1 // copyright (c) 2017-2021 hors<horsicq@gmail.com>
2 //
3 // Permission is hereby granted, free of charge, to any person obtaining a copy
4 // of this software and associated documentation files (the "Software"), to deal
5 // in the Software without restriction, including without limitation the rights
6 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
7 // copies of the Software, and to permit persons to whom the Software is
8 // furnished to do so, subject to the following conditions:
9
10 // The above copyright notice and this permission notice shall be included in all
11 // copies or substantial portions of the Software.
12
13 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 // SOFTWARE.
20 //
21
22 #include "specabstract.h"
23 #include "signatures.cpp"
24
SpecAbstract(QObject * pParent)25 SpecAbstract::SpecAbstract(QObject *pParent)
26 {
27 Q_UNUSED(pParent)
28 }
29
scan(QIODevice * pDevice,SpecAbstract::SCAN_RESULT * pScanResult,qint64 nOffset,qint64 nSize,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,bool bInit,bool * pbIsStop)30 void SpecAbstract::scan(QIODevice *pDevice, SpecAbstract::SCAN_RESULT *pScanResult, qint64 nOffset, qint64 nSize, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, bool bInit, bool *pbIsStop)
31 {
32 bool __bIsStop=false;
33
34 if(pbIsStop==nullptr)
35 {
36 pbIsStop=&__bIsStop;
37 }
38
39 QElapsedTimer scanTimer;
40
41 if(bInit)
42 {
43 scanTimer.start();
44 }
45
46 pScanResult->sFileName=XBinary::getDeviceFileName(pDevice);
47
48 SubDevice sd(pDevice,nOffset,nSize);
49
50 if(sd.open(QIODevice::ReadOnly)&&(!(*pbIsStop)))
51 {
52 QSet<XBinary::FT> stFileTypes=XBinary::getFileTypes(&sd,true);
53
54 if((pOptions->fileType!=XBinary::FT_UNKNOWN)&&(bInit))
55 {
56 XBinary::filterFileTypes(&stFileTypes,pOptions->fileType);
57 }
58
59 if(stFileTypes.contains(XBinary::FT_PE32)||stFileTypes.contains(XBinary::FT_PE64))
60 {
61 SpecAbstract::PEINFO_STRUCT pe_info=SpecAbstract::getPEInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
62
63 pScanResult->listRecords.append(pe_info.basic_info.listDetects);
64 pScanResult->listHeurs.append(pe_info.basic_info.listHeurs);
65 }
66 else if(stFileTypes.contains(XBinary::FT_ELF32)||stFileTypes.contains(XBinary::FT_ELF64))
67 {
68 SpecAbstract::ELFINFO_STRUCT elf_info=SpecAbstract::getELFInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
69
70 pScanResult->listRecords.append(elf_info.basic_info.listDetects);
71 pScanResult->listHeurs.append(elf_info.basic_info.listHeurs);
72 }
73 else if(stFileTypes.contains(XBinary::FT_MACHO32)||stFileTypes.contains(XBinary::FT_MACHO64))
74 {
75 SpecAbstract::MACHOINFO_STRUCT mach_info=SpecAbstract::getMACHOInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
76
77 pScanResult->listRecords.append(mach_info.basic_info.listDetects);
78 pScanResult->listHeurs.append(mach_info.basic_info.listHeurs);
79 }
80 else if(stFileTypes.contains(XBinary::FT_LE)||stFileTypes.contains(XBinary::FT_LX))
81 {
82 SpecAbstract::LEINFO_STRUCT le_info=SpecAbstract::getLEInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
83
84 pScanResult->listRecords.append(le_info.basic_info.listDetects);
85 pScanResult->listHeurs.append(le_info.basic_info.listHeurs);
86 }
87 else if(stFileTypes.contains(XBinary::FT_NE))
88 {
89 SpecAbstract::NEINFO_STRUCT ne_info=SpecAbstract::getNEInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
90
91 pScanResult->listRecords.append(ne_info.basic_info.listDetects);
92 pScanResult->listHeurs.append(ne_info.basic_info.listHeurs);
93 }
94 else if(stFileTypes.contains(XBinary::FT_MSDOS))
95 {
96 SpecAbstract::MSDOSINFO_STRUCT msdos_info=SpecAbstract::getMSDOSInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
97
98 pScanResult->listRecords.append(msdos_info.basic_info.listDetects);
99 pScanResult->listHeurs.append(msdos_info.basic_info.listHeurs);
100 }
101 else if(stFileTypes.contains(XBinary::FT_ZIP))
102 {
103 SpecAbstract::ZIPINFO_STRUCT zip_info=SpecAbstract::getZIPInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
104
105 pScanResult->listRecords.append(zip_info.basic_info.listDetects);
106 pScanResult->listHeurs.append(zip_info.basic_info.listHeurs);
107 }
108 else if(stFileTypes.contains(XBinary::FT_MACHOFAT))
109 {
110 SpecAbstract::MACHOFATINFO_STRUCT zip_info=SpecAbstract::getMACHOFATInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
111
112 pScanResult->listRecords.append(zip_info.basic_info.listDetects);
113 pScanResult->listHeurs.append(zip_info.basic_info.listHeurs);
114 }
115 else if(stFileTypes.contains(XBinary::FT_DEX))
116 {
117 SpecAbstract::DEXINFO_STRUCT dex_info=SpecAbstract::getDEXInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
118
119 pScanResult->listRecords.append(dex_info.basic_info.listDetects);
120 pScanResult->listHeurs.append(dex_info.basic_info.listHeurs);
121 }
122 else
123 {
124 SpecAbstract::BINARYINFO_STRUCT binary_info=SpecAbstract::getBinaryInfo(&sd,parentId,pOptions,nOffset,pbIsStop);
125
126 pScanResult->listRecords.append(binary_info.basic_info.listDetects);
127 pScanResult->listHeurs.append(binary_info.basic_info.listHeurs);
128 }
129
130 sd.close();
131 }
132
133 // if(pOptions->bIsTest)
134 // {
135 // QList<SpecAbstract::SCAN_STRUCT> _listDetects;
136
137 // int nNumberOfRecords=pScanResult->listRecords.count();
138
139 // for(int i=0;i<nNumberOfRecords;i++)
140 // {
141 // if(pScanResult->listRecords.at(i).sInfo=="TEST")
142 // {
143 // _listDetects.append(pScanResult->listRecords.at(i));
144 // }
145 // }
146
147 // pScanResult->listRecords=_listDetects;
148 // }
149
150 if(bInit)
151 {
152 pScanResult->nScanTime=scanTimer.elapsed();
153 }
154 }
155
append(QString sResult,QString sString)156 QString SpecAbstract::append(QString sResult, QString sString)
157 {
158 return XBinary::appendText(sResult,sString,",");
159 }
160
recordFilePartIdToString(SpecAbstract::RECORD_FILEPART id)161 QString SpecAbstract::recordFilePartIdToString(SpecAbstract::RECORD_FILEPART id)
162 {
163 QString sResult=tr("Unknown");
164
165 switch(id)
166 {
167 // TODO more
168 case RECORD_FILEPART_UNKNOWN: sResult=tr("Unknown"); break;
169 case RECORD_FILEPART_HEADER: sResult=tr("Header"); break;
170 case RECORD_FILEPART_OVERLAY: sResult=tr("Overlay"); break;
171 case RECORD_FILEPART_ARCHIVERECORD: sResult=tr("Archive record"); break;
172 }
173
174 return sResult;
175 }
176
recordTypeIdToString(RECORD_TYPE id)177 QString SpecAbstract::recordTypeIdToString(RECORD_TYPE id)
178 {
179 QString sResult=tr("Unknown");
180
181 switch(id)
182 {
183 case RECORD_TYPE_UNKNOWN: sResult=tr("Unknown"); break;
184 case RECORD_TYPE_APKOBFUSCATOR: sResult=QString("APK %1").arg(tr("obfuscator")); break;
185 case RECORD_TYPE_APKTOOL: sResult=QString("APK %1").arg(tr("Tool")); break;
186 case RECORD_TYPE_CERTIFICATE: sResult=tr("Certificate"); break;
187 case RECORD_TYPE_COMPILER: sResult=tr("Compiler"); break;
188 case RECORD_TYPE_CONVERTER: sResult=tr("Converter"); break;
189 case RECORD_TYPE_CRYPTOR: sResult=tr("Cryptor"); break;
190 case RECORD_TYPE_DATABASE: sResult=tr("Database"); break;
191 case RECORD_TYPE_DEBUGDATA: sResult=tr("Debug data"); break;
192 case RECORD_TYPE_DONGLEPROTECTION: sResult=QString("Dongle %1").arg(tr("protection")); break;
193 case RECORD_TYPE_DOSEXTENDER: sResult=QString("DOS %1").arg(tr("extender")); break;
194 case RECORD_TYPE_FORMAT: sResult=tr("Format"); break;
195 case RECORD_TYPE_GENERIC: sResult=tr("Generic"); break;
196 case RECORD_TYPE_IMAGE: sResult=tr("Image"); break;
197 case RECORD_TYPE_INSTALLER: sResult=tr("Installer"); break;
198 case RECORD_TYPE_INSTALLERDATA: sResult=tr("Installer data"); break;
199 case RECORD_TYPE_JAROBFUSCATOR: sResult=QString("JAR %1").arg(tr("obfuscator")); break;
200 case RECORD_TYPE_JOINER: sResult=tr("Joiner"); break;
201 case RECORD_TYPE_LANGUAGE: sResult=tr("Language"); break;
202 case RECORD_TYPE_LIBRARY: sResult=tr("Library"); break;
203 case RECORD_TYPE_LINKER: sResult=tr("Linker"); break;
204 case RECORD_TYPE_NETCOMPRESSOR: sResult=QString(".NET %1").arg(tr("compressor")); break;
205 case RECORD_TYPE_NETOBFUSCATOR: sResult=QString(".NET %1").arg(tr("obfuscator")); break;
206 case RECORD_TYPE_OPERATIONSYSTEM: sResult=tr("Operation system"); break;
207 case RECORD_TYPE_PACKER: sResult=tr("Packer"); break;
208 case RECORD_TYPE_PETOOL: sResult=QString("PE %1").arg(tr("Tool")); break;
209 case RECORD_TYPE_PROTECTOR: sResult=tr("Protector"); break;
210 case RECORD_TYPE_PROTECTORDATA: sResult=tr("Protector data"); break;
211 case RECORD_TYPE_SFX: sResult=QString("SFX"); break;
212 case RECORD_TYPE_SFXDATA: sResult=QString("SFX %1").arg(tr("data")); break;
213 case RECORD_TYPE_SIGNTOOL: sResult=tr("Sign tool"); break;
214 case RECORD_TYPE_SOURCECODE: sResult=tr("Source code"); break;
215 case RECORD_TYPE_STUB: sResult=tr("Stub"); break;
216 case RECORD_TYPE_TOOL: sResult=tr("Tool"); break;
217 case RECORD_TYPE_VIRTUALMACHINE: sResult=tr("Virtual machine"); break;
218 }
219
220 return sResult;
221 }
222
recordNameIdToString(RECORD_NAME id)223 QString SpecAbstract::recordNameIdToString(RECORD_NAME id)
224 {
225 QString sResult=tr("Unknown");
226
227 switch(id)
228 {
229 case RECORD_NAME_UNKNOWN: sResult=QString("Unknown"); break;
230 case RECORD_NAME_12311134: sResult=QString("12311134"); break;
231 case RECORD_NAME_1337EXECRYPTER: sResult=QString("1337 Exe Crypter"); break;
232 case RECORD_NAME_32LITE: sResult=QString("32Lite"); break;
233 case RECORD_NAME_7Z: sResult=QString("7-Zip"); break;
234 case RECORD_NAME_AASE: sResult=QString("Aase"); break;
235 case RECORD_NAME_ABCCRYPTOR: sResult=QString("ABC Cryptor"); break;
236 case RECORD_NAME_ACPROTECT: sResult=QString("ACProtect"); break;
237 case RECORD_NAME_ACTIVEMARK: sResult=QString("ActiveMARK"); break;
238 case RECORD_NAME_ACTUALINSTALLER: sResult=QString("Actual Installer"); break;
239 case RECORD_NAME_ADVANCEDINSTALLER: sResult=QString("Advanced Installer"); break;
240 case RECORD_NAME_ADVANCEDUPXSCRAMMBLER: sResult=QString("Advanced UPX Scrammbler"); break;
