From 5465c57d965638ee182afa5d9eccda82e0398ed8 Mon Sep 17 00:00:00 2001
From: TheRogueArchivist
Date: Wed, 22 Mar 2023 12:26:25 -0600
Subject: [PATCH] Add NeoLite detection (#245)

* Add NeoLite detection.
* Update README.
---
 BinaryObjectScanner.Packer/NeoLite.cs | 58 +++++++++++++++++++++++++++
 README.md | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 BinaryObjectScanner.Packer/NeoLite.cs
diff --git a/BinaryObjectScanner.Packer/NeoLite.cs b/BinaryObjectScanner.Packer/NeoLite.cs
new file mode 100644
index 00000000..b9b6ceaa
--- /dev/null
+++ b/BinaryObjectScanner.Packer/NeoLite.cs
@@ -0,0 +1,58 @@
+using System.IO;
+using BinaryObjectScanner.Interfaces;
+using BinaryObjectScanner.Wrappers;
+
+namespace BinaryObjectScanner.Packer
+{
+ ///
+ /// NeoLite (https://web.archive.org/web/20000815214147/http://www.neoworx.com/products/neolite/default.asp) was a packer created by NeoWorx.
+ /// The most common version appears to be 2.0, with earlier versions existing but with no archived copies available.
+ /// NeoWorx was acquired by McAfee in October 2001, who seemingly dropped support for NeoLite (https://web.archive.org/web/20020603224725/http://www.mcafee.com/myapps/neoworx/default.asp).
+ ///
+ /// Additional references and documentation:
+ /// NeoLite 2.0 evaluation installer: https://web.archive.org/web/20001012061916/http://www.neoworx.com/download/neolte20.exe
+ /// PEiD scanning definitions that include NeoLite: https://raw.githubusercontent.com/wolfram77web/app-peid/master/userdb.txt
+ /// Website listing various packers, including NeoLite: http://protools.narod.ru/packers.htm
+ ///
+ public class NeoLite : IExtractable, IPortableExecutableCheck
+ {
+ // TODO: Find samples of NeoLite 1.X.
+ ///
+ public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+ {
+ // Get the sections from the executable, if possible
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the .neolit section, if it exists.
+ // TODO: Check if this section is also present in NeoLite 1.X.
+ bool neolitSection = pex.ContainsSection(".neolit", exact: true);
+ if (neolitSection)
+ return "NeoLite";
+
+ // If more specific or additional checks are needed, "NeoLite Executable File Compressor" should be present
+
+ return null;
+ }
+
+ ///
+ public string Extract(string file, bool includeDebug)
+ {
+ // TODO: Add extraction
+ if (!File.Exists(file))
+ return null;
+
+ using (var fs = File.Open(file, FileMode.Open, FileAccess.Read, FileShare.Read))
+ {
+ return Extract(fs, file, includeDebug);
+ }
+ }
+
+ ///
+ public string Extract(Stream stream, string file, bool includeDebug)
+ {
+ return null;
+ }
+ }
+}
diff --git a/README.md b/README.md
index 75f2bda4..3bf64fd9 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,7 @@ Below is a list of executable packers detected by BurnOutSharp. The three column
 | Installer VISE | Yes | No | No | |
 | Intel Installation Framework | Yes | No | No | |
 | Microsoft CAB SFX | Yes | No | No | |
+| NeoLite | Yes | No | No | Only confirmed to detect version 2.X |
 | NSIS | Yes | No | No | |
 | PECompact | Yes | No | No | |
 | PEtite | Yes | No | No | |
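Review bot: In `CheckPortableExecutable` the verdict rests only on a section named `.neolit`, and a section name is free-form header data that anyone rebuilding or editing the file can rename or forge, so the check can both miss a renamed NeoLite stub and label an unrelated file as NeoLite. The comment just below the match already names a second marker (the "NeoLite Executable File Compressor" string); requiring it as corroboration, or at least recording the limit with `// NOTE: a section name alone is weak evidence; it can be renamed or forged`, would tell consumers how much weight the result carries. Separately, `Extract(string, bool)` opens the file only to reach the stream overload, which returns null unconditionally, so the `// TODO: Add extraction` comment belongs on the stream overload, and the `File.Open` call (which can still throw after the `File.Exists` check passes) could be skipped until extraction exists.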