Detect-It-Easy/db/PE/VMProtect_NET.2.sg
DosX 995b5d3e57 Improve VMProtect .NET detection logic
Refactored signature checks to use logical OR for version 3.X detection, simplifying the condition. Enhanced section name collision handling to specifically detect '.vmp' and set version to 2.X-3.X, improving accuracy of version and options identification.
2025-09-07 18:22:45 +03:00


// Detect It Easy: detection rule file
// Author: DosX
// E-Mail: collab@kay-software.ru
// GitHub: https://github.com/DosX-dev
// Telegram: @DosX_dev
// https://vmpsoft.com/
// Declares this rule's category ("protector") and product name ("VMProtect").
// NOTE(review): presumably consumed by result() when the verdict is reported; confirm against the DIE script API.
meta("protector", "VMProtect");
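/**
 * Detection entry point for VMProtect-protected .NET assemblies.
 *
 * The rule only runs when the file is a .NET PE with at least three sections,
 * carries a "SuppressIldasmAttribute" object and has a global static
 * constructor. It then searches the file body (overlay excluded) for one of
 * two byte patterns and, on a hit, refines the reported version and options.
 *
 * Writes the engine globals `sVersion`, `sOptions` and `bDetected`.
 *
 * @returns {*} Whatever the engine's `result()` helper returns.
 */
function detect() {
    if (!(PE.isNet() && PE.getNumberOfSections() >= 3 && PE.isNetObjectPresent("SuppressIldasmAttribute") && PE.isNetGlobalCctorPresent())) {
        return result();
    }

    // Eight "%%" placeholder bytes followed by a literal 00.
    // NOTE(review): "%%" is assumed to be a character-class wildcard in DIE's signature syntax; confirm.
    const chunk = "%% %% %% %% %% %% %% %% 00";
    // Scan the mapped file only; appended overlay data is left out.
    const scanBytes = PE.getSize() - PE.getOverlaySize();

    // patternFromCctor: "<Module>" name followed by four chunks.
    // globalBigPattern: a 00 byte followed by eight chunks.
    var patternFromCctor = "'<Module>'00",
        globalBigPattern = "00";
    for (var t = 0; t < 4; t++) {
        patternFromCctor += chunk;
        globalBigPattern += chunk + chunk;
    }

    if (PE.findSignature(0x00, scanBytes, patternFromCctor) !== -1 ||
        PE.findSignature(0x00, scanBytes, globalBigPattern) !== -1) {
        sVersion = "3.X";
        bDetected = true;
    }

    if (bDetected) {
        // findSignature() reports "not found" as -1, which is truthy, and a hit at
        // offset 0 as 0, which is falsy. Compare against -1 explicitly, as the
        // version checks above do, so the option is only reported on a real match.
        if (PE.findSignature(0x00, scanBytes, generateUnicodeSignatureMask("Program will be terminated.")) !== -1) { // Unicode [global] string
            sOptions = "Resources protection";
        }

        var sectionNameCollision = PE.getSectionNameCollision("0", "1");
        if (sectionNameCollision === ".vmp") {
            // Default ".vmp0"/".vmp1"-style section names: widen the version range.
            sVersion = "2.X-3.X";
        } else if (sectionNameCollision) {
            // Any other colliding prefix is reported as renamed sections.
            sOptions += (sOptions.length != 0 ? " + " : "") + "Custom sections";
        }

        // A literal "VMProtect" object is treated as a planted (fake) signature,
        // so its presence cancels the detection.
        bDetected = bDetected && !PE.isNetObjectPresent("VMProtect"); // fake signature
    }

    return result();
}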
/**
 * Builds a signature mask that matches `inputString` stored as 16-bit
 * characters: each character is emitted as a quoted literal and consecutive
 * characters are separated by a 00 byte.
 *
 * No 00 is appended after the final character, and quote characters inside
 * `inputString` are not escaped.
 *
 * @param {string} inputString - Text to convert.
 * @returns {string} The mask, e.g. "'a'00'b'" for "ab"; "" for an empty string.
 */
function generateUnicodeSignatureMask(inputString) {
    var quotedChars = [];
    var position = 0;
    while (position < inputString.length) {
        quotedChars.push("'" + inputString[position] + "'");
        position += 1;
    }
    // Joining with "00" places the separator between characters only.
    return quotedChars.join("00");
}
// Hello Ivan Permyakov and thanks for your contribution to Open Source!