SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-12 21:31:30 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity

Migrate packers to new interfaces

Browse Source
This commit is contained in:
Matt Nadareski
2022-03-14 11:00:17 -07:00
parent bef26e0fd7
commit fcbf006e4e
17 changed files with 196 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
BurnOutSharp/PackerType/AdvancedInstaller.cs
View File

@@ -1,15 +1,14 @@
using System.Collections.Generic;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction and verify that all versions are detected
public class AdvancedInstaller : IContentCheck
public class AdvancedInstaller : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/Armadillo.cs
View File

@@ -1,17 +1,16 @@
using System.Collections.Generic;
using System.Linq;
using System.Text;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
// TODO: Add version checking, if possible
public class Armadillo : IContentCheck
public class Armadillo : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/EXEStealth.cs
View File

@@ -1,5 +1,4 @@
using System.Collections.Generic;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
@@ -8,10 +7,10 @@ namespace BurnOutSharp.PackerType
// TODO: Figure out how to more granularly determine versions like PiD,
// at least for the 2.41 -> 2.75 range
// TODO: Detect 3.15 and up (maybe looking for `Metamorphism`)
public class EXEStealth : IContentCheck
public class EXEStealth : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

108
BurnOutSharp/PackerType/InnoSetup.cs
View File

@@ -10,73 +10,71 @@ using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
public class InnoSetup : IContentCheck, IScannable
public class InnoSetup : INEContentCheck, IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
{
// Try to read the contents as a PE executable
if (pex != null)
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
// Check for "Inno" in the reserved words
if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
{
var sections = pex?.SectionTable;
if (sections == null)
return null;
string version = GetOldVersion(file, fileContent);
if (!string.IsNullOrWhiteSpace(version))
return $"Inno Setup {version}";
// Get the DATA/.data section, if it exists
if (pex.DataSectionRaw != null)
{
var matchers = new List<ContentMatchSet>
{
// Inno Setup Setup Data (
new ContentMatchSet(new byte?[]
{
0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74,
0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70,
0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28
}, GetVersion, "Inno Setup"),
};
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
// Get the DOS stub from the executable, if possible
var stub = pex?.DOSStubHeader;
if (stub == null)
return null;
// Check for "Inno" in the reserved words
if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
{
string version = GetOldVersion(file, fileContent);
if (!string.IsNullOrWhiteSpace(version))
return $"Inno Setup {version}";
return "Inno Setup (Unknown Version)";
}
return "Inno Setup (Unknown Version)";
}
// Try to read the contents as an NE executable
if (nex != null)
return null;
}
/// <inheritdoc/>
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the DATA/.data section, if it exists
if (pex.DataSectionRaw != null)
{
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
// Check for "Inno" in the reserved words
if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
var matchers = new List<ContentMatchSet>
{
string version = GetOldVersion(file, fileContent);
if (!string.IsNullOrWhiteSpace(version))
return $"Inno Setup {version}";
return "Inno Setup (Unknown Version)";
}
// Inno Setup Setup Data (
new ContentMatchSet(new byte?[]
{
0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74,
0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70,
0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28
}, GetVersion, "Inno Setup"),
};
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
if (!string.IsNullOrWhiteSpace(match))
return match;
}
// Get the DOS stub from the executable, if possible
var stub = pex?.DOSStubHeader;
if (stub == null)
return null;
// Check for "Inno" in the reserved words
if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
{
string version = GetOldVersion(file, fileContent);
if (!string.IsNullOrWhiteSpace(version))
return $"Inno Setup {version}";
return "Inno Setup (Unknown Version)";
}
return null;

5
BurnOutSharp/PackerType/InstallAnywhere.cs
View File

@@ -1,19 +1,18 @@
using System;
using System.Collections.Concurrent;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
public class InstallAnywhere : IContentCheck, IScannable
public class InstallAnywhere : IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/InstallerVISE.cs
View File

@@ -1,20 +1,19 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
public class InstallerVISE : IContentCheck, IScannable
public class InstallerVISE : IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
//TODO: Add exact version detection for Windows builds, make sure versions before 3.X are detected as well, and detect the Mac builds.
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/IntelInstallationFramework.cs
View File

@@ -1,15 +1,14 @@
using System;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction, seems to primarily use MSZip compression.
public class IntelInstallationFramework : IContentCheck
public class IntelInstallationFramework : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/MicrosoftCABSFX.cs
View File

@@ -2,7 +2,6 @@ using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
@@ -10,13 +9,13 @@ using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction, which should be possible with LibMSPackN, but it refuses to extract due to SFX files lacking the typical CAB identifiers.
public class MicrosoftCABSFX : IContentCheck, IScannable
public class MicrosoftCABSFX : IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/NSIS.cs
View File

@@ -1,15 +1,14 @@
using System.Collections.Generic;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
public class NSIS : IContentCheck
public class NSIS : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

7
BurnOutSharp/PackerType/PECompact.cs
View File

@@ -1,13 +1,12 @@
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction and better version detection
public class PECompact : IContentCheck
public class PECompact : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

7
BurnOutSharp/PackerType/Petite.cs
View File

@@ -1,12 +1,11 @@
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
namespace BurnOutSharp.PackerType
{
public class PEtite : IContentCheck
public class PEtite : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/SetupFactory.cs
View File

@@ -1,19 +1,18 @@
using System;
using System.Collections.Concurrent;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
public class SetupFactory : IContentCheck, IScannable
public class SetupFactory : IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/UPX.cs
View File

