diff --git a/BurnOutSharp/PackerType/AdvancedInstaller.cs b/BurnOutSharp/PackerType/AdvancedInstaller.cs
index 24706a3b..98e89df1 100644
--- a/BurnOutSharp/PackerType/AdvancedInstaller.cs
+++ b/BurnOutSharp/PackerType/AdvancedInstaller.cs
@@ -1,15 +1,14 @@
using System.Collections.Generic;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction and verify that all versions are detected
- public class AdvancedInstaller : IContentCheck
+ public class AdvancedInstaller : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/Armadillo.cs b/BurnOutSharp/PackerType/Armadillo.cs
index fefbf3ac..0555c780 100644
--- a/BurnOutSharp/PackerType/Armadillo.cs
+++ b/BurnOutSharp/PackerType/Armadillo.cs
@@ -1,17 +1,16 @@
using System.Collections.Generic;
using System.Linq;
using System.Text;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
// TODO: Add version checking, if possible
- public class Armadillo : IContentCheck
+ public class Armadillo : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/EXEStealth.cs b/BurnOutSharp/PackerType/EXEStealth.cs
index e84d4e7f..c602ed54 100644
--- a/BurnOutSharp/PackerType/EXEStealth.cs
+++ b/BurnOutSharp/PackerType/EXEStealth.cs
@@ -1,5 +1,4 @@
using System.Collections.Generic;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
@@ -8,10 +7,10 @@ namespace BurnOutSharp.PackerType
// TODO: Figure out how to more granularly determine versions like PiD,
// at least for the 2.41 -> 2.75 range
// TODO: Detect 3.15 and up (maybe looking for `Metamorphism`)
- public class EXEStealth : IContentCheck
+ public class EXEStealth : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/InnoSetup.cs b/BurnOutSharp/PackerType/InnoSetup.cs
index 4797885d..a6f1e9d4 100644
--- a/BurnOutSharp/PackerType/InnoSetup.cs
+++ b/BurnOutSharp/PackerType/InnoSetup.cs
@@ -10,73 +10,71 @@ using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
- public class InnoSetup : IContentCheck, IScannable
+ public class InnoSetup : INEContentCheck, IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
{
- // Try to read the contents as a PE executable
- if (pex != null)
+ // Get the DOS stub from the executable, if possible
+ var stub = nex?.DOSStubHeader;
+ if (stub == null)
+ return null;
+
+ // Check for "Inno" in the reserved words
+ if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
{
- var sections = pex?.SectionTable;
- if (sections == null)
- return null;
+ string version = GetOldVersion(file, fileContent);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"Inno Setup {version}";
- // Get the DATA/.data section, if it exists
- if (pex.DataSectionRaw != null)
- {
- var matchers = new List
- {
- // Inno Setup Setup Data (
- new ContentMatchSet(new byte?[]
- {
- 0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74,
- 0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70,
- 0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28
- }, GetVersion, "Inno Setup"),
- };
-
- string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
- if (!string.IsNullOrWhiteSpace(match))
- return match;
- }
-
- // Get the DOS stub from the executable, if possible
- var stub = pex?.DOSStubHeader;
- if (stub == null)
- return null;
-
- // Check for "Inno" in the reserved words
- if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
- {
- string version = GetOldVersion(file, fileContent);
- if (!string.IsNullOrWhiteSpace(version))
- return $"Inno Setup {version}";
-
- return "Inno Setup (Unknown Version)";
- }
+ return "Inno Setup (Unknown Version)";
}
- // Try to read the contents as an NE executable
- if (nex != null)
+ return null;
+ }
+
+ ///
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
+ {
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the DATA/.data section, if it exists
+ if (pex.DataSectionRaw != null)
{
- // Get the DOS stub from the executable, if possible
- var stub = nex?.DOSStubHeader;
- if (stub == null)
- return null;
-
- // Check for "Inno" in the reserved words
- if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
+ var matchers = new List
{
- string version = GetOldVersion(file, fileContent);
