From 475e0b9d916512aa70668d5bf4b93d79be55a2af Mon Sep 17 00:00:00 2001
From: SilasLaspada
Date: Sat, 5 Jun 2021 16:08:10 -0600
Subject: [PATCH] Add support for detecting Installer VISE (#38)
* Add support for detecting Installer VISE
* Add comment about extraction
---
BurnOutSharp/PackerType/InstallerVISE.cs | 51 ++++++++++++++++++++++++
README.md | 1 +
2 files changed, 52 insertions(+)
create mode 100644 BurnOutSharp/PackerType/InstallerVISE.cs
diff --git a/BurnOutSharp/PackerType/InstallerVISE.cs b/BurnOutSharp/PackerType/InstallerVISE.cs
new file mode 100644
index 00000000..ae940d4c
--- /dev/null
+++ b/BurnOutSharp/PackerType/InstallerVISE.cs
@@ -0,0 +1,51 @@
+using System.Collections.Generic;
+using System.IO;
+using BurnOutSharp.Matching;
+
+namespace BurnOutSharp.PackerType
+{
+ public class InstallerVISE : IContentCheck, IScannable
+ {
+ ///
+ /// Set of all ContentMatchSets for this protection
+ ///
+ private static readonly List contentMatchers = new List
+ {
+ //TODO: Add exact version detection for Windows builds, make sure versions before 3.X are detected as well, and detect the Mac builds.
+
+ // ViseMain
+ new ContentMatchSet(
+ new ContentMatch(new byte?[] { 0x56, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, start: 0xE0A4, end: 0xE0A5),
+ "Installer VISE"),
+ };
+
+ ///
+ public bool ShouldScan(byte[] magic) => true;
+
+ ///
+ public string CheckContents(string file, byte[] fileContent, bool includePosition = false)
+ {
+ return MatchUtil.GetFirstMatch(file, fileContent, contentMatchers, includePosition);
+ }
+
+ // TODO: Add Installer VISE extraction
+ // https://github.com/Bioruebe/UniExtract2
+ ///
+ public Dictionary> Scan(Scanner scanner, string file)
+ {
+ if (!File.Exists(file))
+ return null;
+
+ using (var fs = File.OpenRead(file))
+ {
+ return Scan(scanner, fs, file);
+ }
+ }
+
+ ///
+ public Dictionary> Scan(Scanner scanner, Stream stream, string file)
+ {
+ return null;
+ }
+ }
+}
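Review bot: `ShouldScan` returns true for every input while both `Scan` overloads end in `return null;`, so (assuming the scanner calls `Scan` whenever `ShouldScan` passes) each candidate file is opened with `File.OpenRead` and nothing comes of it. Until extraction is implemented I would write `public bool ShouldScan(byte[] magic) => false;`, which should leave detection intact if, as it appears, matching goes through `CheckContents`, and record that choice in the TODO above `Scan`. Separately, the `ViseMain` signature is pinned to one offset (`start: 0xE0A4, end: 0xE0A5`), which will probably miss builds where the string sits elsewhere; a comment such as `// Offset observed in <VERSION_PLACEHOLDER> Windows builds` next to the match would let later signatures be checked against the sample it came from.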
diff --git a/README.md b/README.md
index 19ffd96b..cc7de5f8 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,7 @@ Below is a list of the executable packers that can be detected using this code:
 - dotFuscator
 - EXE Stealth
 - Inno Setup
+- Installer VISE
 - NSIS
 - PECompact
 - Setup Factory