241 case RECORD_NAME_AESOBFUSCATOR: sResult=QString("AESObfuscator"); break;
242 case RECORD_NAME_AFFILLIATEEXE: sResult=QString("AffilliateEXE"); break;
243 case RECORD_NAME_AGAINNATIVITYCRYPTER: sResult=QString("Again Nativity Crypter"); break;
244 case RECORD_NAME_AGILENET: sResult=QString("Agile .NET"); break;
245 case RECORD_NAME_AHPACKER: sResult=QString("AHPacker"); break;
246 case RECORD_NAME_AHTEAMEPPROTECTOR: sResult=QString("AHTeam EP Protector"); break;
247 case RECORD_NAME_AINEXE: sResult=QString("AINEXE"); break;
248 case RECORD_NAME_AIX: sResult=QString("AIX"); break;
249 case RECORD_NAME_ALCHEMYMINDWORKS: sResult=QString("Alchemy Mindworks"); break;
250 case RECORD_NAME_ALEXPROTECTOR: sResult=QString("Alex Protector"); break;
251 case RECORD_NAME_ALIASOBJ: sResult=QString("ALIASOBJ"); break;
252 case RECORD_NAME_ALIBABAPROTECTION: sResult=QString("Alibaba Protection"); break;
253 case RECORD_NAME_ALIPAYOBFUSCATOR: sResult=QString("Alipay Obfuscator"); break;
254 case RECORD_NAME_ALLATORIOBFUSCATOR: sResult=QString("Allatori Obfuscator"); break;
255 case RECORD_NAME_ALLOY: sResult=QString("Alloy"); break;
256 case RECORD_NAME_ALPINELINUX: sResult=QString("Alpine Linux"); break;
257 case RECORD_NAME_ANDPAKK2: sResult=QString("ANDpakk2"); break;
258 case RECORD_NAME_ANDROID: sResult=QString("Android"); break;
259 case RECORD_NAME_ANDROIDAPKSIGNER: sResult=QString("Android apksigner"); break;
260 case RECORD_NAME_ANDROIDARSC: sResult=QString("Android ARSC"); break;
261 case RECORD_NAME_ANDROIDCLANG: sResult=QString("Android clang"); break;
262 case RECORD_NAME_ANDROIDJETPACK: sResult=QString("Android Jetpack"); break;
263 case RECORD_NAME_ANDROIDGRADLE: sResult=QString("Android Gradle"); break;
264 case RECORD_NAME_ANDROIDMAVENPLUGIN: sResult=QString("Android Maven Plugin"); break;
265 case RECORD_NAME_ANDROIDNDK: sResult=QString("Android NDK"); break;
266 case RECORD_NAME_ANDROIDSDK: sResult=QString("Android SDK"); break;
267 case RECORD_NAME_ANDROIDSIGNAPK: sResult=QString("Android SignApk"); break;
268 case RECORD_NAME_ANDROIDXML: sResult=QString("Android XML"); break;
269 case RECORD_NAME_ANSKYAPOLYMORPHICPACKER: sResult=QString("Anskya Polymorphic Packer"); break;
270 case RECORD_NAME_ANSLYMPACKER: sResult=QString("AnslymPacker"); break;
271 case RECORD_NAME_ANTIDOTE: sResult=QString("AntiDote"); break;
272 case RECORD_NAME_ANTILVL: sResult=QString("AntiLVL"); break;
273 case RECORD_NAME_APACHEANT: sResult=QString("Apache Ant"); break;
274 case RECORD_NAME_APACK: sResult=QString("aPACK"); break;
275 case RECORD_NAME_APK_SIGNER: sResult=QString("apk-signer"); break;
276 case RECORD_NAME_APKEDITOR: sResult=QString("ApkEditor"); break;
277 case RECORD_NAME_APKENCRYPTOR: sResult=QString("ApkEncryptor"); break;
278 case RECORD_NAME_APKMODIFIERSIGNAPK: sResult=QString("ApkModifier SignApk"); break;
279 case RECORD_NAME_APKPROTECT: sResult=QString("APKProtect"); break;
280 case RECORD_NAME_APKPROTECTOR: sResult=QString("ApkProtector"); break;
281 case RECORD_NAME_APKSIGNATURESCHEME: sResult=QString("APK Signature Scheme"); break;
282 case RECORD_NAME_APKSIGNER: sResult=QString("ApkSigner"); break;
283 case RECORD_NAME_APKTOOLPLUS: sResult=QString("ApkToolPlus"); break;
284 case RECORD_NAME_APPGUARD: sResult=QString("AppGuard"); break;
285 case RECORD_NAME_APPIMAGE: sResult=QString("AppImage"); break;
286 case RECORD_NAME_APPLEJDK: sResult=QString("Apple JDK"); break;
287 case RECORD_NAME_APPLELLVM: sResult=QString("Apple LLVM"); break;
288 case RECORD_NAME_APPORTABLECLANG: sResult=QString("Apportable clang"); break;
289 case RECORD_NAME_APPSOLID: sResult=QString("AppSolid"); break;
290 case RECORD_NAME_ARCRYPT: sResult=QString("AR Crypt"); break;
291 case RECORD_NAME_ARJ: sResult=QString("ARJ"); break;
292 case RECORD_NAME_ARMADILLO: sResult=QString("Armadillo"); break;
293 case RECORD_NAME_ARMASSEMBLER: sResult=QString("ARM Assembler"); break;
294 case RECORD_NAME_ARMC: sResult=QString("ARM C"); break;
295 case RECORD_NAME_ARMCCPP: sResult=QString("ARM C/C++"); break;
296 case RECORD_NAME_ARMLINKER: sResult=QString("ARM Linker"); break;
297 case RECORD_NAME_ARMNEONCCPP: sResult=QString("ARM NEON C/C++"); break;
298 case RECORD_NAME_ARMPROTECTOR: sResult=QString("ARM Protector"); break;
299 case RECORD_NAME_ARMTHUMBCCPP: sResult=QString("ARM/Thumb C/C++"); break;
300 case RECORD_NAME_ARMTHUMBMACROASSEMBLER: sResult=QString("ARM/Thumb Macro Assembler"); break;
301 case RECORD_NAME_AROS: sResult=QString("Amiga Research OS"); break;
302 case RECORD_NAME_ASDPACK: sResult=QString("ASDPack"); break;
303 case RECORD_NAME_ASSEMBLER: sResult=QString("Assembler"); break;
304 case RECORD_NAME_ASPACK: sResult=QString("ASPack"); break;
305 case RECORD_NAME_ASPLINUX: sResult=QString("ASPLinux"); break;
306 case RECORD_NAME_ASPROTECT: sResult=QString("ASProtect"); break;
307 case RECORD_NAME_ASSCRYPTER: sResult=QString("Ass Crypter"); break;
308 case RECORD_NAME_ASSEMBLYINVOKE: sResult=QString("AssemblyInvoke"); break;
309 case RECORD_NAME_AU: sResult=QString("AU"); break;
310 case RECORD_NAME_AUTOIT: sResult=QString("AutoIt"); break;
311 case RECORD_NAME_AVASTANTIVIRUS: sResult=QString("Avast Antivirus"); break;
312 case RECORD_NAME_AVERCRYPTOR: sResult=QString("AverCryptor"); break;
313 case RECORD_NAME_AVI: sResult=QString("AVI"); break;
314 case RECORD_NAME_AVPACK: sResult=QString("AVPACK"); break;
315 case RECORD_NAME_AZPROTECT: sResult=QString("AZProtect"); break;
316 case RECORD_NAME_BABELNET: sResult=QString("Babel .NET"); break;
317 case RECORD_NAME_BACKDOORPECOMPRESSPROTECTOR: sResult=QString("Backdoor PE Compress Protector"); break;
318 case RECORD_NAME_BAIDUSIGNATUREPLATFORM: sResult=QString("Baidu Signature platform"); break;
319 case RECORD_NAME_BAIDUPROTECTION: sResult=QString("Baidu Protection"); break;
320 case RECORD_NAME_BAMBAM: sResult=QString("bambam"); break;
321 case RECORD_NAME_BANGCLEPROTECTION: sResult=QString("Bangcle Protection"); break;
322 case RECORD_NAME_BASIC: sResult=QString("BASIC"); break;
323 case RECORD_NAME_BASIC4ANDROID: sResult=QString("Basic4Android"); break;
324 case RECORD_NAME_BAT2EXEC: sResult=QString("BAT2EXEC"); break;
325 case RECORD_NAME_BEAWEBLOGIC: sResult=QString("BEA WebLogic"); break;
326 case RECORD_NAME_BEROEXEPACKER: sResult=QString("BeRoEXEPacker"); break;
327 case RECORD_NAME_BIOHAZARDCRYPTER: sResult=QString("Biohazard Crypter"); break;
328 case RECORD_NAME_BITROCKINSTALLER: sResult=QString("BitRock Installer"); break;
329 case RECORD_NAME_BITSHAPEPECRYPT: sResult=QString("BitShape PE Crypt"); break;
330 case RECORD_NAME_BLADEJOINER: sResult=QString("Blade Joiner"); break;
331 case RECORD_NAME_BORLANDCCPP: sResult=QString("Borland C/C++"); break;
332 case RECORD_NAME_BORLANDCPP: sResult=QString("Borland C++"); break;
333 case RECORD_NAME_BORLANDCPPBUILDER: sResult=QString("Borland C++ Builder"); break;
334 case RECORD_NAME_BORLANDDELPHI: sResult=QString("Borland Delphi"); break;
335 case RECORD_NAME_BORLANDDELPHIDOTNET: sResult=QString("Borland Delphi .NET"); break;
336 case RECORD_NAME_BORLANDOBJECTPASCAL: sResult=QString("Borland Object Pascal"); break;
337 case RECORD_NAME_BREAKINTOPATTERN: sResult=QString("Break Into Pattern"); break;
338 case RECORD_NAME_BTWORKSCODEGUARD: sResult=QString("Btworks CodeGuard"); break;
339 case RECORD_NAME_BUNDLETOOL: sResult=QString("BundleTool"); break;
340 case RECORD_NAME_BYTEDANCESECCOMPILER: sResult=QString("ByteDance-SecCompiler"); break;
341 case RECORD_NAME_BYTEGUARD: sResult=QString("ByteGuard"); break;
342 case RECORD_NAME_BZIP2: sResult=QString("bzip2"); break;
343 case RECORD_NAME_C: sResult=QString("C"); break;
344 case RECORD_NAME_CAB: sResult=QString("CAB"); break;
345 case RECORD_NAME_CARBON: sResult=QString("Carbon"); break;
346 case RECORD_NAME_CAUSEWAY: sResult=QString("CauseWay"); break;
347 case RECORD_NAME_CCBYVORONTSOV: sResult=QString("CC by Vorontsov"); break;
348 case RECORD_NAME_CCBYUNIHACKERS: sResult=QString("CC by UniHackers"); break;
349 case RECORD_NAME_CCPP: sResult=QString("C/C++"); break;
350 case RECORD_NAME_CELESTYFILEBINDER: sResult=QString("Celesty File Binder"); break;
351 case RECORD_NAME_CEXE: sResult=QString("CExe"); break;
352 case RECORD_NAME_CIGICIGICRYPTER: sResult=QString("Cigicigi Crypter"); break;
353 case RECORD_NAME_CIL: sResult=QString("cil"); break;
354 case RECORD_NAME_CLANG: sResult=QString("clang"); break;
355 case RECORD_NAME_CLICKTEAM: sResult=QString("ClickTeam"); break;
356 case RECORD_NAME_CLISECURE: sResult=QString("CliSecure"); break;
357 case RECORD_NAME_COCOA: sResult=QString("Cocoa"); break;
358 case RECORD_NAME_CODEGEARCPP: sResult=QString("CodeGear C++"); break;
359 case RECORD_NAME_CODEGEARCPPBUILDER: sResult=QString("CodeGear C++ Builder"); break;
360 case RECORD_NAME_CODEGEARDELPHI: sResult=QString("CodeGear Delphi"); break;
361 case RECORD_NAME_CODEGEAROBJECTPASCAL: sResult=QString("Codegear Object Pascal"); break;
362 case RECORD_NAME_CODEVEIL: sResult=QString("CodeVeil"); break;
363 case RECORD_NAME_CODEWALL: sResult=QString("CodeWall"); break;
364 case RECORD_NAME_COFF: sResult=QString("COFF"); break;
365 case RECORD_NAME_COMEXSIGNAPK: sResult=QString("COMEX SignApk"); break;
366 case RECORD_NAME_COMPOUNDFILEBINARYFORMAT: sResult=QString("Compound File Binary Format"); break;
367 case RECORD_NAME_CONFUSER: sResult=QString("Confuser"); break;
368 case RECORD_NAME_CONFUSEREX: sResult=QString("ConfuserEx"); break;
369 case RECORD_NAME_COPYMINDER: sResult=QString("CopyMinder"); break;
370 case RECORD_NAME_CPP: sResult=QString("C++"); break;
371 case RECORD_NAME_CREATEINSTALL: sResult=QString("CreateInstall"); break;
372 case RECORD_NAME_CRINKLER: sResult=QString("Crinkler"); break;
373 case RECORD_NAME_CHROMIUMCRASHPAD: sResult=QString("Chromium Crashpad"); break;
374 case RECORD_NAME_CRUNCH: sResult=QString("Crunch"); break;
375 case RECORD_NAME_CRYEXE: sResult=QString("CryEXE"); break;
