Detect-It-Easy/db/PE/XComp.2.sg

// Detect It Easy: detection rule file

init("packer", "XComp");

function detect() {
    if (PE.getNumberOfImports() == 1 &&
        PE.getNumberOfImportThunks(0) == 5 &&
        PE.getImportFunctionName(0, 0) == "GetProcAddress" &&
        PE.getImportFunctionName(0, 1) == "LoadLibraryA" &&
        PE.getImportFunctionName(0, 2) == "VirtualAlloc" &&
        PE.getImportFunctionName(0, 3) == "VirtualFree" &&
        PE.getImportFunctionName(0, 4) == "VirtualProtect") {
        if (PE.compareEP("68........9C60E8$$$$$$$$E8$$$$$$$$5B5D833B00")) {
            bDetected = true;
        }
    }

    return result();
}