mirror of
https://github.com/horsicq/Detect-It-Easy.git
synced 2026-06-24 01:54:08 +00:00
57 lines
No EOL
1.7 KiB
JavaScript
Executable file
57 lines
No EOL
1.7 KiB
JavaScript
Executable file
// Detect It Easy: detection rule file
|
|
// Author: horsicq <horsicq@gmail.com>
|
|
|
|
// https://en.wikipedia.org/wiki/PureBasic
|
|
meta("compiler", "PureBasic");
|
|
|
|
function detect() {
|
|
|
|
|
|
var codeSectionDetected = false; // If no code section is detected, then it is not PureBasic
|
|
|
|
for (var i = 1; i < PE.getNumberOfSections() && !codeSectionDetected; i++) {
|
|
if (PE.section[i].Characteristics == 0x60000020) {
|
|
codeSectionDetected = true;
|
|
}
|
|
}
|
|
|
|
if (!codeSectionDetected) return false;
|
|
|
|
|
|
if (!PE.is64()) {
|
|
if (PE.compareEP("68....0000680000000068......00E8......0083C40C6800000000E8......00A3")) {
|
|
sVersion = "4.X-6.X";
|
|
bDetected = true;
|
|
} else if (PE.compareEP("837C24080175..8B442404A3........E8")) {
|
|
sVersion = "4.X";
|
|
bDetected = true;
|
|
}
|
|
} else {
|
|
if (PE.compareEP("4883EC..49C7C0........4831D248B9................E8........4831C9E8")) {
|
|
sVersion = "4.X-6.X";
|
|
bDetected = true;
|
|
}
|
|
}
|
|
|
|
if (PE.isSectionNamePresent(".drectve")) {
|
|
var sn = PE.getSectionNumber(".drectve");
|
|
|
|
if (PE.isSignatureInSectionPresent(sn, "'pb_datapointer'")) {
|
|
sVersion = "6.X";
|
|
sOptions = "gcc";
|
|
bDetected = true;
|
|
}
|
|
}
|
|
|
|
if (!bDetected && PE.getImportLibraryName(0) === "KERNEL32.dll") {
|
|
const rdataSection = PE.section[".rdata"];
|
|
|
|
if (rdataSection) {
|
|
bDetected = PE.findSignature(rdataSection.FileOffset, 5120, "1415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30313233") !== -1;
|
|
}
|
|
}
|
|
|
|
sLang = "PureBasic";
|
|
|
|
return result();
|
|
} |