Add WinRAR SFX detection and extraction (#31)

2026-02-13 13:45:57 +00:00 · 2021-03-21 15:03:47 -06:00
parent fe106d23ec
commit fad7d87282
2 changed files with 86 additions and 0 deletions
--- a/BurnOutSharp/PackerType/WinRARSFX.cs
+++ b/BurnOutSharp/PackerType/WinRARSFX.cs
@@ -0,0 +1,85 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text;
+using SharpCompress.Archives;
+using SharpCompress.Archives.Rar;
+
+namespace BurnOutSharp.PackerType
+{
+    public class WinRARSFX : IContentCheck, IScannable
+    {
+        /// <inheritdoc/>
+        public bool ShouldScan(byte[] magic) => true;
+
+        /// <inheritdoc/>
+        public string CheckContents(string file, byte[] fileContent, bool includePosition = false)
+        {
+            // "Software\WinRAR SFX"
+            byte?[] check = new byte?[] { 0x53, 0x6F, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x5C, 0x57, 0x69, 0x6E, 0x52, 0x41, 0x52, 0x20, 0x53, 0x46, 0x58 };
+            if (fileContent.FirstPosition(check, out int position))
+                return "WinRAR SFX" + (includePosition ? $" (Index {position})" : string.Empty);
+
+            return null;
+        }
+
+        public Dictionary<string, List<string>> Scan(Scanner scanner, string file)
+        {
+            if (!File.Exists(file))
+                return null;
+
+            using (var fs = File.OpenRead(file))
+            {
+                return Scan(scanner, fs, file);
+            }
+        }
+
+        /// <inheritdoc/>
+        public Dictionary<string, List<string>> Scan(Scanner scanner, Stream stream, string file)
+        {
+            // If the rar file itself fails
+            try
+            {
+                string tempPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
+                Directory.CreateDirectory(tempPath);
+
+                // Should be using stream instead of file, but stream fails to extract anything. My guess is that the executable portion of the archive is causing stream to fail, but not file.
+                using (RarArchive zipFile = RarArchive.Open(file, new SharpCompress.Readers.ReaderOptions() {LookForHeader = true}))
+                {
+                    foreach (var entry in zipFile.Entries)
+                    {
+                        // If an individual entry fails
+                        try
+                        {
+                            // If we have a directory, skip it
+                            if (entry.IsDirectory)
+                                continue;
+
+                            string tempFile = Path.Combine(tempPath, entry.Key);
+                            entry.WriteToFile(tempFile);
+                        }
+                        catch { }
+                    }
+                }
+
+                // Collect and format all found protections
+                var protections = scanner.GetProtections(tempPath);
+
+                // If temp directory cleanup fails
+                try
+                {
+                    Directory.Delete(tempPath, true);
+                }
+                catch { }
+
+                // Remove temporary path references
+                Utilities.StripFromKeys(protections, tempPath);
+
+                return protections;
+            }
+            catch { }
+
+            return null;
+        }
+    }
+}
--- a/README.md
+++ b/README.md
@@ -96,6 +96,7 @@ Below is a list of the executable packers that can be detected using this code:
 - PECompact
 - Setup Factory
 - UPX
+- WinRAR SFX
 - WinZip SFX
 - WISE Installer