Update __GenericHeuristicAnalysis_By_DosX.7.sg

DosX-dev · DosX-dev · commit c6284622a388 · 2025-04-09T20:50:36.000+03:00
diff --git a/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg b/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
@@ -62,12 +62,12 @@
 // Please do not read the code out loud unless you have exorcism skills
 
 const logType = {
-        warning: -2,
-        about: -1,
-        nothing: 0,
-        any: 1,
-        net: 2
-    },
+    warning: -2,
+    about: -1,
+    nothing: 0,
+    any: 1,
+    net: 2
+},
     heurLabel = "HEUR";
 
 var lastOffsetDetected = "0x00";
@@ -178,11 +178,11 @@ function scanForObfuscations_NET() {
     var isEntryPointModified = false;
 
     const vbNetEntries = [
-            "Main",
-            "main",
-            "MAIN",
-            "MyApplication"
-        ],
+        "Main",
+        "main",
+        "MAIN",
+        "MyApplication"
+    ],
         defaultEntries = [ // like MSIL, C#, C++ NET etc
             "Main",
             "main", // F# entry
@@ -348,9 +348,9 @@ function scanForObfuscations_NET() {
 
     if (validateNetByteCode(intConfusionXorPattern)) {
         if (validateNetByteCode( // samples by: Inx Obfuscator
-                intConfusionXorPattern +
-                (opCodes.bne_un_s + opCodes.ldc_i4_2 + opCodes.stloc_0 + opCodes.sizeof + opCodes.add)
-            ) ||
+            intConfusionXorPattern +
+            (opCodes.bne_un_s + opCodes.ldc_i4_2 + opCodes.stloc_0 + opCodes.sizeof + opCodes.add)
+        ) ||
             validateNetByteCode( // samples by: MindLated, NetShield
                 intConfusionXorPattern +
                 (opCodes.bne_un + opCodes.ldc_i4 + opCodes.stloc + opCodes.sizeof + opCodes.add)
@@ -455,9 +455,9 @@ function scanForObfuscations_NET() {
     var isCalliInvokesPresent = false;
 
     if (validateNetByteCode( // samples by: MindLated
-            opCodes.setStrict(opCodes.ldftn, "** ?? 00 0A") +
-            opCodes.setStrict(opCodes.calli, "** 00 00 11")
-        ) ||
+        opCodes.setStrict(opCodes.ldftn, "** ?? 00 0A") +
+        opCodes.setStrict(opCodes.calli, "** 00 00 11")
+    ) ||
         validateNetByteCode( // samples by: ArmDot, DarksProtector
             opCodes.idelem_i +
             opCodes.setStrict(opCodes.calli, "** 00 00 11")
@@ -474,8 +474,8 @@ function scanForObfuscations_NET() {
     var isLdftnPointersPresent = false;
 
     if (validateNetByteCode(
-            opCodes.nop + opCodes.setStrict(opCodes.ldftn, "** 00 00 06") + opCodes.stelem_i
-        ) ||
+        opCodes.nop + opCodes.setStrict(opCodes.ldftn, "** 00 00 06") + opCodes.stelem_i
+    ) ||
         validateNetByteCode(
             opCodes.nop + opCodes.setStrict(opCodes.ldftn, "** 00 00 0A") + opCodes.stelem_i
         ) ||
@@ -497,9 +497,9 @@ function scanForObfuscations_NET() {
     var isCtrlFlowPresent = false;
 
     if (validateNetByteCode( // samples by: ConfuserEx
-            opCodes.nop + opCodes.ldloc_0 + opCodes.ldc_i4 + opCodes.mul + opCodes.ldc_i4 + opCodes.xor + opCodes.br_s +
-            opCodes.nop + opCodes.ldloc_0 + opCodes.ldc_i4 + opCodes.mul + opCodes.ldc_i4 + opCodes.xor + opCodes.br_s
-        ) ||
+        opCodes.nop + opCodes.ldloc_0 + opCodes.ldc_i4 + opCodes.mul + opCodes.ldc_i4 + opCodes.xor + opCodes.br_s +
+        opCodes.nop + opCodes.ldloc_0 + opCodes.ldc_i4 + opCodes.mul + opCodes.ldc_i4 + opCodes.xor + opCodes.br_s
+    ) ||
         validateNetByteCode( // samples by: ConfuserEx (neo mod)
             opCodes.ldc_i4 + opCodes.ldc_i4 + opCodes.xor + opCodes.dup + opCodes.stloc_0 + opCodes.ldc_i4_3 + opCodes.rem_un + opCodes.switch__nobody
         ) ||
@@ -767,32 +767,32 @@ function scanForObfuscations_NET() {
     var isMathInversionsPresent = false;
 
