mirror of
https://github.com/horsicq/Detect-It-Easy.git
synced 2026-06-24 01:54:08 +00:00
Rename and tidy up multiple Detect It Easy rule files. CFBF rules Microsoft_Office and Microsoft_Installer were renamed to format_Microsoft_Office.1.sg and installer_Microsoft_Installer.1.sg and had minor whitespace/mode fixes. Several ELF rule files were renamed to the compiler_* namespace (including Free_Pascal and HP_C++), Borland_Kylix.4.sg was removed and replaced with a new compiler_Borland_Kylix.4.sg that consolidates section checks with OR conditions. Minor code cleanups: IBM_AIX kernel loader newline fix, and Oracle_Solaris_Studio improvements (initialize string via String(), combine var declarations, return cleaned strings with File.cleanString(), add braces and reorder bDetected assignment).
// Detect It Easy: detection rule file
// Author: Levis <levintaeyeon@live.com>
// EP sigs by hypn0 <hypn0@mail.ru>
// Lazarus Free Pascal
// Rule metadata: detection type "compiler", reported name "Free Pascal".
meta("compiler", "Free Pascal");
/**
 * Decide whether the ELF file under analysis looks like Free Pascal output.
 *
 * Checks are tried in order and the first one that applies wins:
 *   1. a long entry-point signature, which this rule maps to version "2.6.0";
 *   2. a short entry-point signature, or a ".fpc.resources" section;
 *   3. a ".fpcdata" section, with the version read after a leading "FPC " tag;
 *   4. an "FPC " tag in the last 0x100 bytes of ".data" (detection and version).
 *
 * Writes bDetected, sVersion and sLang, none of which are declared in this
 * file (presumably supplied by the Detect It Easy script host), and returns
 * whatever result() produces.
 *
 * Every input here (entry-point bytes, section names, the "FPC " string) comes
 * from the scanned file, so whoever built that file controls it. A match is a
 * heuristic hint about the toolchain, not proof of origin.
 *
 * @returns {*} the value returned by result()
 */
function detect() {
    var nSect, nBase, nLen, nHit;

    if (ELF.compareEP("5989e38d44....83e4..8915........a3........890d........891d........e8........8925........31ede8........c3")) {
        // Full start-up stub with wildcards; the rule pins it to one release.
        bDetected = true;
        sVersion = "2.6.0";
    } else if (ELF.compareEP("31ED5989E3") || ELF.isSectionNamePresent(".fpc.resources")) {
        // Five-byte prologue or a section name alone: weaker evidence than the
        // long signature, and no version can be derived from either.
        bDetected = true;
    } else if (ELF.isSectionNamePresent(".fpcdata")) {
        // The section name is enough to flag the file; the version is optional.
        bDetected = true;

        nSect = ELF.getSectionNumber(".fpcdata");
        nBase = ELF.getSectionFileOffset(nSect);
        nLen = ELF.getSectionFileSize(nSect);

        // Only the first 4 bytes of the section are searched, so the tag has
        // to sit at the very start of ".fpcdata".
        nHit = nLen > 0 ? ELF.findString(nBase, 4, "FPC ") : -1;
        if (nHit !== -1) {
            // NOTE(review): the text after the tag is taken verbatim from the
            // file, with no explicit length limit passed to getString() here;
            // confirm the host bounds it and whether it should be sanitised
            // before it is shown to the analyst.
            sVersion = ELF.getString(nHit + 4);
        }
    } else if (ELF.isSectionNamePresent(".data")) {
        nSect = ELF.getSectionNumber(".data");
        nBase = ELF.getSectionFileOffset(nSect);
        nLen = ELF.getSectionFileSize(nSect);

        // Search window is the final 0x100 bytes of ".data"; smaller sections
        // are skipped so the window never starts before the section does.
        nHit = nLen >= 0x100 ? ELF.findString(nBase + nLen - 0x100, 0x100, "FPC ") : -1;
        if (nHit !== -1) {
            // Same caveat as above: file-controlled text used as the version.
            sVersion = ELF.getString(nHit + 4);
            bDetected = true;
        }
    }

    // Set on every path, whether or not anything matched.
    sLang = "Pascal";

    return result();
}