From cc3f6622b45833d711f2c003fcda6572fdaeb91b Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Mon, 30 Aug 2021 11:47:49 -0700
Subject: [PATCH] Improve IIF matching
---
 .../PackerType/IntelInstallationFramework.cs | 97 ++++++++++++-------
 1 file changed, 61 insertions(+), 36 deletions(-)
diff --git a/BurnOutSharp/PackerType/IntelInstallationFramework.cs b/BurnOutSharp/PackerType/IntelInstallationFramework.cs
index a234a6aa..7871619a 100644
--- a/BurnOutSharp/PackerType/IntelInstallationFramework.cs
+++ b/BurnOutSharp/PackerType/IntelInstallationFramework.cs
@@ -1,5 +1,8 @@
 using System;
 using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using BurnOutSharp.ExecutableType.Microsoft;
 using BurnOutSharp.Matching;
 using BurnOutSharp.Tools;
 
@@ -9,46 +12,11 @@ namespace BurnOutSharp.PackerType public class IntelInstallationFramework : IContentCheck { /// - public List GetContentMatchSets() - { - return new List - { - // I + (char)0x00 + n + (char)0x00 + t + (char)0x00 + e + (char)0x00 + l + (char)0x00 + ( + (char)0x00 + R + (char)0x00 + ) + (char)0x00 + + (char)0x00 + I + (char)0x00 + n + (char)0x00 + s + (char)0x00 + t + (char)0x00 + a + (char)0x00 + l + (char)0x00 + l + (char)0x00 + a + (char)0x00 + t + (char)0x00 + i + (char)0x00 + o + (char)0x00 + n + (char)0x00 + + (char)0x00 + F + (char)0x00 + r + (char)0x00 + a + (char)0x00 + m + (char)0x00 + e + (char)0x00 + w + (char)0x00 + o + (char)0x00 + r + (char)0x00 + k + (char)0x00 - new ContentMatchSet(new byte?[] - { - 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x65, 0x00, - 0x6C, 0x00, 0x28, 0x00, 0x52, 0x00, 0x29, 0x00, - 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x73, 0x00, - 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x6C, 0x00, - 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, - 0x6E, 0x00, 0x20, 0x00, 0x46, 0x00, 0x72, 0x00, - 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x77, 0x00, - 0x6F, 0x00, 0x72, 0x00, 0x6B, 0x00, - }, Utilities.GetFileVersion, "Intel Installation Framework"), - - // I + (char)0x00 + n + (char)0x00 + t + (char)0x00 + e + (char)0x00 + l + (char)0x00 + + (char)0x00 + I + (char)0x00 + n + (char)0x00 + s + (char)0x00 + t + (char)0x00 + a + (char)0x00 + l + (char)0x00 + l + (char)0x00 + a + (char)0x00 + t + (char)0x00 + i + (char)0x00 + o + (char)0x00 + n + (char)0x00 + + (char)0x00 + F + (char)0x00 + r + (char)0x00 + a + (char)0x00 + m + (char)0x00 + e + (char)0x00 + w + (char)0x00 + o + (char)0x00 + r + (char)0x00 + k + (char)0x00 - new ContentMatchSet(new byte?[] - { - 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x65, 0x00, - 0x6C, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, - 0x73, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, - 0x6C, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, - 0x6F, 0x00, 0x6E, 0x00, 0x20, 0x00, 0x46, 0x00, - 0x72, 0x00, 0x61, 0x00, 0x6D, 0x00, 
0x65, 0x00, - 0x77, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x6B, 0x00, - }, Utilities.GetFileVersion, "Intel Installation Framework"), - }; - } + public List GetContentMatchSets() => null; /// public string CheckContents(string file, byte[] fileContent, bool includeDebug = false) { - // Get the sections from the executable, if possible - // PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0); - // var sections = pex?.SectionTable; - // if (sections == null) - // return null; - // TODO: Implement resource finding instead of using the built in methods // Assembly information lives in the .rsrc section // I need to find out how to navigate the resources in general 
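Review bot: `GetContentMatchSets() => null` gives the next reader no hint that the signatures now live in `CheckContents`, and it returns null where the interface hands back a list, so any caller that enumerates the result without a null check would throw; the callers are not visible in this patch. A one-line comment above the member, such as `// Matching is section-scoped and done in CheckContents; no whole-file match sets`, would document the intent. Returning an empty list instead is the safer contract if callers do not already guard against null. `CheckContents` continues outside this hunk.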
@@ -74,6 +42,63 @@ namespace BurnOutSharp.PackerType return $"Intel Installation Framework {Utilities.GetFileVersion(file)}"; } + // Get the sections from the executable, if possible + PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0); + var sections = pex?.SectionTable; + if (sections == null) + return null; + + foreach (var section in sections) + { + string sectionName = Encoding.ASCII.GetString(section.Name).Trim('\0'); + int sectionAddr = (int)section.PointerToRawData; + int sectionEnd = sectionAddr + (int)section.VirtualSize; + System.Console.WriteLine($"{sectionName}: {sectionAddr} -> {sectionEnd}"); + } + + // Get the .rsrc section, if it exists + var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc")); + if (rsrcSection != null) + { + int sectionAddr = (int)rsrcSection.PointerToRawData; + int sectionEnd = sectionAddr + (int)rsrcSection.VirtualSize; + var matchers = new List + { + // I + (char)0x00 + n + (char)0x00 + t + (char)0x00 + e + (char)0x00 + l + (char)0x00 + ( + (char)0x00 + R + (char)0x00 + ) + (char)0x00 + + (char)0x00 + I + (char)0x00 + n + (char)0x00 + s + (char)0x00 + t + (char)0x00 + a + (char)0x00 + l + (char)0x00 + l + (char)0x00 + a + (char)0x00 + t + (char)0x00 + i + (char)0x00 + o + (char)0x00 + n + (char)0x00 + + (char)0x00 + F + (char)0x00 + r + (char)0x00 + a + (char)0x00 + m + (char)0x00 + e + (char)0x00 + w + (char)0x00 + o + (char)0x00 + r + (char)0x00 + k + (char)0x00 + new ContentMatchSet( + new ContentMatch(new byte?[] + { + 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x65, 0x00, + 0x6C, 0x00, 0x28, 0x00, 0x52, 0x00, 0x29, 0x00, + 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x73, 0x00, + 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x6C, 0x00, + 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, + 0x6E, 0x00, 0x20, 0x00, 0x46, 0x00, 0x72, 0x00, + 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x77, 0x00, + 0x6F, 0x00, 0x72, 0x00, 0x6B, 0x00, + }, start: sectionAddr, end: sectionEnd), + 
Utilities.GetFileVersion, "Intel Installation Framework"), + + // I + (char)0x00 + n + (char)0x00 + t + (char)0x00 + e + (char)0x00 + l + (char)0x00 + ( + (char)0x00 + R + (char)0x00 + ) + (char)0x00 + + (char)0x00 + I + (char)0x00 + n + (char)0x00 + s + (char)0x00 + t + (char)0x00 + a + (char)0x00 + l + (char)0x00 + l + (char)0x00 + a + (char)0x00 + t + (char)0x00 + i + (char)0x00 + o + (char)0x00 + n + (char)0x00 + + (char)0x00 + F + (char)0x00 + r + (char)0x00 + a + (char)0x00 + m + (char)0x00 + e + (char)0x00 + w + (char)0x00 + o + (char)0x00 + r + (char)0x00 + k + (char)0x00 + new ContentMatchSet( + new ContentMatch(new byte?[] + { + 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x65, 0x00, + 0x6C, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, + 0x73, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, + 0x6C, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, + 0x6F, 0x00, 0x6E, 0x00, 0x20, 0x00, 0x46, 0x00, + 0x72, 0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, + 0x77, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x6B, 0x00, + }, start: sectionAddr, end: sectionEnd), + Utilities.GetFileVersion, "Intel Installation Framework"), + }; + + string match = MatchUtil.GetFirstMatch(file, fileContent, matchers, includeDebug); + if (!string.IsNullOrWhiteSpace(match)) + return match; + } + return null; } }
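Review bot: `sectionAddr` and `sectionEnd` in the `.rsrc` branch are computed from `PointerToRawData` and `VirtualSize` read straight from the scanned file's section header, with `(int)` casts and no check against `fileContent.Length`, so a malformed or hostile executable can produce a negative or past-the-end range for the `ContentMatch` windows. `VirtualSize` is also the in-memory size, which can differ from the number of bytes actually stored on disk at that offset. I would compute the end in `long` and clamp it, e.g. `long rawEnd = (long)rsrcSection.PointerToRawData + rsrcSection.VirtualSize;` then `int sectionEnd = (int)Math.Min(rawEnd, fileContent.Length);`, and return null when the start offset is not inside the buffer; whether `ContentMatch` already tolerates an out-of-range `end` is not visible here. The `foreach` loop above it repeats the same casts only to feed `System.Console.WriteLine`, which looks like leftover debugging in library code and should be removed or gated on `includeDebug`. `CheckContents` starts outside this hunk.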