avast · s3rvac · Jul 15, 2020 · Jun 18, 2020 · Jun 23, 2020 · Jun 23, 2020
diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -776,9 +776,6 @@ void PeHeuristics::getActiveMarkHeuristics()
 void PeHeuristics::getRLPackHeuristics()
 {
 	if (search.exactComparison(
-			"B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944",
-			toolInfo.epOffset)
-		|| search.exactComparison(
 			"57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1",
 			toolInfo.epOffset))
 	{
@@ -940,7 +937,7 @@ void PeHeuristics::getUpxHeuristics()
 	// format: x.xx'\0'UPX!
 	const std::size_t minPos = 5, verLen = 4;
 	pos = content.find("UPX!");
-	if (pos >= minPos && pos < 0x500)
+	if (pos >= minPos && pos < 0x500 && pos < sections[0]->getOffset())
 	{
 		std::string version;
 		std::size_t num;
@@ -1981,17 +1978,13 @@ void PeHeuristics::getPeSectionHeuristics()
 	{
 		addPacker(source, strength, "LameCrypt");
 	}
-	if (lastName == ".rmnet")
-	{
-		addPacker(source, strength, "Ramnit");
-	}
 	if (firstName == ".Upack" || firstName == ".ByDwing")
 	{
 		addPacker(source, strength, "Upack");
 	}
 	if (lastName == "yC" || lastName == ".y0da" || lastName == ".yP")
 	{
-		addPacker(source, strength, "yoda's Crypter");
+		addPacker(source, strength, "yoda's Protector");
 	}
 	if (findSectionName(".petite") == 1)
 	{
@@ -2101,7 +2094,8 @@ void PeHeuristics::getPeSectionHeuristics()
 	}
 	if (noOfSections > 2)
 	{
-		if (firstName == "UPX0" && secondName == "UPX1")
+		if (firstName == "UPX0" && secondName == "UPX1"
+				&& sections[0]->getSizeInFile() == 0)
 		{
 			addPacker(source, strength, "UPX");
 		}

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -227,18 +227,6 @@ rule installshield_uv_3 {
 		$1 at pe.entry_point
 }
 
-rule installshield_uv_04 {
-	meta:
-		tool = "I"
-		name = "InstallShield"
-		source = "Made by Retdec Team"
-		pattern = "558BEC6AFF68????4?0068????4?0064A100000000506489250000000083EC585356578965E8FF15????4?0033D28AD48915????4?008BC881E1FF000000890D????4?00C1E10803CA890D????4?00C1E810A3????4?00??????????0?00"
-	strings:
-		$1 = { 55 8B EC 6A FF 68 ?? ?? 4? 00 68 ?? ?? 4? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 4? 00 33 D2 8A D4 89 15 ?? ?? 4? 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 4? 00 C1 E1 08 03 CA 89 0D ?? ?? 4? 00 C1 E8 10 A3 ?? ?? 4? 00 ?? ?? ?? ?? ?? 0? 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule installshield_uv_05 {
 	meta:
 		tool = "I"

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -1584,18 +1584,6 @@ rule adflt2 {
 		$1 at pe.entry_point
 }
 
-rule ahpack_01 {
-	meta:
-		tool = "P"
-		name = "AHPack"
-		version = "0.1"
-		pattern = "606854??????B848??????FF1068B3??????50B844????00FF106800"
-	strings:
-		$1 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? 00 FF 10 68 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule ahteam_ep_protector_03_041 {
 	meta:
 		tool = "P"
@@ -2782,17 +2770,6 @@ rule asdpack_20_02 {
 		$1 at pe.entry_point
 }
 
-rule aspack_uv_01 {
-	meta:
-		tool = "P"
-		name = "ASPack"
-		pattern = "5D81ED??????00BB??????0003DD2B9D??????0083BD??????0000899D??????000F85????00008D85??????0050FF95??????008985"
-	strings:
-		$1 = { 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D ?? ?? ?? 00 83 BD ?? ?? ?? 00 00 89 9D ?? ?? ?? 00 0F 85 ?? ?? 00 00 8D 85 ?? ?? ?? 00 50 FF 95 ?? ?? ?? 00 89 85 }
-	condition:
-		$1 in (pe.entry_point + 6 .. pe.entry_point + 7)
-}
-
 rule aspack_uv_02 {
 	meta:
 		tool = "P"
@@ -3406,6 +3383,17 @@ rule asprotect_uv_04 {
 		$1 at pe.entry_point
 }
 
+rule asprotect_uv_05 {
+	meta:
+		tool = "P"
+		name = "ASProtect"
+		pattern = "5D81ED??????00BB??????0003DD2B9D??????0083BD??????0000899D??????000F85????00008D85??????0050FF95??????008985"
+	strings:
+		$1 = { 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D ?? ?? ?? 00 83 BD ?? ?? ?? 00 00 89 9D ?? ?? ?? 00 0F 85 ?? ?? 00 00 8D 85 ?? ?? ?? 00 50 FF 95 ?? ?? ?? 00 89 85 }
+	condition:
+		$1 in (pe.entry_point + 6 .. pe.entry_point + 7)
+}
+
 rule asprotect_10 {
 	meta:
 		tool = "P"
@@ -8258,18 +8246,6 @@ rule mew_11_se_12 {
 		$1 at pe.entry_point + 48
 }
 