     if (validateNetByteCode(opCodes.ldc_i4 + opCodes.not) && (
-            validateNetByteCode( // ~(-(~(-(~(-(~(-( num ))))))))
-                opCodes.ldc_i4 +
-                opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
-                opCodes.not + opCodes.neg + opCodes.not + opCodes.neg
-            ) ||
-            validateNetByteCode( // ~(~(-(-(~(~( num ))))))
-                opCodes.ldc_i4 +
-                opCodes.not + opCodes.not + opCodes.neg + opCodes.neg +
-                opCodes.not + opCodes.not
-            ) ||
-            validateNetByteCode( // ~(-(~(~(-(-( num ))))))
-                opCodes.ldc_i4 +
-                opCodes.not + opCodes.neg + opCodes.not + opCodes.not +
-                opCodes.neg + opCodes.neg
-            ) ||
-            validateNetByteCode( // ~(-(~(-(~(~( num ))))))
-                opCodes.ldc_i4 +
-                opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
-                opCodes.not + opCodes.not
-            ) ||
-            validateNetByteCode( // ~(-(~(-(~(-( num ))))))
-                opCodes.ldc_i4 +
-                opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
-                opCodes.not + opCodes.neg
-            )
-        )) {
+        validateNetByteCode( // ~(-(~(-(~(-(~(-( num ))))))))
+            opCodes.ldc_i4 +
+            opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
+            opCodes.not + opCodes.neg + opCodes.not + opCodes.neg
+        ) ||
+        validateNetByteCode( // ~(~(-(-(~(~( num ))))))
+            opCodes.ldc_i4 +
+            opCodes.not + opCodes.not + opCodes.neg + opCodes.neg +
+            opCodes.not + opCodes.not
+        ) ||
+        validateNetByteCode( // ~(-(~(~(-(-( num ))))))
+            opCodes.ldc_i4 +
+            opCodes.not + opCodes.neg + opCodes.not + opCodes.not +
+            opCodes.neg + opCodes.neg
+        ) ||
+        validateNetByteCode( // ~(-(~(-(~(~( num ))))))
+            opCodes.ldc_i4 +
+            opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
+            opCodes.not + opCodes.not
+        ) ||
+        validateNetByteCode( // ~(-(~(-(~(-( num ))))))
+            opCodes.ldc_i4 +
+            opCodes.not + opCodes.neg + opCodes.not + opCodes.neg +
+            opCodes.not + opCodes.neg
+        )
+    )) {
         log(logType.net, "Math inversions detected, offset " + lastOffsetDetected);
         isMathInversionsPresent = true;
     }
@@ -923,12 +923,12 @@ function scanForObfuscations_NET() {
         }
 
         if ((!isWatermarkPresent && (
-                validateSignature("'Obfuscated'") ||
-                validateSignature("'obfuscated'") ||
-                validateSignature("'ByAttribute'") ||
-                validateSignature("'ObfuscatorAttribute'") ||
-                validateNetObject("ObfuscationAttribute")
-            )) && !isFrameworkComponent()) // System.Reflection.ObfuscationAttribute
+            validateSignature("'Obfuscated'") ||
+            validateSignature("'obfuscated'") ||
+            validateSignature("'ByAttribute'") ||
+            validateSignature("'ObfuscatorAttribute'") ||
+            validateNetObject("ObfuscationAttribute")
+        )) && !isFrameworkComponent()) // System.Reflection.ObfuscationAttribute
         {
             isWatermarkPresent = true;
         }
@@ -940,23 +940,23 @@ function scanForObfuscations_NET() {
 
