BurnOutSharp/PackerType/NSIS.cs

using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces;
using BurnOutSharp.Matching;

namespace BurnOutSharp.PackerType
{
    // TODO: Add extraction
    public class NSIS : IPortableExecutableCheck, IScannable
    {
        /// <inheritdoc/>
        public bool ShouldScan(byte[] magic) => true;

        /// <inheritdoc/>
        public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
        {
            // Get the sections from the executable, if possible
            var sections = pex?.SectionTable;
            if (sections == null)
                return null;

            string description = pex.ManifestDescription;
            if (!string.IsNullOrWhiteSpace(description) && description.StartsWith("Nullsoft Install System"))
                return $"NSIS {description.Substring("Nullsoft Install System".Length).Trim()}";

            // Get the .data section, if it exists
            if (pex.DataSectionRaw != null)
            {
                var matchers = new List<ContentMatchSet>
                {
                    // NullsoftInst
                    new ContentMatchSet(new byte?[]
                    {
                        0x4E, 0x75, 0x6C, 0x6C, 0x73, 0x6F, 0x66, 0x74,
                        0x49, 0x6E, 0x73, 0x74
                    }, "NSIS"),
                };

                string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
                if (!string.IsNullOrWhiteSpace(match))
                    return match;
            }

            return null;
        }
        
        /// <inheritdoc/>
        public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, string file)
        {
            if (!File.Exists(file))
                return null;

            using (var fs = File.OpenRead(file))
            {
                return Scan(scanner, fs, file);
            }
        }

        /// <inheritdoc/>
        public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, Stream stream, string file)
        {
            return null;
        }
    }
}
Ensure packer consistency 2022-05-01 21:02:59 -07:00			`using System.Collections.Concurrent;`
Use content matching helper, part 2 2021-03-21 15:24:23 -07:00			`using System.Collections.Generic;`
Ensure packer consistency 2022-05-01 21:02:59 -07:00			`using System.IO;`
Granularly separate out executable types 2022-03-14 10:40:44 -07:00			`using BurnOutSharp.ExecutableType.Microsoft.PE;`
Move interfaces to own namespace 2022-05-01 17:41:50 -07:00			`using BurnOutSharp.Interfaces;`
Use content matching helper, part 2 2021-03-21 15:24:23 -07:00			`using BurnOutSharp.Matching;`
Add support for detecting NSIS (#14) 2020-10-30 09:56:34 -06:00
New namespace for packers 2020-10-30 09:09:16 -07:00			`namespace BurnOutSharp.PackerType`
Add support for detecting NSIS (#14) 2020-10-30 09:56:34 -06:00			`{`
Ensure packer consistency 2022-05-01 21:02:59 -07:00			`// TODO: Add extraction`
			`public class NSIS : IPortableExecutableCheck, IScannable`
Add support for detecting NSIS (#14) 2020-10-30 09:56:34 -06:00			`{`
Ensure packer consistency 2022-05-01 21:02:59 -07:00			`/// <inheritdoc/>`
			`public bool ShouldScan(byte[] magic) => true;`

ContentMatchSets are now expected in IContentCheck 2021-08-25 19:37:32 -07:00			`/// <inheritdoc/>`
Better naming 2022-05-01 17:17:15 -07:00			`public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)`
Clean up some usings, add note to NSIS 2021-08-27 13:30:24 -07:00			`{`
Improve NSIS matching 2021-08-30 11:40:14 -07:00			`// Get the sections from the executable, if possible`
			`var sections = pex?.SectionTable;`
			`if (sections == null)`
			`return null;`

Add resource finding on creation 2022-04-02 16:12:23 -07:00			`string description = pex.ManifestDescription;`
Identify and use .rsrc item for NSIS 2021-09-10 21:45:14 -07:00			`if (!string.IsNullOrWhiteSpace(description) && description.StartsWith("Nullsoft Install System"))`
			`return $"NSIS {description.Substring("Nullsoft Install System".Length).Trim()}";`
Improve NSIS matching 2021-08-30 11:40:14 -07:00
			`// Get the .data section, if it exists`
Pre-read 3 most commonly-used section data This also adds comprehensive notes around the sections used in various protections, how they're used, and what we can do with them. It also adds a couple of various notes based on the findings from the protection audit 2021-09-11 16:47:25 -07:00			`if (pex.DataSectionRaw != null)`
Improve NSIS matching 2021-08-30 11:40:14 -07:00			`{`
			`var matchers = new List<ContentMatchSet>`
			`{`
			`// NullsoftInst`
Pre-read 3 most commonly-used section data This also adds comprehensive notes around the sections used in various protections, how they're used, and what we can do with them. It also adds a couple of various notes based on the findings from the protection audit 2021-09-11 16:47:25 -07:00			`new ContentMatchSet(new byte?[]`
			`{`
			`0x4E, 0x75, 0x6C, 0x6C, 0x73, 0x6F, 0x66, 0x74,`
			`0x49, 0x6E, 0x73, 0x74`
			`}, "NSIS"),`
Improve NSIS matching 2021-08-30 11:40:14 -07:00			`};`

Pre-read 3 most commonly-used section data This also adds comprehensive notes around the sections used in various protections, how they're used, and what we can do with them. It also adds a couple of various notes based on the findings from the protection audit 2021-09-11 16:47:25 -07:00			`string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);`
Improve NSIS matching 2021-08-30 11:40:14 -07:00			`if (!string.IsNullOrWhiteSpace(match))`
			`return match;`
			`}`

Clean up some usings, add note to NSIS 2021-08-27 13:30:24 -07:00			`return null;`
			`}`
Ensure packer consistency 2022-05-01 21:02:59 -07:00
			`/// <inheritdoc/>`
			`public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, string file)`
			`{`
			`if (!File.Exists(file))`
			`return null;`

			`using (var fs = File.OpenRead(file))`
			`{`
			`return Scan(scanner, fs, file);`
			`}`
			`}`

			`/// <inheritdoc/>`
			`public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, Stream stream, string file)`
			`{`
			`return null;`
			`}`
Add support for detecting NSIS (#14) 2020-10-30 09:56:34 -06:00			`}`
			`}`