Detect-It-Easy/db/PE/protector_VBox.2.sg

// Detect It Easy: detection rule file
// Author: hypn0 <hypn0@mail.ru>

meta("protector", "VBox");

function detect() {
    if (PE.compareEP("ff7424..ff7424..ff7424..68........68........68........68........ff15")) {
        if (PE.isLibraryPresent("vboxp410.dll")) {
            sVersion = "4.10";
            bDetected = true;
        } else if (PE.isLibraryPresent("vboxp403.dll")) {
            sVersion = "4.03";
            bDetected = true;
        }
    }

    if (PE.findSignature(PE.getEntryPointOffset(), 0x1000, "558bec83c4..5657be........8b45..8946..ff75..8f46..8b45..8946..56") !== -1) {
        sVersion = "4.20";
        bDetected = true;
    }

    return result();
}