376 case RECORD_NAME_CRYPTABLESEDUCATION: sResult=QString("Cryptable Seduction"); break;
377 case RECORD_NAME_CRYPTCOM: sResult=QString("CryptCom"); break;
378 case RECORD_NAME_CRYPTDISMEMBER: sResult=QString("Crypt(Dismember)"); break;
379 case RECORD_NAME_CRYPTER: sResult=QString("Crypter"); break;
380 case RECORD_NAME_CRYPTIC: sResult=QString("Cryptic"); break;
381 case RECORD_NAME_CRYPTOCRACKPEPROTECTOR: sResult=QString("CrypToCrack Pe Protector"); break;
382 case RECORD_NAME_CRYPTOOBFUSCATORFORNET: sResult=QString("Crypto Obfuscator For .Net"); break;
383 case RECORD_NAME_CRYPTORBYDISMEMBER: sResult=QString("Cryptor by Dismember"); break;
384 case RECORD_NAME_CRYPTOZ: sResult=QString("CRyptOZ"); break;
385 case RECORD_NAME_CRYPTRROADS: sResult=QString("Crypt R.roads"); break;
386 case RECORD_NAME_CSHARP: sResult=QString("C#"); break;
387 case RECORD_NAME_CVTOMF: sResult=QString("CVTOMF"); break;
388 case RECORD_NAME_CVTPGD: sResult=QString("Cvtpgd"); break;
389 case RECORD_NAME_CVTRES: sResult=QString("CVTRES"); break;
390 case RECORD_NAME_CWSDPMI: sResult=QString("CWSDPMI"); break;
391 case RECORD_NAME_CYGWIN: sResult=QString("Cygwin"); break;
392 case RECORD_NAME_D: sResult=QString("D"); break;
393 case RECORD_NAME_D2JAPKSIGN: sResult=QString("d2j-apk-sign"); break;
394 case RECORD_NAME_DALKRYPT: sResult=QString("DalKrypt"); break;
395 case RECORD_NAME_DALVIK: sResult=QString("Dalvik"); break;
396 case RECORD_NAME_DBPE: sResult=QString("DBPE"); break;
397 case RECORD_NAME_DCRYPTPRIVATE: sResult=QString("DCrypt Private"); break;
398 case RECORD_NAME_DEB: sResult=QString("DEB"); break;
399 case RECORD_NAME_DEBIANLINUX: sResult=QString("Debian Linux"); break;
400 case RECORD_NAME_DEEPSEA: sResult=QString("DeepSea"); break;
401 case RECORD_NAME_DEPACK: sResult=QString("dePack"); break;
402 case RECORD_NAME_DEPLOYMASTER: sResult=QString("DeployMaster"); break;
403 case RECORD_NAME_DEX: sResult=QString("DEX"); break;
404 case RECORD_NAME_DEX2JAR: sResult=QString("dex2jar"); break;
405 case RECORD_NAME_DEXGUARD: sResult=QString("DexGuard"); break;
406 case RECORD_NAME_DEXLIB: sResult=QString("dexlib"); break;
407 case RECORD_NAME_DEXLIB2: sResult=QString("dexlib2"); break;
408 case RECORD_NAME_DEXMERGE: sResult=QString("DexMerge"); break;
409 case RECORD_NAME_DEXPROTECTOR: sResult=QString("DexProtector"); break;
410 case RECORD_NAME_DJVU: sResult=QString("DjVu"); break;
411 case RECORD_NAME_DIET: sResult=QString("DIET"); break;
412 case RECORD_NAME_DINGBAOZENGNATIVEOBFUSCATOR: sResult=QString("Dingbaozeng native obfuscator"); break;
413 case RECORD_NAME_DIRTYCRYPTOR: sResult=QString("DirTy Cryptor"); break;
414 case RECORD_NAME_DMD32D: sResult=QString("DMD32 D"); break;
415 case RECORD_NAME_DNGUARD: sResult=QString("DNGuard"); break;
416 case RECORD_NAME_DOS16M: sResult=QString("DOS/16M"); break;
417 case RECORD_NAME_DOS4G: sResult=QString("DOS/4G"); break;
418 case RECORD_NAME_DOTBJFNT: sResult=QString(".BJFnt"); break;
419 case RECORD_NAME_DOTFIXNICEPROTECT: sResult=QString("DotFix Nice Protect"); break;
420 case RECORD_NAME_DOTFUSCATOR: sResult=QString("Dotfuscator"); break;
421 case RECORD_NAME_DOTNET: sResult=QString(".NET"); break;
422 case RECORD_NAME_DOTNETREACTOR: sResult=QString(".NET Reactor"); break;
423 case RECORD_NAME_DOTNETSHRINK: sResult=QString(".netshrink"); break;
424 case RECORD_NAME_DOTNETSPIDER: sResult=QString(".NET Spider"); break;
425 case RECORD_NAME_DOTNETZ: sResult=QString(".NETZ"); break;
426 case RECORD_NAME_DOTOOLSSIGNAPK: sResult=QString("dotools sign apk"); break;
427 case RECORD_NAME_DRAGONARMOR: sResult=QString("DragonArmor"); break;
428 case RECORD_NAME_DROPBOX: sResult=QString("Dropbox"); break;
429 case RECORD_NAME_DVCLAL: sResult=QString("DVCLAL"); break;
430 case RECORD_NAME_DX: sResult=QString("dx"); break;
431 case RECORD_NAME_DXSHIELD: sResult=QString("DxShield"); break;
432 case RECORD_NAME_DYAMAR: sResult=QString("DYAMAR"); break;
433 case RECORD_NAME_DYNASM: sResult=QString("DynASM"); break;
434 case RECORD_NAME_EASYPROTECTOR: sResult=QString("EasyProtector"); break;
435 case RECORD_NAME_EAZFUSCATOR: sResult=QString("Eazfuscator"); break;
436 case RECORD_NAME_ECLIPSE: sResult=QString("Eclipse"); break;
437 case RECORD_NAME_EMBARCADEROCPP: sResult=QString("Embarcadero C++"); break;
438 case RECORD_NAME_EMBARCADEROCPPBUILDER: sResult=QString("Embarcadero C++ Builder"); break;
439 case RECORD_NAME_EMBARCADERODELPHI: sResult=QString("Embarcadero Delphi"); break;
440 case RECORD_NAME_EMBARCADERODELPHIDOTNET: sResult=QString("Embarcadero Delphi .NET"); break;
441 case RECORD_NAME_EMBARCADEROOBJECTPASCAL: sResult=QString("Embarcadero Object Pascal"); break;
442 case RECORD_NAME_EMPTYFILE: sResult=QString("Empty File"); break;
443 case RECORD_NAME_ENCRYPTPE: sResult=QString("EncryptPE"); break;
444 case RECORD_NAME_ENIGMA: sResult=QString("ENIGMA"); break;
445 case RECORD_NAME_ENIGMAVIRTUALBOX: sResult=QString("Enigma Virtual Box"); break;
446 case RECORD_NAME_EPEXEPACK: sResult=QString("!EP(EXE Pack)"); break;
447 case RECORD_NAME_EPROT: sResult=QString("!EProt"); break;
448 case RECORD_NAME_EXCELSIORJET: sResult=QString("Excelsior JET"); break;
449 case RECORD_NAME_EXE32PACK: sResult=QString("exe32pack"); break;
450 case RECORD_NAME_EXECRYPT: sResult=QString("EXECrypt"); break;
451 case RECORD_NAME_EXECRYPTOR: sResult=QString("EXECryptor"); break;
452 case RECORD_NAME_EXEFOG: sResult=QString("ExeFog"); break;
453 case RECORD_NAME_EXEJOINER: sResult=QString("ExeJoiner"); break;
454 case RECORD_NAME_EXEMPLARINSTALLER: sResult=QString("Exemplar Installer"); break;
455 case RECORD_NAME_EXEPACK: sResult=QString("EXEPACK"); break;
456 case RECORD_NAME_EXEPASSWORDPROTECTOR: sResult=QString("EXE Password Protector"); break;
457 case RECORD_NAME_EXESAX: sResult=QString("ExeSax"); break;
458 case RECORD_NAME_EXESHIELD: sResult=QString("Exe Shield"); break;
459 case RECORD_NAME_EXESTEALTH: sResult=QString("ExeStealth"); break;
460 case RECORD_NAME_EXPORT: sResult=QString("Export"); break;
461 case RECORD_NAME_EXPRESSOR: sResult=QString("eXPressor"); break;
462 case RECORD_NAME_EXPRESSOR_KERNEL32: sResult=QString("eXPressor[Kernel32]"); break;
463 case RECORD_NAME_EXPRESSOR_USER32: sResult=QString("eXPressor[User32]"); break;
464 case RECORD_NAME_EZIP: sResult=QString("EZIP"); break;
465 case RECORD_NAME_FAKESIGNATURE: sResult=QString("Fake signature"); break;
466 case RECORD_NAME_FAKUSCRYPTOR: sResult=QString("Fakus Cryptor"); break;
467 case RECORD_NAME_FASM: sResult=QString("FASM"); break;
468 case RECORD_NAME_FASTFILECRYPT: sResult=QString("Fast File Crypt"); break;
469 case RECORD_NAME_FASTPROXY: sResult=QString("fast-proxy"); break;
470 case RECORD_NAME_FEARZCRYPTER: sResult=QString("fEaRz Crypter"); break;
471 case RECORD_NAME_FEARZPACKER: sResult=QString("fEaRz Packer"); break;
472 case RECORD_NAME_FENIXOS: sResult=QString("FenixOS"); break;
473 case RECORD_NAME_FILESHIELD: sResult=QString("FileShield"); break;
474 case RECORD_NAME_FISHNET: sResult=QString("FISH .NET"); break;
475 case RECORD_NAME_FISHPEPACKER: sResult=QString("Fish PE Packer"); break; // TODO Check name
476 case RECORD_NAME_FISHPESHIELD: sResult=QString("FishPE Shield"); break;
477 case RECORD_NAME_FLASHVIDEO: sResult=QString("Flash Video"); break;
478 case RECORD_NAME_FLEXLM: sResult=QString("Flex License Manager"); break;
479 case RECORD_NAME_FLEXNET: sResult=QString("FlexNet Licensing"); break;
480 case RECORD_NAME_FORTRAN: sResult=QString("Fortran"); break;
481 case RECORD_NAME_FPC: sResult=QString("Free Pascal"); break;
482 case RECORD_NAME_FREEBSD: sResult=QString("FreeBSD"); break;
483 case RECORD_NAME_FREECRYPTOR: sResult=QString("FreeCryptor"); break;
484 case RECORD_NAME_FSG: sResult=QString("FSG"); break;
485 case RECORD_NAME_GCC: sResult=QString("GCC"); break;
486 case RECORD_NAME_GENERIC: sResult=QString("Generic"); break;
487 case RECORD_NAME_GENERICLINKER: sResult=QString("Generic Linker"); break;
488 case RECORD_NAME_GENTEEINSTALLER: sResult=QString("Gentee Installer"); break;
489 case RECORD_NAME_GENTOOLINUX: sResult=QString("Gentoo Linux"); break;
490 case RECORD_NAME_GHAZZACRYPTER: sResult=QString("GhaZza CryPter"); break; // st
491 case RECORD_NAME_GHOSTINSTALLER: sResult=QString("Ghost Installer"); break;
492 case RECORD_NAME_GIF: sResult=QString("GIF"); break;
493 case RECORD_NAME_GIXPROTECTOR: sResult=QString("G!X Protector"); break;
494 case RECORD_NAME_GKRIPTO: sResult=QString("GKripto"); break;
495 case RECORD_NAME_GKSETUPSFX: sResult=QString("GkSetup SFX"); break;
496 case RECORD_NAME_GNUASSEMBLER: sResult=QString("GNU Assembler"); break;
497 case RECORD_NAME_GNULINKER: sResult=QString("GNU ld"); break;
498 case RECORD_NAME_GO: sResult=QString("Go"); break;
499 case RECORD_NAME_GOASM: sResult=QString("GoAsm"); break;
500 case RECORD_NAME_GOATSPEMUTILATOR: sResult=QString("Goat's PE Mutilator"); break;
501 case RECORD_NAME_GOLD: sResult=QString("gold"); break;
502 case RECORD_NAME_GOLIATHNET: sResult=QString("Goliath .NET"); break;
503 case RECORD_NAME_GOLINK: sResult=QString("GoLink"); break;
504 case RECORD_NAME_GOOGLE: sResult=QString("Google"); break;
505 case RECORD_NAME_GOOGLEPLAY: sResult=QString("Google Play"); break;
506 case RECORD_NAME_GPINSTALL: sResult=QString("GP-Install"); break;
507 case RECORD_NAME_GUARDIANSTEALTH: sResult=QString("Guardian Stealth"); break;
508 case RECORD_NAME_GZIP: sResult=QString("GZIP"); break;
509 case RECORD_NAME_H4CKY0UORGCRYPTER: sResult=QString("H4ck-y0u.org Crypter"); break;
510 case RECORD_NAME_HACCREWCRYPTER: sResult=QString("HAC Crew Crypter"); break;
511 case RECORD_NAME_HACKSTOP: sResult=QString("HackStop"); break;
512 case RECORD_NAME_HALVCRYPTER: sResult=QString("HaLV Crypter"); break;
513 case RECORD_NAME_HANCOMLINUX: sResult=QString("Hancom Linux"); break;
514 case RECORD_NAME_HDUS_WJUS: sResult=QString("Hdus-Wjus"); break;
515 case RECORD_NAME_HIAPKCOM: sResult=QString("www.HiAPK.com"); break;
