mirror of
https://github.com/SabreTools/BinaryObjectScanner.git
synced 2026-02-08 05:37:43 +00:00
118 lines
4.0 KiB
C#
118 lines
4.0 KiB
C#
using System;
|
|
using System.Collections.Concurrent;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using BurnOutSharp.ExecutableType.Microsoft.PE;
|
|
using BurnOutSharp.Interfaces;
|
|
using BurnOutSharp.Matching;
|
|
using BurnOutSharp.Tools;
|
|
using SharpCompress.Archives;
|
|
using SharpCompress.Archives.Rar;
|
|
|
|
namespace BurnOutSharp.PackerType
|
|
{
|
|
public class WinRARSFX : IPortableExecutableCheck, IScannable
|
|
{
|
|
/// <inheritdoc/>
|
|
public bool ShouldScan(byte[] magic) => true;
|
|
|
|
/// <inheritdoc/>
|
|
public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
|
|
{
|
|
// Get the sections from the executable, if possible
|
|
var sections = pex?.SectionTable;
|
|
if (sections == null)
|
|
return null;
|
|
|
|
// Get the .data section, if it exists
|
|
if (pex.DataSectionRaw != null)
|
|
{
|
|
var matchers = new List<ContentMatchSet>
|
|
{
|
|
// Software\WinRAR SFX
|
|
new ContentMatchSet(new byte?[]
|
|
{
|
|
0x53, 0x6F, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65,
|
|
0x5C, 0x57, 0x69, 0x6E, 0x52, 0x41, 0x52, 0x20,
|
|
0x53, 0x46, 0x58
|
|
}, "WinRAR SFX"),
|
|
};
|
|
|
|
string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
|
|
if (!string.IsNullOrWhiteSpace(match))
|
|
return match;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, string file)
|
|
{
|
|
if (!File.Exists(file))
|
|
return null;
|
|
|
|
using (var fs = File.OpenRead(file))
|
|
{
|
|
return Scan(scanner, fs, file);
|
|
}
|
|
}
|
|
|
|
/// <inheritdoc/>
|
|
public ConcurrentDictionary<string, ConcurrentQueue<string>> Scan(Scanner scanner, Stream stream, string file)
|
|
{
|
|
// If the rar file itself fails
|
|
try
|
|
{
|
|
string tempPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
|
|
Directory.CreateDirectory(tempPath);
|
|
|
|
// Should be using stream instead of file, but stream fails to extract anything. My guess is that the executable portion of the archive is causing stream to fail, but not file.
|
|
using (RarArchive zipFile = RarArchive.Open(file, new SharpCompress.Readers.ReaderOptions() {LookForHeader = true}))
|
|
{
|
|
foreach (var entry in zipFile.Entries)
|
|
{
|
|
// If an individual entry fails
|
|
try
|
|
{
|
|
// If we have a directory, skip it
|
|
if (entry.IsDirectory)
|
|
continue;
|
|
|
|
string tempFile = Path.Combine(tempPath, entry.Key);
|
|
entry.WriteToFile(tempFile);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
if (scanner.IncludeDebug) Console.WriteLine(ex);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Collect and format all found protections
|
|
var protections = scanner.GetProtections(tempPath);
|
|
|
|
// If temp directory cleanup fails
|
|
try
|
|
{
|
|
Directory.Delete(tempPath, true);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
if (scanner.IncludeDebug) Console.WriteLine(ex);
|
|
}
|
|
|
|
// Remove temporary path references
|
|
Utilities.StripFromKeys(protections, tempPath);
|
|
|
|
return protections;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
if (scanner.IncludeDebug) Console.WriteLine(ex);
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|
|
}
|