From b2ed69ab7842c04e71417bedc4e359f701c879b3 Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Sun, 18 Dec 2022 14:18:35 -0800
Subject: [PATCH] Add 7-zip SFX detection
---
BurnOutSharp/PackerType/SevenZipSFX.cs | 67 ++++++++++++++++++++++++++
README.md | 1 +
2 files changed, 68 insertions(+)
create mode 100644 BurnOutSharp/PackerType/SevenZipSFX.cs
diff --git a/BurnOutSharp/PackerType/SevenZipSFX.cs b/BurnOutSharp/PackerType/SevenZipSFX.cs
new file mode 100644
index 00000000..81a9fa6b
--- /dev/null
+++ b/BurnOutSharp/PackerType/SevenZipSFX.cs
@@ -0,0 +1,67 @@
+using System.Collections.Concurrent;
+using System.IO;
+using System.Linq;
+using BurnOutSharp.Interfaces;
+using BurnOutSharp.Wrappers;
+
+namespace BurnOutSharp.PackerType
+{
+ // TODO: Add extraction
+ public class SevenZipSFX : IPortableExecutableCheck, IScannable
+ {
+ ///
+ public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+ {
+ // Get the sections from the executable, if possible
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the assembly description, if possible
+ if (pex.AssemblyDescription?.StartsWith("7-Zip Self-extracting Archive") == true)
+ return $"7-Zip SFX {pex.AssemblyDescription.Substring("7-Zip Self-extracting Archive ".Length)}";
+
+ // Get the file description, if it exists
+ if (pex.FileDescription?.Equals("7z SFX") == true)
+ return "7-Zip SFX";
+ if (pex.FileDescription?.Equals("7z Self-Extract Setup") == true)
+ return "7-Zip SFX";
+
+ // Get the original filename, if it exists
+ if (pex.OriginalFilename?.Equals("7z.sfx.exe") == true)
+ return "7-Zip SFX";
+ else if (pex.OriginalFilename?.Equals("7zS.sfx") == true)
+ return "7-Zip SFX";
+
+ // Get the internal name, if it exists
+ if (pex.InternalName?.Equals("7z.sfx") == true)
+ return "7-Zip SFX";
+ else if (pex.InternalName?.Equals("7zS.sfx") == true)
+ return "7-Zip SFX";
+
+ // If any dialog boxes match
+ if (pex.FindDialogByTitle("7-Zip self-extracting archive").Any())
+ return "7-Zip SFX";
+
+ return null;
+ }
+
+ ///
+ public ConcurrentDictionary> Scan(Scanner scanner, string file)
+ {
+ if (!File.Exists(file))
+ return null;
+
+ using (var fs = File.OpenRead(file))
+ {
+ return Scan(scanner, fs, file);
+ }
+ }
+
+ ///
+ public ConcurrentDictionary> Scan(Scanner scanner, Stream stream, string file)
+ {
+ return null;
+ }
+ }
+}
diff --git a/README.md b/README.md
index d01ae191..8c5389f5 100644
--- a/README.md
+++ b/README.md
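Review bot: The `Substring` offset in `CheckPortableExecutable` is one character longer than the prefix that `StartsWith` tests, because the check uses "7-Zip Self-extracting Archive" without a trailing space while the offset is the length of the same text with one. An assembly description that is exactly the prefix therefore makes `Substring` throw `ArgumentOutOfRangeException`, and that string is read from the file being scanned; whether the exception is caught depends on the caller, which is not in this hunk. Use one literal for both, for example `return $"7-Zip SFX {pex.AssemblyDescription.Substring("7-Zip Self-extracting Archive".Length).TrimStart()}";`. The single-argument `StartsWith` is also culture-sensitive; `StringComparison.Ordinal` suits a fixed marker but needs `using System;`, which this file does not import.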
@@ -132,6 +132,7 @@ Below is a list of executable packers detected by BurnOutSharp. The three column | Protection Name | Content Check | Path Check | Extractable | | --------------- | ------------- | ---------- | ----------- | +| 7-zip SFX | Yes | No | No | | Advanced Installer / Caphyon Advanced Installer | Yes | No | No | | Armadillo | Yes | No | No | | ASPack | Yes | No | No |