Reduce PE boilerplate
mnadareski committed Dec 2, 2024
1 parent a6b4948 commit ff2b27c
Showing 98 changed files with 33 additions and 518 deletions.
7 changes: 1 addition & 6 deletions BinaryObjectScanner/GameEngine/RenderWare.cs
Expand Up @@ -20,18 +20,13 @@ public class RenderWare : IExecutableCheck<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Found in Redump entries 20138, 55823, and 102493.
bool rwcsegSection = pex.ContainsSection("_rwcseg", exact: true);
// Found in Redump entry 20138.
bool rwdsegSection = pex.ContainsSection("_rwdseg", exact: true);

// TODO: Check if this indicates a specific version, or if these sections are present in multiple.
if (rwcsegSection || rwdsegSection)
if (rwcsegSection || rwdsegSection)
return "RenderWare";

return null;
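Review bot: With the `sections == null` early return removed at the top of CheckExecutable, the method now reaches `pex.ContainsSection("_rwcseg", exact: true)` even for a PE whose section table did not parse, so its behaviour on malformed input depends on ContainsSection tolerating a null `SectionTable` rather than on the local guard. That is fine if the helper returns false in that case, but this scanner runs over untrusted binaries and a NullReferenceException here would abort the scan of the whole file instead of skipping one check, so the helper's null handling is worth confirming once. The same guard is dropped in every other file of this commit (ASPack.cs through UPX.cs), including the callers of `GetFirstSectionStrings` and `GetFirstSectionData`; if those helpers are not null-safe, a single guard inside them is the right place for it rather than restoring two dozen copies. The enclosing method continues outside the hunk.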
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/ASPack.cs
Expand Up @@ -12,11 +12,6 @@ public class ASPack : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .aspack section, if it exists
if (pex.ContainsSection(".aspack", exact: true))
return "ASPack 2.29";
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/AdvancedInstaller.cs
Expand Up @@ -10,11 +10,6 @@ public class AdvancedInstaller : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .rdata section strings, if they exist
var strs = pex.GetFirstSectionStrings(".rdata");
if (strs != null)
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/AutoPlayMediaStudio.cs
Expand Up @@ -12,11 +12,6 @@ public class AutoPlayMediaStudio : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Known to detect versions 5.0.0.3 - 8.1.0.0
var name = pex.ProductName;
if (name.OptionalStartsWith("AutoPlay Media Studio", StringComparison.OrdinalIgnoreCase))
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/CExe.cs
Expand Up @@ -17,11 +17,6 @@ public class CExe : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// If there are exactly 2 resources with type 99
if (pex.FindResourceByNamedType("99, ").Count == 2)
return "CExe";
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/DotFuscator.cs
Expand Up @@ -9,11 +9,6 @@ public class DotFuscator : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .text section strings, if they exist
var strs = pex.GetFirstSectionStrings(".text");
if (strs != null)
34 changes: 15 additions & 19 deletions BinaryObjectScanner/Packer/DotNetReactor.cs
Expand Up @@ -22,10 +22,6 @@ public class DotNetReactor : IExtractableExecutable<PortableExecutable>
{
// TODO: Detect version
// TODO: Further refine checks using https://github.com/horsicq/Detect-It-Easy/blob/075a70b1484d1d84d1dc37c86aac16188d5a84e7/db/PE/NetReactor.2.sg and https://github.com/cod3nym/detection-rules/blob/main/yara/dotnet/obf_net_reactor.yar
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .text section, if it exists
var textData = pex.GetFirstSectionData(".text");
Expand All @@ -38,9 +34,9 @@ public class DotNetReactor : IExtractableExecutable<PortableExecutable>
new(new byte?[]
{
0x3C, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65,
0x49, 0x6D, 0x70, 0x6C, 0x65, 0x6D, 0x65, 0x6E,
0x49, 0x6D, 0x70, 0x6C, 0x65, 0x6D, 0x65, 0x6E,
0x74, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x44, 0x65,
0x74, 0x61, 0x69, 0x6C, 0x73, 0x3E, 0x7B, null,
0x74, 0x61, 0x69, 0x6C, 0x73, 0x3E, 0x7B, null,
null, null, null, null, null, null, null, 0x2D,
null, null, null, null, 0x2D, null, null, null,
null, 0x2D, null, null, null, null, 0x2D, null,
Expand All @@ -54,7 +50,7 @@ public class DotNetReactor : IExtractableExecutable<PortableExecutable>
new(new byte?[]
{
0x3C, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65,
0x49, 0x6D, 0x70, 0x6C, 0x65, 0x6D, 0x65, 0x6E,
0x49, 0x6D, 0x70, 0x6C, 0x65, 0x6D, 0x65, 0x6E,
0x74, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x44, 0x65,
0x74, 0x61, 0x69, 0x6C, 0x73, 0x3E, 0x00, 0x52,
0x53, 0x41
Expand All @@ -64,24 +60,24 @@ public class DotNetReactor : IExtractableExecutable<PortableExecutable>
// 3{.[9].-.[9].-.[9].}
new(new byte?[]
{
0x33, 0x7B, 0x00, null, null, null, null, null,
null, null, null, null, 0x00, 0x2D, 0x00, null,
null, null, null, null, null, null, null, null,
0x00, 0x2D, 0x00, null, null, null, null, null,
null, null, null, null, 0x00, 0x2D, 0x00, null,
null, null, null, null, null, null, null, null,
0x00, 0x7D, 0x00
0x33, 0x7B, 0x00, null, null, null, null, null,
null, null, null, null, 0x00, 0x2D, 0x00, null,
null, null, null, null, null, null, null, null,
0x00, 0x2D, 0x00, null, null, null, null, null,
null, null, null, null, 0x00, 0x2D, 0x00, null,
null, null, null, null, null, null, null, null,
0x00, 0x7D, 0x00
}, ".NET Reactor (Unconfirmed - Please report to us on GitHub)"),

// Adapted from https://github.com/cod3nym/detection-rules/blob/main/yara/dotnet/obf_net_reactor.yar and confirmed to work with "KalypsoLauncher.dll" from Redump entry 95617.
// <Module>{[8]-[4]-[4]-[4]-[12]}
new(new byte?[]
{
0x3C, 0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x3E,
0x7B, null, null, null, null, null, null, null,
null, 0x2D, null, null, null, null, 0x2D, null,
null, null, null, 0x2D, null, null, null, null,
0x2D, null, null, null, null, null, null, null,
0x3C, 0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x3E,
0x7B, null, null, null, null, null, null, null,
null, 0x2D, null, null, null, null, 0x2D, null,
null, null, null, 0x2D, null, null, null, null,
0x2D, null, null, null, null, null, null, null,
null, null, null, null, null, 0x7D
}, ".NET Reactor (Unconfirmed - Please report to us on GitHub)")
};
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/EXEStealth.cs
Expand Up @@ -39,11 +39,6 @@ public class EXEStealth : IContentCheck, IExtractableExecutable<PortableExecutab
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// The ExeS/EXES/*mtw sections seem to map to the Import Table
// 2.6/2.51
// `ExeStealth - www.webtoolmaster.com`
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/EmbeddedArchive.cs
Expand Up @@ -15,11 +15,6 @@ public class EmbeddedArchive : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the resources that have a PKZIP signature
if (pex.ResourceData != null)
{
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/EmbeddedExecutable.cs
Expand Up @@ -15,11 +15,6 @@ public class EmbeddedExecutable : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the resources that have an executable signature
if (pex.ResourceData != null)
{
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/GenteeInstaller.cs
Expand Up @@ -10,11 +10,6 @@ public class GenteeInstaller : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .data/DATA section strings, if they exist
var strs = pex.GetFirstSectionStrings(".data") ?? pex.GetFirstSectionStrings("DATA");
if (strs != null)
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/HyperTechCrackProof.cs
Expand Up @@ -14,11 +14,6 @@ public class HyperTechCrackProof : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// This check may be overly limiting, as it excludes the sample provided to DiE (https://github.com/horsicq/Detect-It-Easy/issues/102).
// TODO: Find further samples and invesitgate if the "peC" section is only present on specific versions.
bool importTableMatch = Array.Exists(pex.Model.ImportTable?.ImportDirectoryTable ?? [],
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/InnoSetup.cs
Expand Up @@ -34,11 +34,6 @@ public class InnoSetup : IExecutableCheck<NewExecutable>,
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .data/DATA section strings, if they exist
var strs = pex.GetFirstSectionStrings(".data") ?? pex.GetFirstSectionStrings("DATA");
if (strs != null)
7 changes: 1 addition & 6 deletions BinaryObjectScanner/Packer/InstallAnywhere.cs
Expand Up @@ -11,12 +11,7 @@ public class InstallAnywhere : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

var name= pex.FileDescription;
var name = pex.FileDescription;
if (name.OptionalStartsWith("InstallAnywhere Self Extractor", StringComparison.OrdinalIgnoreCase))
return $"InstallAnywhere {GetVersion(pex)}";

7 changes: 1 addition & 6 deletions BinaryObjectScanner/Packer/InstallerVISE.cs
Expand Up @@ -11,19 +11,14 @@ public class InstallerVISE : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .data/DATA section strings, if they exist
var strs = pex.GetFirstSectionStrings(".data") ?? pex.GetFirstSectionStrings("DATA");
if (strs != null)
{
if (strs.Exists(s => s.Contains("ViseMain")))
return "Installer VISE";
}

return null;
}

7 changes: 1 addition & 6 deletions BinaryObjectScanner/Packer/IntelInstallationFramework.cs
Expand Up @@ -10,12 +10,7 @@ public class IntelInstallationFramework : IExtractableExecutable<PortableExecuta
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

var name= pex.FileDescription;
var name = pex.FileDescription;
if (name.OptionalEquals("Intel(R) Installation Framework", StringComparison.OrdinalIgnoreCase)
|| name.OptionalEquals("Intel Installation Framework", StringComparison.OrdinalIgnoreCase))
{
7 changes: 1 addition & 6 deletions BinaryObjectScanner/Packer/MicrosoftCABSFX.cs
Expand Up @@ -11,12 +11,7 @@ public class MicrosoftCABSFX : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

var name= pex.InternalName;
var name = pex.InternalName;
if (name.OptionalEquals("Wextract", StringComparison.OrdinalIgnoreCase))
return $"Microsoft CAB SFX {GetVersion(pex)}";

5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/NSIS.cs
Expand Up @@ -9,11 +9,6 @@ public class NSIS : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

var name = pex.AssemblyDescription;
if (name.OptionalStartsWith("Nullsoft Install System"))
return $"NSIS {name!.Substring("Nullsoft Install System".Length).Trim()}";
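Review bot: `name.OptionalStartsWith("Nullsoft Install System")` passes no `StringComparison`, while the sibling checks in this commit (AutoPlayMediaStudio.cs, SetupFactory.cs, InstallAnywhere.cs) pass `StringComparison.OrdinalIgnoreCase` explicitly; if the parameterless overload forwards to `string.StartsWith(string)` it is culture-sensitive, which is the wrong comparison for a fixed ASCII marker read out of a binary. The same applies to the `OptionalStartsWith` call in SevenZipSFX.cs. Suggest `if (name.OptionalStartsWith("Nullsoft Install System", StringComparison.Ordinal))`, which keeps the current case-sensitive intent. The method continues outside the hunk.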
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/NeoLite.cs
Expand Up @@ -19,11 +19,6 @@ public class NeoLite : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .neolit section, if it exists.
// TODO: Check if this section is also present in NeoLite 1.X.
if (pex.ContainsSection(".neolit", exact: true))
7 changes: 1 addition & 6 deletions BinaryObjectScanner/Packer/PECompact.cs
Expand Up @@ -10,11 +10,6 @@ public class PECompact : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// 0x4F434550 is "PECO"
if (pex.Model.COFFFileHeader?.PointerToSymbolTable == 0x4F434550)
return "PE Compact v1.x";
Expand All @@ -32,7 +27,7 @@ public class PECompact : IExtractableExecutable<PortableExecutable>
{
if (textSection.PointerToLinenumbers != 0)
return $"PE Compact v{textSection.PointerToLinenumbers} (internal version)";

return "PE Compact v2.x (or newer)";
}

5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/Petite.cs
Expand Up @@ -10,11 +10,6 @@ public class PEtite : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .petite section, if it exists -- TODO: Is there a version number that can be found?
if (pex.ContainsSection(".petite", exact: true))
return "PEtite";
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/SetupFactory.cs
Expand Up @@ -12,11 +12,6 @@ public class SetupFactory : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Known to detect versions 7.0.5.1 - 9.1.0.0
var name = pex.LegalCopyright;
if (name.OptionalStartsWith("Setup Engine", StringComparison.OrdinalIgnoreCase))
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/SevenZipSFX.cs
Expand Up @@ -8,11 +8,6 @@ public class SevenZipSFX : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the assembly description, if possible
if (pex.AssemblyDescription.OptionalStartsWith("7-Zip Self-extracting Archive"))
return $"7-Zip SFX {pex.AssemblyDescription!.Substring("7-Zip Self-extracting Archive ".Length)}";
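Review bot: The prefix tested on the `OptionalStartsWith` line, `"7-Zip Self-extracting Archive"`, is one character shorter than the length passed to `Substring` on the next line, `"7-Zip Self-extracting Archive ".Length`, so an assembly description that is exactly the prefix with no trailing space passes the check and then throws ArgumentOutOfRangeException from Substring. Since this runs over untrusted PE version metadata, that is an exception escaping a detection check rather than a `null` result for the file. Use the same string in both places and trim the remainder, as NSIS.cs in this commit already does: `return $"7-Zip SFX {pex.AssemblyDescription!.Substring("7-Zip Self-extracting Archive".Length).Trim()}";`. The method continues outside the hunk.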
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/Shrinker.cs
Expand Up @@ -10,11 +10,6 @@ public class Shrinker : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Get the .shrink0 and .shrink2 sections, if they exist -- TODO: Confirm if both are needed or either/or is fine
if (pex.ContainsSection(".shrink0", true) || pex.ContainsSection(".shrink2", true))
return "Shrinker";
5 changes: 0 additions & 5 deletions BinaryObjectScanner/Packer/UPX.cs
Expand Up @@ -17,11 +17,6 @@ public class UPX : IExtractableExecutable<PortableExecutable>
/// <inheritdoc/>
public string? CheckExecutable(string file, PortableExecutable pex, bool includeDebug)
{
// Get the sections from the executable, if possible
var sections = pex.Model.SectionTable;
if (sections == null)
return null;

// Check header padding strings
if (pex.HeaderPaddingStrings != null && pex.HeaderPaddingStrings.Count > 0)
{
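Review bot: `pex.HeaderPaddingStrings != null && pex.HeaderPaddingStrings.Count > 0` repeats the property access and spells out a null-plus-count test that a property pattern expresses in one step; the codebase already relies on C# 12 (the collection expression in HyperTechCrackProof.cs in this commit), so `if (pex.HeaderPaddingStrings is { Count: > 0 })` is available and also gives the compiler the non-null flow state for the body. The method continues outside the hunk.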