516 case RECORD_NAME_HIDEANDPROTECT: sResult=QString("Hide&Protect"); break;
517 case RECORD_NAME_HIDEPE: sResult=QString("HidePE"); break;
518 case RECORD_NAME_HIKARIOBFUSCATOR: sResult=QString("HikariObfuscator"); break;
519 case RECORD_NAME_HMIMYSPACKER: sResult=QString("Hmimys Packer"); break;
520 case RECORD_NAME_HMIMYSPROTECTOR: sResult=QString("Hmimys's Protector"); break;
521 case RECORD_NAME_HOODLUM: sResult=QString("HOODLUM"); break;
522 case RECORD_NAME_HOUNDHACKCRYPTER: sResult=QString("Hound Hack Crypter"); break;
523 case RECORD_NAME_HPUX: sResult=QString("Hewlett-Packard HP-UX"); break;
524 case RECORD_NAME_HTML: sResult=QString("HTML"); break;
525 case RECORD_NAME_HXS: sResult=QString("HXS"); break;
526 case RECORD_NAME_IBMJDK: sResult=QString("IBM JDK"); break;
527 case RECORD_NAME_IBMPCPASCAL: sResult=QString("IBM PC Pascal"); break;
528 case RECORD_NAME_ICE: sResult=QString("ICE"); break;
529 case RECORD_NAME_ICRYPT: sResult=QString("ICrypt"); break;
530 case RECORD_NAME_IJIAMI: sResult=QString("iJiami"); break;
531 case RECORD_NAME_IJIAMILLVM: sResult=QString("iJiami LLVM"); break;
532 case RECORD_NAME_IKVMDOTNET: sResult=QString("IKVM.NET"); break;
533 case RECORD_NAME_IL2CPP: sResult=QString("IL2CPP"); break;
534 case RECORD_NAME_ILASM: sResult=QString("ILAsm"); break;
535 case RECORD_NAME_IMPORT: sResult=QString("Import"); break;
536 case RECORD_NAME_INFCRYPTOR: sResult=QString("INF Cryptor"); break;
537 case RECORD_NAME_INNOSETUP: sResult=QString("Inno Setup"); break;
538 case RECORD_NAME_INQUARTOSOBFUSCATOR: sResult=QString("Inquartos Obfuscator"); break;
539 case RECORD_NAME_INSTALL4J: sResult=QString("install4j"); break;
540 case RECORD_NAME_INSTALLANYWHERE: sResult=QString("InstallAnywhere"); break;
541 case RECORD_NAME_INSTALLSHIELD: sResult=QString("InstallShield"); break;
542 case RECORD_NAME_IOS: sResult=QString("iOS"); break;
543 case RECORD_NAME_IPA: sResult=QString("iOS App Store Package"); break;
544 case RECORD_NAME_IPBPROTECT: sResult=QString("iPB Protect"); break;
545 case RECORD_NAME_IRIX: sResult=QString("IRIX"); break;
546 case RECORD_NAME_ISO9660: sResult=QString("ISO 9660"); break;
547 case RECORD_NAME_JACK: sResult=QString("Jack"); break;
548 case RECORD_NAME_JAM: sResult=QString("JAM"); break;
549 case RECORD_NAME_JAR: sResult=QString("JAR"); break;
550 case RECORD_NAME_JAVA: sResult=QString("Java"); break;
551 case RECORD_NAME_JAVACOMPILEDCLASS: sResult=QString("Java compiled class"); break;
552 case RECORD_NAME_JDK: sResult=QString("JDK"); break;
553 case RECORD_NAME_JDPACK: sResult=QString("JDPack"); break;
554 case RECORD_NAME_JETBRAINS: sResult=QString("JetBrains"); break;
555 case RECORD_NAME_JIAGU: sResult=QString("jiagu"); break;
556 case RECORD_NAME_JPEG: sResult=QString("JPEG"); break;
557 case RECORD_NAME_JVM: sResult=QString("JVM"); break;
558 case RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER: sResult=QString("KaOs PE-DLL eXecutable Undetecter"); break;
559 case RECORD_NAME_KBYS: sResult=QString("KByS"); break;
560 case RECORD_NAME_KCRYPTOR: sResult=QString("K!Cryptor"); break;
561 case RECORD_NAME_KGBCRYPTER: sResult=QString("KGB Crypter"); break;
562 case RECORD_NAME_KIAMSCRYPTOR: sResult=QString("KiAms Cryptor"); break;
563 case RECORD_NAME_KIRO: sResult=QString("Kiro"); break;
564 case RECORD_NAME_KIWIVERSIONOBFUSCATOR: sResult=QString("Kiwi Version Obfuscator"); break;
565 case RECORD_NAME_KKRUNCHY: sResult=QString("kkrunchy"); break;
566 case RECORD_NAME_KOTLIN: sResult=QString("Kotlin"); break;
567 case RECORD_NAME_KRATOSCRYPTER: sResult=QString("Kratos Crypter"); break;
568 case RECORD_NAME_KRYPTON: sResult=QString("Krypton"); break;
569 case RECORD_NAME_KUR0KX2TO: sResult=QString("Kur0k.X2.to"); break;
570 case RECORD_NAME_LAMECRYPT: sResult=QString("LameCrypt"); break;
571 case RECORD_NAME_LARP64: sResult=QString("lARP64"); break;
572 case RECORD_NAME_LAYHEYFORTRAN90: sResult=QString("Lahey Fortran 90"); break;
573 case RECORD_NAME_LAZARUS: sResult=QString("Lazarus"); break;
574 case RECORD_NAME_LCCLNK: sResult=QString("lcclnk"); break;
575 case RECORD_NAME_LCCWIN: sResult=QString("lcc-win"); break;
576 case RECORD_NAME_LGLZ: sResult=QString("LGLZ"); break;
577 case RECORD_NAME_LHA: sResult=QString("LHA"); break;
578 case RECORD_NAME_LHASSFX: sResult=QString("LHA's SFX"); break;
579 case RECORD_NAME_LIAPP: sResult=QString("LIAPP"); break;
580 case RECORD_NAME_LIGHTNINGCRYPTERPRIVATE: sResult=QString("Lightning Crypter Private"); break;
581 case RECORD_NAME_LIGHTNINGCRYPTERSCANTIME: sResult=QString("Lightning Crypter ScanTime"); break;
582 case RECORD_NAME_LINUX: sResult=QString("Linux"); break;
583 case RECORD_NAME_LLD: sResult=QString("LDD"); break;
584 case RECORD_NAME_LOCKTITE: sResult=QString("LockTite+"); break;
585 case RECORD_NAME_LSCRYPRT: sResult=QString("LSCRYPT"); break;
586 case RECORD_NAME_LUACOMPILED: sResult=QString("Lua compiled"); break;
587 case RECORD_NAME_LUCYPHER: sResult=QString("LuCypher"); break;
588 case RECORD_NAME_LZEXE: sResult=QString("LZEXE"); break;
589 case RECORD_NAME_LZFSE: sResult=QString("LZFSE"); break;
590 case RECORD_NAME_MACHOFAT: sResult=QString("Mach-O FAT"); break;
591 case RECORD_NAME_MACOS: sResult=QString("macOS"); break;
592 case RECORD_NAME_MACROBJECT: sResult=QString("Macrobject"); break;
593 case RECORD_NAME_MALPACKER: sResult=QString("Mal Packer"); break;
594 case RECORD_NAME_MANDRAKELINUX: sResult=QString("Mandrake Linux"); break;
595 case RECORD_NAME_MASKPE: sResult=QString("MaskPE"); break;
596 case RECORD_NAME_MASM: sResult=QString("MASM"); break;
597 case RECORD_NAME_MASM32: sResult=QString("MASM32"); break;
598 case RECORD_NAME_MAXTOCODE: sResult=QString("MaxtoCode"); break;
599 case RECORD_NAME_MEDUSAH: sResult=QString("Medusah"); break;
600 case RECORD_NAME_MEW10: sResult=QString("MEW10"); break;
601 case RECORD_NAME_MEW11SE: sResult=QString("MEW11 SE"); break;
602 case RECORD_NAME_MFC: sResult=QString("MFC"); break;
603 case RECORD_NAME_MICROSOFTACCESS: sResult=QString("Microsoft Access"); break;
604 case RECORD_NAME_MICROSOFTC: sResult=QString("Microsoft C"); break;
605 case RECORD_NAME_MICROSOFTCOMPILEDHTMLHELP: sResult=QString("Microsoft Compiled HTML Help"); break;
606 case RECORD_NAME_MICROSOFTCOMPOUND: sResult=QString("Microsoft Compound"); break;
607 case RECORD_NAME_MICROSOFTCPP: sResult=QString("Microsoft C++"); break;
608 case RECORD_NAME_MICROSOFTDOTNETFRAMEWORK: sResult=QString("Microsoft .NET Framework"); break;
609 case RECORD_NAME_MICROSOFTEXCEL: sResult=QString("Microsoft Excel"); break;
610 case RECORD_NAME_MICROSOFTLINKER: sResult=QString("Microsoft linker"); break;
611 case RECORD_NAME_MICROSOFTLINKERDATABASE: sResult=QString("Microsoft Linker Database"); break;
612 case RECORD_NAME_MICROSOFTOFFICE: sResult=QString("Microsoft Office"); break;
613 case RECORD_NAME_MICROSOFTOFFICEWORD: sResult=QString("Microsoft Office Word"); break;
614 case RECORD_NAME_MICROSOFTPHOENIX: sResult=QString("Microsoft Phoenix"); break;
615 case RECORD_NAME_MICROSOFTVISIO: sResult=QString("Microsoft Visio"); break;
616 case RECORD_NAME_MICROSOFTVISUALSTUDIO: sResult=QString("Microsoft Visual Studio"); break;
617 case RECORD_NAME_MICROSOFTWINHELP: sResult=QString("Microsoft WinHelp"); break;
618 case RECORD_NAME_MINGW: sResult=QString("MinGW"); break;
619 case RECORD_NAME_MINKE: sResult=QString("Minke"); break;
620 case RECORD_NAME_MKFPACK: sResult=QString("MKFPack"); break;
621 case RECORD_NAME_MOBILETENCENTPROTECT: sResult=QString("Mobile Tencent Protect"); break;
622 case RECORD_NAME_MODESTO: sResult=QString("Novell Modesto"); break;
623 case RECORD_NAME_MODGUARD: sResult=QString("ModGuard"); break;
624 case RECORD_NAME_MOLEBOX: sResult=QString("MoleBox"); break;
625 case RECORD_NAME_MOLEBOXULTRA: sResult=QString("MoleBox Ultra"); break;
626 case RECORD_NAME_MONEYCRYPTER: sResult=QString("Money Crypter"); break;
627 case RECORD_NAME_MORPHNAH: sResult=QString("Morphnah"); break;
628 case RECORD_NAME_MORTALTEAMCRYPTER: sResult=QString("Mortal Team Crypter"); break;
629 case RECORD_NAME_MORTALTEAMCRYPTER2: sResult=QString("Mortal Team Crypter 2"); break;
630 case RECORD_NAME_MORUKCREWCRYPTERPRIVATE: sResult=QString("MoruK creW Crypter Private"); break;
631 case RECORD_NAME_MOTODEVSTUDIOFORANDROID: sResult=QString("MOTODEV Studio for Android"); break;
632 case RECORD_NAME_MP3: sResult=QString("MP3"); break;
633 case RECORD_NAME_MP4: sResult=QString("MP4"); break;
634 case RECORD_NAME_MPACK: sResult=QString("mPack"); break;
635 case RECORD_NAME_MPRESS: sResult=QString("MPRESS"); break;
636 case RECORD_NAME_MRUNDECTETABLE: sResult=QString("Mr Undectetable"); break;
637 case RECORD_NAME_MSDOS: sResult=QString("MS-DOS"); break;
638 case RECORD_NAME_MSLRH: sResult=QString("MSLRH"); break;
639 case RECORD_NAME_MSYS: sResult=QString("Msys"); break;
640 case RECORD_NAME_MSYS2: sResult=QString("MSYS2"); break;
641 case RECORD_NAME_MZ0OPE: sResult=QString("MZ0oPE"); break;
642 case RECORD_NAME_NAGAINLLVM: sResult=QString("Nagain LLVM"); break;
643 case RECORD_NAME_NAGAPTPROTECTION: sResult=QString("Nagapt Protection"); break;
644 case RECORD_NAME_NAKEDPACKER: sResult=QString("NakedPacker"); break;
645 case RECORD_NAME_NASM: sResult=QString("NASM"); break;
646 case RECORD_NAME_NCODE: sResult=QString("N-Code"); break;
647 case RECORD_NAME_NEOLITE: sResult=QString("NeoLite"); break;
648 case RECORD_NAME_NETEASEAPKSIGNER: sResult=QString("NetEase ApkSigner"); break;
649 case RECORD_NAME_NETBSD: sResult=QString("NetBSD"); break;
650 case RECORD_NAME_NIDHOGG: sResult=QString("Nidhogg"); break;
651 case RECORD_NAME_NIM: sResult=QString("Nim"); break;
652 case RECORD_NAME_NJOINER: sResult=QString("N-Joiner"); break;
653 case RECORD_NAME_NJOY: sResult=QString("N-Joy"); break;
654 case RECORD_NAME_NME: sResult=QString("NME"); break;
655 case RECORD_NAME_NOOBYPROTECT: sResult=QString("NoobyProtect"); break;
656 case RECORD_NAME_NOODLECRYPT: sResult=QString("NoodleCrypt"); break;
