Detect-It-Easy/db/PE/protector_NetReactor.2.sg
DosX 09e52a2dc9 Standardize and reorganize database file naming for DosX's rules
Renamed and reorganized numerous database files across APK, DEX, ELF, PE, and other directories to use consistent prefixes such as 'library_', 'protector_', 'packer_', 'cryptor_', 'tool_', and similar. This improves clarity, maintainability, and categorization of the database entries.
2026-01-12 00:02:11 +03:00


// Detect It Easy: detection rule file
// Author: DosX
// E-Mail: collab@kay-software.ru
// GitHub: https://github.com/DosX-dev
// Telegram: @DosX_dev
// ----------------
// First version of detect made by ajax
// https://www.eziriz.com/dotnet_reactor.htm
// Declares this rule's result type ("protector") and product name (".NET Reactor").
// NOTE(review): meta() is supplied by the Detect It Easy script engine; presumably these are the values result() reports. Confirm against the engine.
meta("protector", ".NET Reactor");
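/**
 * Detects the .NET Reactor protector in a PE file and, where a marker allows
 * it, narrows the version and records the protection options that were seen.
 *
 * Reads the engine-provided `PE` object and writes the engine globals
 * `sVersion`, `sOptions` and `bDetected`. Every check is a byte-pattern or
 * name heuristic over a file that may be hostile: a match is a triage hint,
 * not proof, and a sample can carry or lack these markers independently of
 * the protector that was actually used.
 *
 * @returns {*} the value of `result()`, or `undefined` when the NecroVM
 *   exclusion in the .NET branch fires.
 */
function detect() {
    if (PE.section[".reacto"]) {
        // Sections 1-3 are read by index, so make sure they exist first. A
        // truncated or crafted file can carry a ".reacto" section with fewer
        // than four sections, and the unguarded lookup would throw instead of
        // simply not matching (same guard style as the .NET branch below).
        if (PE.section.length >= 4 &&
            PE.section[1].FileSize == 0 &&
            PE.section[2].FileSize == 0 &&
            PE.section[3].FileSize == 0) {
            sVersion = "2.0-2.1";
            bDetected = true;
        }
    } else if (PE.compareEP("558becb90f0000006a006a004975f951535657b8........e8")) {
        // Native stub recognised by its entry-point bytes.
        sVersion = "2.X-3.X";
        bDetected = true;
    } else if (PE.resource["__"] && PE.compareEP("e8$$$$$$$$8bff558bec83ec10")) {
        // A resource named "__" plus an entry-point pattern; the exact stub
        // layout then separates the two known version ranges.
        if (PE.compareEP("e8........e9........6a0c68")) {
            sVersion = "4.2";
            bDetected = true;
        } else if (PE.compareEP("e8........e9........8bff558bec83ec208b45085657")) {
            sVersion = "4.5-4.7";
            bDetected = true;
        }
    } else if (PE.isNet()) {
        if (PE.isSignatureInSectionPresent(0, "558becb90f0000006a006a004975f951535657b8........e8")) {
            // Same byte pattern as the 2.X-3.X entry-point check, found inside section 0.
            sVersion = "3.X";
            bDetected = true;
        } else if (PE.section.length >= 2) {
            if (PE.section[1].Characteristics == 0xc0000040) { // .sdata
                if (PE.isSignatureInSectionPresent(1, "5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158")) {
                    sVersion = "4.8-4.9";
                    bDetected = true;
                }
            }
        }

        // Bare return: result() is not called, even if a check above already
        // set bDetected. NOTE(review): presumably this leaves NecroVM-protected
        // assemblies to a different rule. Confirm.
        if (PE.isNetObjectPresent("NecroVM.Runtime")) return;

        // ASCII for a run of length-prefixed names: m_isReadOnly, compareInfo,
        // textInfo, numInfo, dateTimeInfo, calendar, m_dataItem, cultureID,
        // m_name, m_useUserOverride. Only a version hint: bDetected is left as is.
        if (PE.isSignatureInSectionPresent(0, "6D5F6973526561644F6E6C790B636F6D70617265496E666F0874657874496E666F076E756D496E666F0C6461746554696D65496E666F0863616C656E6461720A6D5F646174614974656D0963756C747572654944066D5F6E616D65116D5F757365557365724F76657272696465")) {
            sVersion = "6.X";
        }

        // Five consecutive NUL-terminated names of the form "m_" + 32
        // placeholder positions, i.e. a block of renamed members.
        // NOTE(review): %% is a placeholder of the signature syntax; its exact
        // character class is defined by the engine, not by this file.
        var signatureToScan = String();
        for (var i = 0; i < 5; i++) {
            signatureToScan += "'m_'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%00";
        }
        if (PE.isSignatureInSectionPresent(0, signatureToScan)) {
            sOptions = sOptions.append("Control Flow");
            sVersion = "6.X";
            bDetected = true;
        }

        // A run of "$$method0x<token>-<n>" names (6000317-1, 6000332-1, 6000332-2, ...).
        if (PE.isSignatureInSectionPresent(0, "'$$method0x'363030303331372D310024246D6574686F643078363030303333322D310024246D6574686F643078363030303333322D320024246D6574686F643078363030303334302D310024246D6574686F643078363030303334302D320024246D6574686F643078363030303335332D310024246D6574686F64")) {
            sVersion = "6.5";
            bDetected = true;
        }

        if (PE.isNetGlobalCctorPresent()) {
            // The hex is UTF-16LE " is tampered."; combined with the two
            // framework type names it marks the integrity check.
            if (PE.isNetObjectPresent("BinaryReader") && PE.isNetObjectPresent("RSACryptoServiceProvider") && PE.isSignatureInSectionPresent(0, "2000690073002000740061006D00700065007200650064002E00")) {
                sOptions = sOptions.append("Anti-tamper");
                bDetected = true;
            } else if (PE.isNetObjectPresent("kernel32") && PE.isSignatureInSectionPresent(0, "6B00650072006E0065006C002000")) {
                // The hex is UTF-16LE "kernel " (with the trailing space).
                bDetected = true;
            }
        }

        // Recorded as an option only; on its own this attribute does not set bDetected.
        if (PE.isNetObjectPresent("SuppressIldasmAttribute")) {
            sOptions = sOptions.append("Anti-ILDASM");
        }

        // The hex is the UTF-16LE start of the demo notice: Eziriz's ".NET Reactor"! This a
        if (PE.isSignatureInSectionPresent(0, "45007A006900720069007A0027007300200022002E004E00450054002000520065006100630074006F0072002200210020005400680069007300200061") && PE.isNetObjectPresent("DateTime")) {
            sOptions = sOptions.append("Demo");
            bDetected = true;
        }
    }

    return result();
}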