
// Detect It Easy: detection rule file
// Author: KDSS-Research
// Edited: DosX
// Registers this rule with the engine: first argument is the rule type shown
// in the report ("protector"), second is the display name reported on a hit.
init("protector", "NetShield Protector");
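/**
 * Detection entry point called by the engine.
 *
 * Only .NET images are candidates. The verdict starts as "detected" and is
 * retracted when the expected framework references or the "!Sugar" section
 * are missing; the remaining checks only add option tags to sOptions.
 *
 * Globals touched: bDetected (verdict), sOptions (option tags).
 * Returns result() normally, or null when the reference check retracts
 * the verdict early (kept as in the original rule).
 */
function detect() {
    if (PE.isNET()) {
        bDetected = true;
        // Arguments are positional. The earlier `isPositive = true, references = [...]`
        // call form was not keyword arguments: it assigned two undeclared globals
        // and then passed the values by position anyway.
        if (validateReferences(true, [
            "System.Security.Cryptography",
            "System.Text",
            "System.CodeDom.Compiler",
            "System.Reflection"
        ])) {
            bDetected = false;
            return null; // end
        }
        if (!PE.isSectionNamePresent("!Sugar")) {
            bDetected = false;
        }
        // Any of the expected generated names being absent suggests the
        // protector's renaming option was used.
        if (!PE.isNetObjectPresent("_Lambda$__1") ||
                !PE.isNetObjectPresent("_Lambda$__2") ||
                !PE.isNetObjectPresent("k.exe")) {
            // Same separator rule as the "fake signs" tag below, so tags never
            // run together if sOptions already holds text.
            sOptions += (sOptions ? " + " : "") + "renaming";
        }
        if (PE.isNetObjectPresent("ConfusedByAttribute")) {
            sOptions += (sOptions ? " + " : "") + "fake signs";
        }
    }
    return result();
}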
// validateReferences by DosX
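/**
 * Checks a list of assembly reference names against section 0 of the image.
 *
 * @param {boolean} isPositive - true: every name is expected to be present;
 *   false: every name is expected to be absent. Must be a real boolean.
 * @param {string[]} references - names to look up.
 * @returns {boolean} true as soon as one entry contradicts the expectation,
 *   false when all entries match (an empty list therefore returns false).
 */
function validateReferences(isPositive, references) {
    // Strict comparison instead of the loose `== true`; the rule only ever
    // passes a boolean here.
    var wantPresent = (isPositive === true);
    for (var i = 0; i < references.length; i++) {
        // DiE signature syntax: "00" is a hex byte, '...' a literal string,
        // so this looks for the name delimited by NUL bytes (as stored in
        // the metadata string heap — confirm against the engine docs).
        var sign = "00'" + references[i] + "'00";
        var present = Boolean(PE.isSignatureInSectionPresent(0, sign));
        // One branch covers both modes: a mismatch between what was found
        // and what was expected is the failure condition.
        if (present !== wantPresent) {
            return true;
        }
    }
    return false;
}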