries compiled with Wutao Easy Compiler (EPL). The rule checks for a specific signature in the .ecode section and sets language and version metadata accordingly.
Introduced additional MSIL opcodes for array element storage (stelem_i2, stelem_i8, stelem_r4, stelem_r8, stelem_ref) and added a new obfuscation detection pattern for ArmDot in .NET analysis.
Changed sOptions from 'Evaluation' to 'demo' in Codewall.2.sg detection logic. Minor formatting updates in AtariST scripts to ensure consistent file endings.
Extended the detect() function to identify RLPack when there is only one import and the .RLPack section is present. This improves detection accuracy for additional RLPack variants.
Introduces detection for PolyCrypt version 2.8 in the scanForPackersAndCryptors_NET_and_Native function by matching section names with the pattern /^sec[0-9]$/. This enhances the heuristic analysis for .NET and native applications.
Added and reorganized RLPack packer signatures, including a fake sign for Obsidium. Simplified the IAT missing check by removing unnecessary section name validation.
Corrects a variable name from isStrangeResourcesPresent to isStrangeUnmanagedResourcesPresent, fixes isAsciiString to return false for invalid input, and updates loop logic in scanForMaliciousCode_NET_and_Native to properly check pattern imports.
Refactored mangler detection to return both compiler and language information, updating related function names and usages. Enhanced scanning logic to better distinguish between C++ and other languages, and improved loop conditions for obfuscation checks. Updated packer detection patterns for accuracy.
Updated the detection pattern in bin.CSO.1.sg for more accurate matching and standardized function closing in bin.HSM.1.sg and bin.SDI.1.sg by removing unnecessary characters and ensuring consistent formatting.
Reordered version detection in JDPack.2.sg for accuracy and added logic in RCryptor.2.sg to flag modified packers when the .RCryptor section is missing. Minor formatting update in Free_Pascal.6.sg.
Refines the detection logic by checking for the presence of the 'coderpub' section and setting options accordingly. This change ensures more accurate handling of cases where detection status and section presence differ.
Expanded the documentation for getManglerNameByMangledItem to mention Swift as a possible detected mangler. The function now clarifies support for C++ and Swift mangling schemes.
Extended heuristic analysis to detect and decode Swift-mangled symbol names. Updated isItemMangled and getManglerNameByMangledItem to recognize Swift patterns, and enhanced getNameOfMangledItem to extract readable names from Swift mangled symbols. Added documentation and examples for Swift support.
Replaced the use of PE.getDisasmString with PE.getAsmInstructionByIndex(0) in getFirstEpAsmInstruction for improved accuracy or consistency. The previous implementation is now commented out.
Introduces caching for entry point assembly instructions to avoid redundant disassembly calls. Updates related functions to use the cached instructions, improving performance and code clarity.
Added a check for a specific import position hash to identify Ace RAT version 1.X in the scanForMaliciousCode_NET_and_Native function. This enhances detection capabilities for this malware family.
Moved demo version detection to occur after confirming BoxedApp presence. Added an alternative detection path based on import count and entry point comparison for improved accuracy.
Adds detection for Thread Local Storage (TLS) with a suspicious entry point (such as INT3 or RET instructions) in the generic heuristic analysis. This helps identify obfuscation techniques used to hide the real entry point, commonly seen in packers like BoxedApp.
Introduces a new rule 'Packer__BoxedApp' to identify PE files packed with BoxedApp by checking for '.bxpck' and '.main' section names. This enhances detection capabilities for packed executables.
Added a header comment to the Py2exe.1.sg rule file for clarity. Introduced a new YARA rule to detect py2exe-packed PE files by checking for the 'PyArg_ParseTuple' export.
Updated LCL.5.sg to use section[0].FileOffset for signature search, improving accuracy. Added new heuristic in __GenericHeuristicAnalysis_By_DosX.7.sg to detect Biorante malware based on import position hashes.
- mostly it shouldn't redefine the functions if they exist
- prototype.includes drastically reworked. Hopefully no other issues occur
- overwritten DosX's version, I'm really sorry, but this just seemed a better idea
- in db/read, CheckpointTimer added for profiling functions in a succinct manner; outputs as detection results type "Prof".
Added a check for PE files with a single import and specific import position hashes to identify BitRAT variants (stub.bin and stub_tor.bin) in the generic heuristic analysis function.
Moved all prototype and helper functions from db/_init to a new db/_runtime_helpers file for better modularity and maintainability. Updated db/_init to include the new helpers script and removed duplicate code. No functional changes to detection logic.
Updates the detect() function to set sOptions to 'demo' if a specific signature is present in section 0. This enhances detection capabilities for demo builds.
Log entry point and last section addresses in hexadecimal for better readability. Update packer detection to support multiple section names for StarForce and Private EXE Protector.
Standardized version and option strings in BackupMii, Private_EXE_Protector, and SpicesNet signature scripts. Changed 'v1.0' to '1.0', replaced 'Trial' and 'Evaluation' with 'demo' for consistency.
Added detection for 'fake Beds-Protector' obfuscator and several new packers/cryptors including 'Quick Batch File Compiler', 'ORiEN', 'Goliath', 'PE Encrypt', and 'PECRYPT32'. Improved SVK Protector section name matching for better accuracy.
Adjusted the version string for PESpin 1.3 to include a comma and 'beta'. Updated Perl version signature patterns to use '%%' placeholders (ASCII) for improved matching and modified patch version detection logic accordingly.
- Hobeta header added to rom.1.sg
- bin.VCF.1.sg mess turned into proper vCard detection (the other format will need to wait)
- bin.CVM.1.sg rewritten from archive.CVM.1.sg: tightened, detailed, attributed, ripper-ready
Refined detection condition in Microsoft.6.sg to check for Rich signature and TLS presence. Renamed isImportHashPositionPresent to isImportPositionHashPresent in PELock.2.sg.
Replaces Rich Signature check with a 64-bit check to exclude unsupported AMD64 files. Adds detection for PELock 2.X using a new entry point signature and import hash position.
Refactored variable names for clarity in SpicesNet.2.sg, simplified version assignment in Python.4.sg, and added missing language assignment in linker.6.sg. Also improved detection loop logic in rar.1.sg and removed unnecessary code in Microsoft.6.sg and Pelles_C.6.sg. These changes improve code readability and maintainability.
Introduces a new detection rule for Swift-compiled PE files in db/PE/Swift.6.sg. Also removes trailing newlines from bin.DAA.1.sg and bin.GBI.1.sg for consistency.
Standardized file endings by ensuring no trailing newlines and removed unnecessary blank lines. Also fixed the order of assignments in db/PE/Direct3D.4.sg to set sVersion before bDetected, improving code clarity.
Adds a command to write the current date to dbs_min/timestamp.log after running the dbcompiler task, providing a record of when the generation script was executed.
Corrected the casing of 'PECompact' in Adobe_FlashPlayer_downloader.1.sg, fixed detection flag placement and formatting in AtomPePacker.2.sg, and updated signature check to use isSignaturePresent in MaskPE.2.sg for improved accuracy and consistency.
Refined the detection patterns for RPCrypt and fake VMProtect packers to use regular expressions, improving accuracy in identifying these packers during heuristic analysis.
Improved the CPUID detection loop to exit early if CPUID is found. Added detection for proxy JMP instructions at the entry point. Updated language extension mapping for Java from 'class' to 'jar' in the language scan function.
Replaces all instances of 'EAT, static' with 'static' and adds a comment '// EAT' for clarity in multiple PE detection scripts. This change improves consistency and readability of the sOptions assignment.
Consolidated switch-case statements and variable declarations for improved readability and maintainability. Minor logic adjustments and code style improvements were made, including moving bDetected assignment and updating version handling.
Added detection for 'demo' version in BoxedApp by checking for a specific signature in the section. Updated generic heuristic analysis to include '.BJFnt' packer signature with version '1.X'.
Added a null check for the .rsrc section in OxiJoiner.2.sg to prevent errors if the section is missing. Also renamed 'Anslym Crypter.2.sg' to 'Anslym_Crypter.2.sg' for consistency.
Detection now checks for the absence of the 'nsp0' section name in addition to the existing entry point pattern. This enhances accuracy for version 1.3 identification.
In PECompact.2.sg, verbose output now reports unknown build numbers as options instead of versions. In PELock.2.sg, detection skips files with a Rich Signature in addition to .NET files.
Updated the detection logic to assign 'ConfuserEx' directly to sName instead of appending 'Ex' when certain conditions are met. This ensures consistent naming for detected variants.
Added additional signatures for eXPressor versions 1.6 and 1.6.1, and moved the PEBundle signature to a more appropriate location in the packer detection list.
Introduces a new rule to identify executables protected with AbyssMedia ScriptCryptor, based on resource names, import hashes, and export/import characteristics.
Added detection signatures for PKLITE32 v1.1 and PeX v0.99 packers in the scanForPackersAndCryptors_NET_and_Native function to improve packer identification coverage.
Added detection signatures for Virbox, ElecKey, and PKLITE32 packers in both hash and section name validation arrays to improve heuristic analysis coverage.
Updated the false positive detection for FASM by specifying the language as ASMx86 when the Simple Pack packer is present. This improves the accuracy of false positive removal.
Improves the Nullsoft Scriptable Install System (NSIS) detection by adding an early return for .NET binaries, simplifying switch-case formatting, and cleaning up commented code and whitespace for better readability.
Added checks in PyInstaller.2.sg to skip .NET files and those without a Rich Signature. Updated Python.4.sg to set sLangVersion if sVersion is available, improving version reporting.
Adds assignment of the sLang variable for LCC Linker and Turbo Linker (Delphi) in the detect() function, improving language identification for these toolchains.
Corrected indentation, return statement placement, and ensured consistent formatting in several binary detection scripts. No functional changes were made.
Set the format metadata for SQLite 3 database and remove redundant assignment in detection. Enhance kkrunchy PE detection to set 'modified' option if the 'kkrunchy' section is missing.
Added a comment header to the Huan detection rule file. Renamed Nuitka.1.sg to Nuitka.2.sg, changed file permissions, and updated the detection logic to remove the overlay presence check.
Refactored the detection logic for STK archives to improve signature matching and version extraction. Updated author and contributor metadata to reflect new maintainers and sample sources.
Refactored detection logic in Binary/graphics.1.sg to set bDetected based on sName, improving consistency. Updated Binary/formats.1.sg to use a similar approach. Enhanced PE/__GenericHeuristicAnalysis_By_DosX.7.sg with improved and additional packer and fake packer signatures, and commented out a problematic malicious code detection condition.
Updated the detection logic to require the presence of the 'kernel32' .NET object in addition to existing checks. This improves the accuracy of VMProtect_NET.2 identification.
Refines the PE format check by requiring a NOP before the entry point and removes the check for api-ms-win-crt libraries. Also adjusts the logic for detecting .NET runtime signatures in the second section.
Refined detection in archive.MS_Compound.1.sg by clarifying magic values, updating naming for Microsoft Installer and Office, and adding version info. In PELock.2.sg, added a check to skip detection for .NET binaries.
The version string assignment in the detect function no longer prepends 'v' to the version number. This change ensures the version is represented as a plain integer value.
This commit applies code formatting improvements, such as consistent indentation, removal of unnecessary blank lines, and switch statement compacting across multiple binary detection scripts. It also adds missing newlines at end of files and minor logic adjustments for clarity, improving maintainability and readability.
Simplified and consolidated variable declarations and switch statements in image.PSD.1.sg for improved readability. Combined conditional checks in DotFix_Nice_Protect.2.sg to streamline detection logic.
Corrected variable assignment in AOLSetup.1.sg, improved loop condition in ARJSFX.1.sg, condensed switch cases and fixed formatting in DBPE.2.sg, and updated sOptions value in Denuvo.2.sg. These changes improve code clarity and accuracy in detection logic.
Improved detection logic and code style in BeRoEXEPacker, Nullsoft Scriptable Install System, Nvidia DLSS, and PECompact scripts. Changes include more robust detection conditions, consistent switch/case formatting, removal of unnecessary blank lines, and clearer assignment of .NET-related options in PECompact.
Streamlined switch-case statements in several detection scripts for improved readability and maintainability. Updated version formatting and metadata in Fish_PE.2.sg and SfxCA.1.sg. Moved O'Setup95.1.sg to db_extra/PE and changed its file mode to 100644.
Removed unnecessary blank lines, fixed indentation, and ensured consistent placement of return statements across multiple binary detection scripts for improved readability and maintainability.
Simplified version assignment in nPack.2.sg by using single-line case statements. Updated Paquet.1.sg to combine version and author into one string. Removed redundant 'v' prefix in PyInstaller.2.sg version assignment for consistency.
Corrected conditional checks for version string assignment and detection in db/PE/Delphi.4.sg, ensuring sVersion is properly evaluated. Also updated linker.6.sg to retrieve compiler version and improved formatting of version string for Turbo Linker.
Introduces a new rule file for identifying .NET XorCryptor packer in PE files. The rule checks for specific .NET object and string patterns associated with XorCryptor.
Refactored detection logic in several PE database scripts for improved clarity and maintainability. Combined repetitive conditional checks in Acronis_installer.1.sg, simplified .NET detection in JScript.6.sg, fixed detection order in 7z.6.sg, added a default case in MPRESS.2.sg, and made a minor formatting adjustment in __GenericHeuristicAnalysis_By_DosX.7.sg.
Replaces String.prototype.replace with replaceAllInString for consistent pattern substitution in math mutation detection. Also changes for-in loop to a standard for loop when iterating protectionsRuntime to avoid prototype property issues.
Renamed the BatchToApp.2.sg file to BatchToApp.6.sg for consistency or versioning. Also removed the trailing newline from Borland_C++.6.sg to standardize file formatting.
Enhanced the detection for ACProtect 1.X by requiring both a specific entry point and the presence of the .perplex section. Also updated the detection flag logic to consider previous detection state and options.
Introduced two new rules: Packer__PEPack and Packer__SoftwareCompress. These rules detect PE files packed with PEPack and SoftwareCompress by checking for specific section names in the PE headers.
Renamed DosX_Heuristic.yar and DosX_InterestingThings.yar to DiE_BasicHeuristics_by_DosX.yar and DiE_InterestingThings_by_DosX.yar, respectively. Added comments indicating these modules are specifically for the Detect It Easy project and to retain copyright information.
Refines the detection by checking for the absence of a Rich signature and the presence of an overlay. Also adds language identification as Python and updates string search logic for better accuracy.
Added VPacker and RLPack to the hash-based packer detection list and TheArk to the section name-based detection list. Also removed a duplicate VPacker entry from the hash-based cryptor detection array.
Renamed the meta field from 'library' to 'marker' in AMD_PowerXpress and Nvidia_Optimus PE scripts to better reflect their purpose. Also incremented the indexes in the filenames.
Updated the signature scan in the Denuvo.2.sg detection script to start at the first section's file offset instead of 0. This ensures the signature search is limited to the relevant section, improving detection accuracy.
Introduces detection rules for VPacker and XPack packers. The VPacker rule matches a specific byte pattern at the PE entry point, while the XPack rule checks for a section named '.XPack0'.
Updated section name detection to use a regex-based method for improved accuracy. Reordered and refactored signature checks, replacing PE.findSignature with PE.isSignaturePresent and adjusting the order of Unity and signature checks. Added a Wikipedia reference for Denuvo.
Standardized return statement indentation and removed extraneous blank lines in several binary format detector scripts. Updated version string formatting in bin.PDB.1.sg to remove 'v' prefix for consistency.
Introduces a new detection script for QQProtect in the PE resource section. The rule checks for the presence of the 'QQPROTECT' resource name to identify protected files.
Updated several binary format detector scripts to only set sOptions when verbose mode is enabled, improved variable naming consistency, and standardized version and copyright extraction. These changes enhance code clarity and ensure that additional information is only shown when requested.
Renamed 'Microsoft Installer.1.sg' and 'Microsoft Office.1.sg' to use underscores instead of spaces for consistency. Also updated the Office version string from '97-2003' to '1997-2003' and fixed formatting in both scripts.
Standardized version extraction functions and improved code readability in DMD, FASM, and GCC ELF detection scripts. Updated variable naming for clarity, simplified logic, and made minor corrections to version string formatting.
Updated the detection logic in Borland_C.4.sg and Watcom_C.4.sg to set bDetected if any of sVersion, sOptions, or previous bDetected are truthy. Also fixed assignment to sVersion instead of sOptions in Borland_C.4.sg for better accuracy.
Simplified and standardized code in Delphi.4.sg, UPX.2.sg, and Zig.4.sg detection scripts. Improved readability by removing redundant variables, fixing indentation, and ensuring consistent return statements.
Updated the regular expression to only match copyright years between 1000 and 2999, preventing invalid years from being detected in the DCP archive detection logic.
Corrects regular expression usage by adding missing .test() calls in multiple binary file detectors. Also standardizes assignment to sVersion instead of sOptions for version information, and normalizes variable naming for consistency.
Introduced a private IsPE rule to check for PE files and updated multiple rules to require IsPE in their conditions. This ensures that rules only match on PE files, improving accuracy and reducing false positives.
Added new private rules for detecting 32-bit and DLL PE files, improved formatting and readability, and expanded comments for clarity. Updated conditions in several rules to use the new helpers and improved string/condition formatting for consistency.
Introduces a new set of YARA rules in DosX_InterestingThings.yar for identifying various PE file characteristics, including .NET Native, Qt Framework, UPX and MPRESS packers, and obfus.h protection. These rules help in automated detection and classification of Windows executables.
Introduces several new YARA rulesets: DosX_Heuristic.yar for obfuscation, packing, and anti-analysis detection; crypto_signature.yar for identifying cryptographic constants, algorithms, and related malware signatures; malware_analisys.yar, packer.yar, packer_compiler_signatures.yar, and peid.yar for further malware, packer, and PE analysis. These rules enhance the detection capabilities for malware analysis and reverse engineering workflows.
Updated the regular expression to only match years starting with 1 or 2, ensuring the copyright year is a valid 4-digit year. Minor whitespace adjustments were also made.
Enhanced the detect() function to better identify Lua runtimes by checking for export functions and extracting embedded version information from the .rdata section. Also refined the regular expression for library presence detection.
Improves the detection of .NET Native debug information by adjusting the conditions for identifying debug builds and exported functions. Also adds a check to ensure the binary is not a DLL when marking as 'modified'.
Moved reference URLs in Amiga detection rule files from commented 'Ref:' lines to direct comment lines for consistency. Also fixed minor whitespace and formatting issues in bin.DSW.1.sg.
Changed 'detect' from a constant assignment to a function declaration and replaced string initializations with String() for clarity. These changes improve code readability and maintain consistency in variable initialization.
Inlined resource and import section checks, condensed switch cases for version detection, and combined version/options assignment for Winlicense. These changes improve code readability and maintainability.
This commit adds missing semicolons to various functions and statements for consistency and to adhere to JavaScript best practices. It also updates some comments for clarity and changes the b64Chars variable to a constant.
Refactored detection of .NET Core, .NET Framework, and .NET Native by using section offsets and enhancing debug/release build identification. Updated string cleaning to use File.cleanString, improved section existence checks, and simplified version mapping for Visual Studio. Also made minor code cleanups and improved robustness when accessing PE sections.
Updated version strings to remove redundant 'v' prefixes and ensure consistent formatting across all detection cases. Also improved detection logic by updating the assignment to bDetected to account for sOptions.
Enhanced the README with improved example use cases, updated contributor acknowledgments, and replaced the mascot image with docs/logo2.png. Also updated the contributors image source and clarified the description of the lightweight GUI version.
Replaces the default parameter assignment for 'msg' with an explicit check and assignment inside the function. This ensures compatibility with environments that do not support default parameters.
Updated multiple PE detection scripts to set sOptions to 'EAT, static' instead of just 'EAT' when export address table (EAT) detection is used. Also refactored WwiseAudioEngine detection logic for clarity. Renamed WPF.MahApps_Metro.sg to WPF.MahApps_Metro.4.sg for consistency.
Standardized version strings in MEW.2.sg, corrected library metadata in MassTransit.4.sg, and updated protector metadata in Tages.2.sg. Renamed Python.3.sg to Python.4.sg and adjusted file permissions. Minor formatting improvements and whitespace adjustments in several detection scripts.
Found the FAS file in my Adiboo3 game directory.
The string said the FAS file was located for Adiboo3's game executable (Loader7.exe): (D:\coktel\Adiboo3\LOADER7.EXE)
Wrapped the IAT directory empty check in a condition to skip it when the linker is Turbo Linker, as indicated by the absence of a specific result. This prevents false positives for Delphi binaries.
Added a regex check to identify module names starting with 'tmp' or ending with '.tmp' as suspicious. This improves detection of potentially malicious or temporary modules during heuristic analysis.
Deleted detection rules for Bed's Protector and RabbitMQ .NET from the PE database. Integrated Bed's Protector detection logic into the Confuser rule, consolidating detection and reducing redundancy.
Introduces a new detection script for identifying the RNNoise Noise Suppressor library in PE files. The rule checks for the presence of RNNoise-related libraries or functions to improve detection accuracy.
The isSectionNamePresentExp function is now always defined, removing the previous check for undefined. This simplifies the code and ensures consistent function availability.
Removed unnecessary conditional wrapper from PE.isSectionNamePresentExp and reformatted multiple functions and variable declarations in db/read for consistent indentation and style. This improves code readability and maintainability.
Enhanced the detection function by adding checks for the number of sections and the file offset of the first section. This improves accuracy by reducing false positives.
Enhanced metadata and detection logic for GoldSrc, Intel IPP, Jar2Exe, MPQ, MSLRH, and NTPacker signature files. Added or updated URLs, improved detection accuracy, and clarified library/protector names. Also moved Native_UD_Packer.2.sg to db_extra/PE directory.
Enhanced the detect() function to check for text files and additional signature conditions before identifying '[Desktop Entry]'. This increases accuracy in detecting desktop shortcut files.
Introduced new Detect It Easy rule files for identifying several .NET libraries, including Alibaba Cloud SDK, Amazon CloudWatch, Amazon EC2, Amazon RDS, LibVLCSharp, Microsoft Azure SDK, Plivo, RamlToOpenApiConverter, Twilio, AvalonEdit, and ControlzEx. Each rule checks for the presence of a specific .NET object to detect the corresponding library.
Renamed the library meta to 'Microsoft Edge Chromium WebView' and improved detection logic to set bDetected for both native and .NET WebView2 components.
Refactored the detect() function to extract the SQLite version dynamically from library or export function names using regex. This enhances flexibility and reduces hardcoded checks for specific versions.
The check for a corrupted .NET CLR version now only runs if the binary is detected as a .NET binary. This prevents unnecessary checks and potential false positives for native binaries.
Modified the detect() function to check for either 'CrcBase' or 'Crc32Base' objects in addition to existing checks. This improves detection accuracy for different variants of the Crc.NET library.
Refactored signature checks to use logical OR for version 3.X detection, simplifying the condition. Enhanced section name collision handling to specifically detect '.vmp' and set version to 2.X-3.X, improving accuracy of version and options identification.
Enhanced the heuristic analysis to include a check for the presence of the 'UpdaterEXE' .NET object when scanning for malicious code. This improves detection coverage for certain malware variants.
Renamed 'Amiga font.1.sg' to 'Amiga_font.1.sg' for consistency. Corrected language assignment in GNU_C.4.sg from 'C++' to 'C'. Updated meta format in bin.CCD.1.sg from 'CloneCD Control File' to 'CloneCD Control'.
Added new rule files for a wide range of .NET libraries and NuGet packages under db/PE/. Each rule enables detection of a specific library by checking for unique .NET objects, improving automated identification of dependencies in PE files.
Renamed LDC.4.sg to LDC.6.sg in the PE database, added detection for 'SafeNet Sentinel LDK' in the generic heuristic analysis script, and fixed a formatting issue in the SingleJar APK detection script.
Refactored and improved several PE detection scripts, including logic changes in 12Ghosts_Zip2, ActiveMark, FileSplit_Self-Merger, HASP_HL_Protection, HidePE, Photo_Compiler, and tcc.6. Updated meta fields for accuracy, improved detection logic, and standardized function signatures. Renamed multiple signature files to new version numbers for consistency.
Renamed multiple PE signature files to use the .6.sg extension for consistency. Also updated file permissions for JScript and Watcom signatures, and added 'sLang = "C++";' to obfusheader_h.5.sg to specify the language.
Updated the heuristic to exclude '.00cfg' from being flagged as a strange section name during native obfuscation scanning. This prevents false positives for legitimate section names.
Renamed MinGW.4.sg to MinGW.6.sg and RADBasic.4.sg to RADBasic.6.sg, updating detection logic in both scripts. Added a new detection pattern for MinGW and resource name check for RADBasic. Removed the obsolete gcc.4.sg detection script.
Introduces a new rule file for identifying executables compiled with twinBASIC. The rule checks for specific import hashes and resource names, and sets version information for 64-bit binaries.
Updated the Alienyze PE detection logic to check for absence of imports and to identify demo versions via signature matching. Also added detection of modified samples when the '.alien' section is missing.
Introduces detection logic for Orcus RAT, Liberium RAT, and ICARUS Evil Worm RAT based on .NET module names and object presence. Also simplifies the Remcos RAT import hash check for improved readability.
- RIFF .WAV fixed up a little, works on Qt5 again :D
- Audiokinetic Wwise RIFF .wem/.bnk added and infoed; it's similar to .wav but it's a special beast! The sizes are supposed to be wrong sometimes; welcome to the real world, perfectionists
- Together with WEM, a new shared 'library' is introduced for various helper routines
Improves the detection functions for AMD FSR and Argon2 libraries by distinguishing between library presence and export function presence, and setting detection options accordingly. This enhances accuracy in identifying specific versions and features.
Refactored detection logic in multiple PE packer/protector scripts for consistency and clarity, including variable usage, code formatting, and detection conditions. Renamed Anticrack_Software_Protector.2.sg to Anticrack_Software.2.sg. Improved resource checks, section name handling, and streamlined result returns across scripts.
Enhanced detection functions for AMD FSR, Nvidia DLSS, OodleCompression, OpusAudio, and libfvad by refining regular expressions and setting sOptions to 'EAT' when export functions are present. These changes improve accuracy and consistency in identifying library versions and exported functions.
Added detection for Squishy (logicoma) and BattlEye (sections .be0, .be1, .be2) to the packer and cryptor signature list in scanForPackersAndCryptors_NET_and_Native.
Enhanced detection functions for AMD FSR, BattlEye, DeepSea, and Denuvo by broadening library matching patterns and refining version assignment logic. These changes improve accuracy and robustness in identifying protection technologies.
Adjusted detection thresholds and methods in Dotfuscator, Fish PE, Nvidia DLSS, and OodleCompression scripts. These changes improve accuracy by refining result limits, using section count functions, expanding library regex checks, and adding export function detection.
Refactored detection logic in several PE rule scripts for clarity and efficiency, including combining conditional checks, simplifying switch statements, and improving resource scanning loops. Added comments and minor documentation updates for Squishy and Yano rules. These changes enhance maintainability and detection accuracy.
Simplified the detection logic by removing redundant bDetected assignments and consolidating its final value based on sVersion. Also streamlined switch-case formatting for better readability.
Updated comments and logic in Alcatraz.2.sg, DMD.4.sg, FSG.2.sg, and eXPressor.2.sg for clarity and consistency. Moved TrueCrypt-VeraCrypt_installer.1.sg from db/PE to db_extra/PE, with minor code and metadata adjustments.
Consolidated SQL Server detection logic into the SQLite rule file and enhanced version detection for SQLite 3 and 4. Removed the redundant sql-server.4.sg file to streamline rule management.
Improved code style and consistency in detection logic for Metrowerks CodeWarrior, PyInstaller, RLP, and Setup Factory scripts. Updated function calls, streamlined conditional checks, and standardized version and options assignment.
Added detection for CliSecure obfuscator runtimes and Alcatraz packer in the heuristic analysis script to improve coverage of protected .NET applications.
Replaced deprecated PE.isPEPlus() with PE.is64(), improved resource and section access by using local variables, and standardized return values to boolean true/false for clarity. Also merged duplicate case statements and cleaned up code formatting for better readability.
Expanded the conditions for RAT detection to include 'AntiTaskManager', 'NtSetInformationProcess', and clarified signature checks. Also updated verdict type for NetWire detection to 'NetWire RAT' for consistency.
Introduced new detection logic for Babylon RAT by checking specific import position hashes, including variants for UPX packed samples. This enhances the heuristic analysis to identify more malware families.
Introduces detection logic for the presence of 'AntiTaskManager' .NET object as a RootKit and checks for specific import hashes to identify Sinique RAT v1.0. These additions enhance the coverage of the generic heuristic analysis for malicious code.
Simplified detection logic for OpenCV, Guna UI2, Krypton, MetroFramework, and MaterialSkin libraries by removing unnecessary PE.isNet() checks. Detection now relies solely on the presence of relevant .NET objects, improving code clarity.
Updated comments in bin.UPC.1.sg, bin.UPF.1.sg, and bin.UPI.1.sg to clarify the reference to 'My Fearless Friend' and its source link, improving readability and consistency.
Refactored switch statement formatting in PESpin.2.sg for readability. Corrected metadata casing in XPACK.2.sg and improved code formatting. Adjusted detection logic in XerinFuscator.2.sg to remove redundant check. Expanded XPack and added new entries in heuristic analysis. Renamed and updated STUD.2.sg, changing metadata from 'protector' to 'cryptor' and moved to db_extra.
Moved detection of fake packer signatures to a later stage in the validation process and added a new fake MPRESS signature. Updated conditional logic to improve accuracy of packer identification.
Replaced direct section checks with a regular expression using PE.isSectionNamePresentExp for improved maintainability and flexibility in detecting '.dyamarC' and '.dyamarD' sections.
Introduced new rule files for DnsClient.NET, Fasterflect, MongoDB.NET, Snappier, and Combres libraries. These rules enable identification of the respective .NET libraries in PE files by checking for specific .NET objects.
Renamed CrypToCrack_Pe_Protector.2.sg to CrypToCrack.2.sg. Moved Cryptic.2.sg and PE-Admin.2.sg from db/PE to db_extra/PE, updating file permissions and making minor formatting changes to both rule files.
Introduced Detect It Easy rule files for Autofac, LINQKit, RabbitMQ, RestSharp, SharpZipLib, log4net, and xUnit.net. These rules enable identification of these libraries in .NET PE files.
Introduces Detect It Easy rule files for multiple .NET libraries including Castle.Net, Discord.Net, FluentValidation, MassTransit, MessagePack, NJsonSchema, Nerdbank.Streams, NodaTime, OpenTelemetry, Perfolizer, Scrutor, Starkbank ECDSA, Telegram.Bot, and Twilio SendGrid. These rules enable identification of the respective libraries in PE files.
Renamed MSDOS.AddressToOffset to MSDOS.addressToOffset for consistency and added a backward compatibility alias. Updated detection scripts to use the new method name. Renamed and updated several PE rule files for clarity and accuracy, including metadata corrections and minor code improvements.
Added a standard header comment to all db framework and detection rule files, indicating they are part of the Detect It Easy (DiE-JS) framework and warning against unauthorized changes. This improves consistency and clarifies file purpose for maintainers.
Extended section name validation to include 'protector' signatures for improved detection of packers, cryptors, and protectors in .NET and native applications. Updated conditional logic to account for the new 'protector' category.
Improves the condition for identifying packer and cryptor section names by excluding generic matches for 'a cryptor' or 'a packer'. This helps prevent false positives when scanning for packers and cryptors in .NET and native applications.
Added new signatures for PEBundle, BoxedApp, KByS, and HyperTech Crackproof. Enhanced Themida and NsPack section name detection. Improved cryptor regex and export name obfuscation logic for more accurate identification.
Updated AutoHotKey.3.sg and AutorunProEnterpriseII.1.sg to add missing semicolons for consistency. Refactored Delphi.4.sg to use local variables for resource and section access, improving code readability and maintainability.
Consolidated multiple hash and section name signatures into arrays for packers, cryptors, and protectors in the detection database. Updated validation logic to support array-based matching for both import hashes and section names, improving maintainability and reducing redundancy.
Added support for detecting packer and cryptor section names using regular expressions in the section name validation logic. This improves heuristic analysis for .NET and native applications by broadening detection coverage.
Added detection for PECompact build 20316 (version 3.02.1b) and updated the default build number output. Also added CExe 1.0a packer signature to heuristic analysis.
Added detection signatures for py2exe, MEW, nPack, and XPack packers/protectors in the scanForPackersAndCryptors_NET_and_Native function to improve coverage of packed and obfuscated binaries.
- RIFF .WAV was corrected & now has lots more game resource detections thanks to the vgmstream project
- Adobe Director Protected Cast .CXT added & integrity-checked & ripper-ready
Introduces a new detection rule for ExeShield in the PE database and updates the generic heuristic analysis to recognize the '.shield' section name associated with ExeShield.
Updated the logic to check for obfuscated export function names by ensuring names are not mangled before flagging them as obfuscated. This improves the accuracy of the obfuscation detection in native scans.
Updated detection logic for CrypToCrack and EXEFog to improve clarity and efficiency. Refactored Themida detection for better variable naming and logic. Moved FixupPak.2.sg from db/PE to db_extra/PE and changed its file mode to 100644.
Introduces log statements to record unusual or obfuscated resource names during .NET and native heuristic analysis. This improves traceability and debugging of resource name anomalies.
Refactored the detection logic to dynamically extract the EDG C/C++ version from the binary, replacing hardcoded checks for specific versions. This makes the rule more flexible and future-proof for additional versions.
Added detailed logging for RunPE-like behavior, compressed sections, sections with wrong offset/size, and duplicate section offsets. Moved PE-in-resources detection from scanForObfuscations_Native to scanForPackersAndCryptors_NET_and_Native for better organization. Enhanced export function name checks to include obfuscated names.
Renamed variable for overlay PE detection for clarity and updated log message. Added logic to scan resources for embedded PE files by checking for 'MZ' signatures, and updated options string accordingly.
Introduces detection of strange unmanaged resources in .NET and native PE scans by analyzing resource names for non-ASCII characters or obfuscation. Updates options to flag files with suspicious resources, improving heuristic analysis coverage.
The script now checks if heuristic scan and verbose mode are enabled before warning about running outside the environment. This prevents unnecessary messages when not in heuristic scan mode.
Enhanced NakedPacker detection to check for '.naked1' section and specific entry point. Moved fake UPX and Themida section names to the top of the section name database for improved heuristic analysis.
Updated Advanced BAT to EXE Converter script to use 'packer' instead of 'protector'. Enhanced AlushPacker detection by checking for 'FlushInstructionCache' import and refining packed section identification and signature matching.
Introduces a new detection rule for AlushPacker in the PE database. The rule checks for specific import functions, Rich signature, and vcruntime140 library presence to identify packed files, and flags them as modified if the .packed section is missing.
Refactored db/Binary/formats.1.sg to streamline detection by removing redundant bDetected assignments and ensuring bDetected is set based on sName. Enhanced db/PE/ExeStealth.2.sg with additional detection for ExeStealth using TN resource and section name checks. Added reference link for ExeStealth technique.
Added detection for 'ExeStealth' and additional fake UPX section names. Fixed logic for assigning section names when duplicate offsets are found, ensuring correct indices are used.
Updated the type system for packers, protectors, and protections to include a distinct 'cryptor' type. Adjusted hash database entries and detection logic to support the new type. Improved section name validation and added new fake packer/protector signatures for enhanced detection accuracy.
Added reference links to AZProtect and Alienyze detection scripts, updated Alienyze script filename, and changed UPX Protector type from 'tool' to 'protector' for consistency.
Adds a null check for export function names before verifying if they are ASCII strings in scanForObfuscations_Native(). Prevents potential errors when export names are missing.
Introduces a new rule file to identify the NSubstitute .NET library in PE files. The rule checks for the presence of the 'NSubstitute' object to determine detection.
Introduces a new detection rule file for the MimeKit library in Detect It Easy. The rule checks for the presence of MimeKit and MimeKitLite .NET objects to identify the library and its variant.
Excludes 64-character hexadecimal strings from being flagged as obfuscated, as these may be compiler-generated. This reduces false positives in the obfuscation heuristic.
Introduces Detect It Easy rule files for AngleSharp, CsvHelper, ImageSharp, LiteDB, MailKit, and Spectre.Console. These rules enable identification of the respective libraries in PE files by checking for their .NET objects.
Introduced Detect It Easy rule files for BenchmarkDotNet, Dapper, Humanizer, MediatR, NUnit, Polly, and Swashbuckle.AspNetCore. These rules enable identification of assemblies containing these libraries by checking for their respective .NET objects.
Introduces a new Detect It Easy rule file to identify the ManagedCuda .NET library in PE files. The rule checks for the presence of the 'ManagedCuda' object and sets detection accordingly.
Refactored import section analysis in scanForObfuscations_Native to better detect strange imports and use isAsciiString for validation. Updated warning message and clarified opcode pattern comments. Replaced isAnsiString with isAsciiString for section name checks.
Added logic to identify and flag PE files with export function names containing non-ASCII characters. Also renamed isAnsiString to isAsciiString for clarity and updated related references and comments.
Introduces a check in scanForObfuscations_NET to flag .NET PE files with more than 10 sections as potentially obfuscated. This enhances detection of suspiciously structured .NET binaries.
Replaces the incorrect assignment of currentSectionIndex to itself with an assignment from sectionIndex in scanForPackersAndCryptors_NET_and_Native. This change ensures the correct section index is used for further processing.
Renamed section index variables for clarity and consistency throughout the heuristic analysis functions. Added logic to detect zero padding at the beginning of the entry point section in scanForObfuscations_Native().
Standardized code style and improved logic in multiple PE detection scripts. Changes include removing unnecessary parentheses, adding missing semicolons, refining loop conditions, and updating version strings for clarity and consistency.
Simplified the conditional checks for XerinFuscator detection by moving '.Xerin' section name presence to the second detection branch. This improves clarity and ensures legacy detection is triggered appropriately.
Refines the detection conditions for ByteGuard by checking for specific section names and overlay patterns, improving accuracy and reducing false positives.
Enhanced the detection condition to check for multiple sections and ensure the first section is not '.text' when identifying XerinFuscator obfuscation. This increases accuracy for certain .NET binaries.
Enhanced the detect() function to identify Legacy CrytpoObfuscator by checking for the presence of the 'CrytpoObfuscator' .NET object. This improves detection coverage for obfuscation variants.
Standardized version string formatting by removing the 'v' prefix across multiple PE detection scripts. This improves consistency in version reporting for BattleshipCrypter, Denuvo, Fish_PE, Obsidium, OneVM, PEUnion, Perl, VbsToExe, WF.Guna.UI2, and _PE modules.
Improved detection logic for ByteGuard and XerinFuscator by refining section and string checks. Relocated Soft_Defender.2.sg to db_extra and streamlined its detection flow.
Changed the string search in the overlay detection logic to scan only the first 4096 bytes instead of the entire overlay size. This may improve performance and reduce false positives.
Added detection for corrupted .NET metadata when no imports are present and refined native obfuscation checks to require imports with .NET metadata. Also added comments for .NET runtime attach function detection.
Updated detection rule metadata and comments for several PE protectors. Fixed version string formatting in Instalit.1.sg. Moved Anskya_Binder.2.sg, BitShape_PE_Crypt.2.sg, and MZ-Crypt.2.sg to db_extra/PE, and normalized file permissions and formatting.
Standardized return values to boolean (true/false) in version detection functions and replaced multi-line switch cases with single-line format for brevity across several PE database scripts. Also improved string initialization and minor logic consistency.
Refactored detection logic in several PE and Binary rule files for improved readability and consistency, including switch-case formatting and loop conditions. Updated cab_resource to return boolean values. Renamed and moved Code-Lock.2.sg from db_extra/PE to db/PE, adding a reference URL.
Added detection for 'ExE Pack' packer signatures and implemented logic to identify .NET runtime attach functions by checking for _CorExeMain and _CorDllMain. This enhances heuristic analysis for both packers and .NET applications.
Added comments to indicate that bDetected is always set to true in detect() functions for Watcom and lipo scripts. This improves code clarity for future maintenance.
Refactored detection to set bDetected if sVersion or sOptions are present. Added check for _CorExeMain to identify DotNET and set sOptions accordingly.
Changed the conditional in the detect function to require both .rsrc section and CODE section name presence, improving accuracy of detection for Autorun Pro Enterprise installers.
Added a warning message when the script is run outside the expected environment. Refactored the Turbo Linker check to use _isResultPresent instead of _getNumberOfResults for improved clarity.
Expanded section name checks to include '.bss', 'BSS', and '.tls' for unusual values. Refined duplicate section offset detection to exclude standard sections. Added a condition to skip recurring import checks for Delphi binaries.
Renamed several dictionary variables to use 'Dict' suffix instead of 'Dictionary' for consistency and clarity. Also added explicit cleanup of these variables after use. No functional changes to logic.
Enhanced detection of compressed sections, sections with wrong offset or size, and sections with duplicate offsets in PE files. Updated output formatting to consistently use section numbers with '#' for clarity. Removed redundant and less accurate checks for sections without virtual address.
Modified Paquet.1.sg to update archive type and fix formatting. Expanded sql-server.4.sg detection to include SQLite. Moved INCrypter.2.sg from db/PE to db_extra/PE and changed file permissions.
Removed redundant bDetected assignments and improved detection logic in ASProtect.2.sg and Instalit.1.sg. Added clarifying comment in BattlEye.5.sg. Relocated BulletProofSoft_installer.1.sg, NOS_Installer.1.sg, and NOS_Packer.2.sg to db_extra/PE, and removed or adjusted sOptions assignments for Netopsystems.
Enhanced the scanForPackersAndCryptors_NET_and_Native function to identify and report PE sections with a file offset of 0x00, indicating a potentially incorrect section offset. This provides additional heuristics for analyzing suspicious or malformed PE files.
Simplified variable usage by assigning PE.section[".rsrc"] to a local variable and improved readability. Also fixed a logic error by comparing FileOffset to VirtualSize instead of FileSize to VirtualSize.
Added a check for the presence of a .NET global static constructor before confirming detection of Costura.Fody. This improves accuracy by ensuring both the global cctor and specific object/string are present.
Replaces the direct '7z.dll' check with a regular expression match using PE.isLibraryPresentExp(/^7z/), allowing detection of any library starting with '7z'.
Enhanced the regular expression for HTML detection to be more robust and case-insensitive. Also updated the language code from 'HTML' to 'HTM' for consistency.
Reformatted long string assignments in shellcode.pe_to_shellcode.1.sg for readability and grouped related variable declarations. Simplified and cleaned up the detection logic in srdi-monoxgas.1.sg by removing redundant checks and streamlining the detection flow for both 32-bit and 64-bit sRDI shellcode.
Simplified and condensed switch statements and loop logic in the TIFF image detection script. The changes improve code readability and maintainability by reducing nesting and removing redundant checks.
Refactored several binary detection scripts for consistency, improved code style, and reduced redundancy. Changes include switch statement simplifications, improved variable naming, removal of unnecessary code, and minor bug fixes. Some detection rules now use more concise or accurate format names, and verbose output handling is more consistent.
Enhanced the detection logic in bin.VTF.1.sg to match the VTF signature with additional bytes and updated the format name to 'Valve Texture'. Added a reference link for documentation.
Updated the detect() function to extract version information using a new signature search. Now both version and copyright year are concatenated if found, improving metadata detection.
Removed the text-based TOT detection rule and added a new binary-based TOT detection rule file. The new rule includes enhanced detection logic and version extraction.
Renamed the detection rule file from archive.PCK.1.sg to archive.DatPack.1.sg and updated the init function to reflect the new name. This improves clarity and consistency in detection rule naming.
Revised changelog entries for clarity and accuracy, including contributor names and bug fix notes. Cleaned up and refactored audio.RIFF-IMA.1.sg and audio.WAV.1.sg scripts for better readability and maintainability, including improved comments, formatting, and minor logic adjustments.
Refactored detection logic in BCSAR, RIFF-IMA, and STRM rule files for improved readability and maintainability. Added relevant documentation links to each file for easier reference. No functional changes to the WAV rule file; only whitespace and indentation adjustments.
Simplified and compacted the switch statement for Java version detection, improved variable declarations, and updated naming conventions for better readability and maintainability.
So far this only supports one of the earliest Coktel Vision game scripts.
It's the predecessor of the OBC script system.
3C 3E 01 27 00 00 = junk; maybe we can somehow skip this? Without this "junk" it won't get detected at all.
Refactored all usages of PE.getEPSignature to PE.getEntryPointSignature for clarity and consistency. Updated function definition and all references in PE detection scripts.
Introduced PE.isSectionPresentExp, which searches for the first section matching a given pattern and returns its index, name, and captured subpatterns. This enhances the ability to query PE sections dynamically.
Standardized semicolon usage, improved code formatting, and enhanced readability across multiple files. Replaced direct property access with a function call in Alienyze.1.sg, and made minor logic and style improvements in chunkparsers and read. These changes improve maintainability and code quality without altering core functionality.
This commit corrects missing semicolons, simplifies conditional logic, and removes redundant or unreachable code in several PE signature detection scripts. These changes improve code consistency and maintainability across CodeCrypt, CoffeeCup_SFX, DNGuard, Eazfuscator, Instalit, Windows_Installer, and Zip_SFX signature files.
Added signatures for TSULoader and RPCrypt packers in the packer detection array. Introduced detection logic for a new RAT Injector based on the presence of the 'avfucker' .NET object.
Added detection entries for 'Huan' and 'Morphnah' packers in the scanForPackersAndCryptors_NET_and_Native function to improve heuristic analysis coverage.
Refactored detection logic for improved readability and conciseness in multiple PE rule files. Updated naming and version strings for accuracy. Moved ADS_Self_Extractor.1.sg, DataAnubis.1.sg, and UPXcrypter.2.sg from db/PE to db_extra/PE, adjusting file modes as needed. Minor code style and logic improvements applied throughout.
Enhanced the detect() function to check for a more specific signature pattern and verify the presence of an ELF header, increasing accuracy in identifying SPRX binaries.
Added detection for common .NET license checking methods and improved the logic for combining detected licensing options. Now, if both DotNET methods and Provider attribute are present, both are reflected in the options string.
Added archive.png, converter.png, malware, virus.png, and package.png to the db/_icons directory. Renamed library.png to library, module.png for improved clarity.
Added multiple PNG icon files to db/_icons/ representing different file types and categories such as compiler, linker, library, certificate, and more. These icons can be used for UI representation or categorization within the application.
Condensed switch cases in AHTeam_EP_Protector.2.sg for improved readability, simplified nested conditions in ANDpakk.2.sg, and standardized the init call in AutorunProEnterprise.1.sg to use lowercase 'installer'. These changes enhance code clarity and maintain consistency across detection scripts.
Improved detection logic for NjRAT and added new detection for AsyncRAT based on assembly/module names and object presence. Also expanded generic RAT detection to include additional signature and object checks for more accurate identification.
Simplified return statement in isSoundTrackerPro, added a check for Net global cctor in ByteGuard detection, and condensed switch cases in ORiEN detection for improved readability and maintainability.
@hypn0chka, crazy code-style! But if I were you I wouldn't use 'if' unless it's required.
Updated detection logic in Denuvo.2.sg and heuristic analysis to check for both Core/Activation.dll and Core/Activation64.dll, ensuring more accurate identification of Denuvo licensing systems.
Relocated checks for 'uplay_r1_loader64.dll' and 'Core/Activation64.dll' to run after the main detection logic, ensuring these checks are always performed regardless of earlier conditions.
Added detection for ILProtector runtime libraries and a new ASPack signature. Also introduced Denuvo DRM detection by checking for the Activation64 library in .NET and native licensing systems analysis.
Updated the detection function to check for export functions matching 'opus_(de|en)code*' in addition to library presence. Also updated the library name to 'Opus Audio' for clarity.
Simplified switch statements in the detect() function by converting multi-line case blocks to single-line case statements for improved readability and conciseness.
Simplified the format string in the init function and added assignment of sVersion in the detect function to specify 'Windows Registry Script' when detected.
Introduces dbs_min_generate_and_publish.cmd, which runs the dbs_min_generate.cmd script, stages changes in the dbs_min directory, commits with a standard message, and pushes to the repository.
Added missing semicolons throughout db/read and improved code consistency. Refactored variable declarations and switch statements in database.SQLite.1.sg for clarity. Removed unnecessary comments and improved formatting in audio.FSB.1.sg.
Updated various detection scripts to use consistent uppercase 'X' in version strings (e.g., '1.1x' to '1.1X') for standardization. Minor formatting and code cleanups were applied, including compacting switch cases, fixing indentation, and correcting return statements. Also, moved and changed permissions for CodeSafe.2.sg to db_extra/PE/CodeSafe.2.sg.
Removed outdated or redundant comments referencing Exeinfo PE detection from several detection rule files. Improved code clarity in UnoPiX.2.sg by simplifying section access and variable usage. Moved Wind_of_Crypt.2.sg from db/PE to db_extra/PE without content changes.
Replaces checks like `sVar == ""` with more idiomatic JavaScript falsy checks (`!sVar`) across multiple PE detection scripts for improved readability and consistency. Also splits variable declarations for clarity and updates a section name check to use falsy logic.
Updated various PE detection scripts to use uppercase 'X' in version suffixes (e.g., '1.3X' instead of '1.3x') for consistency. Also improved Themida detection logic, added .NET exclusion to WinRAR, removed Winlicense rule (merged with Themida), and renamed Xojo.3.sg to Xojo.4.sg with minor metadata changes.
Updated various detection rule files to consistently use uppercase 'X' in version strings (e.g., '1.x' to '1.X', '2.xx' to '2.XX'). This improves clarity and maintains uniformity across the database.
Replaced direct usage of PE.nEP with PE.getEntryPointOffset() across multiple PE detection scripts for consistency and improved encapsulation. Also made minor code cleanups and updated author comments in some files.
Replaces all occurrences of the PE.isNET() method with PE.isNet() across multiple PE detection scripts for consistency and to match updated API naming conventions.
Replaces 'return null' with 'return' in multiple PE detection scripts for consistency. Also updates NetShieldProtector's display name to 'NetShield' and adds .NET support checks to Kotlin and LCC-Win32 scripts. These changes improve code clarity and maintainability.
Added checks to skip detection for .NET binaries in several PE rule scripts (Denuvo, ENIGMA, EXECryptor, FreeBasic, Intel_C, IntelliProtector). Cleaned up code formatting and logic in multiple scripts. Removed Astral-PE rule, added a reference link to AMD_PowerXpress, and moved UPX_shit.2.sg to db_extra.
Refactored the isPatchedUPX function for clarity by renaming variables and consolidating detection conditions. Simplified getUPXOptions and getUPXVersion by using more concise checks. Improved detect function by removing redundant code and adding an early return for .NET binaries.
Enhanced the detection functions for SecretRabbitCode and Wwise Audio Engine libraries to check for additional function presence, increasing reliability in identifying these libraries.
Enhanced the detect() functions to recognize when the 'Disabled' export functions are present for both AMD PowerXpress and Nvidia Optimus, setting sOptions accordingly. Also renamed AMD_PowerXpressSDK.4.sg to AMD_PowerXpress.4.sg for clarity.
Introduces a new Detect It Easy rule file to identify the presence of the Epic Games Services SDK by checking for libraries matching the pattern 'EOSSDK'.
Condensed the switch statement for build number detection into a more compact format, reducing code length and improving readability. No functional changes were made.
Simplified conditional logic in Setup-Specialist.1.sg by combining nested if statements. Minor formatting improvements in SpicesNet.2.sg for better readability.
Removed redundant comments in the platform library detection logic for clarity. Added a new check for export functions matching ANTICHEAT_OBFUSCATE_*_CODEMARKER to enhance Denuvo detection.
Updated the regular expression to match both 'd3d' and 'd3dx' library names and added a fallback check for any 'd3d' library presence. This enhances detection accuracy for different Direct3D variants.
Simplifies the Direct3D version detection by scanning import and export names for the highest version number, removing redundant helper functions and streamlining the code.
Refactored the signature check in MPRESS.2.sg to use a switch statement for clarity and maintainability. Updated Sepanta.1.sg to detect overlays if either '<Sepanta>' or '</Sepanta>' is present, improving detection accuracy.
Improved version string formatting in Instalit.1.sg, condensed switch-case statements in N-Joy.2.sg, and simplified nested conditionals in NTkrnl_Protector.2.sg for better readability and maintainability.
Changed netshrink rule type from 'protector' to 'packer' and updated option descriptions to 'Encrypted/Password mode'. Added a blank line in HASP.2.sg for readability. Moved IMPostor_Pack.2.sg from db/PE to db_extra/PE.
Simplified and consolidated conditional checks in both EXEFog.2.sg and Gentee_Installer.1.sg detection scripts. This improves code readability and maintainability by reducing nested blocks and combining related conditions.
Refactored the detect() functions in Adveractive.1.sg and DelZip_SFX.2.sg to combine nested if statements into single conditional expressions, improving code readability and maintainability.
Added 'MRuntime3.dll' and 'Attick.dll' as indicators for Maxtocode obfuscator in the protectionsRuntime array to improve detection coverage in scanForObfuscations_NET.
Updated all PE detection scripts to use PE.is64() instead of PE.isPEPlus() for consistency and clarity in 64-bit checks. This change improves code readability and aligns the detection logic across multiple PE protector and packer scripts.
Introduced PE.isExportFunctionPresentExp to locate the first export function matching a given pattern, similar to the existing import library pattern matcher. Also updated function declarations to use consistent spacing.
Simplified and standardized conditional expressions in the getVersion function by removing unnecessary parentheses and using direct falsy checks for sVersion. This improves code readability and consistency.
Assigns 'Chromium-based' to sVersion when either WebView2Loader.dll or msedge_elf.dll is present, clarifying the detected version of Microsoft Edge WebView.
Detection now checks for the presence of the 'CPADinfo' section in addition to 'chrome_elf.dll', improving identification accuracy for Chromium WebView libraries.
Introduces a new detection script for identifying Argon2 library presence in PE files by checking for the 'argon2_hash' function. This helps automate detection of Argon2 usage in binaries.
Added detection for SQLite by checking for the 'sqlite3_dbdata_init' export function, allowing identification of SQLite version 3 even if the library name is not present.
Added a check for <PrivateImplementationDetails> objects with 40-character patterns to exit early. Also increased the threshold for strange patterns before marking bad namings from 1 to 2, refining the heuristic for detecting obfuscated .NET assemblies.
Introduces a new detection script for identifying the presence of the Intel Threading Building Blocks (TBB) library by checking for 'tbb.dll' in PE files.
Introduces a new detection rule file for the Wwise Audio Engine in the PE database. The rule checks for the presence of the 'g_pAKPluginList' export function to identify the library.
Commented out a WinRAR Installer signature, added AverCryptor to the packer list, and improved IL2CPP section detection by updating the compiler and language result strings.
Introduces a new Detect It Easy rule file to identify the AMD PowerXpress SDK by checking for the 'AmdPowerXpressRequestHighPerformance' export in PE files.
Refactored the detect function to assign section references to variables and check for their existence before proceeding. This enhances code readability and prevents potential errors if sections are missing.
Introduces a new script to detect Unity Engine libraries in PE files by checking for 'UnityPlayer.dll' and the 'il2cpp_alloc' export function. Sets relevant metadata when IL2CPP is detected.
Introduces a new detection script for identifying the Secret Rabbit Code (libsamplerate) library in PE files. The rule checks for the presence of the library or specific export functions to determine detection.
Refactored the version extraction to use String.slice instead of substr for better clarity. Introduced getVersionByExports to generalize version detection from export names, consolidating and improving the logic for identifying Direct3D versions from exports.
Simplified and condensed the version detection switch statements for Python compiled modules, improved magic value handling, and added a more robust file signature check. Also updated verbose output and increased the minimum binary size check for detection.
Lowered the threshold for strangePatternsCounter from 3 to 1 in scanForObfuscations_NET(), making the detection of obfuscated .NET names more sensitive.
Enhanced the detection function to check for specific export functions for Direct3D 12 and 11 when runtime library is not present. Also fixed minor syntax issues and improved code clarity.
Introduces a new detection rule for Oodle Compression libraries in PE files. The rule identifies the presence of Oodle library variants and extracts their version information.
Replaced isClrNET() with isCppClrLikeApp() for improved detection of C++/CLR .NET applications. Updated related heuristic checks and comments to reflect the new function and clarify its purpose.
Updated the RunPE detection conditions to require presence of 'ZwUnmapViewOfSection' alongside 'WriteProcessMemory' and 'VirtualAllocEx'. This improves accuracy in identifying RunPE techniques in .NET and native applications.
Added improved logic to detect RunPE techniques by checking for related .NET objects and API usage. Refactored NjRAT detection to use a generated Unicode signature mask for more robust identification.
Simplifies conditional statements by removing unnecessary parentheses and improves code style in DS.Unikey_dongle.5.sg and NTkrnl_Protector.2.sg. Also updates comment formatting for consistency.
Replaced traditional for loops with for-in loops for array iteration throughout the script, improving readability and consistency. Updated conditional checks to use truthy evaluations for array lengths. Removed 'SHA256Managed' and other SHA classes from the crypto class list. Refactored obfuscated name detection to use a loop over fields for maintainability. Minor fixes to string handling and loop logic.
Added 'ldtoken' MSIL opcode to NetOpCodes, expanded packer detection with WibuKey and Wibu CodeMeter signatures, and improved malicious code scan by checking additional version string fields for obfuscation and stub indicators. Also updated DeepSeaObfuscator detection to use strict inequality for offset comparison.
Improves detection logic in Nim.4.sg by adding checks for Rich signature and msvcrt library presence. Refactors StarForce.2.sg to use isSectionNamePresent and simplifies version detection by handling empty strings and undefined values more robustly.
Refactored string search loops in dongle detection scripts for Eutron SmartKey, Hardlock, MARX Crypto-Box, and Sentinel to improve clarity and correctness. Removed the obsolete EZ-Logic detection script. Simplified Zig compiler detection by streamlining section access and signature search.
Updated multiple files in db/PE to remove unnecessary parentheses in conditional expressions, standardizing the code style and improving readability. No functional changes were made.
Standardized comparison operators to use !== -1 for string and signature searches, replaced direct section access with isSectionNamePresent where appropriate, and improved code clarity and reliability in detection logic. Also removed unused and commented-out code blocks, and deleted Enigma_Virtual_Box.2.sg detection rule file.
Added type checks to removeWhitespaces, removeSpaces, replaceAllInString, and isAnsiString to prevent runtime errors when input is not a string. Also updated a comment in scanForMaliciousCode_NET_and_Native to clarify the check for obfuscated names and anomalous signs.
Added isAnsiString function to check if section names contain only ANSI printable characters. Updated .NET and Native obfuscation scan functions to flag sections with non-ANSI names as strange, improving detection of obfuscated binaries.
Enhanced the logic for detecting obfuscated names by refining chunk size, renaming functions for clarity, and expanding heuristics to include hexadecimal patterns and more robust statistical checks. This update increases detection accuracy for obfuscated tokens in .NET and native debug data analysis.
Improved the isNameObfuscated function to handle names with spaces by checking each token, and for names without spaces, by checking each chunk of the string. Extracted the obfuscation heuristic into a new isObfuscatedToken function for better modularity and clarity.
Adds logic to identify and flag unused exception sections (.pdata or .xdata) in native PE files by checking if the exceptions directory is empty. This enhances heuristic analysis for obfuscation detection.
Introduced getManglerNameByMangledItem to centralize mangler identification logic for C++ symbols. Updated scanForLanguages_NET_and_Native to use this function for both imports and exports, improving maintainability and consistency. Relocated export mangler detection for better code organization.
Added logic to scan export function names for mangling and log detected mangled exports. This enhances heuristic analysis by identifying libraries with mangled exports.
Corrected string formatting in log messages, improved options concatenation logic, and updated packer/protector hash database with new entries and naming consistency. Also refined section check logic in obfuscation detection.
Added detection for Xenocode postbuild using section name '.xcpad' and overlay comparison with 'xvm'0001. This improves coverage for additional Xenocode variants.
Updated DxPack.2.sg to add detection logic for 'coderpub' section and improved entry point comparison. In __GenericHeuristicAnalysis_By_DosX.7.sg, replaced direct section access with isSectionNamePresent for '_winzip_' and removed redundant obfuscation check for 'LegalCopyright'.
Enhanced entry point detection, improved string handling, and refined logging for obfuscation, packer, and debug data checks. Updated language heuristics, verdict structure, and obfuscation detection for .NET and native binaries. Refactored code for clarity and accuracy in identifying suspicious patterns and anomalous build information.
Introduces a new detection script for identifying Beds Protector in .NET PE files, specifically targeting assemblies with names starting with 'вє∂ѕ ρяσтє¢тσя'. Marks them as 'ConfuserEx modded' if detected.
Refactored HackShield.2.sg and NoobyProtect.2.sg to improve import section handling and null checks. Updated _FixDetects.9.sg to match 'Microsoft Visual Studio' tool name. Enhanced __GenericHeuristicAnalysis_By_DosX.7.sg to detect 'crtdll' as a C library and improved documentation formatting.
Refines the isFrameworkComponent() function to more accurately identify .NET framework components by checking for global static constructors and matching assembly/module naming conventions. Updates related heuristic and anti-analysis checks to use the improved detection, reducing false positives for system assemblies.
Adjusted formatting and minimum amounts for BTC and LTC donation options in the script's comment section. Clarified that any amount is accepted for Payeer and improved alignment for better readability.
Added detection for modified .NET build information by comparing assembly and module names. Introduced utility function getFileNameWithoutExtension. Refactored repeated warning string to a constant. Minor comment and formatting improvements.
Updated comments and log messages to clarify the 'Stack-push address near EP' detection. Moved and expanded the check for obfuscated names in .NET and native assemblies, improving detection of anomalous build information. Removed redundant code and improved code organization for better maintainability.
Replaces the check for '_error' with 'PE.getNetAssemblyName' to determine if the current engine supports the required functionality. This ensures the heuristic analyzer prompts for an update only when the necessary method is unavailable.
Refines the logic for detecting C/C++ and assembly compilers in PE files by adjusting section and library checks, improving accuracy for Microsoft Visual Studio, MinGW, and FASM. Removes unnecessary breaks in library detection loops and ensures language is only set when not already detected and relevant libraries are absent.
Refactored obfuscated name detection into a dedicated function with enhanced heuristics and logging. Adjusted thresholds for obfuscation detection. Moved Base64 payload detection logic to a more appropriate location and improved verdict reporting. Enhanced detection of anomalous .NET assembly/module names and streamlined log message handling.
Reformatted and enhanced the header comments for better readability and presentation. Added clarifying comments to code sections related to obfuscation detection and pattern scanning. Fixed minor string formatting in packer detection logic.
Replaces checks for options.length !== 0 with a simpler truthy check (options) for string concatenation throughout the file, improving readability. Also renames 'version' to 'edition' in malicious import pattern objects and updates related references for consistency. Minor comment clarification in a code pattern.
Replaces the 'edition' property with 'version' and adds a 'details' field in verdict objects for improved clarity and extensibility. Updates all relevant pattern definitions and verdict pushes, and adds new detection logic for general RAT and Neshta signatures.
Renamed 'strangeSections' to 'isStrangeSectionsPresent' for clarity in both .NET and Native obfuscation scans. Added detection for exported symbols via the -Wl,--export-all-symbols linker option in scanForDebugData_NET_and_Native().
Enhanced the isNetMetaDataPresent function to validate both the CLR directory RVA and size, ensuring more accurate detection of .NET metadata in PE files. Added clarifying comments for PE32 and PE64 offsets.
Refines the isNetMetaDataPresent function to more accurately detect the presence of .NET metadata by checking the number of RVA and sizes and validating offsets within PE file bounds. Also removes a redundant brfalse_s opcode definition and clarifies the brtrue_s comment.
Added detection for .NET metadata in native files, improved language heuristics to distinguish MSIL/C/C++ when .NET metadata is present, and expanded NjRAT detection signatures. Also added new MSIL opcode patterns and refactored entry point checks for managed code.
Updated the detection logic to check for both 'CodeWallTrialVersion' and 'CodeWallTrialVersion\u0001' .NET objects, enhancing the accuracy of identifying CodeWall trial versions.
Expanded packer and section name detection with new entries for 'bambam'. Improved Visual Studio detection logic and added heuristics for MinGW and FASM compilers. Refactored section name checks for better accuracy.
Refines the detection function to check for a 'mingw' signature in the .rdata section before falling back to the previous logic. This enhances the accuracy of MinGW identification in PE files.
Deleted multiple .sg files from db_extra/PE related to various crypters and protectors. This cleanup removes unused or outdated signature files to streamline the database.
Added new signatures for Petite 2.2, Themida, Private EXE Protector, NeoLite, and additional ASPack and Themida section names. Improved section name collision logging by sanitizing section names. Enhanced log function to sanitize illegal characters in log messages instead of throwing errors.
Trim and normalize whitespace in camera EXIF name detection for JPEGs. Corrected the packer name from 'NsPacK' to 'NsPack' in the PE detection rule and fixed minor formatting issues.
Added detection for RLPack and Crunch packers. Improved CPUID detection logic to check for presence near the entry point and updated related log messages. Added Ramnit detection based on the presence of the .rmnet section.
Added new detection logic for 'Trial' and '.-PEP-' section names when a specific import position hash is present. Also updated file comments with a source link and reformatted code for improved readability.
Added an additional detection method for PE-SHiELD by checking for a specific import position hash and section name. Also updated the author comment to include DosX.
Refactored Cab.1.sg to streamline resource section handling, improve version extraction, and consolidate detection conditions for SFX CABs. Updated __GenericHeuristicAnalysis_By_DosX.7.sg to avoid false positives by excluding a specific CALL opcode pattern at the entry point.
Refactored and improved code style and logic in multiple PE detection scripts for consistency and reliability. Updated comments, fixed comparison operators, merged conditional checks, and improved section and string search logic. Also updated heuristic analysis rules for EXECryptor and Themida, and made minor documentation and formatting improvements.
Refactored multiple detection scripts to simplify conditional logic, reduce variable usage, and improve code readability. Combined nested if statements, removed unnecessary variables, and standardized style across MSDOS and PE signature detection files. No changes to detection logic or functionality.
Applied consistent spacing in array definitions and control structures in PROTECT.2.sg, improved variable declarations and strict comparison in UPX.2.sg, and fixed formatting in virus.1.sg. These changes enhance code readability and maintainability without altering functionality.
Expanded the NetOpCodes class with comprehensive MSIL opcode documentation, additional opcodes, and improved helper methods for strict value substitution and opcode concatenation. Refactored utility functions for whitespace removal, string replacement, and section name sanitization to improve robustness and clarity. Fixed opcode usage in obfuscation detection logic and improved code comments for maintainability.
Extended isItemMangled and getNameOfMangledItem to detect and demangle Borland C++ symbol names. This improves recognition and extraction of function and method names from Borland-mangled symbols, including constructors and destructors.
Replaces all occurrences of PE.isNET() with PE.isNet() for consistency with naming conventions. Updates all loose equality checks (options.length != 0) to strict checks (options.length !== 0) throughout the file. Also corrects a compiler name from 'Microsoft Visual C/C++' to 'Microsoft Visual C++' and fixes a logic bug in section name checks.
Refactored and expanded the logic for detecting and extracting names from mangled C++ symbols, supporting both MSVC and GCC mangling schemes. Added detection for 'Address to stack trick' and CPUID at entry point. Improved function naming for clarity and updated usages to reflect new function names.
Expanded NOP-equivalent instruction detection for x86/x64, improved entry point pattern checks, and added new VMProtect signatures. Introduced linker detection and enhanced language detection heuristics for PE files. Also fixed a logic bug in IAT directory checks and removed redundant code.
Added a source URL to 12Ghosts_Zip2.1.sg and a header comment to BattleshipCrypter.2.sg for clarity. Moved ASPR_Stripper.2.sg from db/PE to db_extra/PE to better organize detection rule files.
Improved detection logic and code style in several PE database scripts. Added or updated metadata comments and language tags, fixed section name checks, and refactored switch/case statements for clarity. Also updated product names and URLs for better identification.
Several detection rule files were moved from db/ to db_extra/ for COM, ELF, MSDOS, and PE formats. Minor code style and comment updates were made to some scripts, and the about.txt file in db_extra was updated for clarity. The PE/Break_Into_Pattern.2.sg rule was renamed to Break-Into-Pattern.
Updated _setResult calls in scanForPackersAndCryptors_NET_and_Native and scanForBadFileFormat_NET_and_Native to use 'Generic' as the result description for consistency.
Updated heuristic to flag both CALL and JMP instructions at the entry point when it is located in the last section. This improves detection of suspicious control flow transfers at the entry point, not just CALLs.
Simplified the INTENIUM installer name, improved code formatting in Microsoft Class Installer and dotNET installer scripts, and moved Microsoft_Help.1.sg to db_extra/PE. These changes enhance code readability and maintainability.
Added a check to assign sVersion only if the PackagerVersion string length is less than 7. This prevents assigning unexpected version strings and improves detection accuracy.
Extracted compiler detection logic into a reusable isCompilerDetected() function. Added heuristic to detect IL2CPP by checking for specific section names. Improved comments and updated documentation for clarity.
Added a heuristic to identify NjRAT by checking for a specific byte pattern in section 0 when no other verdicts are present. This enhances detection of this malware family in .NET PE files.
Introduces a new sLangVersion parameter to the detection initialization and result functions, allowing the version of the programming language to be specified and passed to _setLang. This enhances detection granularity for language-specific features.
Removed the 'isPositive' argument from _setLang and updated all detection scripts to set language via variable assignment instead of calling _setLang directly. This streamlines language detection logic and centralizes result handling, improving maintainability and reducing redundant checks.
Deleted the _git.temp.task__setLang_to_sLang.js script, which was used to automate replacing _setLang calls with sLang assignments in .sg files. The script is no longer needed.
Introduces a Node.js script that recursively processes .sg files in the current directory, replacing calls to _setLang(..., bDetected) with sLang assignment statements.
Removed redundant code and unreachable returns in _FixDetects.9.sg. Updated _init to support an optional language parameter, ensuring language is set during result processing and variables are properly reset.
Moved and refactored the detection logic for various .NET malware families (e.g., NjRAT, XWorm, VenomRAT, RevengeRAT) from _simpleNetAntivirus.1.sg into __GenericHeuristicAnalysis_By_DosX.7.sg as scanForMaliciousCode_NET_and_Native. The new function is now called within the main heuristic analysis flow, consolidating detection and removing the standalone antivirus rule file.
Replaces assignment of String to a variable with a call to String(), ensuring 'version' is initialized as a string instance rather than referencing the String constructor.
Added new math opcode templates for .NET Reactor obfuscation detection and improved the logic for identifying strange calls at the entry point. Also added comments and structure for import-based packer/protector detection.
Cleaned up ARJSFX.1.sg by removing commented code and improving formatting. Updated detection labels in AHTeam_EP_Protector.2.sg to use consistent 'X' notation. Moved ARM_Protector.2.sg from db/PE to db_extra/PE.
Updated version string formatting to use uppercase 'X' for unknown digits in both Pantaray_QSetup and Perl detection scripts. Refactored redundant variable assignments and improved code clarity by removing unnecessary variables and comments. Also streamlined conditional checks and variable declarations for better readability.
Simplified the signature check in the detect function and replaced multiple _removeResult calls with a single call using an array of protector names. This improves code readability and maintainability.
Extended dbCollectionOfHashesDictionary entries with a type field to distinguish between packers, protectors, and protections. Updated detection logic to use this new field for more accurate classification. Also removed the unfinished scanForMaciliousCode_NET_and_Native implementation.
Functions like readBEword that have been lingering in db/read for backward compatibility have been removed, and all functions using them corrected (into shorthand, might as well)
Be good to modernise the other signatures away from readByte and readWord in general, but that's many more changes to do
- image.TGA.1.sg improved against the ridiculously scary real world & is now in shorthand; the assumed charset is now explicit
- db/bytecodeparsers MUAP98 endless recursion fault fixed, tests tightened
- replaceAll added for String type in db/_init
- db/soundchips is going to be just a database of sorts
- db/bytecodeparsers created with the explicit purpose of handling bytecode parsing needed for the detections of some tougher stuff. Has a uniform syntax. Currently hosts MUAP98 and MXDRV parsers.
- db/_init now has Number.prototype.clamp() as in C++
- Nintendo Binary CTR Wave audio .BCWAV added, info-ed & ripper-ready
- Criterion's RenderWare collision data .COL redone, info-ed. Ripper-ready if such a weird situation were ever to occur.
- Nintendo .BCSAR redone: attributed, tight, has info & ripper-ready
- BCSTM fixed up to foresee the possible big-endian resources (I got nothing to test that on)
- all scripts in db/Binary now begin with "// Detect It Easy: detection rule file", and the detect() and result() now just have empty parentheses as per the modern syntax;
- since _init now imports "read" for everything, all explicit imports removed from the scripts in Binary;
- now that Binary.readBytes works as intended, the provisory readU8Array removed;
- FLAC and AmigaIcon added with much detail;
- flac and dbf extension-based heuristics removed;
- some of the more obscure GuitarPro files are now detected with more stability and share some info (WIP);
- Universal Binary is fully replaced by DIE's dedicated code so it's gone;
- the funSampleName in db/read grew another bit;
- your usual bloated audio.1.sg update's here too (Kaens/audio1sg history has the deets)
- other small fixes
_init:
- there's no reason to String() when you can just "";
- "append" String proto extension got a proper description and a more intuitive length check;
- other small stuff
- PCX now doesn't have a potentially undeclared variable;
- it's rewritten with shorthand;
- more suspicion-based checks;
- I finally tested a non-RLE PCX, it's all good :D
read:
- ATASCII and a couple of its options added (gods I should stop it with the hacking in of things)
- the narrower side trianglies I used to be using for some reason are now proper side trianglies. I hate that GitHub is showing some of these characters on blue square background, they've been around since long before unicode existed...
chunkparsers:
- Atari binary detection can now start from a user-specified offset. Obvious stuff...
db/read:
- since File.readBytes is temporarily down, there's now a replacement for it in there;
- all affected files also modified
db/chunkparsers:
- I'm now collecting the chunked file structure parsers into this one cute file. They're supposed to quickly go through some common blocks, gathering the types, data offsets, data sizes (or whatever else would be necessary otherwise) and guessing the correct expected file size and reporting it too
- heuristics are now only checked when nothing was detected otherwise
- .TAP still managed to encounter FP and thus was moved to heuristics
- .Z80 was, on the contrary, strengthened enough to move out of heuristics; a bug fixed; SLT support added; infoed more & ripper-ready
db/read:
- readBytes sunset because the system function now exists
archives.ancient.sg, rom.1.sg, audio.DSS.1.sg, databases.1.sg, bin.PalmFile.1.sg:
- using the system readBytes now
- modernised the detect/result func syntax
- js beautify off
RPGMaker2000/2003 (Japanese locale):
- savefile .LSD and map tree data .LMT now detected, infoed and ripper-ready
- packed image .XYZ detected and infoed
TODO: .LMU and .LDB
- AU now recognises the more obscure formats (untested), attribution corrected, issue reporting fixed+modernised, detection tightened, some format info fixed, more text info displayed, and ripper-ready when size specified
- Creative Voice File .VOC no longer crashes at implied codec audio (typically game rips), and recognises the incorrectly crafted files where only the 1A after the signature is right, but the one in it was changed for some reason
- deflate: archive finder off the first 40h bytes somewhat optimised for speed, file is now in shorthand script and uses tabs
- TGA: tightened by max width/height
- rom: TAP added. MGT cosmetics
- read: charStat fixed to catch eXtaSCii and foreign better
- PCX detection rehashed to match the real world some more but keeping the detection tight enough (never enough, it seems, with a flimsy format like this...)
rom.1.sg:
- added are Konami Picno .BIN, Leapfrog .BIN, iQue .CMD, EALIB, FCSX .FCS, PC98 floppy .FDI and HDD .HDI, floppy FS .MGT, Speccy floppy .SCL, Speccy snapshots .Z80 and .SZX, tape .TZX/.TSX, DOOM .WAD, some Palm OS .BINs, and MSX 1/2 cart .ROMs
- PalmFile added, detecting PRC and PDB as best it can given the flimsy nature thereof
db/read:
- firstNotOf: added as a much more general case of isAllZeroes (hi C++)
- outArray: now tags strings
- addEllipsis: l∞p fixed (omg)
- cosmetics
Palm OS .PDB/.PRC detected, info-ed & ripper-ready where available (the last chunk is supposed to encompass the entire file tail by design, but certain popular block types can be parsed). It's still possible some unconventional files break this...
- Z-lib BMP .ZBM added
Quite a few ROM/cartridge/disk image formats added, quite a few more yet to go (disk images in this one too because some formats are only different in the file type byte in this regard, so like "retro-or-not-so-much emulator-oriented content" is the actual name of the game here now :D)
- .WAV detection script fixed, migrated to tabs and shorthand and db/read, the ridiculously heavily-reformatted switch reverted to one-liner cases, please don't change that.
- BitReader moved from <<>> to Util.shl/ru64, fixing the signedness glitches and hopefully increasing speed
- added the versatile outArray, a prettier Array log output
- added the niche-helpful findGaps and findExtensions too
- added some _log* functions for ease of debugging and freedom of choice
- many cosmetic changes
databases.1.sg:
- DBF vastly improved, truncation possible (or should I say ripper-ready?)
db/read:
- CP866, KOI8-R Speccy encodings added
- functions secondsToTimeStr, charStat, toBase64 and _logBase64 added (read the file for docs)
- a makeshift "patching" ~engine~ added until it's native
- many more fields are now checked for sanity;
- suspicious values counter added (and doesn't detect if 4+ values are invalid)
This should finally be enough!
Additionally, tabs instead of spaces.
- audio.VOC.1.sg added, defines Creative Voice .VOC, infoed & ripper-ready
- doc.DJVU.1.sg added (and "DjVu image" removed from graphics.1.sg), with in-depth analysis, lots of info & ripper-ready
(both of the above are written in the shorthand that the new beta introduces (eg. X.U16 used to be File.read_uint16))
- image.LBM.1.sg chunk sizes are now aligned
- Various debug output points now commented out or removed
- The raw zlib/deflate stream detections at non-zero offsets now only trigger if the entropy of the following 256 bytes is over 7 (suggesting actual compression). Nobody should want a detection of deflate "store", so lots of FPs should go with this
image.TGA.1.sg:
- condition added that limits the origin x,y to the reasonably "they used to use these" type of monitor area of 1600x1200, effectively stopping the many FPs on plain-text files, as well as many other files. The fight is ongoing...
db/read:
- decEncoding now accepts the optional parameter that lets you choose how to treat the first 0~32 characters; currently there are tables implemented that leave either LF or CR & LF as-is, or turn either one into its character representation.
- accidental trailing spaces removed
db/read:
- readBytes now features an optional parameter "zspace" for a special case of those 1-byte-encoding strings where zeroes may be a visible part of the string: if zspace = true, all 0 become 0x20 in the read data.
audio.1.sg:
- script-breaking typo urgently fixed in STK
- Protracker .MOD smp/msg was missing a quote symbol
- ChipTracker .KRIS now outputs smp/msg & ripper-ready
audio.1.sg:
- Edlib .D00/.D01 more files detected, more info added
- The "DMF\x09" .DMF format (a "compactable" hack of AMF) renamed
- PSF's (MINI)NCSF subformat added
- Amstrad CPC's Soundtrakker .STK and .128 now report bad CRC
- .AVP proper sanity check detection added
- STarKos .STK tightened, vastly more info-ed & ripper-ready (and research published)
- STarKos compiled binary (sig. SK10) added
- Generic ProTracker .MOD info fixed & sample names added to output
- Game Music Creator .GMC check reworked following and improving on libopenmpt's, so the old and broken music is now detected properly
- Soundtracker .STK/.MOD tightened, number of notes now reported
- Hippel ST tightened, payload slightly reduced
- Activision Pro .AVP redone into a semi-sanity check
- Some debug output cleaned up
TODO.md: updated
db/read:
- added some exotic retro charsets (Amiga, RISC OS, Atari ST) for use with decAnsi/decEncoding;
- Option and OptionT commands now have a way to add the suffix too (just put "" as a prefix if you don't want one but a suffix is needed);
- decAnsi/decEncoding now make the pre-space and 0x7F characters visible, whilst making sure it doesn't interfere with the way JIS7X0201 or KOI7-R (should that ever be added in this regressive manner) control characters still work.
outSz function added to facilitate and make uniform the output of calculated file size(s), visually comparing that to the actual file size if not equal in a concise manner. Use regex to find it in the logs :)
For consistency, it seems that compiled scripts generally fall under the "format" category. For example "Microsoft Compiled HTML Help" or "Python Compiled Module"
Curiosity is key to driving the project forward. If you have questions or ideas for improvement, don't hesitate to reach out. You can start a discussion by [opening a new issue](https://github.com/horsicq/Detect-It-Easy/issues/new).
## How to Report Issues
To report bugs and errors, please [open a new issue](https://github.com/horsicq/Detect-It-Easy/issues/new) on GitHub. Include detailed steps to reproduce the bug, along with any relevant stack traces, error messages, or affected files.
## Feature Requests
If you have ideas for new features or enhancements, feel free to [open a new issue](https://github.com/horsicq/Detect-It-Easy/issues/new) to discuss them. Your input is valuable in shaping the future of the project.
## Coding Standards and Formatting Rules
To maintain code quality and consistency across the project, please adhere to the following guidelines when contributing code:
- **Language and Style**: The project primarily uses DiE-JS. Follow the existing code style.
- **Formatting**: Use consistent indentation (4 spaces, no tabs).
- **Commits**: Write descriptive commit messages. Use the imperative mood (e.g., "Fix bug in file parser" instead of "Fixed bug").
- **Testing**: Include unit tests for new features or bug fixes where applicable. Ensure they are compilable!
## Guidelines for Translations or Code Contributions
We welcome contributions to translations and code to make Detect-It-Easy accessible to a global audience:
- **Translations**: If you'd like to add or update translations, fork the XTranslation repository and work on the relevant language files (typically in the `dicts/` directory). Ensure translations are accurate and culturally appropriate. Test them in the application to verify context. Use poedit for translating languages!
- **Process**: Submit changes via a pull request (see below).
- **Quality**: Proofread your contributions for grammar and clarity. Maintain consistency with the existing tone and style.
## How to Submit Pull Requests
1. Fork the repository on GitHub.
2. Create a new branch for your changes (e.g., `feature/new-detection-rule` or `fix/bug-123`).
3. Make your changes, ensuring they follow the coding standards and guidelines above.
4. Test your changes thoroughly.
5. Commit your changes with a clear, descriptive message.
6. Push your branch to your fork and [open a pull request](https://github.com/horsicq/Detect-It-Easy/compare) against the main branch.
7. In the pull request description, explain what changes you made and why. Reference any related issues.
8. Be responsive to feedback from maintainers and make requested revisions.
Pull requests will be reviewed, and once approved, merged into the project. Thank you for helping improve Detect-It-Easy!
**Detect It Easy (DiE)** is a powerful tool for file type identification, popular among **malware analysts**, **cybersecurity experts**, and **reverse engineers** worldwide. Supporting both **signature-based** and **heuristic analysis**, DiE enables efficient file inspections across a broad range of platforms, including **Windows, Linux, and MacOS**. Its adaptable, script-driven detection architecture makes it one of the most versatile tools in the field, with a comprehensive list of supported OS images.
- [💬 Contribute to Translations](https://github.com/horsicq/XTranslation)
Detect It Easy, abbreviated "DIE", is a program for determining the types of files.

"DIE" is a cross-platform application: apart from the Windows version, there are also
versions available for Linux and Mac OS.
## 💡 Why use Detect It Easy?
Many programs of this kind (PEID, PE tools) allow the use of third-party signatures.
Unfortunately, those signatures only scan bytes against a preset mask, and it is
not possible to specify additional parameters. As a result, false positives
occur often. More complex algorithms are usually hard-coded in the program
itself, so adding a new complex detect requires recompiling the entire
project, and no one except the authors themselves can change the algorithm of
a detect. As time passes, such programs lose relevance without constant support.
Detect It Easy’s **flexible signature system** and **scripting capabilities** make it an essential tool for **malware analysis** and **digital forensics**. With traditional static analyzers often limited in scope and prone to false positives, DiE’s customizable design enables precise integration of new detection logic, ensuring reliable results across diverse file types.
Detect It Easy has a totally open signature architecture. You can easily
add your own detection algorithms or modify those that already exist. This
is achieved by using scripts. The script language is very similar to JavaScript,
and anyone who understands the basics of programming will easily understand
how it works. Some may expect the scripts to run very slowly.
Indeed, scripts run slower than compiled code, but, thanks to the good optimization
of the script engine, this causes no real inconvenience. The possibilities
of the open architecture compensate for this limitation.
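To illustrate the point made above (a fixed byte mask versus a scripted detect that can also check context), here is an added example in plain JavaScript; it is not DiE's own engine code, and the `pe` objects, the byte mask and the section name ".packed0" are constructed for the demonstration.

```javascript
// Added example, not DiE's own engine code: a minimal model of why a
// scripted detect beats a pure byte-mask signature. All inputs are constructed.

// Parse a PEiD/DiE-style mask such as "E8 ?? ?? ?? ?? 5D" into
// an array of { wildcard, value } entries ("??" matches any byte).
function parseMask(mask) {
    return mask.trim().split(/\s+/).map(function (tok) {
        if (tok === "??") return { wildcard: true, value: 0 };
        return { wildcard: false, value: parseInt(tok, 16) };
    });
}

// True if the masked pattern matches `bytes` starting at `offset`.
function matchAt(bytes, offset, pattern) {
    if (offset < 0 || offset + pattern.length > bytes.length) return false;
    for (var i = 0; i < pattern.length; i++) {
        if (!pattern[i].wildcard && bytes[offset + i] !== pattern[i].value) {
            return false;
        }
    }
    return true;
}

// Mask-only check, as a third-party PEiD signature would do:
// bytes at the entry point against a fixed mask, nothing else.
function detectMaskOnly(pe, mask) {
    return matchAt(pe.bytes, pe.entryPointOffset, parseMask(mask));
}

// Scripted check: the same mask plus a condition no mask can express.
// Here the entry point must sit in the last section and that section
// must carry the packer's stub name (a constructed trait for the demo).
function detectScripted(pe, mask) {
    if (!detectMaskOnly(pe, mask)) return false;
    var last = pe.sections[pe.sections.length - 1];
    var ep = pe.entryPointOffset;
    return last.name === ".packed0" &&
           ep >= last.offset && ep < last.offset + last.size;
}

// Constructed samples: identical entry-point bytes, different layout.
var MASK = "E8 ?? ?? ?? ?? 5D 81 ED";
var stub = [0xE8, 0x10, 0, 0, 0, 0x5D, 0x81, 0xED];
var pad = [0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90];
var packedFile = { bytes: pad.concat(stub), entryPointOffset: 8,
    sections: [{ name: ".text", offset: 0, size: 8 },
               { name: ".packed0", offset: 8, size: 8 }] };
var plainFile = { bytes: pad.concat(stub), entryPointOffset: 8,
    sections: [{ name: ".text", offset: 0, size: 16 }] };
```

The mask-only check fires on both files, while the scripted check rejects the plain one, which is exactly the false-positive class the section-aware DiE scripts are meant to remove.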

DIE exists in three versions: the basic version ("die"), the Lite version ("diel") and
the console version ("diec"). All three use the same signatures, which are located
in the folder "db". If you open this folder, you will find nested sub-folders
("Binary", "PE" and others) whose names correspond to the types of files.
First, DIE determines the type of the file, and then sequentially loads all the signatures
that lie in the corresponding folder. Currently the program defines the following types:
*bl contributors listed at <https://github.com/rvagg/bl#contributors>*
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"deprecated":"Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
"deprecated":"This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",