mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
Detect-It-Easy/db/PE/PyInstaller.2.sg
horsicq d35fa9aa77 Update file(s): 2025-04-27
2025-04-27 02:41:59 +02:00

76 lines
2.2 KiB
JavaScript
Executable file
Raw Blame History

// Detect It Easy: detection rule file
// Author: DosX
// E-Mail: collab@kay-software.ru
// GitHub: https://github.com/DosX-dev
// Telegram: @DosX_dev
init("packer", "PyInstaller"); // python = 💩
includeScript("python");
function detect() {
const overlaySignatureDetected = PE.compareOverlay("78da");
if (overlaySignatureDetected) {
const rdata = PE.section[".rdata"];
if (rdata &&
PE.findString(
rdata.FileOffset,
rdata.FileSize,
"PyInstaller: FormatMessageW failed."
) != -1) {
bDetected = true;
}
}
for (var i = 0; i < PE.getNumberOfResources() && !bDetected; i++) {
const resSize = PE.getResourceSizeByNumber(i);
if ((
resSize == 0x909b && // black
PE.calculateMD5(PE.getResourceOffsetByNumber(i), resSize) == "20d36c0a435caad0ae75d3e5f474650c"
) || (
resSize == 0x952c && // white
PE.calculateMD5(PE.getResourceOffsetByNumber(i), resSize) == "f6fbada22d6a6c07ef8fdaa504f117d5"
)) {
if (!overlaySignatureDetected) {
sOptions = "custom";
} else {
sOptions = PE.section[".rdata"] ? "modified" : "packed";
}
bDetected = true;
}
}
if (!bDetected && overlaySignatureDetected && PE.findSignature(
PE.getOverlayOffset(),
PE.getOverlaySize(),
"4d45490c0b0a0b0e"
) != -1) {
sOptions = "overlay; modified";
bDetected = true;
}
var version;
if (bDetected) {
for (var i = 0; i < 2 && !version; i++) {
var sign = PE.findSignature(
PE.getOverlayOffset(),
PE.getOverlaySize(),
"70 79 74 68 6F 6E'" + [2, 3][i] + "'");
if (sign && PE.findString(sign, 15, ".") != -1) {
version = "v" + getPythonVersionByDll(PE.getString(sign - 1, 15));
}
}
}
_setLang("Python", bDetected, version);
return result();
}
Reference in a new issue View git blame Copy permalink