mirror of
https://github.com/horsicq/Detect-It-Easy.git
synced 2026-06-24 01:54:08 +00:00
Set the format metadata for SQLite 3 database and remove redundant assignment in detection. Enhance kkrunchy PE detection to set 'modified' option if the 'kkrunchy' section is missing.
// Detect It Easy: detection rule file
// Author: LinXP
// doc-ref: https://www.sqlite.org/fileformat.html
// Declares this rule's "format" metadata string (the label for files it matches).
// NOTE(review): how the engine consumes meta() is not visible in this file — confirm.
meta("format", "SQLite 3 database (.SQLITE)");
// Identifies an SQLite 3 database from its header and reports the library
// version, the text encoding and, in verbose mode, the application ID and the
// file change counter.
//
// Field offsets follow https://www.sqlite.org/fileformat.html and every field
// is read big-endian. All reported values are copied from the file itself, so
// they are self-declared by whatever wrote the file and are not verified here;
// treat them as hints during triage, not as established facts.
//
// Returns result() in the normal case. Returns undefined when the text-encoding
// field holds anything other than 1, 2 or 3.
function detect() {
    // Header magic: the text "SQLite format 3" followed by a NUL byte.
    if (!Binary.compare("'SQLite format 3'00")) {
        return result();
    }

    bDetected = true;

    // NOTE(review): the reads below reach offset 0x63. How Binary.read_uint32
    // behaves on a file shorter than the 100-byte header is not visible here;
    // confirm that a truncated file cannot yield misleading values.
    var nAppID = Binary.read_uint32(0x44, _BE);                // application ID
    var nSQLiteVersionNumber = Binary.read_uint32(0x60, _BE);  // SQLITE_VERSION_NUMBER of the last writer
    var nChangeCount = Binary.read_uint32(0x18, _BE);          // file change counter

    // The version is packed as major * 1000000 + minor * 1000 + release.
    // "| 0" truncates to a 32-bit integer, the same conversion as ">> 0".
    var nMajor = (nSQLiteVersionNumber / 1000000) | 0;
    var nRemainder = nSQLiteVersionNumber - nMajor * 1000000;
    var nMinor = (nRemainder / 1000) | 0;
    var nRelease = (nRemainder - nMinor * 1000) | 0;

    sVersion = [nMajor, nMinor, nRelease].join(".");

    // Text encoding field: only the three values named by the spec are accepted.
    var nTextEncoding = Binary.read_uint32(0x38, _BE);
    if (nTextEncoding === 1) {
        sOption("UTF-8");
    } else if (nTextEncoding === 2) {
        sOption("UTF-16LE");
    } else if (nTextEncoding === 3) {
        sOption("UTF-16BE");
    } else {
        // NOTE(review): this bails out without calling result() while
        // bDetected is still true and sVersion is already set. Presumably the
        // engine treats an undefined return as "no match" — confirm.
        return;
    }

    // Zero-valued fields are skipped; the extra detail is shown only in verbose mode.
    if (nAppID) {
        if (Binary.isVerbose()) {
            sOption("AppID: " + nAppID);
        }
    }

    if (nChangeCount) {
        if (Binary.isVerbose()) {
            sOption("Changes: " + nChangeCount);
        }
    }

    return result();
}