Detect-It-Easy/db/PE/protector_Ste@lth_PE.2.sg

// Detect It Easy: detection rule file
// Author: hypn0 <hypn0@mail.ru>

meta("protector", "Ste@lth PE");

function detect() {
    if (PE.findSignature(PE.getSize() - 0x40, 0x40, "ba........b8........8902424242b8........89024a4a4affd2") != -1) {
        sVersion = "2.X";
        bDetected = true;
    } else if (PE.findSignature(PE.getSize() - 0x40, 0x40, "b8........ba........8910404040ba........891048484850c3") != -1) {
        sVersion = "2.X";
        bDetected = true;
    }

    return result();
}