diff --git a/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDataEntry.cs b/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDataEntry.cs index d0700794..5c56fb92 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDataEntry.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDataEntry.cs @@ -74,7 +74,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Entries rde.Reserved = stream.ReadUInt32(); int realOffsetToData = (int)PortableExecutable.ConvertVirtualAddress(rde.OffsetToData, sections); - if (realOffsetToData > -1 && realOffsetToData < stream.Length) + if (realOffsetToData > -1 && realOffsetToData < stream.Length && (int)rde.Size > 0 && realOffsetToData + (int)rde.Size < stream.Length) { long lastPosition = stream.Position; stream.Seek(realOffsetToData, SeekOrigin.Begin); @@ -95,7 +95,7 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Entries rde.Reserved = BitConverter.ToUInt32(content, offset); offset += 4; int realOffsetToData = (int)PortableExecutable.ConvertVirtualAddress(rde.OffsetToData, sections); - if (realOffsetToData > -1 && realOffsetToData < content.Length) + if (realOffsetToData > -1 && realOffsetToData < content.Length && (int)rde.Size > 0 && realOffsetToData + (int)rde.Size < content.Length) rde.Data = new ArraySegment(content, realOffsetToData, (int)rde.Size).ToArray(); return rde; diff --git a/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDirectoryString.cs b/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDirectoryString.cs index 33e150d9..566df51a 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDirectoryString.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Entries/ResourceDirectoryString.cs @@ -27,6 +27,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Entries var rds = new ResourceDirectoryString(); rds.Length = stream.ReadUInt16(); + if (rds.Length + stream.Position > stream.Length) + return null; + rds.UnicodeString = new string(stream.ReadChars(rds.Length, Encoding.Unicode)); return rds; @@ -37,6 +40,9 @@ namespace BurnOutSharp.ExecutableType.Microsoft.Entries var rds = new ResourceDirectoryString(); rds.Length = BitConverter.ToUInt16(content, offset); offset += 2; + if (rds.Length + offset > content.Length) + return null; + rds.UnicodeString = Encoding.Unicode.GetString(content, offset, rds.Length); offset += rds.Length; return rds; diff --git a/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs b/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs index e01b07ac..317e763a 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/PortableExecutable.cs @@ -100,12 +100,12 @@ namespace BurnOutSharp.ExecutableType.Microsoft } /// - /// Get the section based on name, if possible + /// Get the first section based on name, if possible /// /// Name of the section to check for /// True to enable exact matching of names, false for starts-with /// Section data on success, null on error - public SectionHeader GetSection(string sectionName, bool exact = false) + public SectionHeader GetFirstSection(string sectionName, bool exact = false) { // If we have no sections, we can't do anything if (SectionTable == null || !SectionTable.Any()) @@ -120,6 +120,27 @@ namespace BurnOutSharp.ExecutableType.Microsoft return SectionTable.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).Trim('\0').StartsWith(sectionName)); } + /// + /// Get the last section based on name, if possible + /// + /// Name of the section to check for + /// True to enable exact matching of names, false for starts-with + /// Section data on success, null on error + public SectionHeader GetLastSection(string sectionName, bool exact = false) + { + // If we have no sections, we can't do anything + if (SectionTable == null || !SectionTable.Any()) + return null; + + // If we're checking exactly, return only exact matches (with nulls trimmed) + if (exact) + return SectionTable.LastOrDefault(s => Encoding.ASCII.GetString(s.Name).Trim('\0').Equals(sectionName)); + + // Otherwise, check if section name starts with the value + else + return SectionTable.LastOrDefault(s => Encoding.ASCII.GetString(s.Name).Trim('\0').StartsWith(sectionName)); + } + /// /// Get the list of section names /// @@ -210,11 +231,10 @@ namespace BurnOutSharp.ExecutableType.Microsoft // } // Resource Table - var table = pex.GetSection(".rsrc", true); + var table = pex.GetLastSection(".rsrc", true); if (table != null && table.VirtualSize > 0) { - int tableAddress = (int)ConvertVirtualAddress(table.VirtualAddress, pex.SectionTable); - stream.Seek(tableAddress, SeekOrigin.Begin); + int tableAddress = (int)table.PointerToRawData; pex.ResourceSection = ResourceSection.Deserialize(stream, pex.SectionTable); } } @@ -276,10 +296,10 @@ namespace BurnOutSharp.ExecutableType.Microsoft // } // Resource Table - var table = pex.GetSection(".rsrc", true); + var table = pex.GetLastSection(".rsrc", true); if (table != null && table.VirtualSize > 0) { - int tableAddress = (int)ConvertVirtualAddress(table.VirtualAddress, pex.SectionTable); + int tableAddress = (int)table.PointerToRawData; pex.ResourceSection = ResourceSection.Deserialize(content, ref tableAddress, pex.SectionTable); } } @@ -307,10 +327,14 @@ namespace BurnOutSharp.ExecutableType.Microsoft if (sections[i] == null) continue; + // If the section "starts" at 0, just skip it + if (sections[i].PointerToRawData == 0) + continue; + // Attempt to derive the physical address from the current section var section = sections[i]; if (virtualAddress >= section.VirtualAddress && virtualAddress <= section.VirtualAddress + section.VirtualSize) - return section.PointerToRawData + virtualAddress - section.VirtualAddress; + return section.PointerToRawData + virtualAddress - section.VirtualAddress; } return 0; diff --git a/BurnOutSharp/ExecutableType/Microsoft/Resources/StringFileInfo.cs b/BurnOutSharp/ExecutableType/Microsoft/Resources/StringFileInfo.cs index b0f35128..74fa3ce5 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Resources/StringFileInfo.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Resources/StringFileInfo.cs @@ -1,6 +1,4 @@ -using System; using System.IO; -using BurnOutSharp.Tools; namespace BurnOutSharp.ExecutableType.Microsoft.Resources { diff --git a/BurnOutSharp/ExecutableType/Microsoft/Resources/StringStruct.cs b/BurnOutSharp/ExecutableType/Microsoft/Resources/StringStruct.cs index 1f1d4033..80b4e357 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Resources/StringStruct.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Resources/StringStruct.cs @@ -1,4 +1,3 @@ -using System; using System.IO; using System.Text; using BurnOutSharp.Tools; diff --git a/BurnOutSharp/ExecutableType/Microsoft/Resources/Var.cs b/BurnOutSharp/ExecutableType/Microsoft/Resources/Var.cs index 51caea47..32c66195 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Resources/Var.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Resources/Var.cs @@ -1,6 +1,4 @@ -using System; using System.IO; -using BurnOutSharp.Tools; namespace BurnOutSharp.ExecutableType.Microsoft.Resources { diff --git a/BurnOutSharp/ExecutableType/Microsoft/Resources/VarFileInfo.cs b/BurnOutSharp/ExecutableType/Microsoft/Resources/VarFileInfo.cs index 0952cae3..4dd3efe1 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Resources/VarFileInfo.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Resources/VarFileInfo.cs @@ -1,6 +1,4 @@ -using System; using System.IO; -using BurnOutSharp.Tools; namespace BurnOutSharp.ExecutableType.Microsoft.Resources { diff --git a/BurnOutSharp/ExecutableType/Microsoft/Sections/ImportDataSection.cs b/BurnOutSharp/ExecutableType/Microsoft/Sections/ImportDataSection.cs index 0fc65024..3564631f 100644 --- a/BurnOutSharp/ExecutableType/Microsoft/Sections/ImportDataSection.cs +++ b/BurnOutSharp/ExecutableType/Microsoft/Sections/ImportDataSection.cs @@ -1,6 +1,5 @@ using System.Collections.Generic; using System.IO; -using System.Linq; using BurnOutSharp.ExecutableType.Microsoft.Tables; namespace BurnOutSharp.ExecutableType.Microsoft.Sections diff --git a/BurnOutSharp/FileType/Executable.cs b/BurnOutSharp/FileType/Executable.cs index cb28981f..0407351c 100644 --- a/BurnOutSharp/FileType/Executable.cs +++ b/BurnOutSharp/FileType/Executable.cs @@ -6,7 +6,6 @@ using System.Linq; using System.Reflection; using System.Text; using System.Threading.Tasks; -using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.FileType @@ -104,19 +103,6 @@ namespace BurnOutSharp.FileType if (ShouldAddProtection(contentCheckClass, scanner, protection)) Utilities.AppendToDictionary(protections, file, protection); - // If we didn't find anything in a custom check, use the content match sets - if (!foundProtection) - { - var contentMatchSets = contentCheckClass.GetContentMatchSets(); - if (contentMatchSets != null && contentMatchSets.Any()) - { - protection = MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, scanner.IncludeDebug); - foundProtection |= !string.IsNullOrWhiteSpace(protection); - if (ShouldAddProtection(contentCheckClass, scanner, protection)) - Utilities.AppendToDictionary(protections, file, protection); - } - } - // If we have an IScannable implementation if (contentCheckClass is IScannable scannable) { diff --git a/BurnOutSharp/IContentCheck.cs b/BurnOutSharp/IContentCheck.cs index d4c47de8..b7f680b2 100644 --- a/BurnOutSharp/IContentCheck.cs +++ b/BurnOutSharp/IContentCheck.cs @@ -1,7 +1,4 @@ -using System.Collections.Generic; -using BurnOutSharp.Matching; - -namespace BurnOutSharp +namespace BurnOutSharp { // TODO: This should either include an override that takes a Stream instead of the byte[] // OR have a completely separate check for when it's an executable specifically @@ -9,15 +6,8 @@ namespace BurnOutSharp // and DOS Executable, then add an override for `CheckContents` that takes an executable type // as one of the arguments. This will reduce the amount of times the same file will be parsed // into an in-memory header - // TODO: Once all checks are converted over to executable section based, remove the `GetContentMatchSets` from this internal interface IContentCheck { - /// - /// Get a list of content match sets that represent a protection - /// - /// List of content match sets, null if not applicable - List GetContentMatchSets(); - /// /// Check a path for protections based on file contents /// diff --git a/BurnOutSharp/PackerType/AdvancedInstaller.cs b/BurnOutSharp/PackerType/AdvancedInstaller.cs index c033c893..67e41a37 100644 --- a/BurnOutSharp/PackerType/AdvancedInstaller.cs +++ b/BurnOutSharp/PackerType/AdvancedInstaller.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.PackerType // TODO: Add extraction and verify that all versions are detected public class AdvancedInstaller : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/Armadillo.cs b/BurnOutSharp/PackerType/Armadillo.cs index e1334ecd..2e477179 100644 --- a/BurnOutSharp/PackerType/Armadillo.cs +++ b/BurnOutSharp/PackerType/Armadillo.cs @@ -10,7 +10,7 @@ namespace BurnOutSharp.PackerType public class Armadillo : IContentCheck { /// - public List GetContentMatchSets() => null; + private List GetContentMatchSets() => null; // { // // TODO: Remove this if the below section check is proven // return new List @@ -52,6 +52,10 @@ namespace BurnOutSharp.PackerType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } } diff --git a/BurnOutSharp/PackerType/CExe.cs b/BurnOutSharp/PackerType/CExe.cs index f70384d2..d9907425 100644 --- a/BurnOutSharp/PackerType/CExe.cs +++ b/BurnOutSharp/PackerType/CExe.cs @@ -1,6 +1,7 @@ using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType @@ -13,8 +14,9 @@ namespace BurnOutSharp.PackerType public bool ShouldScan(byte[] magic) => true; /// - public List GetContentMatchSets() + private List GetContentMatchSets() { + // TODO: Obtain a sample to find where this string is in a typical executable return new List { // %Wo�a6.�a6.�a6.�a6.�{6.�.).�f6.��).�`6.��0.�`6.� @@ -32,7 +34,14 @@ namespace BurnOutSharp.PackerType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentDictionary> Scan(Scanner scanner, string file) diff --git a/BurnOutSharp/PackerType/EXEStealth.cs b/BurnOutSharp/PackerType/EXEStealth.cs index 82f1a0a3..89a2c624 100644 --- a/BurnOutSharp/PackerType/EXEStealth.cs +++ b/BurnOutSharp/PackerType/EXEStealth.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType @@ -6,7 +7,7 @@ namespace BurnOutSharp.PackerType public class EXEStealth : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -24,6 +25,13 @@ namespace BurnOutSharp.PackerType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/PackerType/InnoSetup.cs b/BurnOutSharp/PackerType/InnoSetup.cs index 5892c1fd..180834f4 100644 --- a/BurnOutSharp/PackerType/InnoSetup.cs +++ b/BurnOutSharp/PackerType/InnoSetup.cs @@ -14,9 +14,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/InstallerVISE.cs b/BurnOutSharp/PackerType/InstallerVISE.cs index 52fb2ab9..d3a6bb8b 100644 --- a/BurnOutSharp/PackerType/InstallerVISE.cs +++ b/BurnOutSharp/PackerType/InstallerVISE.cs @@ -13,9 +13,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - //TODO: Add exact version detection for Windows builds, make sure versions before 3.X are detected as well, and detect the Mac builds. /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) diff --git a/BurnOutSharp/PackerType/IntelInstallationFramework.cs b/BurnOutSharp/PackerType/IntelInstallationFramework.cs index cbd65dc6..1ba701cc 100644 --- a/BurnOutSharp/PackerType/IntelInstallationFramework.cs +++ b/BurnOutSharp/PackerType/IntelInstallationFramework.cs @@ -1,9 +1,5 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType @@ -11,9 +7,6 @@ namespace BurnOutSharp.PackerType // TODO: Add extraction, seems to primarily use MSZip compression. public class IntelInstallationFramework : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs index 21b9b77d..0a1b7f74 100644 --- a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs +++ b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs @@ -16,9 +16,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/NSIS.cs b/BurnOutSharp/PackerType/NSIS.cs index 5e30fec7..f30aaf11 100644 --- a/BurnOutSharp/PackerType/NSIS.cs +++ b/BurnOutSharp/PackerType/NSIS.cs @@ -9,28 +9,16 @@ namespace BurnOutSharp.PackerType { public class NSIS : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { - // TODO: Implement resource finding instead of using the built in methods - // Assembly information lives in the .rsrc section - // I need to find out how to navigate the resources in general - // as well as figure out the specific resources for both - // file info and MUI (XML) info. Once I figure this out, - // that also opens the doors to easier assembly XML checks. - - // TODO: Use this instead of the seek inside of `.rsrc` when that's fixed - //string description = Utilities.GetManifestDescription(fileContent); - // Get the sections from the executable, if possible PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0); var sections = pex?.SectionTable; if (sections == null) return null; + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) diff --git a/BurnOutSharp/PackerType/PECompact.cs b/BurnOutSharp/PackerType/PECompact.cs index 70481d61..0e2130b1 100644 --- a/BurnOutSharp/PackerType/PECompact.cs +++ b/BurnOutSharp/PackerType/PECompact.cs @@ -1,9 +1,6 @@ -using System; -using System.Collections.Generic; -using System.Linq; +using System.Linq; using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType @@ -11,9 +8,6 @@ namespace BurnOutSharp.PackerType // TODO: Add extraction and better version detection public class PECompact : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/SetupFactory.cs b/BurnOutSharp/PackerType/SetupFactory.cs index 31b77cfc..63c72341 100644 --- a/BurnOutSharp/PackerType/SetupFactory.cs +++ b/BurnOutSharp/PackerType/SetupFactory.cs @@ -1,11 +1,7 @@ using System; using System.Collections.Concurrent; -using System.Collections.Generic; using System.IO; -using System.Linq; -using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType @@ -15,9 +11,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/UPX.cs b/BurnOutSharp/PackerType/UPX.cs index 4cecb972..70a0626c 100644 --- a/BurnOutSharp/PackerType/UPX.cs +++ b/BurnOutSharp/PackerType/UPX.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.PackerType { public class UPX : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/WinRARSFX.cs b/BurnOutSharp/PackerType/WinRARSFX.cs index 40fe524a..479dcde4 100644 --- a/BurnOutSharp/PackerType/WinRARSFX.cs +++ b/BurnOutSharp/PackerType/WinRARSFX.cs @@ -17,9 +17,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/WinZipSFX.cs b/BurnOutSharp/PackerType/WinZipSFX.cs index 4ffee884..9fd83e76 100644 --- a/BurnOutSharp/PackerType/WinZipSFX.cs +++ b/BurnOutSharp/PackerType/WinZipSFX.cs @@ -18,9 +18,6 @@ namespace BurnOutSharp.PackerType /// public bool ShouldScan(byte[] magic) => true; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/PackerType/WiseInstaller.cs b/BurnOutSharp/PackerType/WiseInstaller.cs index 1a60fdfc..241a88d0 100644 --- a/BurnOutSharp/PackerType/WiseInstaller.cs +++ b/BurnOutSharp/PackerType/WiseInstaller.cs @@ -17,7 +17,7 @@ namespace BurnOutSharp.PackerType public bool ShouldScan(byte[] magic) => true; /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Keep this around until it can be confirmed with NE checks as well // TODO: This _may_ actually over-match. See msvbvm50.exe for an example @@ -35,7 +35,13 @@ namespace BurnOutSharp.PackerType PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0); var sections = pex?.SectionTable; if (sections == null) + { + var neMatchSets = GetContentMatchSets(); + if (neMatchSets != null && neMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug); + return null; + } // Get the .data section, if it exists var dataSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".data")); @@ -75,6 +81,10 @@ namespace BurnOutSharp.PackerType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/PackerType/dotFuscator.cs b/BurnOutSharp/PackerType/dotFuscator.cs index ca4bc6a6..dad34f34 100644 --- a/BurnOutSharp/PackerType/dotFuscator.cs +++ b/BurnOutSharp/PackerType/dotFuscator.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType @@ -6,7 +7,7 @@ namespace BurnOutSharp.PackerType public class dotFuscator : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -22,6 +23,13 @@ namespace BurnOutSharp.PackerType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/ProtectionType/ActiveMARK.cs b/BurnOutSharp/ProtectionType/ActiveMARK.cs index 13fa6dfe..5a6a854f 100644 --- a/BurnOutSharp/ProtectionType/ActiveMARK.cs +++ b/BurnOutSharp/ProtectionType/ActiveMARK.cs @@ -10,7 +10,7 @@ namespace BurnOutSharp.ProtectionType public class ActiveMARK : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -53,6 +53,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } } diff --git a/BurnOutSharp/ProtectionType/AlphaROM.cs b/BurnOutSharp/ProtectionType/AlphaROM.cs index 11c212e9..727b7c1a 100644 --- a/BurnOutSharp/ProtectionType/AlphaROM.cs +++ b/BurnOutSharp/ProtectionType/AlphaROM.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -6,7 +7,7 @@ namespace BurnOutSharp.ProtectionType public class AlphaROM : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -17,6 +18,13 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/ProtectionType/Bitpool.cs b/BurnOutSharp/ProtectionType/Bitpool.cs index d9885dae..973d04f4 100644 --- a/BurnOutSharp/ProtectionType/Bitpool.cs +++ b/BurnOutSharp/ProtectionType/Bitpool.cs @@ -1,5 +1,6 @@ using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -29,7 +30,14 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) diff --git a/BurnOutSharp/ProtectionType/CDCheck.cs b/BurnOutSharp/ProtectionType/CDCheck.cs index d5ab10d4..e0a905c7 100644 --- a/BurnOutSharp/ProtectionType/CDCheck.cs +++ b/BurnOutSharp/ProtectionType/CDCheck.cs @@ -53,6 +53,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/ProtectionType/CDCops.cs b/BurnOutSharp/ProtectionType/CDCops.cs index 52c2f7f0..e160a73f 100644 --- a/BurnOutSharp/ProtectionType/CDCops.cs +++ b/BurnOutSharp/ProtectionType/CDCops.cs @@ -11,7 +11,7 @@ namespace BurnOutSharp.ProtectionType public class CDCops : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -59,6 +59,10 @@ namespace BurnOutSharp.ProtectionType // return "CD-Cops (Unknown Version)"; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/ProtectionType/CDKey.cs b/BurnOutSharp/ProtectionType/CDKey.cs index 5521b392..014f9400 100644 --- a/BurnOutSharp/ProtectionType/CDKey.cs +++ b/BurnOutSharp/ProtectionType/CDKey.cs @@ -1,18 +1,11 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.ProtectionType { public class CDKey : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/CDLock.cs b/BurnOutSharp/ProtectionType/CDLock.cs index 2004ca50..a999e464 100644 --- a/BurnOutSharp/ProtectionType/CDLock.cs +++ b/BurnOutSharp/ProtectionType/CDLock.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.ProtectionType { public class CDLock : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/CDSHiELDSE.cs b/BurnOutSharp/ProtectionType/CDSHiELDSE.cs index 0b742b28..1c087c8d 100644 --- a/BurnOutSharp/ProtectionType/CDSHiELDSE.cs +++ b/BurnOutSharp/ProtectionType/CDSHiELDSE.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -6,7 +7,7 @@ namespace BurnOutSharp.ProtectionType public class CDSHiELDSE : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -17,6 +18,13 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/ProtectionType/CactusDataShield.cs b/BurnOutSharp/ProtectionType/CactusDataShield.cs index 0494d7d4..fc0242be 100644 --- a/BurnOutSharp/ProtectionType/CactusDataShield.cs +++ b/BurnOutSharp/ProtectionType/CactusDataShield.cs @@ -12,7 +12,7 @@ namespace BurnOutSharp.ProtectionType public class CactusDataShield : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Both of these are found in Mac binaries return new List @@ -58,6 +58,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/ProtectionType/CenegaProtectDVD.cs b/BurnOutSharp/ProtectionType/CenegaProtectDVD.cs index 3df4d85d..8a7975d6 100644 --- a/BurnOutSharp/ProtectionType/CenegaProtectDVD.cs +++ b/BurnOutSharp/ProtectionType/CenegaProtectDVD.cs @@ -9,7 +9,7 @@ namespace BurnOutSharp.ProtectionType public class CengaProtectDVD : IContentCheck { /// - public List GetContentMatchSets() => null; + private List GetContentMatchSets() => null; // { // // TODO: Remove this if the below section check is proven // return new List @@ -33,6 +33,10 @@ namespace BurnOutSharp.ProtectionType if (cenegaSection != null) return "Cenega ProtectDVD"; + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } } diff --git a/BurnOutSharp/ProtectionType/CodeLock.cs b/BurnOutSharp/ProtectionType/CodeLock.cs index da17a1ba..3525fa97 100644 --- a/BurnOutSharp/ProtectionType/CodeLock.cs +++ b/BurnOutSharp/ProtectionType/CodeLock.cs @@ -9,7 +9,7 @@ namespace BurnOutSharp.ProtectionType public class CodeLock : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -30,13 +30,23 @@ namespace BurnOutSharp.ProtectionType PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0); var sections = pex?.SectionTable; if (sections == null) + { + var neMatchSets = GetContentMatchSets(); + if (neMatchSets != null && neMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug); + return null; + } // If there are more than 2 icd-prefixed sections, then we have a match int icdSectionCount = sections.Count(s => Encoding.ASCII.GetString(s.Name).StartsWith("icd")); if (icdSectionCount >= 2) return "CodeLock"; + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } } diff --git a/BurnOutSharp/ProtectionType/CopyKiller.cs b/BurnOutSharp/ProtectionType/CopyKiller.cs index 716e7cd4..ba8a82d3 100644 --- a/BurnOutSharp/ProtectionType/CopyKiller.cs +++ b/BurnOutSharp/ProtectionType/CopyKiller.cs @@ -1,5 +1,6 @@ using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -7,7 +8,7 @@ namespace BurnOutSharp.ProtectionType public class CopyKiller : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -22,7 +23,14 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) diff --git a/BurnOutSharp/ProtectionType/DVDCops.cs b/BurnOutSharp/ProtectionType/DVDCops.cs index 1354789a..2b19e736 100644 --- a/BurnOutSharp/ProtectionType/DVDCops.cs +++ b/BurnOutSharp/ProtectionType/DVDCops.cs @@ -8,7 +8,7 @@ namespace BurnOutSharp.ProtectionType public class DVDCops : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -24,7 +24,14 @@ namespace BurnOutSharp.ProtectionType /// TODO: Does this look for the `.grand` section like CD-Cops? /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } public static string GetVersion(string file, byte[] fileContent, List positions) { diff --git a/BurnOutSharp/ProtectionType/ElectronicArts.cs b/BurnOutSharp/ProtectionType/ElectronicArts.cs index 8a629227..32f3e5d3 100644 --- a/BurnOutSharp/ProtectionType/ElectronicArts.cs +++ b/BurnOutSharp/ProtectionType/ElectronicArts.cs @@ -15,7 +15,7 @@ namespace BurnOutSharp.ProtectionType // - Reference to `EASTL` and `EAStdC` are standard for EA products and does not indicate Cucko by itself // - There's little information outside of PiD detection that actually knows about Cucko /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -75,6 +75,7 @@ namespace BurnOutSharp.ProtectionType return match; } + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) @@ -147,6 +148,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } } diff --git a/BurnOutSharp/ProtectionType/GFWL.cs b/BurnOutSharp/ProtectionType/GFWL.cs index 9184a015..b4fffec6 100644 --- a/BurnOutSharp/ProtectionType/GFWL.cs +++ b/BurnOutSharp/ProtectionType/GFWL.cs @@ -11,9 +11,6 @@ namespace BurnOutSharp.ProtectionType { public class GFWL : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/ImpulseReactor.cs b/BurnOutSharp/ProtectionType/ImpulseReactor.cs index 01ca89a5..a34a8d0d 100644 --- a/BurnOutSharp/ProtectionType/ImpulseReactor.cs +++ b/BurnOutSharp/ProtectionType/ImpulseReactor.cs @@ -12,9 +12,6 @@ namespace BurnOutSharp.ProtectionType // This is intentional, as that protection is highly related to Impulse Reactor public class ImpulseReactor : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/Intenium.cs b/BurnOutSharp/ProtectionType/Intenium.cs index 915c8527..a484d684 100644 --- a/BurnOutSharp/ProtectionType/Intenium.cs +++ b/BurnOutSharp/ProtectionType/Intenium.cs @@ -24,9 +24,6 @@ namespace BurnOutSharp.ProtectionType * - NO NESTED PRMS SUPPORTED - 4E 4F 20 4E 45 53 54 45 44 20 50 52 4D 53 20 53 55 50 50 4F 52 54 45 44 */ - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { @@ -36,6 +33,7 @@ namespace BurnOutSharp.ProtectionType if (sections == null) return null; + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) diff --git a/BurnOutSharp/ProtectionType/JoWood.cs b/BurnOutSharp/ProtectionType/JoWood.cs index bc4368e8..b8d8d352 100644 --- a/BurnOutSharp/ProtectionType/JoWood.cs +++ b/BurnOutSharp/ProtectionType/JoWood.cs @@ -12,9 +12,6 @@ namespace BurnOutSharp.ProtectionType // that now outputs a version of v1.4+. public class JoWood : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/KeyLock.cs b/BurnOutSharp/ProtectionType/KeyLock.cs index 7d1af0c4..e28202a9 100644 --- a/BurnOutSharp/ProtectionType/KeyLock.cs +++ b/BurnOutSharp/ProtectionType/KeyLock.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -6,7 +7,7 @@ namespace BurnOutSharp.ProtectionType public class KeyLock : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -21,6 +22,13 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/ProtectionType/LaserLok.cs b/BurnOutSharp/ProtectionType/LaserLok.cs index 031005cc..5c3cff4d 100644 --- a/BurnOutSharp/ProtectionType/LaserLok.cs +++ b/BurnOutSharp/ProtectionType/LaserLok.cs @@ -13,9 +13,6 @@ namespace BurnOutSharp.ProtectionType { public class LaserLok : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/MediaMaxCD3.cs b/BurnOutSharp/ProtectionType/MediaMaxCD3.cs index 56aa7d3e..4c45ad77 100644 --- a/BurnOutSharp/ProtectionType/MediaMaxCD3.cs +++ b/BurnOutSharp/ProtectionType/MediaMaxCD3.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.ProtectionType { public class MediaMaxCD3 : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { @@ -44,6 +41,7 @@ namespace BurnOutSharp.ProtectionType return match; } + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) diff --git a/BurnOutSharp/ProtectionType/OnlineRegistration.cs b/BurnOutSharp/ProtectionType/OnlineRegistration.cs index ff02d945..e53e1067 100644 --- a/BurnOutSharp/ProtectionType/OnlineRegistration.cs +++ b/BurnOutSharp/ProtectionType/OnlineRegistration.cs @@ -1,18 +1,11 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.ProtectionType { public class OnlineRegistration : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/Origin.cs b/BurnOutSharp/ProtectionType/Origin.cs index fe3170ea..b3059232 100644 --- a/BurnOutSharp/ProtectionType/Origin.cs +++ b/BurnOutSharp/ProtectionType/Origin.cs @@ -1,5 +1,6 @@ using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -7,7 +8,7 @@ namespace BurnOutSharp.ProtectionType public class Origin : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -24,7 +25,14 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) diff --git a/BurnOutSharp/ProtectionType/PSXAntiModchip.cs b/BurnOutSharp/ProtectionType/PSXAntiModchip.cs index ad640d16..bbce7356 100644 --- a/BurnOutSharp/ProtectionType/PSXAntiModchip.cs +++ b/BurnOutSharp/ProtectionType/PSXAntiModchip.cs @@ -6,7 +6,7 @@ namespace BurnOutSharp.ProtectionType public class PSXAntiModchip : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Detect Red Hand protection return new List diff --git a/BurnOutSharp/ProtectionType/ProtectDisc.cs b/BurnOutSharp/ProtectionType/ProtectDisc.cs index e95c888a..29a50bac 100644 --- a/BurnOutSharp/ProtectionType/ProtectDisc.cs +++ b/BurnOutSharp/ProtectionType/ProtectDisc.cs @@ -10,9 +10,6 @@ namespace BurnOutSharp.ProtectionType // This protection was called VOB ProtectCD / ProtectDVD in versions prior to 6 public class ProtectDISC : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/RingPROTECH.cs b/BurnOutSharp/ProtectionType/RingPROTECH.cs index 778f0067..b429257b 100644 --- a/BurnOutSharp/ProtectionType/RingPROTECH.cs +++ b/BurnOutSharp/ProtectionType/RingPROTECH.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -6,7 +7,7 @@ namespace BurnOutSharp.ProtectionType public class RingPROTECH : IContentCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -21,6 +22,13 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } } } diff --git a/BurnOutSharp/ProtectionType/SVKP.cs b/BurnOutSharp/ProtectionType/SVKP.cs index b7e443b0..26585bc2 100644 --- a/BurnOutSharp/ProtectionType/SVKP.cs +++ b/BurnOutSharp/ProtectionType/SVKP.cs @@ -1,17 +1,10 @@ -using System.Collections.Generic; -using System.Linq; -using System.Text; -using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; +using BurnOutSharp.ExecutableType.Microsoft; namespace BurnOutSharp.ProtectionType { // TODO: Figure out how versions/version ranges work for this protection public class SVKProtector : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/SafeCast.cs b/BurnOutSharp/ProtectionType/SafeCast.cs index 0eade4fc..7b1feea7 100644 --- a/BurnOutSharp/ProtectionType/SafeCast.cs +++ b/BurnOutSharp/ProtectionType/SafeCast.cs @@ -1,6 +1,7 @@ using System; using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -10,7 +11,7 @@ namespace BurnOutSharp.ProtectionType public class SafeCast : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -38,7 +39,14 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) diff --git a/BurnOutSharp/ProtectionType/SafeDisc.cs b/BurnOutSharp/ProtectionType/SafeDisc.cs index 6a31390b..35aa10ee 100644 --- a/BurnOutSharp/ProtectionType/SafeDisc.cs +++ b/BurnOutSharp/ProtectionType/SafeDisc.cs @@ -39,9 +39,6 @@ namespace BurnOutSharp.ProtectionType new PathMatchSet(".SafeDiscDVD.bundle", "SafeDisc for Macintosh"), }; - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/SafeLock.cs b/BurnOutSharp/ProtectionType/SafeLock.cs index 2c2487a8..c29ef355 100644 --- a/BurnOutSharp/ProtectionType/SafeLock.cs +++ b/BurnOutSharp/ProtectionType/SafeLock.cs @@ -1,5 +1,6 @@ using System.Collections.Concurrent; using System.Collections.Generic; +using System.Linq; using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType @@ -7,7 +8,7 @@ namespace BurnOutSharp.ProtectionType public class SafeLock : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -18,7 +19,14 @@ namespace BurnOutSharp.ProtectionType } /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) => null; + public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) + { + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + + return null; + } /// public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable files) diff --git a/BurnOutSharp/ProtectionType/SecuROM.cs b/BurnOutSharp/ProtectionType/SecuROM.cs index 8395008c..e44a1cb5 100644 --- a/BurnOutSharp/ProtectionType/SecuROM.cs +++ b/BurnOutSharp/ProtectionType/SecuROM.cs @@ -13,9 +13,6 @@ namespace BurnOutSharp.ProtectionType // TODO: Does the ".shr" section in the code have anything to do with this? public class SecuROM : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/SmartE.cs b/BurnOutSharp/ProtectionType/SmartE.cs index b0c8c8c6..4191d605 100644 --- a/BurnOutSharp/ProtectionType/SmartE.cs +++ b/BurnOutSharp/ProtectionType/SmartE.cs @@ -11,9 +11,6 @@ namespace BurnOutSharp.ProtectionType { public class SmartE : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/SolidShield.cs b/BurnOutSharp/ProtectionType/SolidShield.cs index aecbbf8b..43a239bd 100644 --- a/BurnOutSharp/ProtectionType/SolidShield.cs +++ b/BurnOutSharp/ProtectionType/SolidShield.cs @@ -25,7 +25,7 @@ namespace BurnOutSharp.ProtectionType }; /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -92,6 +92,7 @@ namespace BurnOutSharp.ProtectionType return match; } + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) @@ -142,6 +143,10 @@ namespace BurnOutSharp.ProtectionType } } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/ProtectionType/StarForce.cs b/BurnOutSharp/ProtectionType/StarForce.cs index e3527562..2d56bd9e 100644 --- a/BurnOutSharp/ProtectionType/StarForce.cs +++ b/BurnOutSharp/ProtectionType/StarForce.cs @@ -1,5 +1,4 @@ -using System; -using System.Collections.Concurrent; +using System.Collections.Concurrent; using System.Collections.Generic; using System.Linq; using System.Text; @@ -11,9 +10,6 @@ namespace BurnOutSharp.ProtectionType { public class StarForce : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { @@ -32,6 +28,7 @@ namespace BurnOutSharp.ProtectionType if (!string.IsNullOrWhiteSpace(name) && name.Contains("Protected Module")) return $"StarForce 5"; + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) diff --git a/BurnOutSharp/ProtectionType/Sysiphus.cs b/BurnOutSharp/ProtectionType/Sysiphus.cs index bb9cb2f6..a6422311 100644 --- a/BurnOutSharp/ProtectionType/Sysiphus.cs +++ b/BurnOutSharp/ProtectionType/Sysiphus.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.ProtectionType { public class Sysiphus : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/Tages.cs b/BurnOutSharp/ProtectionType/Tages.cs index 12ed1c5d..c1100da6 100644 --- a/BurnOutSharp/ProtectionType/Tages.cs +++ b/BurnOutSharp/ProtectionType/Tages.cs @@ -13,7 +13,7 @@ namespace BurnOutSharp.ProtectionType public class TAGES : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -65,6 +65,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/ProtectionType/ThreePLock.cs b/BurnOutSharp/ProtectionType/ThreePLock.cs index 5572f760..05f29d3e 100644 --- a/BurnOutSharp/ProtectionType/ThreePLock.cs +++ b/BurnOutSharp/ProtectionType/ThreePLock.cs @@ -1,28 +1,11 @@ -using System.Collections.Generic; -using System.Linq; +using System.Linq; using System.Text; using BurnOutSharp.ExecutableType.Microsoft; -using BurnOutSharp.Matching; namespace BurnOutSharp.ProtectionType { public class ThreePLock : IContentCheck { - /// - public List GetContentMatchSets() => null; - // { - // return new List - // { - // //This produced false positives in some DirectX 9.0c installer files - // //"Y" + (char)0xC3 + "U" + (char)0x8B + (char)0xEC + (char)0x83 + (char)0xEC + "0SVW" - // new ContentMatchSet(new byte?[] - // { - // 0x59, 0xC3, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x30, - // 0x53, 0x56, 0x57 - // }, "3PLock"), - // }; - // } - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { @@ -32,6 +15,9 @@ namespace BurnOutSharp.ProtectionType if (sections == null) return null; + //This produced false positives in some DirectX 9.0c installer files + //"Y" + (char)0xC3 + "U" + (char)0x8B + (char)0xEC + (char)0x83 + (char)0xEC + "0SVW" + // Get the .ldr and .ldt sections, if they exist -- TODO: Confirm if both are needed or either/or is fine var cmsdSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".ldr")); var cmstSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".ldt")); diff --git a/BurnOutSharp/ProtectionType/ThreeTwoOneStudios.cs b/BurnOutSharp/ProtectionType/ThreeTwoOneStudios.cs index 4ddde647..7f5ba7ab 100644 --- a/BurnOutSharp/ProtectionType/ThreeTwoOneStudios.cs +++ b/BurnOutSharp/ProtectionType/ThreeTwoOneStudios.cs @@ -1,18 +1,13 @@ -using System; -using System.Collections.Generic; +using System.Collections.Generic; using System.Linq; using System.Text; using BurnOutSharp.ExecutableType.Microsoft; using BurnOutSharp.Matching; -using BurnOutSharp.Tools; namespace BurnOutSharp.ProtectionType { public class ThreeTwoOneStudios : IContentCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { @@ -21,7 +16,8 @@ namespace BurnOutSharp.ProtectionType var sections = pex?.SectionTable; if (sections == null) return null; - + + // TODO: Find this inside of the .rsrc section using the executable header // Get the .rsrc section, if it exists var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); if (rsrcSection != null) diff --git a/BurnOutSharp/ProtectionType/WTMCDProtect.cs b/BurnOutSharp/ProtectionType/WTMCDProtect.cs index 7024ee94..68ad0e42 100644 --- a/BurnOutSharp/ProtectionType/WTMCDProtect.cs +++ b/BurnOutSharp/ProtectionType/WTMCDProtect.cs @@ -9,9 +9,6 @@ namespace BurnOutSharp.ProtectionType { public class WTMCDProtect : IContentCheck, IPathCheck { - /// - public List GetContentMatchSets() => null; - /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { diff --git a/BurnOutSharp/ProtectionType/XCP.cs b/BurnOutSharp/ProtectionType/XCP.cs index f5dffa2a..33348685 100644 --- a/BurnOutSharp/ProtectionType/XCP.cs +++ b/BurnOutSharp/ProtectionType/XCP.cs @@ -14,7 +14,7 @@ namespace BurnOutSharp.ProtectionType public class XCP : IContentCheck, IPathCheck { /// - public List GetContentMatchSets() + private List GetContentMatchSets() { // TODO: Obtain a sample to find where this string is in a typical executable return new List @@ -73,6 +73,10 @@ namespace BurnOutSharp.ProtectionType return match; } + var contentMatchSets = GetContentMatchSets(); + if (contentMatchSets != null && contentMatchSets.Any()) + return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug); + return null; } diff --git a/BurnOutSharp/Tools/Utilities.cs b/BurnOutSharp/Tools/Utilities.cs index b96c4bbe..7ad6241e 100644 --- a/BurnOutSharp/Tools/Utilities.cs +++ b/BurnOutSharp/Tools/Utilities.cs @@ -181,7 +181,7 @@ namespace BurnOutSharp.Tools #endregion - #region Protection + #region Executable Information /// /// Get the company name as reported by the filesystem @@ -373,7 +373,7 @@ namespace BurnOutSharp.Tools /// String to use if checking for data starting with a string /// String to use if checking for data contains a string /// Full encoded resource data, null on error - private static ResourceDataEntry FindResourceInSection(ResourceSection rs, string dataStart = null, string dataContains = null) + public static ResourceDataEntry FindResourceInSection(ResourceSection rs, string dataStart = null, string dataContains = null) { if (rs == null) return null; @@ -435,7 +435,7 @@ namespace BurnOutSharp.Tools /// /// ResourceSection from the executable /// Full assembly manifest, null on error - private static string FindAssemblyManifest(ResourceSection rs) => FindResourceInSection(rs, dataStart: " FindResourceInSection(rs, dataStart: " /// Get the assembly identity node from an embedded manifest