From f0b66d4bfb06d123743a689d79d8da360c1a0246 Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Mon, 30 Aug 2021 11:40:14 -0700
Subject: [PATCH] Improve NSIS matching
---
 BurnOutSharp/PackerType/NSIS.cs | 84 +++++++++++++++++++++++----------
 1 file changed, 58 insertions(+), 26 deletions(-)
diff --git a/BurnOutSharp/PackerType/NSIS.cs b/BurnOutSharp/PackerType/NSIS.cs
index 221a8b02..5e30fec7 100644
--- a/BurnOutSharp/PackerType/NSIS.cs
+++ b/BurnOutSharp/PackerType/NSIS.cs
@@ -2,6 +2,7 @@ using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text;
+using BurnOutSharp.ExecutableType.Microsoft;
 using BurnOutSharp.Matching;

 namespace BurnOutSharp.PackerType
@@ -9,36 +10,11 @@ namespace BurnOutSharp.PackerType
 public class NSIS : IContentCheck
 {
 ///
- public List GetContentMatchSets()
- {
- return new List
- {
- // Nullsoft Install System
- new ContentMatchSet(new byte?[]
- {
- 0x4e, 0x75, 0x6c, 0x6c, 0x73, 0x6f, 0x66, 0x74,
- 0x20, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c,
- 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d
- }, GetVersion, "NSIS"),
-
- // NullsoftInst
- new ContentMatchSet(new byte?[]
- {
- 0x4e, 0x75, 0x6c, 0x6c, 0x73, 0x6f, 0x66, 0x74,
- 0x49, 0x6e, 0x73, 0x74
- }, "NSIS"),
- };
- }
+ public List GetContentMatchSets() => null;

 ///
 public string CheckContents(string file, byte[] fileContent, bool includeDebug = false)
 {
- // Get the sections from the executable, if possible
- // PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0);
- // var sections = pex?.SectionTable;
- // if (sections == null)
- // return null;
-
 // TODO: Implement resource finding instead of using the built in methods
 // Assembly information lives in the .rsrc section
 // I need to find out how to navigate the resources in general
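Review bot: `GetContentMatchSets()` now returns `null` rather than an empty list, so any caller that enumerates the result without a null check will throw; the callers are not visible in this patch. Unless `null` is already the project's convention for "no generic match sets", returning an empty list is the safer contract, e.g. `public List<ContentMatchSet> GetContentMatchSets() => new List<ContentMatchSet>();` (element type inferred from the removed body, since the generic arguments are not legible on this page). A short comment above the member, such as `// Matching is section-scoped and handled in CheckContents`, would tell the next reader why this is empty. Note also that dropping the whole-file signatures means an installer whose sections are renamed or stripped is no longer reported, which is worth stating in the commit message if it is intended.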
@@ -46,6 +22,62 @@ namespace BurnOutSharp.PackerType
 // file info and MUI (XML) info. Once I figure this out,
 // that also opens the doors to easier assembly XML checks.

+ // TODO: Use this instead of the seek inside of `.rsrc` when that's fixed
+ //string description = Utilities.GetManifestDescription(fileContent);
+
+ // Get the sections from the executable, if possible
+ PortableExecutable pex = PortableExecutable.Deserialize(fileContent, 0);
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the .rsrc section, if it exists
+ var rsrcSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".rsrc"));
+ if (rsrcSection != null)
+ {
+ int sectionAddr = (int)rsrcSection.PointerToRawData;
+ int sectionEnd = sectionAddr + (int)rsrcSection.VirtualSize;
+ var matchers = new List
+ {
+ // Nullsoft Install System
+ new ContentMatchSet(
+ new ContentMatch(new byte?[]
+ {
+ 0x4e, 0x75, 0x6c, 0x6c, 0x73, 0x6f, 0x66, 0x74,
+ 0x20, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c,
+ 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d
+ }, start: sectionAddr, end: sectionEnd),
+ GetVersion, "NSIS"),
+ };
+
+ string match = MatchUtil.GetFirstMatch(file, fileContent, matchers, includeDebug);
+ if (!string.IsNullOrWhiteSpace(match))
+ return match;
+ }
+
+ // Get the .data section, if it exists
+ var dataSection = sections.FirstOrDefault(s => Encoding.ASCII.GetString(s.Name).StartsWith(".data"));
+ if (dataSection != null)
+ {
+ int sectionAddr = (int)dataSection.PointerToRawData;
+ int sectionEnd = sectionAddr + (int)dataSection.VirtualSize;
+ var matchers = new List
+ {
+ // NullsoftInst
+ new ContentMatchSet(
+ new ContentMatch(new byte?[]
+ {
+ 0x4E, 0x75, 0x6C, 0x6C, 0x73, 0x6F, 0x66, 0x74,
+ 0x49, 0x6E, 0x73, 0x74
+ }, start: sectionAddr, end: sectionEnd),
+ "NSIS"),
+ };
+
+ string match = MatchUtil.GetFirstMatch(file, fileContent, matchers, includeDebug);
+ if (!string.IsNullOrWhiteSpace(match))
+ return match;
+ }
+
 return null;
 }
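Review bot: `sectionAddr` and `sectionEnd` are built from `PointerToRawData` and `VirtualSize`, both read straight from the section header of the file being scanned, and nothing in this hunk checks them against `fileContent.Length` or guards the `(int)` casts and the addition against wrap-around. `VirtualSize` is the in-memory size and can exceed what is on disk, so for a truncated or malformed executable the search window can end past the buffer or come out negative; whether `ContentMatch` clamps `start`/`end` is not visible here. I would clamp before building the matcher, e.g. `int sectionAddr = (int)Math.Min((long)rsrcSection.PointerToRawData, fileContent.Length);` and `int sectionEnd = (int)Math.Min((long)sectionAddr + rsrcSection.VirtualSize, fileContent.Length);`, and apply the same to the `.data` block. The two section-name lookups should also pass `StringComparison.Ordinal` to `StartsWith` so the comparison does not depend on the current culture. `CheckContents` begins above this hunk, so any earlier validation of `fileContent` is outside what I can see.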