@@ -1,15 +1,14 @@
using System.Collections.Generic;
using System.Text;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
public class UPX : IContentCheck
public class UPX : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

5
BurnOutSharp/PackerType/WinRARSFX.cs
View File

@@ -2,7 +2,6 @@ using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
@@ -11,13 +10,13 @@ using SharpCompress.Archives.Rar;
namespace BurnOutSharp.PackerType
{
public class WinRARSFX : IContentCheck, IScannable
public class WinRARSFX : IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;

181
BurnOutSharp/PackerType/WinZipSFX.cs
View File

@@ -12,106 +12,109 @@ using SharpCompress.Archives.Zip;
namespace BurnOutSharp.PackerType
{
public class WinZipSFX : IContentCheck, IScannable
public class WinZipSFX : INEContentCheck, IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
{
// Try to read the contents as a PE executable
if (pex != null)
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
string version = GetNEHeaderVersion(nex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
return null;
}
/// <inheritdoc/>
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the .rdata section, if it exists
if (pex.ResourceDataSectionRaw != null)
{
var sections = pex?.SectionTable;
if (sections == null)
return null;
// Get the .rdata section, if it exists
if (pex.ResourceDataSectionRaw != null)
{
string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
}
// Get the _winzip_ section, if it exists
bool winzipSection = pex.ContainsSection("_winzip_", exact: true);
if (winzipSection)
{
string version = GetPEHeaderVersion(pex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
version = GetAdjustedManifestVersion(pex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
return "WinZip SFX Unknown Version (32-bit)";
}
#region Unknown Version checks
// Get the .rdata section, if it exists
if (pex.ResourceDataSectionRaw != null)
{
string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
}
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)
{
var matchers = new List<ContentMatchSet>
{
// WinZip Self-Extractor header corrupt.
new ContentMatchSet(new byte?[]
{
0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53,
0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72,
0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65,
0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72,
0x72, 0x75, 0x70, 0x74, 0x2E,
}, "Unknown Version (32-bit)"),
// winzip\shell\open\command
new ContentMatchSet(new byte?[]
{
0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73,
0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65,
0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E,
0x64,
}, "Unknown Version (32-bit)"),
};
string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false);
if (!string.IsNullOrWhiteSpace(version))
{
// Try to grab the value from the manifest, if possible
string manifestVersion = GetAdjustedManifestVersion(pex);
if (!string.IsNullOrWhiteSpace(manifestVersion))
return $"WinZip SFX {manifestVersion}";
return $"WinZip SFX {version}";
}
}
#endregion
}
// Try to read the contents as an NE executable
if (nex != null)
{
string version = GetNEHeaderVersion(nex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug);
string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
}
// Get the _winzip_ section, if it exists
bool winzipSection = pex.ContainsSection("_winzip_", exact: true);
if (winzipSection)
{
string version = GetPEHeaderVersion(pex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
version = GetAdjustedManifestVersion(pex);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
return "WinZip SFX Unknown Version (32-bit)";
}
#region Unknown Version checks
// Get the .rdata section, if it exists
if (pex.ResourceDataSectionRaw != null)
{
string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
}
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)
{
var matchers = new List<ContentMatchSet>
{
// WinZip Self-Extractor header corrupt.
new ContentMatchSet(new byte?[]
{
0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53,
0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72,
0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65,
0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72,
0x72, 0x75, 0x70, 0x74, 0x2E,
}, "Unknown Version (32-bit)"),
// winzip\shell\open\command
new ContentMatchSet(new byte?[]
{
0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73,
0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65,
0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E,
0x64,
}, "Unknown Version (32-bit)"),
};
string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false);
if (!string.IsNullOrWhiteSpace(version))
{
// Try to grab the value from the manifest, if possible
string manifestVersion = GetAdjustedManifestVersion(pex);
if (!string.IsNullOrWhiteSpace(manifestVersion))
return $"WinZip SFX {manifestVersion}";
return $"WinZip SFX {version}";
}
}
#endregion
return null;
}

39
BurnOutSharp/PackerType/WiseInstaller.cs
View File

@@ -10,33 +10,36 @@ using Wise = WiseUnpacker.WiseUnpacker;
namespace BurnOutSharp.PackerType
{
public class WiseInstaller : IContentCheck, IScannable
public class WiseInstaller : INEContentCheck, IPEContentCheck, IScannable
{
/// <inheritdoc/>
public bool ShouldScan(byte[] magic) => true;
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
{
// Get the DOS stub from the executable, if possible
var stub = nex?.DOSStubHeader;
if (stub == null)
return null;
// TODO: Keep this around until it can be confirmed with NE checks as well
// TODO: This _may_ actually over-match. See msvbvm50.exe for an example
var neMatchSets = new List<ContentMatchSet>
{
// WiseMain
new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"),
};
return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug);
}
/// <inheritdoc/>
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
{
if (nex != null)
{
// TODO: Keep this around until it can be confirmed with NE checks as well
// TODO: This _may_ actually over-match. See msvbvm50.exe for an example
var neMatchSets = new List<ContentMatchSet>
{
// WiseMain
new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"),
};
return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug);
}
return null;
}
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)

5
BurnOutSharp/PackerType/dotFuscator.cs
View File

@@ -1,14 +1,13 @@
using System.Collections.Generic;
using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
public class dotFuscator : IContentCheck
public class dotFuscator : IPEContentCheck
{
/// <inheritdoc/>
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;