mirror of
https://github.com/SabreTools/BinaryObjectScanner.git
synced 2026-02-13 05:35:24 +00:00
214e8d41c7
This also adds comprehensive notes around the sections used in various protections, how they're used, and what we can do with them. It also adds a couple of various notes based on the findings from the protection audit
43 lines
1.5 KiB
C#
43 lines
1.5 KiB
C#
using System.Collections.Generic;
|
|
using BurnOutSharp.ExecutableType.Microsoft;
|
|
using BurnOutSharp.Matching;
|
|
using BurnOutSharp.Tools;
|
|
|
|
namespace BurnOutSharp.PackerType
|
|
{
|
|
public class NSIS : IContentCheck
|
|
{
|
|
/// <inheritdoc/>
|
|
public string CheckContents(string file, byte[] fileContent, bool includeDebug, PortableExecutable pex, NewExecutable nex)
|
|
{
|
|
// Get the sections from the executable, if possible
|
|
var sections = pex?.SectionTable;
|
|
if (sections == null)
|
|
return null;
|
|
|
|
string description = Utilities.GetManifestDescription(pex);
|
|
if (!string.IsNullOrWhiteSpace(description) && description.StartsWith("Nullsoft Install System"))
|
|
return $"NSIS {description.Substring("Nullsoft Install System".Length).Trim()}";
|
|
|
|
// Get the .data section, if it exists
|
|
if (pex.DataSectionRaw != null)
|
|
{
|
|
var matchers = new List<ContentMatchSet>
|
|
{
|
|
// NullsoftInst
|
|
new ContentMatchSet(new byte?[]
|
|
{
|
|
0x4E, 0x75, 0x6C, 0x6C, 0x73, 0x6F, 0x66, 0x74,
|
|
0x49, 0x6E, 0x73, 0x74
|
|
}, "NSIS"),
|
|
};
|
|
|
|
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
|
|
if (!string.IsNullOrWhiteSpace(match))
|
|
return match;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|
|
} |