From 557114d92d6039fd2a85d8c6da67ffcf5585fb37 Mon Sep 17 00:00:00 2001 From: SilasLaspada Date: Sun, 21 Mar 2021 22:39:01 -0600 Subject: [PATCH] Add CExe detection (#30) * Add CExe detection * Optimize check --- BurnOutSharp/PackerType/CExe.cs | 44 +++++++++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 45 insertions(+) create mode 100644 BurnOutSharp/PackerType/CExe.cs diff --git a/BurnOutSharp/PackerType/CExe.cs b/BurnOutSharp/PackerType/CExe.cs new file mode 100644 index 00000000..8f4aa0da --- /dev/null +++ b/BurnOutSharp/PackerType/CExe.cs @@ -0,0 +1,44 @@ +using System.Collections.Generic; +using System.IO; + +namespace BurnOutSharp.PackerType +{ + // The official website for CExe also includes the source code (which does have to be retrieved by the Wayback Machine). http://www.scottlu.com/Content/CExe.html + public class CExe : IContentCheck, IScannable + { + /// + public bool ShouldScan(byte[] magic) => true; + + /// + public string CheckContents(string file, byte[] fileContent, bool includePosition = false) + { + // "%WoÁa6.’a6.’a6.’a6.’{6.’.).’f6.’‰).’`6.’Ù0.’`6.’" + byte?[] check = new byte?[] { 0x25, 0x57, 0x6F, 0xC1, 0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x01, 0x92, 0x61, 0x36, 0x00, 0x92, 0x7B, 0x36, 0x01, 0x92, 0x03, 0x29, 0x12, 0x92, 0x66, 0x36, 0x01, 0x92, 0x89, 0x29, 0x0A, 0x92, 0x60, 0x36, 0x01, 0x92, 0xD9, 0x30, 0x07, 0x92, 0x60, 0x36, 0x01, 0x92 }; + if (fileContent.FirstPosition(check, out int position, end: 200)) + { + return "CExe"; + } + + return null; + } + + /// + public Dictionary> Scan(Scanner scanner, string file) + { + if (!File.Exists(file)) + return null; + + using (var fs = File.OpenRead(file)) + { + return Scan(scanner, fs, file); + } + } + + /// + // TODO: Add extraction if viable + public Dictionary> Scan(Scanner scanner, Stream stream, string file) + { + return null; + } + } +} diff --git a/README.md b/README.md index b74b38c5..0b41ae76 100644 --- a/README.md +++ b/README.md @@ -89,6 +89,7 @@ Below is a list of the protections that can be detected using this code: Below is a list of the executable packers that can be detected using this code: - Armadillo +- CExe - dotFuscator - EXE Stealth - Inno Setup