Convert EXE Stealth to section based; add notes

2026-04-20 21:24:27 +00:00 · 2021-09-15 14:52:11 -07:00
parent a579bfea1f
commit a6e694fe5d
1 changed files with 40 additions and 17 deletions
--- a/BurnOutSharp/PackerType/EXEStealth.cs
+++ b/BurnOutSharp/PackerType/EXEStealth.cs
@@ -1,29 +1,52 @@
-using System.Collections.Generic;
-using BurnOutSharp.ExecutableType.Microsoft;
-using BurnOutSharp.Matching;
+using BurnOutSharp.ExecutableType.Microsoft;

 namespace BurnOutSharp.PackerType
 {
+    // TODO: Figure out how to more granularly determine versions like PiD,
+    // at least for the 2.41 -> 2.75 range
+    // TODO: Detect 3.15 and up (maybe looking for `Metamorphism`)
    public class EXEStealth : IContentCheck
    {
        /// <inheritdoc/>
        public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
        {
-            // TODO: Obtain a sample to find where this string is in a typical executable
-            var contentMatchSets = new List<ContentMatchSet>
-            {
-                // ??[[__[[_ + (char)0x00 + {{ + (char)0x0 + (char)0x00 + {{ + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x0 + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x00 + ?;??;??
-                new ContentMatchSet(new byte?[]
-                {
-                    0x3F, 0x3F, 0x5B, 0x5B, 0x5F, 0x5F, 0x5B, 0x5B,
-                    0x5F, 0x00, 0x7B, 0x7B, 0x00, 0x00, 0x7B, 0x7B,
-                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                    0x00, 0x20, 0x3F, 0x3B, 0x3F, 0x3F, 0x3B, 0x3F,
-                    0x3F
-                }, "EXE Stealth"),
-            };
+            // Get the sections from the executable, if possible
+            var sections = pex?.SectionTable;
+            if (sections == null)
+                return null;
+
+            // Get the ExeS/EXES section, if it exists
+            bool exesSection = pex.ContainsSection("ExeS", exact: true) || pex.ContainsSection("EXES", exact: true);
+            if (exesSection)
+                return "EXE Stealth 2.41-2.75";
+
+            // Get the mtw section, if it exists
+            bool mtwSection = pex.ContainsSection("mtw", exact: true);
+            if (mtwSection)
+                return "EXE Stealth 1.1";
+
+            // Get the rsrr section, if it exists
+            bool rsrrSection = pex.ContainsSection("rsrr", exact: true);
+            if (rsrrSection)
+                return "EXE Stealth 2.76";
+
+            return null;
+
+            // TODO: Could not be confirmed with any sample, so disabling for now
+            // var contentMatchSets = new List<ContentMatchSet>
+            // {
+            //     // ??[[__[[_ + (char)0x00 + {{ + (char)0x0 + (char)0x00 + {{ + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x0 + (char)0x00 + (char)0x00 + (char)0x00 + (char)0x00 + ?;??;??
+            //     new ContentMatchSet(new byte?[]
+            //     {
+            //         0x3F, 0x3F, 0x5B, 0x5B, 0x5F, 0x5F, 0x5B, 0x5B,
+            //         0x5F, 0x00, 0x7B, 0x7B, 0x00, 0x00, 0x7B, 0x7B,
+            //         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            //         0x00, 0x20, 0x3F, 0x3B, 0x3F, 0x3F, 0x3B, 0x3F,
+            //         0x3F
+            //     }, "EXE Stealth"),
+            // };
            
-            return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
+            // return MatchUtil.GetFirstMatch(file, fileContent, contentMatchSets, includeDebug);
        }
    }
 }