Read MS-DOS stub data directly; use with CExe

Matt Nadareski
2021-09-11 21:54:38 -07:00
parent 7b71d7b4bf
commit 44c44be412
3 changed files with 36 additions and 32 deletions


@@ -124,6 +124,11 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
#endregion
/// <summary>
/// All data after the last item in the header but before the new EXE header address
/// </summary>
public byte[] ExecutableData;
public static MSDOSExecutableHeader Deserialize(Stream stream, bool asStub = true)
{
MSDOSExecutableHeader idh = new MSDOSExecutableHeader();
@@ -152,6 +157,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved1[i] = stream.ReadUInt16();
}
idh.OEMIdentifier = stream.ReadUInt16();
idh.OEMInformation = stream.ReadUInt16();
idh.Reserved2 = new ushort[Constants.ERES2WDS];
@@ -159,7 +165,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved2[i] = stream.ReadUInt16();
}
idh.NewExeHeaderAddr = stream.ReadInt32();
idh.ExecutableData = stream.ReadBytes(idh.NewExeHeaderAddr - (int)stream.Position);
return idh;
}
@@ -192,6 +200,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved1[i] = content.ReadUInt16(ref offset);
}
idh.OEMIdentifier = content.ReadUInt16(ref offset);
idh.OEMInformation = content.ReadUInt16(ref offset);
idh.Reserved2 = new ushort[Constants.ERES2WDS];
@@ -199,7 +208,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Headers
{
idh.Reserved2[i] = content.ReadUInt16(ref offset);
}
idh.NewExeHeaderAddr = content.ReadInt32(ref offset);
idh.ExecutableData = content.ReadBytes(ref offset, idh.NewExeHeaderAddr - offset);
return idh;
}
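Review bot: The length passed to `ReadBytes` at the end of the stream overload of `Deserialize` is `idh.NewExeHeaderAddr - (int)stream.Position`, and `NewExeHeaderAddr` is read straight from the file being scanned, so a malformed or plain MS-DOS executable can make it negative or far larger than the data that remains. How `ReadBytes` handles such a count is not visible here, so validate it first: `int stubLength = idh.NewExeHeaderAddr - (int)stream.Position;` then `idh.ExecutableData = (stubLength > 0 && stubLength <= stream.Length - stream.Position) ? stream.ReadBytes(stubLength) : new byte[0];`. The byte-array overload has the same gap at `content.ReadBytes(ref offset, idh.NewExeHeaderAddr - offset)` and needs the equivalent check against `content.Length - offset`. Both subtractions also appear to assume the header starts at position 0 of the stream or buffer, which is worth confirming against the callers. Both method bodies begin outside the hunks shown.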


@@ -92,28 +92,28 @@ namespace BurnOutSharp.ExecutableType.Microsoft
// - .tls *1 protection Thread-local storage (object only)
//
// Here is a list of non-standard sections whose contents are read by various protections:
// X - CODE *1 protection WTM CD Protect
// X - CODE 2 protections SafeDisc, WTM CD Protect
// X - .grand *1 protection CD-Cops / DVD-Cops
// X - .init *1 protection SolidShield
// - .NOS0 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .NOS1 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .pec2 *1 protection PE Compact [Unconfirmed]
// X - .txt2 *1 protection SafeDisc
// - .UPX0 *1 protection UPX [Used as endpoint]
// - .UPX1 *1 protection UPX [Used as endpoint]
//
// Here is a list of non-standard sections whose existence are checked by various protections:
// Here is a list of non-standard sections whose data is not read by various protections:
// - .brick 1 protection StarForce
// - .cenega 1 protection Cenega ProtectDVD
// - .icd* 1 protection CodeLock
// - .ldr 1 protection 3PLock
// - .ldt 1 protection 3PLock
// - .nicode 1 protection Armadillo
// - .NOS0 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .NOS1 *1 protection UPX (NOS Variant) [Used as endpoint]
// - .pec1 1 protection PE Compact
// - .securom 1 protection SecuROM
// - .sforce 1 protection StarForce
// - stxt371 1 protection SafeDisc
// - stxt774 1 protection SafeDisc
// - .UPX0 *1 protection UPX [Used as endpoint]
// - .UPX1 *1 protection UPX [Used as endpoint]
// - .vob.pcd 1 protection VOB ProtectCD
// - _winzip_ 1 protection WinZip SFX
//


@@ -1,7 +1,6 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using BurnOutSharp.ExecutableType.Microsoft;
using BurnOutSharp.Matching;
@@ -14,37 +13,31 @@ namespace BurnOutSharp.PackerType
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
private List<ContentMatchSet> GetContentMatchSets()
{
// TODO: Obtain a sample to find where this string is in a typical executable
return new List<ContentMatchSet>
{
// %Wo<57>a6.<2E>a6.<2E>a6.<2E>a6.<2E>{6.<2E>.).<2E>f6.<2E><>).<2E>`6.<2E><>0.<2E>`6.<2E>
new ContentMatchSet(
new ContentMatch(new byte?[]
{
0x25, 0x57, 0x6F, 0xC1, 0x61, 0x36, 0x01, 0x92,
0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92,
0x61, 0x36, 0x00, 0x92, 0x7B, 0x36, 0x01, 0x92,
0x03, 0x29, 0x12, 0x92, 0x66, 0x36, 0x01, 0x92,
0x89, 0x29, 0x0A, 0x92, 0x60, 0x36, 0x01, 0x92,
0xD9, 0x30, 0x07, 0x92, 0x60, 0x36, 0x01, 0x92
}, end: 200), "CExe"),
};
}
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
var stub = pex?.DOSStubHeader;
if (stub == null)
return null;
var contentMatchSets = GetContentMatchSets();
if (contentMatchSets != null && contentMatchSets.Any())
return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
var matchers = new List<ContentMatchSet>
{
// %Wo<57>a6.<2E>a6.<2E>a6.<2E>a6.<2E>{6.<2E>.).<2E>f6.<2E><>).<2E>`6.<2E><>0.<2E>`6.<2E>
new ContentMatchSet(new byte?[]
{
0x25, 0x57, 0x6F, 0xC1, 0x61, 0x36, 0x01, 0x92,
0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92,
0x61, 0x36, 0x00, 0x92, 0x7B, 0x36, 0x01, 0x92,
0x03, 0x29, 0x12, 0x92, 0x66, 0x36, 0x01, 0x92,
0x89, 0x29, 0x0A, 0x92, 0x60, 0x36, 0x01, 0x92,
0xD9, 0x30, 0x07, 0x92, 0x60, 0x36, 0x01, 0x92
}, "CExe")
};
string match = MatchUtil.GetFirstMatch(file, pex.DOSStubHeader.ExecutableData, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
return null;
}
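Review bot: `CheckContents` null-checks the local `stub` but then re-reads `pex.DOSStubHeader.ExecutableData` and passes it to `MatchUtil.GetFirstMatch` without confirming the array is non-null and non-empty, although its length derives from a file-controlled header field. I would guard with `if (stub?.ExecutableData == null || stub.ExecutableData.Length == 0) return null;` and pass `stub.ExecutableData` to the matcher. The comment `// Get the sections from the executable, if possible` appears to have been kept and no longer describes the code beneath it. The pattern bytes decode as an XOR-masked Rich header (`25 57 6F C1` is "DanS" XOR `61 36 01 92`), so the mis-encoded comment above the array could become `// Rich header of the CExe stub ("DanS" XOR-masked with key bytes 61 36 01 92)`. That would also tell readers the signature is tied to one specific stub build.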