Add YARA rules for PEPack and SoftwareCompress packers

DosX-dev · DosX-dev · commit 5077e432c13f · 2025-09-22T00:35:19.000+03:00
Introduced two new rules: Packer__PEPack and Packer__SoftwareCompress. These rules detect PE files packed with PEPack and SoftwareCompress by checking for specific section names in the PE headers.
diff --git a/yara_rules/DiE_InterestingThings_by_DosX.yar b/yara_rules/DiE_InterestingThings_by_DosX.yar
@@ -103,6 +103,26 @@ rule Packer__XPack {
         pe.sections[0].name == ".XPack0"
 }
 
+rule Packer__PEPack {
+    condition:
+        IsPE and
+        IsNative and (
+            for any i in (0..pe.number_of_sections - 1) : (
+                pe.sections[i].name == "PEPACK!!"
+            )
+        )
+}
+
+rule Packer__SoftwareCompress {
+    condition:
+        IsPE and
+        IsNative and (
+            for any i in (0..pe.number_of_sections - 1) : (
+                pe.sections[i].name == "SoftComp"
+            )
+        )
+}
+
 rule Protection__obfus_h {
     condition:
         IsPE and
