// Detect It Easy: detection rule file
// Author: DosX
// E-Mail: collab@kay-software.ru
// GitHub: https://github.com/DosX-dev
// Telegram: @DosX_dev
// Rule metadata handed to the engine: "protector" and "DNGuard".
// NOTE(review): presumably (result type, result name); meta() is defined by the host engine, not in this file.
meta("protector", "DNGuard");
/**
 * Decide whether the PE file under analysis carries DNGuard markers.
 *
 * Exactly one of three mutually exclusive paths is evaluated, in this order:
 *   1. .NET image with a global static constructor,
 *   2. 64-bit image (reached only when path 1 did not apply),
 *   3. remaining (non-64-bit) image.
 * A file that enters path 1 and matches nothing there is NOT re-tested by
 * paths 2 or 3.
 *
 * Writes the engine globals `bDetected` and, on path 3 only, `sVersion`.
 *
 * @returns {*} whatever the engine's result() helper returns.
 */
function detect() {
    // Path 1: .NET image with a global static constructor.
    if (PE.isNet() && PE.isNetGlobalCctorPresent()) {
        // Only evaluated while at most one "protector" result is already recorded.
        var protectorSlotFree = _getNumberOfResults("protector") <= 1;

        // Short-circuit order is significant: two .NET object names first,
        // then the runtime version-mismatch message looked up in section 0.
        // NOTE(review): these are name/string markers, so a miss here does not
        // prove the file is unprotected.
        if (protectorSlotFree && (
            PE.isNetObjectPresent("ZYXDNGuarder") ||
            PE.isNetObjectPresent("HVMRuntm.dll") ||
            PE.isSignatureInSectionPresent(0, "'A newer version of DNGuard Runtime library is needed to run this application.'")
        )) {
            bDetected = true;
        }

        return result();
    }

    // Path 2: 64-bit image. Every indicator below must hold.
    if (PE.is64()) {
        var rdata = PE.section[".rdata"];
        var stubMatches = false;

        // Without a .rdata section none of the remaining checks are run.
        if (rdata) {
            stubMatches =
                // 'DNGuard' text somewhere inside .rdata ...
                PE.isSignaturePresent(rdata.FileOffset, rdata.FileSize, "'DNGuard'") &&
                // ... a specific import position hash at index 0 ...
                PE.isImportPositionHashPresent(0, 0x38432571) &&
                // ... and these exact bytes at the entry point
                // (48 83 EC 28 = sub rsp, 0x28; E8 = call rel32).
                PE.compareEP("48 83 EC 28 E8 07 AD");
        }

        if (stubMatches) {
            bDetected = true;
        }

        return result();
    }

    // Path 3: everything else. The is64() re-check mirrors the original
    // condition; it is always true here because path 2 returned otherwise.
    // NOTE(review): this path rests on a single import-hash indicator and also
    // asserts a version string, so treat a hit as lower confidence than path 2.
    if (!PE.is64() && PE.isImportPositionHashPresent(0, 0x99f8b58e)) {
        sVersion = "4.9+";
        bDetected = true;
    }

    return result();
}