BurnOutSharp/ProtectionType/SafeLock.cs

using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using BurnOutSharp.ExecutableType.Microsoft;
using BurnOutSharp.Matching;

namespace BurnOutSharp.ProtectionType
{
    public class SafeLock : IContentCheck, IPathCheck
    {
        /// <inheritdoc/>
        private List<ContentMatchSet> GetContentMatchSets()
        {
            // TODO: Obtain a sample to find where this string is in a typical executable
            return new List<ContentMatchSet>
            {
                // SafeLock
                new ContentMatchSet(new byte?[] { 0x53, 0x61, 0x66, 0x65, 0x4C, 0x6F, 0x63, 0x6B }, "SafeLock"),
            };
        }

        /// <inheritdoc/>
        public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
        {
            var contentMatchSets = GetContentMatchSets();
            if (contentMatchSets != null && contentMatchSets.Any())
                return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);

            return null;
        }

        /// <inheritdoc/>
        public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
        {
            // TODO: Verify if these are OR or AND
            var matchers = new List<PathMatchSet>
            {
                new PathMatchSet(new PathMatch("SafeLock.dat", useEndsWith: true), "SafeLock"),
                new PathMatchSet(new PathMatch("SafeLock.001", useEndsWith: true), "SafeLock"),
                new PathMatchSet(new PathMatch("SafeLock.128", useEndsWith: true), "SafeLock"),
            };

            return MatchUtil.GetAllMatches(files, matchers, any: true);
        }

        /// <inheritdoc/>
        public string CheckFilePath(string path)
        {
            var matchers = new List<PathMatchSet>
            {
                new PathMatchSet(new PathMatch("SafeLock.dat", useEndsWith: true), "SafeLock"),
                new PathMatchSet(new PathMatch("SafeLock.001", useEndsWith: true), "SafeLock"),
                new PathMatchSet(new PathMatch("SafeLock.128", useEndsWith: true), "SafeLock"),
            };

            return MatchUtil.GetFirstMatch(path, matchers, any: true);
        }
    }
}
-												Concurrent protection scans per file (#52)

* Move to ConcurrentDictionary

* Convert to ConcurrentQueue
											
										
										
											2021-07-18 09:44:23 -07:00
+								using System.Collections.Concurrent;
 								using System.Collections.Generic;
-												Cleanup and bugfixes; additional notes

											
										
										
											2021-09-10 15:32:37 -07:00
+								using System.Linq;
-												Only deserialze a file once per round of checks

											
										
										
											2021-09-10 16:10:15 -07:00
+								using BurnOutSharp.ExecutableType.Microsoft;
-												Use content matching helper, part 4

											
										
										
											2021-03-21 22:19:38 -07:00
+								using BurnOutSharp.Matching;
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
 								namespace BurnOutSharp.ProtectionType
 								{
-												Add IContentCheck interface

											
										
										
											2021-02-26 01:26:49 -08:00
+								    public class SafeLock : IContentCheck, IPathCheck
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								    {
-												Add IContentCheck interface

											
										
										
											2021-02-26 01:26:49 -08:00
+								        /// <inheritdoc/>
-												Cleanup and bugfixes; additional notes

											
										
										
											2021-09-10 15:32:37 -07:00
+								        private List<ContentMatchSet> GetContentMatchSets()
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								        {
-												Add note to SafeLock

											
										
										
											2021-09-02 16:09:29 -07:00
+								            // TODO: Obtain a sample to find where this string is in a typical executable
-												ContentMatchSets are now expected in IContentCheck

											
										
										
											2021-08-25 19:37:32 -07:00
+								            return new List<ContentMatchSet>
-												Fix static matcher issues (fixes #51)

Note: This may result in slower, but more accurate, scans

											
										
										
											2021-07-17 23:40:16 -07:00
+								            {
 								                // SafeLock
 								                new ContentMatchSet(new byte?[] { 0x53, 0x61, 0x66, 0x65, 0x4C, 0x6F, 0x63, 0x6B }, "SafeLock"),
 								            };
-												ContentMatchSets are now expected in IContentCheck

											
										
										
											2021-08-25 19:37:32 -07:00
+								        }
-												Fix static matcher issues (fixes #51)

Note: This may result in slower, but more accurate, scans

											
										
										
											2021-07-17 23:40:16 -07:00
-												ContentMatchSets are now expected in IContentCheck

											
										
										
											2021-08-25 19:37:32 -07:00
+								        /// <inheritdoc/>
-												Only deserialze a file once per round of checks

											
										
										
											2021-09-10 16:10:15 -07:00
+								        public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
-												Cleanup and bugfixes; additional notes

											
										
										
											2021-09-10 15:32:37 -07:00
+								        {
 								            var contentMatchSets = GetContentMatchSets();
 								            if (contentMatchSets != null && contentMatchSets.Any())
 								                return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
 								            return null;
 								        }
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
-												Add IPathCheck interface

											
										
										
											2021-02-26 00:32:09 -08:00
+								        /// <inheritdoc/>
-												Concurrent protection scans per file (#52)

* Move to ConcurrentDictionary

* Convert to ConcurrentQueue
											
										
										
											2021-07-18 09:44:23 -07:00
+								        public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								        {
-												Split IPathCheck method

											
										
										
											2021-03-19 15:41:49 -07:00
+								            // TODO: Verify if these are OR or AND
-												Final batch of first pass for path check conversions

											
										
										
											2021-03-23 10:36:14 -07:00
+								            var matchers = new List<PathMatchSet>
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								            {
-												Final batch of first pass for path check conversions

											
										
										
											2021-03-23 10:36:14 -07:00
+								                new PathMatchSet(new PathMatch("SafeLock.dat", useEndsWith: true), "SafeLock"),
 								                new PathMatchSet(new PathMatch("SafeLock.001", useEndsWith: true), "SafeLock"),
 								                new PathMatchSet(new PathMatch("SafeLock.128", useEndsWith: true), "SafeLock"),
 								            };
-												Reduce boilerplate for directory checks

											
										
										
											2021-03-23 13:35:12 -07:00
+								            return MatchUtil.GetAllMatches(files, matchers, any: true);
-												Split IPathCheck method

											
										
										
											2021-03-19 15:41:49 -07:00
+								        }
 								        /// <inheritdoc/>
 								        public string CheckFilePath(string path)
 								        {
-												Final batch of first pass for path check conversions

											
										
										
											2021-03-23 10:36:14 -07:00
+								            var matchers = new List<PathMatchSet>
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								            {
-												Final batch of first pass for path check conversions

											
										
										
											2021-03-23 10:36:14 -07:00
+								                new PathMatchSet(new PathMatch("SafeLock.dat", useEndsWith: true), "SafeLock"),
 								                new PathMatchSet(new PathMatch("SafeLock.001", useEndsWith: true), "SafeLock"),
 								                new PathMatchSet(new PathMatch("SafeLock.128", useEndsWith: true), "SafeLock"),
 								            };
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
-												Final batch of first pass for path check conversions

											
										
										
											2021-03-23 10:36:14 -07:00
+								            return MatchUtil.GetFirstMatch(path, matchers, any: true);
-												Separate protections into their own classes

											
										
										
											2019-09-27 23:52:24 -07:00
+								        }
 								    }
 								}