657 case RECORD_NAME_NORTHSTARPESHRINKER: sResult=QString("North Star PE Shrinker"); break;
658 case RECORD_NAME_NOSINSTALLER: sResult=QString("NOS Installer"); break;
659 case RECORD_NAME_NOSTUBLINKER: sResult=QString("NOSTUBLINKER"); break;
660 case RECORD_NAME_NOXCRYPT: sResult=QString("noX Crypt"); break;
661 case RECORD_NAME_NPACK: sResult=QString("nPack"); break;
662 case RECORD_NAME_NQSHIELD: sResult=QString("NQ Shield"); break;
663 case RECORD_NAME_NSIS: sResult=QString("Nullsoft Scriptable Install System"); break;
664 case RECORD_NAME_NSK: sResult=QString("Hewlett-Packard Non-Stop Kernel"); break;
665 case RECORD_NAME_NSPACK: sResult=QString("NsPack"); break;
666 case RECORD_NAME_OBFUSCAR: sResult=QString("Obfuscar"); break;
667 case RECORD_NAME_OBFUSCATORLLVM: sResult=QString("Obfuscator-LLVM"); break;
668 case RECORD_NAME_OBFUSCATORNET2009: sResult=QString("Obfuscator.NET 2009"); break;
669 case RECORD_NAME_OBJECTIVEC: sResult=QString("Objective-C"); break;
670 case RECORD_NAME_OBJECTPASCAL: sResult=QString("Object Pascal"); break;
671 case RECORD_NAME_OBSIDIUM: sResult=QString("Obsidium"); break;
672 case RECORD_NAME_OLLVMTLL: sResult=QString("ollvm-tll(LLVM 6.0+Ollvm+Armariris)"); break;
673 case RECORD_NAME_ONESPANPROTECTION: sResult=QString("OneSpan Protection"); break;
674 case RECORD_NAME_OPENBSD: sResult=QString("OpenBSD"); break;
675 case RECORD_NAME_OPENDOCUMENT: sResult=QString("Open Document"); break;
676 case RECORD_NAME_OPENJDK: sResult=QString("OpenJDK"); break;
677 case RECORD_NAME_OPENSOURCECODECRYPTER: sResult=QString("Open Source Code Crypter"); break;
678 case RECORD_NAME_OPENVMS: sResult=QString("Open VMS"); break;
679 case RECORD_NAME_OPERA: sResult=QString("Opera"); break;
680 case RECORD_NAME_ORACLESOLARISLINKEDITORS: sResult=QString("Oracle Solaris Link Editors"); break;
681 case RECORD_NAME_ORIEN: sResult=QString("ORiEN"); break;
682 case RECORD_NAME_OSCCRYPTER: sResult=QString("OSC-Crypter"); break;
683 case RECORD_NAME_OSX: sResult=QString("OSX"); break;
684 case RECORD_NAME_P0KESCRAMBLER: sResult=QString("p0ke Scrambler"); break;
685 case RECORD_NAME_PACKMAN: sResult=QString("Packman"); break;
686 case RECORD_NAME_PACKWIN: sResult=QString("PACKWIN"); break;
687 case RECORD_NAME_PANDORA: sResult=QString("Pandora"); break;
688 case RECORD_NAME_PANGXIE: sResult=QString("PangXie"); break;
689 case RECORD_NAME_PCGUARD: sResult=QString("PC Guard"); break;
690 case RECORD_NAME_PCOM: sResult=QString("PCOM"); break;
691 case RECORD_NAME_PCSHRINK: sResult=QString("PCShrink"); break;
692 case RECORD_NAME_PDB: sResult=QString("PDB"); break;
693 case RECORD_NAME_PDBFILELINK: sResult=QString("PDB file link"); break;
694 case RECORD_NAME_PDF: sResult=QString("PDF"); break;
695 case RECORD_NAME_PEARMOR: sResult=QString("PE-Armor"); break;
696 case RECORD_NAME_PEBUNDLE: sResult=QString("PEBundle"); break;
697 case RECORD_NAME_PECRYPT32: sResult=QString("PECRYPT32"); break;
698 case RECORD_NAME_PECOMPACT: sResult=QString("PECompact"); break;
699 case RECORD_NAME_PEDIMINISHER: sResult=QString("PE Diminisher"); break;
700 case RECORD_NAME_PEENCRYPT: sResult=QString("PE Encrypt"); break;
701 case RECORD_NAME_PELOCK: sResult=QString("PELock"); break;
702 case RECORD_NAME_PELOCKNT: sResult=QString("PELOCKnt"); break;
703 case RECORD_NAME_PENGUINCRYPT: sResult=QString("PEnguinCrypt"); break; // TODO Check name
704 case RECORD_NAME_PEPACK: sResult=QString("PE-PACK"); break;
705 case RECORD_NAME_PEPACKSPROTECT: sResult=QString("pepack's Protect"); break;
706 case RECORD_NAME_PEQUAKE: sResult=QString("PE Quake"); break;
707 case RECORD_NAME_PERL: sResult=QString("Perl"); break;
708 case RECORD_NAME_PESHIELD: sResult=QString("PE-SHiELD"); break; // TODO Check name
709 case RECORD_NAME_PESPIN: sResult=QString("PESpin"); break;
710 case RECORD_NAME_PETITE: sResult=QString("Petite"); break;
711 case RECORD_NAME_PETITE_KERNEL32: sResult=QString("Petite.kernel32"); break;
712 case RECORD_NAME_PETITE_USER32: sResult=QString("Petite.user32"); break;
713 case RECORD_NAME_PEX: sResult=QString("PeX"); break;
714 case RECORD_NAME_PFECX: sResult=QString("PFE CX"); break;
715 case RECORD_NAME_PGMPAK: sResult=QString("PGMPAK"); break;
716 case RECORD_NAME_PHOENIXPROTECTOR: sResult=QString("Phoenix Protector"); break;
717 case RECORD_NAME_PHP: sResult=QString("PHP"); break;
718 case RECORD_NAME_PICRYPTOR: sResult=QString("PI Cryptor"); break;
719 case RECORD_NAME_PKLITE: sResult=QString("PKLITE"); break;
720 case RECORD_NAME_PKLITE32: sResult=QString("PKLITE32"); break;
721 case RECORD_NAME_PKZIPMINISFX: sResult=QString("PKZIP mini-sfx"); break;
722 case RECORD_NAME_PLAIN: sResult=QString("Plain"); break;
723 case RECORD_NAME_PLEXCLANG: sResult=QString("Plex clang"); break;
724 case RECORD_NAME_PMODEW: sResult=QString("PMODE/W"); break;
725 case RECORD_NAME_PNG: sResult=QString("PNG"); break;
726 case RECORD_NAME_POKECRYPTER: sResult=QString("Poke Crypter"); break;
727 case RECORD_NAME_POLYCRYPTPE: sResult=QString("PolyCrypt PE"); break;
728 case RECORD_NAME_POWERBASIC: sResult=QString("PowerBASIC"); break;
729 case RECORD_NAME_PRIVATEEXEPROTECTOR: sResult=QString("Private EXE Protector"); break;
730 case RECORD_NAME_PROGUARD: sResult=QString("Proguard"); break;
731 case RECORD_NAME_PROPACK: sResult=QString("PRO-PACK"); break;
732 case RECORD_NAME_PROTECTEXE: sResult=QString("PROTECT! EXE"); break;
733 case RECORD_NAME_PSEUDOAPKSIGNER: sResult=QString("PseudoApkSigner"); break;
734 case RECORD_NAME_PUBCRYPTER: sResult=QString("Pub Crypter"); break;
735 case RECORD_NAME_PUNISHER: sResult=QString("PUNiSHER"); break;
736 case RECORD_NAME_PUREBASIC: sResult=QString("PureBasic"); break;
737 case RECORD_NAME_PUSSYCRYPTER: sResult=QString("PussyCrypter"); break;
738 case RECORD_NAME_PYINSTALLER: sResult=QString("PyInstaller"); break;
739 case RECORD_NAME_PYTHON: sResult=QString("Python"); break;
740 case RECORD_NAME_QDBH: sResult=QString("qdbh"); break;
741 case RECORD_NAME_QIHOO360PROTECTION: sResult=QString("Qihoo 360 Protection"); break;
742 case RECORD_NAME_QRYPT0R: sResult=QString("QrYPt0r"); break;
743 case RECORD_NAME_QT: sResult=QString("Qt"); break;
744 case RECORD_NAME_QTINSTALLER: sResult=QString("Qt Installer"); break;
745 case RECORD_NAME_QUICKPACKNT: sResult=QString("QuickPack NT"); break;
746 case RECORD_NAME_R8: sResult=QString("R8"); break;
747 case RECORD_NAME_RADIALIX: sResult=QString("Radialix"); break;
748 case RECORD_NAME_RAR: sResult=QString("RAR"); break;
749 case RECORD_NAME_RCRYPTOR: sResult=QString("RCryptor(Russian Cryptor)"); break;
750 case RECORD_NAME_RDGTEJONCRYPTER: sResult=QString("RDG Tejon Crypter"); break;
751 case RECORD_NAME_REDHATLINUX: sResult=QString("Red Hat Linux"); break;
752 case RECORD_NAME_RELPACK: sResult=QString("Relpack"); break;
753 case RECORD_NAME_RENETPACK: sResult=QString("ReNET-pack"); break;
754 case RECORD_NAME_RESOURCE: sResult=QString("Resource"); break;
755 case RECORD_NAME_REVPROT: sResult=QString("REVProt"); break;
756 case RECORD_NAME_RJCRUSH: sResult=QString("RJcrush"); break;
757 case RECORD_NAME_RLP: sResult=QString("RLP"); break;
758 case RECORD_NAME_RLPACK: sResult=QString("RLPack"); break;
759 case RECORD_NAME_ROGUEPACK: sResult=QString("RoguePack"); break;
760 case RECORD_NAME_ROSASM: sResult=QString("RosAsm"); break;
761 case RECORD_NAME_RTF: sResult=QString("Rich Text Format"); break;
762 case RECORD_NAME_RUBY: sResult=QString("Ruby"); break;
763 case RECORD_NAME_RUST: sResult=QString("Rust"); break;
764 case RECORD_NAME_SAFEENGINESHIELDEN: sResult=QString("Safengine Shielden"); break;
765 case RECORD_NAME_SAFEENGINELLVM: sResult=QString("Safengine LLVM"); break;
766 case RECORD_NAME_SANDHOOK: sResult=QString("SandHook"); break;
767 case RECORD_NAME_SCOBFUSCATOR: sResult=QString("SC Obfuscator"); break;
768 case RECORD_NAME_SCPACK: sResult=QString("SC Pack"); break;
769 case RECORD_NAME_SCRNCH: sResult=QString("SCRNCH"); break;
770 case RECORD_NAME_SDPROTECTORPRO: sResult=QString("SDProtector Pro"); break;
771 case RECORD_NAME_SECSHELL: sResult=QString("SecShell"); break;
772 case RECORD_NAME_SECNEO: sResult=QString("SecNeo"); break;
773 case RECORD_NAME_SECURESHADE: sResult=QString("Secure Shade"); break;
774 case RECORD_NAME_SECUROM: sResult=QString("SecuROM"); break;
775 case RECORD_NAME_SERGREENAPPACKER: sResult=QString("SerGreen Appacker"); break;
776 case RECORD_NAME_SETUPFACTORY: sResult=QString("Setup Factory"); break;
777 case RECORD_NAME_SEXECRYPTER: sResult=QString("Sexe Crypter"); break;
778 case RECORD_NAME_SHELL: sResult=QString("Shell"); break;
779 case RECORD_NAME_SHRINKER: sResult=QString("Shrinker"); break;
780 case RECORD_NAME_SIGNATORY: sResult=QString("signatory"); break;
781 case RECORD_NAME_SIGNUPDATE: sResult=QString("signupdate"); break;
782 case RECORD_NAME_SIMBIOZ: sResult=QString("SimbiOZ"); break;
783 case RECORD_NAME_SIMCRYPTER: sResult=QString("Sim Crypter"); break;
784 case RECORD_NAME_SIMPLECRYPTER: sResult=QString("Simple Crypter"); break;
785 case RECORD_NAME_SIMPLEPACK: sResult=QString("Simple Pack"); break;
786 case RECORD_NAME_SINGLEJAR: sResult=QString("SingleJar"); break;
787 case RECORD_NAME_SIXXPACK: sResult=QString("Sixxpack"); break;
788 case RECORD_NAME_SKATER: sResult=QString("Skater"); break;
789 case RECORD_NAME_SMARTASSEMBLY: sResult=QString("Smart Assembly"); break;
790 case RECORD_NAME_SMARTINSTALLMAKER: sResult=QString("Smart Install Maker"); break;
791 case RECORD_NAME_SMOKESCREENCRYPTER: sResult=QString("SmokeScreen Crypter"); break;
792 case RECORD_NAME_SNAPDRAGONLLVMARM: sResult=QString("Snapdragon LLVM ARM"); break;
793 case RECORD_NAME_SNAPPROTECT: sResult=QString("SnapProtect"); break;
794 case RECORD_NAME_SNOOPCRYPT: sResult=QString("Snoop Crypt"); break;
795 case RECORD_NAME_SOFTDEFENDER: sResult=QString("Soft Defender"); break;
796 case RECORD_NAME_SOFTSENTRY: sResult=QString("SoftSentry"); break;
797 case RECORD_NAME_SOFTWARECOMPRESS: sResult=QString("Software Compress"); break;
798 case RECORD_NAME_SOFTWAREZATOR: sResult=QString("SoftwareZator"); break;
