Improve SolidShield detection

- Add new SolidShield executable and file checks.
- Fix false positives in file name checks due to not using a directory separator in the check.
- Add a few notes and reorganize slightly.
Matt Nadareski
2022-12-02 15:02:45 -08:00
parent a915980187
commit 64334d72ea


@@ -1,6 +1,7 @@
using System; using System;
using System.Collections.Concurrent; using System.Collections.Concurrent;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO;
using System.Linq; using System.Linq;
using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Interfaces; using BurnOutSharp.Interfaces;
@@ -16,6 +17,8 @@ namespace BurnOutSharp.ProtectionType
/// <inheritdoc/> /// <inheritdoc/>
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug) public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
{ {
// TODO: Investigate ".pseudo" section found in "tvdm.dll" in Redump entry 68166.
// Get the sections from the executable, if possible // Get the sections from the executable, if possible
var sections = pex?.SectionTable; var sections = pex?.SectionTable;
if (sections == null) if (sections == null)
@@ -24,19 +27,31 @@ namespace BurnOutSharp.ProtectionType
string name = pex.FileDescription; string name = pex.FileDescription;
if (name?.StartsWith("DVM Library", StringComparison.OrdinalIgnoreCase) == true) if (name?.StartsWith("DVM Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield {Utilities.GetInternalVersion(pex)}"; return $"SolidShield {Utilities.GetInternalVersion(pex)}";
else if (name?.StartsWith("Solidshield Activation Library", StringComparison.OrdinalIgnoreCase) == true) else if (name?.StartsWith("Solidshield Activation Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}"; return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}";
else if (name?.StartsWith("Activation Manager", StringComparison.OrdinalIgnoreCase) == true) else if (name?.StartsWith("Activation Manager", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield Activation Manager Module {GetInternalVersion(pex)}"; return $"SolidShield Activation Manager Module {GetInternalVersion(pex)}";
// Found in "tvdm.dll" in Redump entry 68166.
else if (name?.StartsWith("Solidshield Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield {GetInternalVersion(pex)}";
name = pex.ProductName; name = pex.ProductName;
if (name?.StartsWith("Solidshield Activation Library", StringComparison.OrdinalIgnoreCase) == true) if (name?.StartsWith("Solidshield Activation Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}"; return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}";
else if (name?.StartsWith("Solidshield Library", StringComparison.OrdinalIgnoreCase) == true) else if (name?.StartsWith("Solidshield Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}"; return $"SolidShield Core.dll {Utilities.GetInternalVersion(pex)}";
else if (name?.StartsWith("Activation Manager", StringComparison.OrdinalIgnoreCase) == true) else if (name?.StartsWith("Activation Manager", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield Activation Manager Module {GetInternalVersion(pex)}"; return $"SolidShield Activation Manager Module {GetInternalVersion(pex)}";
// Found in "tvdm.dll" in Redump entry 68166.
else if (name?.StartsWith("Solidshield Library", StringComparison.OrdinalIgnoreCase) == true)
return $"SolidShield {GetInternalVersion(pex)}";
// Get the .init section, if it exists // Get the .init section, if it exists
var initSectionRaw = pex.ReadRawSection(".init", first: true); var initSectionRaw = pex.ReadRawSection(".init", first: true);
if (initSectionRaw != null) if (initSectionRaw != null)
@@ -94,8 +109,13 @@ namespace BurnOutSharp.ProtectionType
{ {
var matchers = new List<PathMatchSet> var matchers = new List<PathMatchSet>
{ {
new PathMatchSet(new PathMatch("dvm.dll", useEndsWith: true), "SolidShield"), // Found in Redump entry 68166.
new PathMatchSet(new PathMatch("hc.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}tdvm.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}tdvm.vds", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("vfs20.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}dvm.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}hc.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("solidshield-cd.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch("solidshield-cd.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("c11prot.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch("c11prot.dll", useEndsWith: true), "SolidShield"),
}; };
@@ -109,8 +129,8 @@ namespace BurnOutSharp.ProtectionType
{ {
var matchers = new List<PathMatchSet> var matchers = new List<PathMatchSet>
{ {
new PathMatchSet(new PathMatch("dvm.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}dvm.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("hc.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch($"{Path.DirectorySeparatorChar}hc.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("solidshield-cd.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch("solidshield-cd.dll", useEndsWith: true), "SolidShield"),
new PathMatchSet(new PathMatch("c11prot.dll", useEndsWith: true), "SolidShield"), new PathMatchSet(new PathMatch("c11prot.dll", useEndsWith: true), "SolidShield"),
}; };
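Review bot: The `Solidshield Library` branch added at the end of the ProductName chain (hunk `@@ -24,19 +27,31 @@`) can never run, because the existing `else if (name?.StartsWith("Solidshield Library", ...))` two branches above it already returns `SolidShield Core.dll ...` for the same prefix. Either drop the new branch or, if the sample from Redump entry 68166 should report plain `SolidShield`, change the earlier branch's label and say in the comment which result is intended. The comments in this section also spell the file `tvdm.dll`, while the new path matchers use `tdvm.dll` and `tdvm.vds`; one spelling is presumably a typo, and if it is the matcher, the file-name check silently misses the file. The new `tdvm.dll`, `tdvm.vds` and `vfs20.dll` entries appear only in the first matcher list and not in the second, which looks like the directory and single-file checks drifting apart. The enclosing methods start and end outside the visible hunks.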