 
     const protectorsLabelsToRemove = [ // Protectors with these names will be removed from results
-            "SafeNet Sentinel LDK .NET",
-            "Xenocode Postbuild",
-            "Smart Assembly",
-            "Dotfuscator",
-            "Babel .NET",
-            "Spices.Net",
-            "Maxtocode",
-            "FISH .NET",
-            "CliSecure",
-            "CodeWall",
-            "CodeVeil",
-            "Sixxpack",
-            "DNGuard",
-            "Goliath",
-            "Agile",
-            "Yano"
-        ],
+        "SafeNet Sentinel LDK .NET",
+        "Xenocode Postbuild",
+        "Smart Assembly",
+        "Dotfuscator",
+        "Babel .NET",
+        "Spices.Net",
+        "Maxtocode",
+        "FISH .NET",
+        "CliSecure",
+        "CodeWall",
+        "CodeVeil",
+        "Sixxpack",
+        "DNGuard",
+        "Goliath",
+        "Agile",
+        "Yano"
+    ],
         packersLabelsToRemove = [
             "ChainskiCrypter",
             "Quest PowerGUI",
@@ -1269,7 +1269,7 @@ function NetOpCodes() {
 
     // setStrict sets the strict value of the opcode for substitution
     // btw I like what I do
-    this.setStrict = function(opCodeMask, value) {
+    this.setStrict = function (opCodeMask, value) {
         // Remove spaces from opcode mask and value
         opCodeMask = removeSpaces(opCodeMask);
         value = removeSpaces(value);
@@ -1293,7 +1293,7 @@ function NetOpCodes() {
     }
 
     // Sets the mask value to zero for the specified opcode
-    this.setNullValue = function(opCodeMask) {
+    this.setNullValue = function (opCodeMask) {
 
         if (opCodeMask.indexOf("??") === -1) {
             _error("Instruction does not have a body to overwrite the value.");
@@ -1362,14 +1362,14 @@ function scanForPackersAndCryptors_NET_and_Native() { // For .NET and Native app
         var isAssemblyInvokeFound = false;
 
         if (isAllNetReferencesPresent( // TODO: update [!!!]
-                references = [
-                    "System.Reflection", // System.Reflection.dll
-                    "get_EntryPoint", // MSIL: '*.Assembly::get_EntryPoint()'
-                    "Assembly", // MSIL: 'System.Reflection.Assembly' from System.Reflection.dll
-                    "Invoke", // MSIL: '*.MethodBase::Invoke(object, object[])'
-                    "Load" // MSIL: '*.Assembly::Load(uint8[])'
-                ]
-            )) {
+            references = [
+                "System.Reflection", // System.Reflection.dll
+                "get_EntryPoint", // MSIL: '*.Assembly::get_EntryPoint()'
+                "Assembly", // MSIL: 'System.Reflection.Assembly' from System.Reflection.dll
+                "Invoke", // MSIL: '*.MethodBase::Invoke(object, object[])'
+                "Load" // MSIL: '*.Assembly::Load(uint8[])'
+            ]
+        )) {
             isAssemblyInvokeFound = true;
 
             options = "Assembly invoke";
@@ -2515,8 +2515,8 @@ function isAllNetReferencesPresent(references) {
  */
 function findAndMark(sign, isFullName) {
     if (PE.isSignatureInSectionPresent(0,
-            ("00'" + sign + "'") + // 00'string
-            (isFullName ? "00" : String()))) { // ... '00
+        ("00'" + sign + "'") + // 00'string
+        (isFullName ? "00" : String()))) { // ... '00
         return sign;
     }
     return String();
@@ -2727,9 +2727,9 @@ function scanForObfuscations_Native() {
     var exeAsDll = false;
 
     if (PE.isDll() && (
-            PE.isExportFunctionPresent("Start") ||
-            PE.isExportFunctionPresent("main") ||
-            PE.isExportFunctionPresent("_start"))) {
+        PE.isExportFunctionPresent("Start") ||
+        PE.isExportFunctionPresent("main") ||
+        PE.isExportFunctionPresent("_start"))) {
         exeAsDll = true;
     }
 
@@ -2877,8 +2877,8 @@ function getEpAsmPattern(onlyOpCodes, numberOf) {
         // Append either the opcode or the full instruction to the result
         result += (
             onlyOpCodes ?
-            getAsmOpCode(asmInstruction) : // "MOV"
-            asmInstruction // "MOV EAX, 4"
+                getAsmOpCode(asmInstruction) : // "MOV"
+                asmInstruction // "MOV EAX, 4"
         ) + _patternSplitter;
     }
 
@@ -2937,8 +2937,8 @@ function getInstructionsAsmPattern(instruction) {
     return _patternSplitter +
         (
             Array.isArray(instruction) ?
-            instruction.join(_patternSplitter) :
-            instruction
+                instruction.join(_patternSplitter) :
+                instruction
         ) +
         _patternSplitter;
 }