- if (!string.IsNullOrWhiteSpace(version))
- return $"Inno Setup {version}";
-
- return "Inno Setup (Unknown Version)";
- }
+ // Inno Setup Setup Data (
+ new ContentMatchSet(new byte?[]
+ {
+ 0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74,
+ 0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70,
+ 0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28
+ }, GetVersion, "Inno Setup"),
+ };
+
+ string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
+ if (!string.IsNullOrWhiteSpace(match))
+ return match;
+ }
+
+ // Get the DOS stub from the executable, if possible
+ var stub = pex?.DOSStubHeader;
+ if (stub == null)
+ return null;
+
+ // Check for "Inno" in the reserved words
+ if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E)
+ {
+ string version = GetOldVersion(file, fileContent);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"Inno Setup {version}";
+
+ return "Inno Setup (Unknown Version)";
}
return null;
diff --git a/BurnOutSharp/PackerType/InstallAnywhere.cs b/BurnOutSharp/PackerType/InstallAnywhere.cs
index 7f913396..f6f86915 100644
--- a/BurnOutSharp/PackerType/InstallAnywhere.cs
+++ b/BurnOutSharp/PackerType/InstallAnywhere.cs
@@ -1,19 +1,18 @@
using System;
using System.Collections.Concurrent;
using System.IO;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
- public class InstallAnywhere : IContentCheck, IScannable
+ public class InstallAnywhere : IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/InstallerVISE.cs b/BurnOutSharp/PackerType/InstallerVISE.cs
index e60b5fac..f004e354 100644
--- a/BurnOutSharp/PackerType/InstallerVISE.cs
+++ b/BurnOutSharp/PackerType/InstallerVISE.cs
@@ -1,20 +1,19 @@
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
- public class InstallerVISE : IContentCheck, IScannable
+ public class InstallerVISE : IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
//TODO: Add exact version detection for Windows builds, make sure versions before 3.X are detected as well, and detect the Mac builds.
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/IntelInstallationFramework.cs b/BurnOutSharp/PackerType/IntelInstallationFramework.cs
index f852170b..544919dc 100644
--- a/BurnOutSharp/PackerType/IntelInstallationFramework.cs
+++ b/BurnOutSharp/PackerType/IntelInstallationFramework.cs
@@ -1,15 +1,14 @@
using System;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction, seems to primarily use MSZip compression.
- public class IntelInstallationFramework : IContentCheck
+ public class IntelInstallationFramework : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs
index e22fa552..f88b84d0 100644
--- a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs
+++ b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs
@@ -2,7 +2,6 @@ using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
@@ -10,13 +9,13 @@ using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction, which should be possible with LibMSPackN, but it refuses to extract due to SFX files lacking the typical CAB identifiers.
- public class MicrosoftCABSFX : IContentCheck, IScannable
+ public class MicrosoftCABSFX : IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/NSIS.cs b/BurnOutSharp/PackerType/NSIS.cs
index 9f7445a4..732c732e 100644
--- a/BurnOutSharp/PackerType/NSIS.cs
+++ b/BurnOutSharp/PackerType/NSIS.cs
@@ -1,15 +1,14 @@
using System.Collections.Generic;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
- public class NSIS : IContentCheck
+ public class NSIS : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/PECompact.cs b/BurnOutSharp/PackerType/PECompact.cs
index 7a3cd83f..5a0efa67 100644
--- a/BurnOutSharp/PackerType/PECompact.cs
+++ b/BurnOutSharp/PackerType/PECompact.cs
@@ -1,13 +1,12 @@
-using BurnOutSharp.ExecutableType.Microsoft.NE;
-using BurnOutSharp.ExecutableType.Microsoft.PE;
+using BurnOutSharp.ExecutableType.Microsoft.PE;
namespace BurnOutSharp.PackerType
{
// TODO: Add extraction and better version detection
- public class PECompact : IContentCheck
+ public class PECompact : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/Petite.cs b/BurnOutSharp/PackerType/Petite.cs
