Detect-It-Easy

mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00

History

DosX a41cd5eca0 Add PE entry-point anomaly YARA rules Introduce a new "Entry point anomalies" block with multiple YARA rules to detect suspicious PE entry-point placements and characteristics. Adds rules: Anomaly__EntryPointInLastSection (EP in last section, common for appended code/packers), Anomaly__EntryPointInNonCodeSection (EP inside a section without CODE flag), Anomaly__EntryPointOutsideAnySections (EP not in any section, skips DLLs and zero EP, ignores sections with no raw data), Anomaly__EPStartsWithNops (EP begins with a 4+ NOP sled), and Anomaly__EPStartsWithInt3 (EP begins with INT3). Rules use raw file offsets for pe.entry_point and include guards to reduce false positives.		2026-04-10 16:39:47 +03:00
..
crypto_signature.yar	Style: unify rule brace placement in YARA files	2026-02-23 12:44:03 +03:00
DiE_BasicHeuristics_by_DosX.yar	Rename and updateYARA rules	2025-09-22 00:30:45 +03:00
DiE_EnhancedHeuristics_by_DosX.yar	Add PE entry-point anomaly YARA rules	2026-04-10 16:39:47 +03:00
DiE_InterestingThings_by_DosX.yar	Add rule for Microsoft Linker detection	2025-11-02 22:02:00 +03:00
malware_analisys.yar	Add initial YARA rules for malware and crypto detection	2025-09-19 18:58:32 +03:00
packer.yar	Style: unify rule brace placement in YARA files	2026-02-23 12:44:03 +03:00
packer_compiler_signatures.yar	Style: unify rule brace placement in YARA files	2026-02-23 12:44:03 +03:00
peid.yar	Remove ': PEiD' specifiers from YARA rules	2026-02-23 12:35:20 +03:00