-rule mew_11_se_10_12 {
-	meta:
-		tool = "P"
-		name = "MEW"
-		version = "11 SE 1.0 - 1.2"
-		pattern = "E9??????FF0??0??0?0000000??0??00??????????0??0"
-	strings:
-		$1 = { E9 ?? ?? ?? FF 0? ?0 ?? 0? 00 00 00 0? ?0 ?? 00 ?? ?? ?? ?? ?? 0? ?0 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule mew_5xx {
 	meta:
 		tool = "P"
@@ -14185,9 +14161,9 @@ rule stealth_101 {
 		tool = "P"
 		name = "Ste@lth"
 		version = "1.01"
-		pattern = "??????????BA??????00"
+		pattern = "BA??????00FFE2BA??????00B8????????890283C203B8????????890283C2FDFFE2"
 	strings:
-		$1 = { ?? ?? ?? ?? ?? BA ?? ?? ?? 00 }
+		$1 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
 	condition:
 		$1 at pe.entry_point
 }
@@ -14197,9 +14173,18 @@ rule stealth_pe_11 {
 		tool = "P"
 		name = "Stealth PE"
 		version = "1.1"
-		pattern = "BA??????00FFE2BA??????00B8????????890283C203B8????????890283C2FDFFE2"
+	condition:
+		stealth_101
+}
+
+rule stealth_210 {
+	meta:
+		tool = "P"
+		name = "Ste@lth"
+		version = "2.10"
+		pattern = "B8????????BA????????B9????????310183C1044A75F8EBC0"
 	strings:
-		$1 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
+		$1 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 31 01 83 C1 04 4A 75 F8 EB C0 }
 	condition:
 		$1 at pe.entry_point
 }
@@ -14583,18 +14568,6 @@ rule telock_096 {
 		$1 at pe.entry_point
 }
 
-rule telock_098_10 {
-	meta:
-		tool = "P"
-		name = "tElock"
-		version = "0.98 - 1.0"
-		pattern = "E9????FFFF000000??????????????000000000000000000"
-	strings:
-		$1 = { E9 ?? ?? FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule telock_098_special_build {
 	meta:
 		tool = "P"
@@ -14751,18 +14724,6 @@ rule themida_18x_2x_winlicense {
 		$1 at pe.entry_point
 }
 
-rule themida_2010_winlicense {
-	meta:
-		tool = "P"
-		name = "Themida"
-		version = "2.0.1.0 or higher WinLicense"
-		pattern = "00000000????????000000006B65726E656C33322E646C6C00????????0000000000000000????????????????00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
-	strings:
-		$1 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	condition:
-		$1
-}
-
 rule thewrap_uv {
 	meta:
 		tool = "P"
@@ -15553,6 +15514,18 @@ rule upack_039f_02 {
 		$1 at pe.entry_point
 }
 
+rule upack_039f_03 {
+	meta:
+		tool = "P"
+		name = "Upack"
+		version = "0.39f"
+		pattern = "BEB011????AD50FF7634EB7C4801????0B014C6F61644C6962726172794100001810000010000000????????0000????001000000002000004000000000039"
+	strings:
+		$1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 ?? ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule upack_039 {
 	meta:
 		tool = "P"
@@ -16780,7 +16753,10 @@ rule vmprotect_2x_xx {
 	strings:
 		$1 = { 50 F0 1F FD FD 8? ?7 92 6? ?? B4 ?? C2 ?? ?0 7? 4? ?? ?? C? C? ?F ?D 2? 6? ?1 9C BF 0? 99 12 ?7 17 ?? 36 35 CA 8A ?7 ?0 ?? ?F ?C ?D 7D 7? ?9 E5 ?1 ?8 4E 4? ?? 24 ?? D4 5? 5? C? 04 B9 E? D? 2? 15 ?8 9? ?6 ?7 84 ?? ?? ?D 9? ?1 ?1 ?E ?? 03 ?? ?? ?4 46 ?6 ?? ?3 EC 94 1E ?6 A? ?4 ?5 ?? ?? ?? ?? 8? C? ?8 ?? ?2 ?? ?0 C8 EB ?C 1? D? }
 	condition:
-		@1 < pe.overlay.offset
+		for any i in (0 .. pe.number_of_sections - 1): (
+			pe.sections[i].characteristics & pe.SECTION_CNT_CODE and
+			$1 in (pe.sections[i].raw_data_offset .. pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)
+		)
 }
 
 rule vob_protectcd_uv {
@@ -17722,18 +17698,6 @@ rule winkript_10 {
 		$1 at pe.entry_point
 }
 
-rule winupack_039f {
-	meta:
-		tool = "P"
-		name = "WinUpack"
-		version = "0.39f"
-		pattern = "BEB011????AD50FF7634EB7C4801????0B014C6F61644C6962726172794100001810000010000000????????0000????001000000002000004000000000039"
-	strings:
-		$1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 ?? ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule wwpack32_1x {
 	meta:
 		tool = "P"