Remove old Test executable; update docs

This commit is contained in:
Matt Nadareski
2024-11-04 14:58:21 -05:00
parent f7a4b6b43c
commit 57a5531fbd
13 changed files with 28 additions and 1018 deletions

View File

@@ -14,7 +14,8 @@ This is a guide for any developers who wish to research protections, implement n
| `BinaryObjectScanner.Interfaces` | Namespace containing interface definitions for scanning and detection. |
| `BinaryObjectScanner.Packer` | Namespace containing packer scanning definitions. |
| `BinaryObjectScanner.Protection` | Namespace containing protection scanning definitions. |
| `Test` | Testing executable that allows for standalone testing of the library. Includes the ability to scan files for protection as well as output executable information. |
| `ExtractionTool` | Testing executable that allows for standalone testing of extraction features of the library. |
| `ProtectionScan` | Testing executable that allows for standalone testing of protection detection features of the library. |
## Researching Protections
@@ -22,8 +23,8 @@ Researching copy protections and packers can be a massive undertaking. Some can
| Tool / Method | Description |
| --- | --- |
| `Test.exe --info [--json] <path>` | The `--info` option on the test executable is a really good way of getting started with investigation. The output of `--info` contains nearly all immediately parsable information from any executable that has a wrapper defined in `BinaryObjectScanner.Wrappers`. In general, the newer the executable format, the more information will be immediately available. For the most basic of protections and packers, this may be as far as you need to go for your research. Additionally, the `--json` flag allows for a formatted JSON output of the information for later parsing. This is only available in .NET 6+ builds. |
| `Test.exe [--debug] <path>` | Running `Test.exe` without any options runs the existing set of packer and protection checks. The output of this will be all detected packers and protections on the given file, with optional debug information where applicable. This is helpful in research because a protection you are investigating may be related to (or obscured by) another existing packer or protection. Having this information will make it easier to filter the results of `Test.exe --info <path>` as well. |
| `InfoPrint.exe [--json] <path>` | The `--info` option on the test executable is a really good way of getting started with investigation. The output of `InfoPrint` contains nearly all immediately parsable information from any executable that has a wrapper defined in `BinaryObjectScanner.Wrappers`. In general, the newer the executable format, the more information will be immediately available. For the most basic of protections and packers, this may be as far as you need to go for your research. Additionally, the `--json` flag allows for a formatted JSON output of the information for later parsing. This is only available in .NET 6+ builds. |
| `ProtectionScan.exe [--debug] <path>` | Running `ProtectionScan.exe` without any options runs the existing set of packer and protection checks. The output of this will be all detected packers and protections on the given file, with optional debug information where applicable. This is helpful in research because a protection you are investigating may be related to (or obscured by) another existing packer or protection. Having this information will make it easier to filter the results of `InfoPrint.exe <path>` as well. |
| **Add and debug** | This starts getting into more serious territory. Creating a skeleton for the packer or protection that you want to add and then messing around in code is a great way to start seeing what sort of stuff the library can see that's not normally output. See the table below for extension properties and methods that you may use in addition to the models defined in `BinaryObjectScanner.Models`. |
| **Hex Editor / External Programs** | As an advanced port of call, using a hex editor and external protection scanning programs (sometimes in conjunction) can help you get a better idea of the protection you're looking into. For example, **TheRogueArchivist** used that combination to narrow down the exact check for a very stubborn protection. |