Do not generate tags for an unpacked section

[hasherezade]

Test case

• Banker Mekotio: full package: 1131624ba8d17448c628bc89a8e650c7, the malicious DLL: 106e9deece0f1298bb2559fe29f38ef7f2f67c7974478c845435b4d4ca4f7980

  How it is:

  Currently, any modifications in sections are treated as patches. Hovewer, sometimes the modified section is not patched, but fully unpacked from the memory. Example: Before: After: Currently, the content of such section is compared with an empty region. It generates a lot of noise, i.e.:

  How it should be

  Sections that are fully unpacked in the memory should not be treated the same as patched. No tags should be generated for them, and they should be marked as unpacked.

[hasherezade]

Result

The code scan for the above test case, after the introduced changes: The same code scan can show also patches (if other code sections were patched), i.e.: