Add NeoLite detection (#245)

* Add NeoLite detection. * Update README.
2026-04-29 01:50:24 +00:00 · 2023-03-22 12:26:25 -06:00
parent 5082c8f705
commit 5465c57d96
2 changed files with 59 additions and 0 deletions
--- a/BinaryObjectScanner.Packer/NeoLite.cs
+++ b/BinaryObjectScanner.Packer/NeoLite.cs
@@ -0,0 +1,58 @@
+using System.IO;
+using BinaryObjectScanner.Interfaces;
+using BinaryObjectScanner.Wrappers;
+
+namespace BinaryObjectScanner.Packer
+{
+    /// <summary>
+    /// NeoLite (https://web.archive.org/web/20000815214147/http://www.neoworx.com/products/neolite/default.asp) was a packer created by NeoWorx.
+    /// The most common version appears to be 2.0, with earlier versions existing but with no archived copies available.
+    /// NeoWorx was acquired by McAfee in October 2001, who seemingly dropped support for NeoLite (https://web.archive.org/web/20020603224725/http://www.mcafee.com/myapps/neoworx/default.asp).
+    /// 
+    /// Additional references and documentation:
+    /// NeoLite 2.0 evaluation installer: https://web.archive.org/web/20001012061916/http://www.neoworx.com/download/neolte20.exe
+    /// PEiD scanning definitions that include NeoLite: https://raw.githubusercontent.com/wolfram77web/app-peid/master/userdb.txt
+    /// Website listing various packers, including NeoLite: http://protools.narod.ru/packers.htm
+    /// </summary>
+    public class NeoLite : IExtractable, IPortableExecutableCheck
+    {
+        // TODO: Find samples of NeoLite 1.X.
+        /// <inheritdoc/>
+        public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+        {
+            // Get the sections from the executable, if possible
+            var sections = pex?.SectionTable;
+            if (sections == null)
+                return null;
+
+            // Get the .neolit section, if it exists.
+            // TODO: Check if this section is also present in NeoLite 1.X.
+            bool neolitSection = pex.ContainsSection(".neolit", exact: true);
+            if (neolitSection)
+                return "NeoLite";
+
+            // If more specific or additional checks are needed, "NeoLite Executable File Compressor" should be present
+
+            return null;
+        }
+
+        /// <inheritdoc/>
+        public string Extract(string file, bool includeDebug)
+        {
+            // TODO: Add extraction
+            if (!File.Exists(file))
+                return null;
+
+            using (var fs = File.Open(file, FileMode.Open, FileAccess.Read, FileShare.Read))
+            {
+                return Extract(fs, file, includeDebug);
+            }
+        }
+
+        /// <inheritdoc/>
+        public string Extract(Stream stream, string file, bool includeDebug)
+        {
+            return null;
+        }
+    }
+}
--- a/README.md
+++ b/README.md
@@ -138,6 +138,7 @@ Below is a list of executable packers detected by BurnOutSharp. The three column
 | Installer VISE | Yes | No | No | |
 | Intel Installation Framework | Yes | No | No | |
 | Microsoft CAB SFX | Yes | No | No | |
+| NeoLite | Yes | No | No | Only confirmed to detect version 2.X |
 | NSIS | Yes | No | No | |
 | PECompact | Yes | No | No | |
 | PEtite | Yes | No | No | |