From fcbf006e4e444979d41ce41897c0928239ac6a48 Mon Sep 17 00:00:00 2001 From: Matt Nadareski Date: Mon, 14 Mar 2022 11:00:17 -0700 Subject: [PATCH] Migrate packers to new interfaces --- BurnOutSharp/PackerType/AdvancedInstaller.cs | 5 +- BurnOutSharp/PackerType/Armadillo.cs | 5 +- BurnOutSharp/PackerType/EXEStealth.cs | 5 +- BurnOutSharp/PackerType/InnoSetup.cs | 108 +++++------ BurnOutSharp/PackerType/InstallAnywhere.cs | 5 +- BurnOutSharp/PackerType/InstallerVISE.cs | 5 +- .../PackerType/IntelInstallationFramework.cs | 5 +- BurnOutSharp/PackerType/MicrosoftCABSFX.cs | 5 +- BurnOutSharp/PackerType/NSIS.cs | 5 +- BurnOutSharp/PackerType/PECompact.cs | 7 +- BurnOutSharp/PackerType/Petite.cs | 7 +- BurnOutSharp/PackerType/SetupFactory.cs | 5 +- BurnOutSharp/PackerType/UPX.cs | 5 +- BurnOutSharp/PackerType/WinRARSFX.cs | 5 +- BurnOutSharp/PackerType/WinZipSFX.cs | 181 +++++++++--------- BurnOutSharp/PackerType/WiseInstaller.cs | 39 ++-- BurnOutSharp/PackerType/dotFuscator.cs | 5 +- 17 files changed, 196 insertions(+), 206 deletions(-) diff --git a/BurnOutSharp/PackerType/AdvancedInstaller.cs b/BurnOutSharp/PackerType/AdvancedInstaller.cs index 24706a3b..98e89df1 100644 --- a/BurnOutSharp/PackerType/AdvancedInstaller.cs +++ b/BurnOutSharp/PackerType/AdvancedInstaller.cs @@ -1,15 +1,14 @@ using System.Collections.Generic; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { // TODO: Add extraction and verify that all versions are detected - public class AdvancedInstaller : IContentCheck + public class AdvancedInstaller : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; 
diff --git a/BurnOutSharp/PackerType/Armadillo.cs b/BurnOutSharp/PackerType/Armadillo.cs index fefbf3ac..0555c780 100644 --- a/BurnOutSharp/PackerType/Armadillo.cs +++ b/BurnOutSharp/PackerType/Armadillo.cs @@ -1,17 +1,16 @@ using System.Collections.Generic; using System.Linq; using System.Text; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { // TODO: Add version checking, if possible - public class Armadillo : IContentCheck + public class Armadillo : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/EXEStealth.cs b/BurnOutSharp/PackerType/EXEStealth.cs index e84d4e7f..c602ed54 100644 --- a/BurnOutSharp/PackerType/EXEStealth.cs +++ b/BurnOutSharp/PackerType/EXEStealth.cs @@ -1,5 +1,4 @@ using System.Collections.Generic; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; @@ -8,10 +7,10 @@ namespace BurnOutSharp.PackerType // TODO: Figure out how to more granularly determine versions like PiD, // at least for the 2.41 -> 2.75 range // TODO: Detect 3.15 and up (maybe looking for `Metamorphism`) - public class EXEStealth : IContentCheck + public class EXEStealth : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; 
diff --git a/BurnOutSharp/PackerType/InnoSetup.cs b/BurnOutSharp/PackerType/InnoSetup.cs index 4797885d..a6f1e9d4 100644 --- a/BurnOutSharp/PackerType/InnoSetup.cs +++ b/BurnOutSharp/PackerType/InnoSetup.cs 
@@ -10,73 +10,71 @@ using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { - public class InnoSetup : IContentCheck, IScannable + public class InnoSetup : INEContentCheck, IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex) { - // Try to read the contents as a PE executable - if (pex != null) + // Get the DOS stub from the executable, if possible + var stub = nex?.DOSStubHeader; + if (stub == null) + return null; + + // Check for "Inno" in the reserved words + if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E) { - var sections = pex?.SectionTable; - if (sections == null) - return null; + string version = GetOldVersion(file, fileContent); + if (!string.IsNullOrWhiteSpace(version)) + return $"Inno Setup {version}"; - // Get the DATA/.data section, if it exists - if (pex.DataSectionRaw != null) - { - var matchers = new List - { - // Inno Setup Setup Data ( - new ContentMatchSet(new byte?[] - { - 0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74, - 0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70, - 0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28 - }, GetVersion, "Inno Setup"), - }; - - string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug); - if (!string.IsNullOrWhiteSpace(match)) - return match; - } - - // Get the DOS stub from the executable, if possible - var stub = pex?.DOSStubHeader; - if (stub == null) - return null; - - // Check for "Inno" in the reserved words - if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E) - { - string version = GetOldVersion(file, fileContent); - if (!string.IsNullOrWhiteSpace(version)) - return $"Inno Setup {version}"; - - return "Inno Setup (Unknown Version)"; - } + return "Inno Setup (Unknown Version)"; } - // Try to read 
the contents as an NE executable - if (nex != null) + return null; + } + + /// + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) + { + var sections = pex?.SectionTable; + if (sections == null) + return null; + + // Get the DATA/.data section, if it exists + if (pex.DataSectionRaw != null) { - // Get the DOS stub from the executable, if possible - var stub = nex?.DOSStubHeader; - if (stub == null) - return null; - - // Check for "Inno" in the reserved words - if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E) + var matchers = new List { - string version = GetOldVersion(file, fileContent); - if (!string.IsNullOrWhiteSpace(version)) - return $"Inno Setup {version}"; - - return "Inno Setup (Unknown Version)"; - } + // Inno Setup Setup Data ( + new ContentMatchSet(new byte?[] + { + 0x49, 0x6E, 0x6E, 0x6F, 0x20, 0x53, 0x65, 0x74, + 0x75, 0x70, 0x20, 0x53, 0x65, 0x74, 0x75, 0x70, + 0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x28 + }, GetVersion, "Inno Setup"), + }; + + string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug); + if (!string.IsNullOrWhiteSpace(match)) + return match; + } + + // Get the DOS stub from the executable, if possible + var stub = pex?.DOSStubHeader; + if (stub == null) + return null; + + // Check for "Inno" in the reserved words + if (stub.Reserved2[4] == 0x6E49 && stub.Reserved2[5] == 0x6F6E) + { + string version = GetOldVersion(file, fileContent); + if (!string.IsNullOrWhiteSpace(version)) + return $"Inno Setup {version}"; + + return "Inno Setup (Unknown Version)"; } return null; diff --git a/BurnOutSharp/PackerType/InstallAnywhere.cs b/BurnOutSharp/PackerType/InstallAnywhere.cs index 7f913396..f6f86915 100644 --- a/BurnOutSharp/PackerType/InstallAnywhere.cs +++ b/BurnOutSharp/PackerType/InstallAnywhere.cs 
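Review bot: Both `CheckNEContents` and the tail of `CheckPEContents` in InnoSetup.cs index `stub.Reserved2[4]` and `stub.Reserved2[5]` without first checking that the array is present and long enough. These checks run over arbitrary executables, so a guard such as `if (stub.Reserved2 == null || stub.Reserved2.Length < 6) return null;` before the comparison would turn a malformed or truncated header into a clean non-match instead of an exception. Whether the header parser always fills ten reserved words is not visible in this hunk, so the guard may turn out to be redundant. The "Inno" stub test is now duplicated verbatim in the two methods; moving it into one private helper that takes the stub would keep the guard and the version lookup in a single place. In `CheckPEContents` the later `pex?.DOSStubHeader` can be plain `pex.DOSStubHeader`, because `pex` has already been dereferenced above it.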
@@ -1,19 +1,18 @@ using System; using System.Collections.Concurrent; using System.IO; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType { - public class InstallAnywhere : IContentCheck, IScannable + public class InstallAnywhere : IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/InstallerVISE.cs b/BurnOutSharp/PackerType/InstallerVISE.cs index e60b5fac..f004e354 100644 --- a/BurnOutSharp/PackerType/InstallerVISE.cs +++ b/BurnOutSharp/PackerType/InstallerVISE.cs @@ -1,20 +1,19 @@ using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { - public class InstallerVISE : IContentCheck, IScannable + public class InstallerVISE : IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; //TODO: Add exact version detection for Windows builds, make sure versions before 3.X are detected as well, and detect the Mac builds. /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; 
diff --git a/BurnOutSharp/PackerType/IntelInstallationFramework.cs b/BurnOutSharp/PackerType/IntelInstallationFramework.cs index f852170b..544919dc 100644 --- a/BurnOutSharp/PackerType/IntelInstallationFramework.cs +++ b/BurnOutSharp/PackerType/IntelInstallationFramework.cs @@ -1,15 +1,14 @@ using System; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType { // TODO: Add extraction, seems to primarily use MSZip compression. - public class IntelInstallationFramework : IContentCheck + public class IntelInstallationFramework : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs index e22fa552..f88b84d0 100644 --- a/BurnOutSharp/PackerType/MicrosoftCABSFX.cs +++ b/BurnOutSharp/PackerType/MicrosoftCABSFX.cs @@ -2,7 +2,6 @@ using System; using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; using BurnOutSharp.Tools; 
@@ -10,13 +9,13 @@ using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType { // TODO: Add extraction, which should be possible with LibMSPackN, but it refuses to extract due to SFX files lacking the typical CAB identifiers. - public class MicrosoftCABSFX : IContentCheck, IScannable + public class MicrosoftCABSFX : IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/NSIS.cs b/BurnOutSharp/PackerType/NSIS.cs index 9f7445a4..732c732e 100644 --- a/BurnOutSharp/PackerType/NSIS.cs +++ b/BurnOutSharp/PackerType/NSIS.cs @@ -1,15 +1,14 @@ using System.Collections.Generic; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType { - public class NSIS : IContentCheck + public class NSIS : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/PECompact.cs b/BurnOutSharp/PackerType/PECompact.cs index 7a3cd83f..5a0efa67 100644 --- a/BurnOutSharp/PackerType/PECompact.cs +++ b/BurnOutSharp/PackerType/PECompact.cs 
@@ -1,13 +1,12 @@ -using BurnOutSharp.ExecutableType.Microsoft.NE; -using BurnOutSharp.ExecutableType.Microsoft.PE; +using BurnOutSharp.ExecutableType.Microsoft.PE; namespace BurnOutSharp.PackerType { // TODO: Add extraction and better version detection - public class PECompact : IContentCheck + public class PECompact : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/Petite.cs b/BurnOutSharp/PackerType/Petite.cs index 61b421ab..a9b92eea 100644 --- a/BurnOutSharp/PackerType/Petite.cs +++ b/BurnOutSharp/PackerType/Petite.cs @@ -1,12 +1,11 @@ -using BurnOutSharp.ExecutableType.Microsoft.NE; -using BurnOutSharp.ExecutableType.Microsoft.PE; +using BurnOutSharp.ExecutableType.Microsoft.PE; namespace BurnOutSharp.PackerType { - public class PEtite : IContentCheck + public class PEtite : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/SetupFactory.cs b/BurnOutSharp/PackerType/SetupFactory.cs index 2740686f..de805404 100644 --- a/BurnOutSharp/PackerType/SetupFactory.cs +++ b/BurnOutSharp/PackerType/SetupFactory.cs 
@@ -1,19 +1,18 @@ using System; using System.Collections.Concurrent; using System.IO; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Tools; namespace BurnOutSharp.PackerType { - public class SetupFactory : IContentCheck, IScannable + public class SetupFactory : IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/UPX.cs b/BurnOutSharp/PackerType/UPX.cs index aab1fbeb..ec7dfa81 100644 --- a/BurnOutSharp/PackerType/UPX.cs +++ b/BurnOutSharp/PackerType/UPX.cs @@ -1,15 +1,14 @@ using System.Collections.Generic; using System.Text; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { - public class UPX : IContentCheck + public class UPX : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/WinRARSFX.cs b/BurnOutSharp/PackerType/WinRARSFX.cs index e0bf466b..d41da8c4 100644 --- a/BurnOutSharp/PackerType/WinRARSFX.cs +++ b/BurnOutSharp/PackerType/WinRARSFX.cs 
@@ -2,7 +2,6 @@ using System; using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; using BurnOutSharp.Tools; @@ -11,13 +10,13 @@ using SharpCompress.Archives.Rar; namespace BurnOutSharp.PackerType { - public class WinRARSFX : IContentCheck, IScannable + public class WinRARSFX : IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable; diff --git a/BurnOutSharp/PackerType/WinZipSFX.cs b/BurnOutSharp/PackerType/WinZipSFX.cs index 7c6e1de8..6b51dbb1 100644 --- a/BurnOutSharp/PackerType/WinZipSFX.cs +++ b/BurnOutSharp/PackerType/WinZipSFX.cs 
@@ -12,106 +12,109 @@ using SharpCompress.Archives.Zip; namespace BurnOutSharp.PackerType { - public class WinZipSFX : IContentCheck, IScannable + public class WinZipSFX : INEContentCheck, IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex) { - // Try to read the contents as a PE executable - if (pex != null) + // Get the DOS stub from the executable, if possible + var stub = nex?.DOSStubHeader; + if (stub == null) + return null; + + string version = GetNEHeaderVersion(nex); + if (!string.IsNullOrWhiteSpace(version)) + return $"WinZip SFX {version}"; + + version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug); + if (!string.IsNullOrWhiteSpace(version)) + return $"WinZip SFX {version}"; + + return null; + } + + /// + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) + { + var sections = pex?.SectionTable; + if (sections == null) + return null; + + // Get the .rdata section, if it exists + if (pex.ResourceDataSectionRaw != null) { - var sections = pex?.SectionTable; - if (sections == null) - return null; - - // Get the .rdata section, if it exists - if (pex.ResourceDataSectionRaw != null) - { - string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug); - if (!string.IsNullOrWhiteSpace(version)) - return $"WinZip SFX {version}"; - } - - // Get the _winzip_ section, if it exists - bool winzipSection = pex.ContainsSection("_winzip_", exact: true); - if (winzipSection) - { - string version = GetPEHeaderVersion(pex); - if (!string.IsNullOrWhiteSpace(version)) - return $"WinZip SFX {version}"; - - version = GetAdjustedManifestVersion(pex); - if (!string.IsNullOrWhiteSpace(version)) - return $"WinZip SFX 
{version}"; - - return "WinZip SFX Unknown Version (32-bit)"; - } - - #region Unknown Version checks - - // Get the .rdata section, if it exists - if (pex.ResourceDataSectionRaw != null) - { - string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug); - if (!string.IsNullOrWhiteSpace(version)) - return $"WinZip SFX {version}"; - } - - // Get the .data section, if it exists - if (pex.DataSectionRaw != null) - { - var matchers = new List - { - // WinZip Self-Extractor header corrupt. - new ContentMatchSet(new byte?[] - { - 0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53, - 0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72, - 0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72, - 0x72, 0x75, 0x70, 0x74, 0x2E, - }, "Unknown Version (32-bit)"), - - // winzip\shell\open\command - new ContentMatchSet(new byte?[] - { - 0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73, - 0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65, - 0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E, - 0x64, - }, "Unknown Version (32-bit)"), - }; - - string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false); - if (!string.IsNullOrWhiteSpace(version)) - { - // Try to grab the value from the manifest, if possible - string manifestVersion = GetAdjustedManifestVersion(pex); - if (!string.IsNullOrWhiteSpace(manifestVersion)) - return $"WinZip SFX {manifestVersion}"; - - return $"WinZip SFX {version}"; - } - } - - #endregion - } - - // Try to read the contents as an NE executable - if (nex != null) - { - string version = GetNEHeaderVersion(nex); - if (!string.IsNullOrWhiteSpace(version)) - return $"WinZip SFX {version}"; - - version = GetNEUnknownHeaderVersion(nex, file, fileContent, includeDebug); + string version = GetSFXSectionDataVersion(file, pex.ResourceDataSectionRaw, includeDebug); if (!string.IsNullOrWhiteSpace(version)) return $"WinZip SFX {version}"; } + // Get the _winzip_ section, if it exists + 
bool winzipSection = pex.ContainsSection("_winzip_", exact: true); + if (winzipSection) + { + string version = GetPEHeaderVersion(pex); + if (!string.IsNullOrWhiteSpace(version)) + return $"WinZip SFX {version}"; + + version = GetAdjustedManifestVersion(pex); + if (!string.IsNullOrWhiteSpace(version)) + return $"WinZip SFX {version}"; + + return "WinZip SFX Unknown Version (32-bit)"; + } + + #region Unknown Version checks + + // Get the .rdata section, if it exists + if (pex.ResourceDataSectionRaw != null) + { + string version = GetSFXSectionDataUnknownVersion(file, pex.ResourceDataSectionRaw, includeDebug); + if (!string.IsNullOrWhiteSpace(version)) + return $"WinZip SFX {version}"; + } + + // Get the .data section, if it exists + if (pex.DataSectionRaw != null) + { + var matchers = new List + { + // WinZip Self-Extractor header corrupt. + new ContentMatchSet(new byte?[] + { + 0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70, 0x20, 0x53, + 0x65, 0x6C, 0x66, 0x2D, 0x45, 0x78, 0x74, 0x72, + 0x61, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x68, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x20, 0x63, 0x6F, 0x72, + 0x72, 0x75, 0x70, 0x74, 0x2E, + }, "Unknown Version (32-bit)"), + + // winzip\shell\open\command + new ContentMatchSet(new byte?[] + { + 0x77, 0x69, 0x6E, 0x7A, 0x69, 0x70, 0x5C, 0x73, + 0x68, 0x65, 0x6C, 0x6C, 0x5C, 0x6F, 0x70, 0x65, + 0x6E, 0x5C, 0x63, 0x6F, 0x6D, 0x6D, 0x61, 0x6E, + 0x64, + }, "Unknown Version (32-bit)"), + }; + + string version = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, false); + if (!string.IsNullOrWhiteSpace(version)) + { + // Try to grab the value from the manifest, if possible + string manifestVersion = GetAdjustedManifestVersion(pex); + if (!string.IsNullOrWhiteSpace(manifestVersion)) + return $"WinZip SFX {manifestVersion}"; + + return $"WinZip SFX {version}"; + } + } + + #endregion + return null; } diff --git a/BurnOutSharp/PackerType/WiseInstaller.cs b/BurnOutSharp/PackerType/WiseInstaller.cs index b8efb611..1f63a2b3 100644 
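Review bot: In the new `WinZipSFX.CheckNEContents`, the local `stub` is used only as a null guard and never read, so the method now returns null for an NE file whose `DOSStubHeader` is null. The removed `if (nex != null)` branch would still have called `GetNEHeaderVersion(nex)` in that case. If the stricter gate is intended, a comment such as `// Require a parsed DOS stub before trusting the NE header` would record that; otherwise `if (nex == null) return null;` keeps the old behaviour and drops the unused local. `WiseInstaller.CheckNEContents` later in this patch adds the same guard with the same unused local. Separately, the `.data` matcher call in `CheckPEContents` passes a literal `false` where every other call passes `includeDebug`; if that is deliberate, a one-line comment would say why.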
--- a/BurnOutSharp/PackerType/WiseInstaller.cs +++ b/BurnOutSharp/PackerType/WiseInstaller.cs @@ -10,33 +10,36 @@ using Wise = WiseUnpacker.WiseUnpacker; namespace BurnOutSharp.PackerType { - public class WiseInstaller : IContentCheck, IScannable + public class WiseInstaller : INEContentCheck, IPEContentCheck, IScannable { /// public bool ShouldScan(byte[] magic) => true; /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckNEContents(string file, byte[] fileContent, bool includeDebug, NewExecutable nex) + { + // Get the DOS stub from the executable, if possible + var stub = nex?.DOSStubHeader; + if (stub == null) + return null; + + // TODO: Keep this around until it can be confirmed with NE checks as well + // TODO: This _may_ actually over-match. See msvbvm50.exe for an example + var neMatchSets = new List + { + // WiseMain + new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"), + }; + + return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug); + } + + /// + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { - // Get the sections from the executable, if possible var sections = pex?.SectionTable; if (sections == null) - { - if (nex != null) - { - // TODO: Keep this around until it can be confirmed with NE checks as well - // TODO: This _may_ actually over-match. See msvbvm50.exe for an example - var neMatchSets = new List - { - // WiseMain - new ContentMatchSet(new byte?[] { 0x57, 0x69, 0x73, 0x65, 0x4D, 0x61, 0x69, 0x6E }, "Wise Installation Wizard Module"), - }; - - return MatchUtil.GetFirstMatch(file, fileContent, neMatchSets, includeDebug); - } - return null; - } // Get the .data section, if it exists if (pex.DataSectionRaw != null) 
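Review bot: `CheckNEContents` in WiseInstaller.cs reports "Wise Installation Wizard Module" for any NE file with a DOS stub that contains the eight ASCII bytes `WiseMain` anywhere in `fileContent`. Before this change that matcher was reached only when the PE section table was null, so the signature the TODO already calls over-matching may now apply to more inputs, depending on how the caller dispatches NE files (not visible here). The class is also `IScannable`; if a positive result decides whether the file is handed to the unpacker, a false match would send an unrelated executable into extraction code. Until an NE-specific check exists, a comment next to the matcher would at least make this explicit, for example `// Low-confidence: whole-file string match, not tied to any NE structure`. `CheckPEContents` continues past the end of this hunk.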
diff --git a/BurnOutSharp/PackerType/dotFuscator.cs b/BurnOutSharp/PackerType/dotFuscator.cs index f9ece12e..a27f2ecc 100644 --- a/BurnOutSharp/PackerType/dotFuscator.cs +++ b/BurnOutSharp/PackerType/dotFuscator.cs @@ -1,14 +1,13 @@ using System.Collections.Generic; -using BurnOutSharp.ExecutableType.Microsoft.NE; using BurnOutSharp.ExecutableType.Microsoft.PE; using BurnOutSharp.Matching; namespace BurnOutSharp.PackerType { - public class dotFuscator : IContentCheck + public class dotFuscator : IPEContentCheck { /// - public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex) + public string CheckPEContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex) { // Get the sections from the executable, if possible var sections = pex?.SectionTable;