index 61b421ab..a9b92eea 100644
--- a/BurnOutSharp/PackerType/Petite.cs
+++ b/BurnOutSharp/PackerType/Petite.cs
@@ -1,12 +1,11 @@
-using BurnOutSharp.ExecutableType.Microsoft.NE;
-using BurnOutSharp.ExecutableType.Microsoft.PE;
+using BurnOutSharp.ExecutableType.Microsoft.PE;
namespace BurnOutSharp.PackerType
{
- public class PEtite : IContentCheck
+ public class PEtite : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/SetupFactory.cs b/BurnOutSharp/PackerType/SetupFactory.cs
index 2740686f..de805404 100644
--- a/BurnOutSharp/PackerType/SetupFactory.cs
+++ b/BurnOutSharp/PackerType/SetupFactory.cs
@@ -1,19 +1,18 @@
using System;
using System.Collections.Concurrent;
using System.IO;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Tools;
namespace BurnOutSharp.PackerType
{
- public class SetupFactory : IContentCheck, IScannable
+ public class SetupFactory : IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/UPX.cs b/BurnOutSharp/PackerType/UPX.cs
index aab1fbeb..ec7dfa81 100644
--- a/BurnOutSharp/PackerType/UPX.cs
+++ b/BurnOutSharp/PackerType/UPX.cs
@@ -1,15 +1,14 @@
using System.Collections.Generic;
using System.Text;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
- public class UPX : IContentCheck
+ public class UPX : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/WinRARSFX.cs b/BurnOutSharp/PackerType/WinRARSFX.cs
index e0bf466b..d41da8c4 100644
--- a/BurnOutSharp/PackerType/WinRARSFX.cs
+++ b/BurnOutSharp/PackerType/WinRARSFX.cs
@@ -2,7 +2,6 @@ using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
using BurnOutSharp.Tools;
@@ -11,13 +10,13 @@ using SharpCompress.Archives.Rar;
namespace BurnOutSharp.PackerType
{
- public class WinRARSFX : IContentCheck, IScannable
+ public class WinRARSFX : IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;
diff --git a/BurnOutSharp/PackerType/WinZipSFX.cs b/BurnOutSharp/PackerType/WinZipSFX.cs
index 7c6e1de8..6b51dbb1 100644
--- a/BurnOutSharp/PackerType/WinZipSFX.cs
+++ b/BurnOutSharp/PackerType/WinZipSFX.cs
@@ -12,106 +12,109 @@ using SharpCompress.Archives.Zip;
namespace BurnOutSharp.PackerType
{
- public class WinZipSFX : IContentCheck, IScannable
+ public class WinZipSFX : INEContentCheck, IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
{
- // Try to read the contents as a PE executable
- if (pex != null)
+ // Get the DOS stub from the executable, if possible
+ var stub = nex?.DOSStubHeader;
+ if (stub == null)
+ return null;
+
+ string version = GetNEHeaderVersion(nex);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"WinZip SFX {version}";
+
+ version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"WinZip SFX {version}";
+
+ return null;
+ }
+
+ ///
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
+ {
+ var sections = pex?.SectionTable;
+ if (sections == null)
+ return null;
+
+ // Get the .rdata section, if it exists
+ if (pex.ResourceDataSectionRaw != null)
{
- var sections = pex?.SectionTable;
- if (sections == null)
- return null;
-
- // Get the .rdata section, if it exists
- if (pex.ResourceDataSectionRaw != null)
- {
- string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug);
- if (!string.IsNullOrWhiteSpace(version))
- return $"WinZip SFX {version}";
- }
-
- // Get the _winzip_ section, if it exists
- bool winzipSection = pex.ContainsSection("_winzip_", exact: true);
- if (winzipSection)
- {
- string version = GetPEHeaderVersion(pex);
- if (!string.IsNullOrWhiteSpace(version))
- return $"WinZip SFX {version}";
-
- version = GetAdjustedManifestVersion(pex);
- if (!string.IsNullOrWhiteSpace(version))
- return $"WinZip SFX {version}";
-
- return "WinZip SFX Unknown Version (32-bit)";
- }
-
- #region Unknown Version checks
-
- // Get the .rdata section, if it exists
- if (pex.ResourceDataSectionRaw != null)
- {
- string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug);
- if (!string.IsNullOrWhiteSpace(version))
- return $"WinZip SFX {version}";
- }
-
- // Get the .data section, if it exists
- if (pex.DataSectionRaw != null)
- {
- var matchers = new List
- {
- // WinZip Self-Extractor header corrupt.