799 case RECORD_NAME_SOLARIS: sResult=QString("Sun Solaris"); break;
800 case RECORD_NAME_SOURCERYCODEBENCH: sResult=QString("Sourcery CodeBench"); break;
801 case RECORD_NAME_SOURCERYCODEBENCHLITE: sResult=QString("Sourcery CodeBench Lite"); break;
802 case RECORD_NAME_SPICESNET: sResult=QString("Spices.Net"); break;
803 case RECORD_NAME_SPIRIT: sResult=QString("$pirit"); break;
804 case RECORD_NAME_SPOONINSTALLER: sResult=QString("Spoon Installer"); break;
805 case RECORD_NAME_SPOONSTUDIO: sResult=QString("Spoon Studio"); break;
806 case RECORD_NAME_SPOONSTUDIO2011: sResult=QString("Spoon Studio 2011"); break;
807 case RECORD_NAME_SQUEEZSFX: sResult=QString("Squeez Self Extractor"); break;
808 case RECORD_NAME_STARFORCE: sResult=QString("StarForce"); break;
809 case RECORD_NAME_STARTOSLINUX: sResult=QString("StartOS Linux"); break;
810 case RECORD_NAME_STASFODIDOCRYPTOR: sResult=QString("StasFodidoCryptor"); break;
811 case RECORD_NAME_STONESPEENCRYPTOR: sResult=QString("Stone's PE Encryptor"); break;
812 case RECORD_NAME_SUNOS: sResult=QString("SunOS"); break;
813 case RECORD_NAME_SUNWORKSHOP: sResult=QString("Sun WorkShop"); break;
814 case RECORD_NAME_SUSELINUX: sResult=QString("SUSE Linux"); break;
815 case RECORD_NAME_SVKPROTECTOR: sResult=QString("SVK Protector"); break;
816 case RECORD_NAME_SWF: sResult=QString("SWF"); break;
817 case RECORD_NAME_SWIFT: sResult=QString("Swift"); break;
818 case RECORD_NAME_TARMAINSTALLER: sResult=QString("Tarma Installer"); break;
819 case RECORD_NAME_TELOCK: sResult=QString("tElock"); break;
820 case RECORD_NAME_TENCENTLEGU: sResult=QString("Tencent Legu"); break;
821 case RECORD_NAME_TENCENTPROTECTION: sResult=QString("Tencent Protection"); break;
822 case RECORD_NAME_TGRCRYPTER: sResult=QString("TGR Crypter"); break;
823 case RECORD_NAME_THEBESTCRYPTORBYFSK: sResult=QString("The Best Cryptor [by FsK]"); break;
824 case RECORD_NAME_THEMIDAWINLICENSE: sResult=QString("Themida/Winlicense"); break;
825 case RECORD_NAME_THEZONECRYPTER: sResult=QString("The Zone Crypter"); break;
826 case RECORD_NAME_THINSTALL: sResult=QString("Thinstall(VMware ThinApp)"); break;
827 case RECORD_NAME_THUMBC: sResult=QString("Thumb C"); break;
828 case RECORD_NAME_TINYC: sResult=QString("Tiny C"); break;
829 case RECORD_NAME_TIFF: sResult=QString("TIFF"); break;
830 case RECORD_NAME_TINYPROG: sResult=QString("TinyProg"); break;
831 case RECORD_NAME_TINYSIGN: sResult=QString("tiny-sign"); break;
832 case RECORD_NAME_TOTALCOMMANDERINSTALLER: sResult=QString("Total Commander Installer"); break;
833 case RECORD_NAME_TPPPACK: sResult=QString("TTP Pack"); break;
834 case RECORD_NAME_TRU64: sResult=QString("Compaq TRU64 UNIX"); break;
835 case RECORD_NAME_TSTCRYPTER: sResult=QString("TsT Crypter"); break;
836 case RECORD_NAME_TTF: sResult=QString("True Type Font"); break;
837 case RECORD_NAME_TTPROTECT: sResult=QString("TTprotect"); break;
838 case RECORD_NAME_TURBOBASIC: sResult=QString("Turbo Basic"); break;
839 case RECORD_NAME_TURBOC: sResult=QString("Turbo C"); break;
840 case RECORD_NAME_TURBOCPP: sResult=QString("Turbo C++"); break;
841 case RECORD_NAME_TURBOLINKER: sResult=QString("Turbo linker"); break;
842 case RECORD_NAME_TURBOLINUX: sResult=QString("Turbolinux"); break;
843 case RECORD_NAME_TURBOSTUDIO: sResult=QString("Turbo Studio"); break;
844 case RECORD_NAME_TURKISHCYBERSIGNATURE: sResult=QString("Turkish Cyber Signature"); break;
845 case RECORD_NAME_TURKOJANCRYPTER: sResult=QString("Turkojan Crypter"); break;
846 case RECORD_NAME_TVOS: sResult=QString("tvOS"); break;
847 case RECORD_NAME_UBUNTUCLANG: sResult=QString("Ubuntu clang"); break;
848 case RECORD_NAME_UBUNTULINUX: sResult=QString("Ubuntu Linux"); break;
849 case RECORD_NAME_UCEXE: sResult=QString("UCEXE"); break;
850 case RECORD_NAME_UNDERGROUNDCRYPTER: sResult=QString("UnderGround Crypter"); break;
851 case RECORD_NAME_UNDOCRYPTER: sResult=QString("UnDo Crypter"); break;
852 case RECORD_NAME_UNICODE: sResult=QString("Unicode"); break;
853 case RECORD_NAME_UNICOMSDK: sResult=QString("Unicom SDK"); break;
854 case RECORD_NAME_UNILINK: sResult=QString("UniLink"); break;
855 case RECORD_NAME_UNITY: sResult=QString("Unity"); break;
856 case RECORD_NAME_UNIVERSALTUPLECOMPILER: sResult=QString("Universal Tuple Compiler"); break;
857 case RECORD_NAME_UNKOWNCRYPTER: sResult=QString("unkOwn Crypter"); break;
858 case RECORD_NAME_UNK_UPXLIKE: sResult=QString("(Unknown)UPX-like"); break;
859 case RECORD_NAME_UNOPIX: sResult=QString("Unopix"); break;
860 case RECORD_NAME_UPX: sResult=QString("UPX"); break;
861 case RECORD_NAME_UTF8: sResult=QString("UTF-8"); break;
862 case RECORD_NAME_VALVE: sResult=QString("Valve"); break;
863 case RECORD_NAME_VBNET: sResult=QString("VB .NET"); break;
864 case RECORD_NAME_VBSTOEXE: sResult=QString("Vbs To Exe"); break;
865 case RECORD_NAME_VCASMPROTECTOR: sResult=QString("VCasm-Protector"); break;
866 case RECORD_NAME_VCL: sResult=QString("Visual Component Library"); break;
867 case RECORD_NAME_VCLPACKAGEINFO: sResult=QString("VCL PackageInfo"); break;
868 case RECORD_NAME_VDOG: sResult=QString("VDog"); break;
869 case RECORD_NAME_VERACRYPT: sResult=QString("VeraCrypt"); break;
870 case RECORD_NAME_VINELINUX: sResult=QString("Vine Linux"); break;
871 case RECORD_NAME_VIRTUALIZEPROTECT: sResult=QString("VirtualizeProtect"); break;
872 case RECORD_NAME_VIRTUALPASCAL: sResult=QString("Virtual Pascal"); break;
873 case RECORD_NAME_VISE: sResult=QString("Vise"); break;
874 case RECORD_NAME_VISUALBASIC: sResult=QString("Visual Basic"); break;
875 case RECORD_NAME_VISUALCCPP: sResult=QString("Visual C/C++"); break;
876 case RECORD_NAME_VISUALCSHARP: sResult=QString("Visual C#"); break;
877 case RECORD_NAME_VISUALOBJECTS: sResult=QString("Visual Objects"); break;
878 case RECORD_NAME_VMPROTECT: sResult=QString("VMProtect"); break;
879 case RECORD_NAME_VMUNPACKER: sResult=QString("VMUnpacker"); break;
880 case RECORD_NAME_VMWARE: sResult=QString("VMware"); break;
881 case RECORD_NAME_VPACKER: sResult=QString("VPacker"); break;
882 case RECORD_NAME_WALLE: sResult=QString("Walle"); break;
883 case RECORD_NAME_WANGZEHUALLVM: sResult=QString("wangzehua LLVM"); break;
884 case RECORD_NAME_WATCHOS: sResult=QString("watchOS"); break;
885 case RECORD_NAME_WATCOMC: sResult=QString("Watcom C"); break;
886 case RECORD_NAME_WATCOMCCPP: sResult=QString("Watcom C/C++"); break;
887 case RECORD_NAME_WATCOMLINKER: sResult=QString("Watcom linker"); break;
888 case RECORD_NAME_WAV: sResult=QString("WAV"); break;
889 case RECORD_NAME_WDOSX: sResult=QString("WDOSX"); break;
890 case RECORD_NAME_WHITELLCRYPT: sResult=QString("Whitell Crypt"); break;
891 case RECORD_NAME_WINACE: sResult=QString("WinACE"); break;
892 case RECORD_NAME_WINAUTH: sResult=QString("Windows Authenticode"); break;
893 case RECORD_NAME_WINDOFCRYPT: sResult=QString("WindOfCrypt"); break;
894 case RECORD_NAME_WINDOWS: sResult=QString("Windows"); break;
895 case RECORD_NAME_WINDOWSBITMAP: sResult=QString("Windows Bitmap"); break;
896 case RECORD_NAME_WINDOWSICON: sResult=QString("Windows Icon"); break;
897 case RECORD_NAME_WINDOWSINSTALLER: sResult=QString("Windows Installer"); break;
898 case RECORD_NAME_WINDOWSMEDIA: sResult=QString("Windows Media"); break;
899 case RECORD_NAME_WINDRIVERLINUX: sResult=QString("Wind River Linux"); break;
900 case RECORD_NAME_WINGSCRYPT: sResult=QString("WingsCrypt"); break;
901 case RECORD_NAME_WINKRIPT: sResult=QString("WinKript"); break;
902 case RECORD_NAME_WINRAR: sResult=QString("WinRAR"); break;
903 case RECORD_NAME_WINUPACK: sResult=QString("(Win)Upack"); break;
904 case RECORD_NAME_WINZIP: sResult=QString("WinZip"); break;
905 case RECORD_NAME_WISE: sResult=QString("Wise"); break;
906 case RECORD_NAME_WIXTOOLSET: sResult=QString("WiX Toolset"); break;
907 case RECORD_NAME_WLCRYPT: sResult=QString("WL-Crypt"); break;
908 case RECORD_NAME_WLGROUPCRYPTER: sResult=QString("WL-Group Crypter"); break;
909 case RECORD_NAME_WOUTHRSEXECRYPTER: sResult=QString("WouThrs EXE Crypter"); break;
910 case RECORD_NAME_WWPACK: sResult=QString("WWPack"); break;
911 case RECORD_NAME_WWPACK32: sResult=QString("WWPack32"); break;
912 case RECORD_NAME_WXWIDGETS: sResult=QString("wxWidgets"); break;
913 case RECORD_NAME_XAR: sResult=QString("xar"); break;
914 case RECORD_NAME_XCODE: sResult=QString("Xcode"); break;
915 case RECORD_NAME_XENOCODE: sResult=QString("Xenocode"); break;
916 case RECORD_NAME_XENOCODEPOSTBUILD: sResult=QString("Xenocode Postbuild"); break;
917 case RECORD_NAME_XENOCODEPOSTBUILD2009FORDOTNET: sResult=QString("Xenocode Postbuild 2009 for .NET"); break;
918 case RECORD_NAME_XENOCODEPOSTBUILD2010FORDOTNET: sResult=QString("Xenocode Postbuild 2010 for .NET"); break;
919 case RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2009: sResult=QString("Xenocode Virtual Application Studio 2009"); break;
920 case RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2010: sResult=QString("Xenocode Virtual Application Studio 2010"); break;
921 case RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2010ISVEDITION: sResult=QString("Xenocode Virtual Application Studio 2010 ISV Edition"); break;
922 case RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2012ISVEDITION: sResult=QString("Xenocode Virtual Application Studio 2012 ISV Edition"); break;
923 case RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2013ISVEDITION: sResult=QString("Xenocode Virtual Application Studio 2013 ISV Edition"); break;
924 case RECORD_NAME_XCOMP: sResult=QString("XComp"); break;
925 case RECORD_NAME_XML: sResult=QString("XML"); break;
926 case RECORD_NAME_XPACK: sResult=QString("XPack"); break;
927 case RECORD_NAME_XTREMEPROTECTOR: sResult=QString("Xtreme-Protector"); break;
928 case RECORD_NAME_XTREAMLOK: sResult=QString("Xtreamlok"); break;
929 case RECORD_NAME_XVOLKOLAK: sResult=QString("XVolkolak"); break;
930 case RECORD_NAME_XZ: sResult=QString("XZ"); break;
931 case RECORD_NAME_YANDEX: sResult=QString("Yandex"); break;
932 case RECORD_NAME_YANO: sResult=QString("Yano"); break;
933 case RECORD_NAME_YIDUN: sResult=QString("yidun"); break;
934 case RECORD_NAME_YODASCRYPTER: sResult=QString("Yoda's Crypter"); break;
935 case RECORD_NAME_YODASPROTECTOR: sResult=QString("Yoda's Protector"); break;
936 case RECORD_NAME_YZPACK: sResult=QString("YZPack"); break;
937 case RECORD_NAME_ZELDACRYPT: sResult=QString("ZeldaCrypt"); break;
938 case RECORD_NAME_ZIG: sResult=QString("Zig"); break;
939 case RECORD_NAME_ZIP: sResult=QString("ZIP"); break;
940 case RECORD_NAME_ZLIB: sResult=QString("zlib"); break;
941 case RECORD_NAME_ZPROTECT: sResult=QString("ZProtect"); break;
942 case RECORD_NAME_UNIX: sResult=QString("Unix"); break;
943 case RECORD_NAME_UNKNOWN0: sResult=QString("_Unknown"); break;
944 case RECORD_NAME_UNKNOWN1: sResult=QString("_Unknown"); break;
945 case RECORD_NAME_UNKNOWN2: sResult=QString("_Unknown"); break;
946 case RECORD_NAME_UNKNOWN3: sResult=QString("_Unknown"); break;
947 case RECORD_NAME_UNKNOWN4: sResult=QString("_Unknown"); break;
948 case RECORD_NAME_UNKNOWN5: sResult=QString("_Unknown"); break;
949 case RECORD_NAME_UNKNOWN6: sResult=QString("_Unknown"); break;
950 case RECORD_NAME_UNKNOWN7: sResult=QString("_Unknown"); break;
951 case RECORD_NAME_UNKNOWN8: sResult=QString("_Unknown"); break;
952 case RECORD_NAME_UNKNOWN9: sResult=QString("_Unknown"); break;
953 }
954 return sResult;
955 }
956
heurTypeIdToString(SpecAbstract::DETECTTYPE id)957 QString SpecAbstract::heurTypeIdToString(SpecAbstract::DETECTTYPE id)
958 {
959 QString sResult=tr("Unknown");
960
961 switch(id)
962 {
963 case DETECTTYPE_UNKNOWN: sResult=tr("Unknown"); break;
964 case DETECTTYPE_HEADER: sResult=tr("Header"); break;
965 case DETECTTYPE_OVERLAY: sResult=tr("Overlay"); break;
966 case DETECTTYPE_ENTRYPOINT: sResult=tr("Entry point"); break;
967 case DETECTTYPE_SECTIONNAME: sResult=tr("Section name"); break;
968 case DETECTTYPE_IMPORTHASH: sResult=QString("Import hash"); break;
969 case DETECTTYPE_CODESECTION: sResult=tr("Code section"); break;
970 case DETECTTYPE_ENTRYPOINTSECTION: sResult=tr("Entry point section"); break;
971 case DETECTTYPE_NETANSISTRING: sResult=QString(".NET ANSI %1").arg(tr("String")); break;
972 case DETECTTYPE_NETUNICODESTRING: sResult=QString(".NET Unicode %1").arg(tr("String")); break;
973 case DETECTTYPE_RICH: sResult=QString("RICH"); break;
974 case DETECTTYPE_ARCHIVE: sResult=tr("Archive"); break;
975 case DETECTTYPE_RESOURCES: sResult=tr("Resources"); break;
976 case DETECTTYPE_DEXSTRING: sResult=QString("DEX %1").arg(tr("String")); break;
977 case DETECTTYPE_DEXTYPE: sResult=QString("DEX %1").arg(tr("Type")); break;
978 }
979
980 return sResult;
981 }
982
getPossibleUnpackOptions(QIODevice * pDevice,bool bIsImage)983 SpecAbstract::UNPACK_OPTIONS SpecAbstract::getPossibleUnpackOptions(QIODevice *pDevice,bool bIsImage)
984 {
985 // TODO
986 UNPACK_OPTIONS result={};
987
988 QSet<XBinary::FT> stFileTypes=XBinary::getFileTypes(pDevice);
989
990 if(stFileTypes.contains(XBinary::FT_PE32)||stFileTypes.contains(XBinary::FT_PE64))
991 {
992 XPE pe(pDevice,bIsImage);
993
994 if(pe.isValid())
995 {
996 if(pe.isValid())
997 {
998 result.bCopyOverlay=pe.isOverlayPresent();
999 }
1000 }
1001 }
1002
1003 return result;
1004 }
1005
_SCANS_STRUCT_toString(const _SCANS_STRUCT * pScanStruct)1006 QString SpecAbstract::_SCANS_STRUCT_toString(const _SCANS_STRUCT *pScanStruct)
1007 {
1008 QString sResult;
1009
1010 if(pScanStruct->bIsHeuristic)
1011 {
1012 sResult+="(Heuristic)";
1013 }
1014
1015 sResult+=QString("%1: %2(%3)[%4]").arg(SpecAbstract::recordTypeIdToString(pScanStruct->type),SpecAbstract::recordNameIdToString(pScanStruct->name),pScanStruct->sVersion,pScanStruct->sInfo);
1016
1017 return sResult;
1018 }
1019
createResultString(const SpecAbstract::SCAN_STRUCT * pScanStruct)1020 QString SpecAbstract::createResultString(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1021 {
1022 QString sResult;
1023
1024 if(pScanStruct->bIsHeuristic)
1025 {
1026 sResult+="(Heuristic)";
1027 }
1028
1029 sResult+=QString("%1: %2(%3)[%4]").arg(SpecAbstract::recordTypeIdToString(pScanStruct->type),SpecAbstract::recordNameIdToString(pScanStruct->name),pScanStruct->sVersion,pScanStruct->sInfo);
1030
1031 return sResult;
1032 }
1033
createResultString2(const SpecAbstract::SCAN_STRUCT * pScanStruct)1034 QString SpecAbstract::createResultString2(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1035 {
1036 QString sResult;
1037
1038 if(pScanStruct->bIsHeuristic)
1039 {
1040 sResult+="(Heuristic)";
1041 }
1042
1043 sResult+=QString("%1: %2").arg(SpecAbstract::recordTypeIdToString(pScanStruct->type),SpecAbstract::recordNameIdToString(pScanStruct->name));
1044
1045 if(pScanStruct->sVersion!="")
1046 {
1047 sResult+=QString("(%1)").arg(pScanStruct->sVersion);
1048 }
1049
1050 if(pScanStruct->sInfo!="")
1051 {
1052 sResult+=QString("[%1]").arg(pScanStruct->sInfo);
1053 }
1054
1055 return sResult;
1056 }
1057
createFullResultString(const SpecAbstract::SCAN_STRUCT * pScanStruct)1058 QString SpecAbstract::createFullResultString(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1059 {
1060 QString sResult;
1061
1062 if(pScanStruct->bIsHeuristic)
1063 {
1064 sResult+="(Heuristic)";
1065 }
1066
1067 sResult+=QString("%1: %2").arg(createTypeString(pScanStruct),createResultString(pScanStruct));
1068
1069 return sResult;
1070 }
1071
createFullResultString2(const SpecAbstract::SCAN_STRUCT * pScanStruct)1072 QString SpecAbstract::createFullResultString2(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1073 {
1074 QString sResult;
1075
1076 if(pScanStruct->bIsHeuristic)
1077 {
1078 sResult+="(Heuristic)";
1079 }
1080
1081 sResult+=QString("%1: %2").arg(createTypeString(pScanStruct),createResultString2(pScanStruct));
1082
1083 return sResult;
1084 }
1085
createTypeString(const SpecAbstract::SCAN_STRUCT * pScanStruct)1086 QString SpecAbstract::createTypeString(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1087 {
1088 QString sResult;
1089
1090 if(pScanStruct->parentId.filePart!=RECORD_FILEPART_HEADER)
1091 {
1092 sResult+=SpecAbstract::recordFilePartIdToString(pScanStruct->parentId.filePart);
1093
1094 if(pScanStruct->parentId.sVersion!="")
1095 {
1096 sResult+=QString("(%1)").arg(pScanStruct->parentId.sVersion);
1097 }
1098
1099 if(pScanStruct->parentId.sInfo!="")
1100 {
1101 sResult+=QString("[%1]").arg(pScanStruct->parentId.sInfo);
1102 }
1103
1104 sResult+=": ";
1105 }
1106
1107 sResult+=XBinary::fileTypeIdToString(pScanStruct->id.fileType);
1108
1109 return sResult;
1110 }
1111
createHeaderScanStruct(const SpecAbstract::SCAN_STRUCT * pScanStruct)1112 SpecAbstract::SCAN_STRUCT SpecAbstract::createHeaderScanStruct(const SpecAbstract::SCAN_STRUCT *pScanStruct)
1113 {
1114 SCAN_STRUCT result=*pScanStruct;
1115
1116 result.id.sUuid=XBinary::generateUUID();
1117 result.type=RECORD_TYPE_GENERIC;
1118 result.name=RECORD_NAME_GENERIC;
1119 result.sVersion="";
1120 result.sInfo="";
1121
1122 return result;
1123 }
1124
get_Enigma_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1125 SpecAbstract::VI_STRUCT SpecAbstract::get_Enigma_vi(QIODevice *pDevice,bool bIsImage, qint64 nOffset, qint64 nSize)
1126 {
1127 VI_STRUCT result={};
1128
1129 XBinary binary(pDevice,bIsImage);
1130
1131 if(!result.bIsValid)
1132 {
1133 qint64 _nOffset=binary.find_array(nOffset,nSize,"\x00\x00\x00\x45\x4e\x49\x47\x4d\x41",9); // \x00\x00\x00ENIGMA
1134
1135 if(_nOffset!=-1)
1136 {
1137 quint8 nMajor=binary.read_uint8(_nOffset+9);
1138 quint8 nMinor=binary.read_uint8(_nOffset+10);
1139 quint16 nYear=binary.read_uint16(_nOffset+11);
1140 quint16 nMonth=binary.read_uint16(_nOffset+13);
1141 quint16 nDay=binary.read_uint16(_nOffset+15);
1142 quint16 nHour=binary.read_uint16(_nOffset+17);
1143 quint16 nMin=binary.read_uint16(_nOffset+19);
1144 quint16 nSec=binary.read_uint16(_nOffset+21);
1145
1146 result.sVersion=QString("%1.%2 build %3.%4.%5 %6:%7:%8").arg(nMajor).arg(nMinor,2,10,QChar('0')).arg(nYear,4,10,QChar('0')).arg(nMonth,2,10,QChar('0')).arg(nDay,2,10,QChar('0')).arg(nHour,2,10,QChar('0')).arg(nMin,2,10,QChar('0')).arg(nSec,2,10,QChar('0'));
1147
1148 result.bIsValid=true;
1149 }
1150 }
1151
1152 // 0 variant
1153 if(!result.bIsValid)
1154 {
1155 qint64 _nOffset=binary.find_ansiString(nOffset,nSize," *** Enigma protector v");
1156
1157 if(_nOffset!=-1)
1158 {
1159 result.sVersion=binary.read_ansiString(_nOffset+23).section(" ",0,0);
1160 result.bIsValid=true;
1161 }
1162 }
1163
1164 if(!result.bIsValid)
1165 {
1166 qint64 _nOffset=binary.find_ansiString(nOffset,nSize,"The Enigma Protector version");
1167
1168 if(_nOffset!=-1)
1169 {
1170 result.sVersion=binary.read_ansiString(_nOffset+23).section(" ",0,0);
1171 result.bIsValid=true;
1172 }
1173 }
1174
1175 return result;
1176 }
1177
get_DeepSea_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1178 SpecAbstract::VI_STRUCT SpecAbstract::get_DeepSea_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1179 {
1180 VI_STRUCT result={};
1181
1182 XBinary binary(pDevice,bIsImage);
1183
1184 qint64 _nOffset=binary.find_ansiString(nOffset,nSize,"DeepSeaObfuscator");
1185
1186 if(_nOffset!=-1)
1187 {
1188 // TODO Check
1189 result.bIsValid=true;
1190 result.sVersion="4.X";
1191
1192 QString sFullString=binary.read_ansiString(_nOffset+18);
1193
1194 if(sFullString.contains("Evaluation"))
1195 {
1196 result.sInfo="Evaluation";
1197 }
1198 }
1199
1200 return result;
1201 }
1202
get_SmartAssembly_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1203 SpecAbstract::VI_STRUCT SpecAbstract::get_SmartAssembly_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1204 {
1205 VI_STRUCT result={};
1206
1207 XBinary binary(pDevice,bIsImage);
1208
1209 qint64 _nOffset=binary.find_ansiString(nOffset,nSize,"Powered by SmartAssembly ");
1210
1211 if(_nOffset!=-1)
1212 {
1213 result.bIsValid=true;
1214 result.sVersion=binary.read_ansiString(_nOffset+25);
1215 // TODO more checks!