- new ContentMatchSet(new byte?[]
- {
- 0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53,
- 0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72,
- 0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65,
- 0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72,
- 0x72, 0x75, 0x70, 0x74, 0x2E,
- }, "Unknown Version (32-bit)"),
-
- // winzip\shell\open\command
- new ContentMatchSet(new byte?[]
- {
- 0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73,
- 0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65,
- 0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E,
- 0x64,
- }, "Unknown Version (32-bit)"),
- };
-
- string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false);
- if (!string.IsNullOrWhiteSpace(version))
- {
- // Try to grab the value from the manifest, if possible
- string manifestVersion = GetAdjustedManifestVersion(pex);
- if (!string.IsNullOrWhiteSpace(manifestVersion))
- return $"WinZip SFX {manifestVersion}";
-
- return $"WinZip SFX {version}";
- }
- }
-
- #endregion
- }
-
- // Try to read the contents as an NE executable
- if (nex != null)
- {
- string version = GetNEHeaderVersion(nex);
- if (!string.IsNullOrWhiteSpace(version))
- return $"WinZip SFX {version}";
-
- version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug);
+ string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug);
if (!string.IsNullOrWhiteSpace(version))
return $"WinZip SFX {version}";
}
+ // Get the _winzip_ section, if it exists
+ bool winzipSection = pex.ContainsSection("_winzip_", exact: true);
+ if (winzipSection)
+ {
+ string version = GetPEHeaderVersion(pex);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"WinZip SFX {version}";
+
+ version = GetAdjustedManifestVersion(pex);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"WinZip SFX {version}";
+
+ return "WinZip SFX Unknown Version (32-bit)";
+ }
+
+ #region Unknown Version checks
+
+ // Get the .rdata section, if it exists
+ if (pex.ResourceDataSectionRaw != null)
+ {
+ string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug);
+ if (!string.IsNullOrWhiteSpace(version))
+ return $"WinZip SFX {version}";
+ }
+
+ // Get the .data section, if it exists
+ if (pex.DataSectionRaw != null)
+ {
+ var matchers = new List
+ {
+ // WinZip Self-Extractor header corrupt.
+ new ContentMatchSet(new byte?[]
+ {
+ 0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53,
+ 0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72,
+ 0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65,
+ 0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72,
+ 0x72, 0x75, 0x70, 0x74, 0x2E,
+ }, "Unknown Version (32-bit)"),
+
+ // winzip\shell\open\command
+ new ContentMatchSet(new byte?[]
+ {
+ 0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73,
+ 0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65,
+ 0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E,
+ 0x64,
+ }, "Unknown Version (32-bit)"),
+ };
+
+ string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false);
+ if (!string.IsNullOrWhiteSpace(version))
+ {
+ // Try to grab the value from the manifest, if possible
+ string manifestVersion = GetAdjustedManifestVersion(pex);
+ if (!string.IsNullOrWhiteSpace(manifestVersion))
+ return $"WinZip SFX {manifestVersion}";
+
+ return $"WinZip SFX {version}";
+ }
+ }
+
+ #endregion
+
return null;
}
diff --git a/BurnOutSharp/PackerType/WiseInstaller.cs b/BurnOutSharp/PackerType/WiseInstaller.cs
index b8efb611..1f63a2b3 100644
--- a/BurnOutSharp/PackerType/WiseInstaller.cs
+++ b/BurnOutSharp/PackerType/WiseInstaller.cs
@@ -10,33 +10,36 @@ using Wise = WiseUnpacker.WiseUnpacker;
namespace BurnOutSharp.PackerType
{
- public class WiseInstaller : IContentCheck, IScannable
+ public class WiseInstaller : INEContentCheck, IPEContentCheck, IScannable
{
///
public bool ShouldScan(byte[] magic) => true;
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex)
+ {
+ // Get the DOS stub from the executable, if possible
+ var stub = nex?.DOSStubHeader;
+ if (stub == null)
+ return null;
+
+ // TODO: Keep this around until it can be confirmed with NE checks as well
+ // TODO: This _may_ actually over-match. See msvbvm50.exe for an example
+ var neMatchSets = new List
+ {
+ // WiseMain
+ new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"),
+ };
+
+ return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug);
+ }
+
+ ///
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
- // Get the sections from the executable, if possible
var sections = pex?.SectionTable;
if (sections == null)
- {
- if (nex != null)
- {
- // TODO: Keep this around until it can be confirmed with NE checks as well
- // TODO: This _may_ actually over-match. See msvbvm50.exe for an example
- var neMatchSets = new List
- {
- // WiseMain
- new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"),
- };
-
- return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug);
- }
-
return null;
- }
// Get the .data section, if it exists
if (pex.DataSectionRaw != null)
diff --git a/BurnOutSharp/PackerType/dotFuscator.cs b/BurnOutSharp/PackerType/dotFuscator.cs
index f9ece12e..a27f2ecc 100644
--- a/BurnOutSharp/PackerType/dotFuscator.cs
+++ b/BurnOutSharp/PackerType/dotFuscator.cs
@@ -1,14 +1,13 @@
using System.Collections.Generic;
-using BurnOutSharp.ExecutableType.Microsoft.NE;
using BurnOutSharp.ExecutableType.Microsoft.PE;
using BurnOutSharp.Matching;
namespace BurnOutSharp.PackerType
{
- public class dotFuscator : IContentCheck
+ public class dotFuscator : IPEContentCheck
{
///
- public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
+ public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex)
{
// Get the sections from the executable, if possible
var sections = pex?.SectionTable;