1216 }
1217
1218 return result;
1219 }
1220
get_R8_marker_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1221 SpecAbstract::VI_STRUCT SpecAbstract::get_R8_marker_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1222 {
1223 VI_STRUCT result={};
1224
1225 XBinary binary(pDevice,bIsImage);
1226
1227 // https://r8.googlesource.com/r8/+/refs/heads/master/src/main/java/com/android/tools/r8/dex/Marker.java
1228 // X~~D8{"compilation-mode":"release","has-checksums":false,"min-api":14,"version":"2.0.88"}
1229 qint64 _nOffset=binary.find_ansiString(nOffset,nSize,"\"compilation-mode\":\"");
1230
1231 if(_nOffset>20) // TODO rewrite
1232 {
1233 _nOffset=binary.find_ansiString(_nOffset-5,20,"~~");
1234
1235 if(_nOffset!=-1)
1236 {
1237 result.bIsValid=true;
1238 QString sString=binary.read_ansiString(_nOffset);
1239
1240 result.sVersion=XBinary::regExp("\"version\":\"(.*?)\"",sString,1);
1241
1242 if(sString.contains("~~D8")||sString.contains("~~R8"))
1243 {
1244 result.sInfo=XBinary::regExp("\"compilation-mode\":\"(.*?)\"",sString,1);
1245 }
1246 else
1247 {
1248 result.sInfo="CHECK D8: "+sString;
1249 }
1250 }
1251 }
1252
1253 return result;
1254 }
1255
get_Go_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1256 SpecAbstract::VI_STRUCT SpecAbstract::get_Go_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1257 {
1258 VI_STRUCT result={};
1259
1260 XBinary binary(pDevice,bIsImage);
1261
1262 qint64 _nOffset=nOffset;
1263 qint64 _nSize=nSize;
1264
1265 QString sVersion;
1266
1267 qint64 nMaxVersion=0;
1268
1269 while(_nSize>0)
1270 {
1271 _nOffset=binary.find_ansiString(_nOffset,_nSize,"go1.");
1272
1273 if(_nOffset==-1)
1274 {
1275 break;
1276 }
1277
1278 QString _sVersion=XBinary::getVersionString(binary.read_ansiString(_nOffset+2,10));
1279
1280 qint64 nVersionValue=XBinary::getVersionIntValue(_sVersion);
1281
1282 if(nVersionValue>nMaxVersion)
1283 {
1284 nMaxVersion=nVersionValue;
1285
1286 sVersion=_sVersion;
1287 }
1288
1289 _nOffset++;
1290
1291 _nSize=nSize-(_nOffset-nOffset)-1;
1292 }
1293
1294 if(sVersion!="")
1295 {
1296 result.bIsValid=true;
1297 result.sVersion=sVersion;
1298 }
1299
1300 return result;
1301 }
1302
get_Rust_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1303 SpecAbstract::VI_STRUCT SpecAbstract::get_Rust_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1304 {
1305 VI_STRUCT result={};
1306
1307 XBinary binary(pDevice,bIsImage);
1308
1309 // TODO version
1310 qint64 nOffset_Version=-1;
1311
1312 if(nOffset_Version==-1)
1313 {
1314 nOffset_Version=binary.find_ansiString(nOffset,nSize,"Local\\RustBacktraceMutex");
1315
1316 if(nOffset_Version!=-1)
1317 {
1318 result.bIsValid=true;
1319 }
1320 }
1321
1322 return result;
1323 }
1324
get_ObfuscatorLLVM_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1325 SpecAbstract::VI_STRUCT SpecAbstract::get_ObfuscatorLLVM_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1326 {
1327 VI_STRUCT result={};
1328
1329 XBinary binary(pDevice,bIsImage);
1330
1331 // TODO get max version
1332 qint64 nOffset_Version=-1;
1333
1334 if(nOffset_Version==-1)
1335 {
1336 nOffset_Version=binary.find_ansiString(nOffset,nSize,"Obfuscator-"); // 3.4 - 6.0.0
1337
1338 if(nOffset_Version!=-1)
1339 {
1340 QString sVersionString=binary.read_ansiString(nOffset_Version);
1341
1342 result=_get_ObfuscatorLLVM_string(sVersionString);
1343 }
1344 }
1345
1346 return result;
1347 }
1348
_get_ObfuscatorLLVM_string(QString sString)1349 SpecAbstract::VI_STRUCT SpecAbstract::_get_ObfuscatorLLVM_string(QString sString)
1350 {
1351 VI_STRUCT result={};
1352
1353 if( sString.contains("Obfuscator-clang version")|| // 3.4
1354 sString.contains("Obfuscator- clang version")|| // 3.51
1355 sString.contains("Obfuscator-LLVM clang version")) // 3.6.1 - 6.0.0
1356 {
1357 result.bIsValid=true;
1358
1359 result.sVersion=sString.section("version ",1,1).section("(",0,0).section(" ",0,0);
1360 // result.sVersion=sString.section("version ",1,1);
1361 }
1362
1363 return result;
1364 }
1365
get_AndroidClang_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)1366 SpecAbstract::VI_STRUCT SpecAbstract::get_AndroidClang_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
1367 {
1368 VI_STRUCT result={};
1369
1370 XBinary binary(pDevice,bIsImage);
1371
1372 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"Android clang");
1373
1374 if(nOffset_Version!=-1)
1375 {
1376 QString sVersionString=binary.read_ansiString(nOffset_Version);
1377
1378 result=_get_AndroidClang_string(sVersionString);
1379 }
1380
1381 return result;
1382 }
1383
_get_AndroidClang_string(QString sString)1384 SpecAbstract::VI_STRUCT SpecAbstract::_get_AndroidClang_string(QString sString)
1385 {
1386 VI_STRUCT result={};
1387
1388 if(sString.contains("Android clang"))
1389 {
1390 result.bIsValid=true;
1391
1392 result.sVersion=sString.section(" ",3,3);
1393 }
1394 else if(sString.contains("Android (")&&sString.contains(" clang version "))
1395 {
1396 result.bIsValid=true;
1397
1398 result.sVersion=sString.section(" clang version ",1,1).section(" ",0,0);
1399 }
1400
1401 return result;
1402 }
1403
_get_PlexClang_string(QString sString)1404 SpecAbstract::VI_STRUCT SpecAbstract::_get_PlexClang_string(QString sString)
1405 {
1406 VI_STRUCT result={};
1407
1408 if(sString.contains("Plex clang"))
1409 {
1410 result.bIsValid=true;
1411
1412 result.sVersion=sString.section(" ",3,3);
1413 }
1414
1415 return result;
1416 }
1417
_get_UbuntuClang_string(QString sString)1418 SpecAbstract::VI_STRUCT SpecAbstract::_get_UbuntuClang_string(QString sString)
1419 {
1420 VI_STRUCT result={};
1421
1422 if(sString.contains("Ubuntu clang"))
1423 {
1424 result.bIsValid=true;
1425
1426 result.sVersion=sString.section(" ",3,3);
1427 }
1428
1429 return result;
1430 }
1431
_get_AlipayObfuscator_string(QString sString)1432 SpecAbstract::VI_STRUCT SpecAbstract::_get_AlipayObfuscator_string(QString sString)
1433 {
1434 VI_STRUCT result={};
1435
1436 if(sString.contains("Alipay"))
1437 {
1438 result.bIsValid=true;
1439
1440 result.sVersion=sString.section(" ",3,3);
1441
1442 if(sString.contains("Trial"))
1443 {
1444 result.sInfo="Trial";
1445 }
1446 }
1447
1448 return result;
1449 }
1450
_get_wangzehuaLLVM_string(QString sString)1451 SpecAbstract::VI_STRUCT SpecAbstract::_get_wangzehuaLLVM_string(QString sString)
1452 {
1453 VI_STRUCT result={};
1454
1455 if(sString.contains("wangzehua clang version"))
1456 {
1457 result.bIsValid=true;
1458
1459 result.sVersion=sString.section("wangzehua clang version",1,1);
1460 }
1461
1462 return result;
1463 }
1464
_get_ByteGuard_string(QString sString)1465 SpecAbstract::VI_STRUCT SpecAbstract::_get_ByteGuard_string(QString sString)
1466 {
1467 VI_STRUCT result={};
1468
1469 if(sString.contains("ByteGuard"))
1470 {
1471 result.bIsValid=true;
1472
1473 result.sVersion=sString.section("ByteGuard ",1,1).section("-",0,0).section(")",0,0);
1474 }
1475 else if(sString.contains("Byteguard"))
1476 {
1477 result.bIsValid=true;
1478
1479 result.sVersion=sString.section("Byteguard ",1,1).section("-",0,0).section(")",0,0);
1480 }
1481
1482 return result;
1483 }
1484
_get_TencentObfuscation_string(QString sString)1485 SpecAbstract::VI_STRUCT SpecAbstract::_get_TencentObfuscation_string(QString sString)
1486 {
1487 VI_STRUCT result={};
1488
1489 if(sString.contains("Tencent-Obfuscation Compiler"))
1490 {
1491 // TODO Version
1492 result.bIsValid=true;
1493 }
1494
1495 return result;
1496 }
1497
_get_AppImage_string(QString sString)1498 SpecAbstract::VI_STRUCT SpecAbstract::_get_AppImage_string(QString sString)
1499 {
1500 VI_STRUCT result={};
1501
1502 if(sString.contains("AppImage by Simon Peter, http://appimage.org/"))
1503 {
1504 // TODO Version
1505 result.bIsValid=true;
1506 }
1507
1508 return result;
1509 }
1510
_get_HikariObfuscator_string(QString sString)1511 SpecAbstract::VI_STRUCT SpecAbstract::_get_HikariObfuscator_string(QString sString)
1512 {
1513 VI_STRUCT result={};
1514
1515 if(sString.contains("HikariObfuscator")||sString.contains("_Hikari")||sString.contains("Hikari.git"))
1516 {
1517 // TODO Version
1518 result.bIsValid=true;
1519 }
1520
1521 return result;
1522 }
1523
_get_SnapProtect_string(QString sString)1524 SpecAbstract::VI_STRUCT SpecAbstract::_get_SnapProtect_string(QString sString)
1525 {
1526 VI_STRUCT result={};
1527
1528 if(sString.contains("snap.protect version "))
1529 {
1530 result.sVersion=sString.section("snap.protect version ",1,1).section(" ",0,0);
1531 result.bIsValid=true;
1532 }
1533
1534 return result;
1535 }
1536
_get_ByteDanceSecCompiler_string(QString sString)1537 SpecAbstract::VI_STRUCT SpecAbstract::_get_ByteDanceSecCompiler_string(QString sString)
1538 {
1539 VI_STRUCT result={};
1540
1541 if(sString.contains("ByteDance-SecCompiler"))
1542 {
1543 // TODO Version
1544 result.bIsValid=true;
1545 }
1546
1547 return result;
1548 }
1549
_get_DingbaozengNativeObfuscator_string(QString sString)1550 SpecAbstract::VI_STRUCT SpecAbstract::_get_DingbaozengNativeObfuscator_string(QString sString)
1551 {
1552 VI_STRUCT result={};
1553
1554 if(sString.contains("dingbaozeng/native_obfuscator.git"))
1555 {
1556 // TODO Version
1557 result.bIsValid=true;
1558 }
1559
1560 return result;
1561 }
1562
_get_SafeengineLLVM_string(QString sString)1563 SpecAbstract::VI_STRUCT SpecAbstract::_get_SafeengineLLVM_string(QString sString)
1564 {
1565 VI_STRUCT result={};
1566
1567 if(sString.contains("Safengine clang version"))
1568 {
1569 result.bIsValid=true;
1570
1571 result.sVersion=sString.section(" ",3,3);
1572 }
1573
1574 return result;
1575 }
1576
_get_NagainLLVM_string(QString sString)1577 SpecAbstract::VI_STRUCT SpecAbstract::_get_NagainLLVM_string(QString sString)
1578 {
1579 VI_STRUCT result={};
1580 // http://www.nagain.com/
1581 if(sString.contains("Nagain-LLVM clang version"))
1582 {
1583 result.bIsValid=true;
1584
1585 result.sVersion=sString.section(" ",3,3);
1586 }
1587
1588 return result;
1589 }
1590
_get_iJiami_string(QString sString)1591 SpecAbstract::VI_STRUCT SpecAbstract::_get_iJiami_string(QString sString)
1592 {
1593 VI_STRUCT result={};
1594 // https://www.ijiami.cn/
1595 if(sString.contains("ijiami LLVM Compiler- clang version"))
1596 {
1597 result.bIsValid=true;
1598
1599 result.sVersion=sString.section(" ",5,5);
1600 }
1601
1602 return result;
1603 }
1604
_get_AppleLLVM_string(QString sString)1605 SpecAbstract::VI_STRUCT SpecAbstract::_get_AppleLLVM_string(QString sString)
1606 {
1607 VI_STRUCT result={};
1608
1609 if(sString.contains("Apple LLVM version"))
1610 {
1611 result.bIsValid=true;
1612
1613 result.sVersion=sString.section("Apple LLVM version ",1,1).section(" ",0,0);
1614 }
1615
1616 return result;
1617 }
1618
_get_ApportableClang_string(QString sString)1619 SpecAbstract::VI_STRUCT SpecAbstract::_get_ApportableClang_string(QString sString)
1620 {
1621 VI_STRUCT result={};
1622
1623 if(sString.contains("Apportable clang version"))
1624 {
1625 result.bIsValid=true;
1626
1627 result.sVersion=sString.section(" ",3,3);
1628 }
1629
1630 return result;
1631 }
1632
_get_ARMAssembler_string(QString sString)1633 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMAssembler_string(QString sString)
1634 {
1635 VI_STRUCT result={};
1636
1637 if(sString.contains("ARM Assembler,"))
1638 {
1639 result.bIsValid=true;
1640
1641 result.sVersion=sString.section(", ",1,-1);
1642 }
1643
1644 return result;
1645 }
1646
_get_ARMLinker_string(QString sString)1647 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMLinker_string(QString sString)
1648 {
1649 VI_STRUCT result={};
1650
1651 if(sString.contains("ARM Linker,"))
1652 {
1653 result.bIsValid=true;
1654
1655 result.sVersion=sString.section(", ",1,-1).section("]",0,0)+"]";
1656 }
1657
1658 return result;
1659 }
1660
_get_ARMC_string(QString sString)1661 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMC_string(QString sString)
1662 {
1663 VI_STRUCT result={};
1664
1665 if(sString.contains("ARM C Compiler,"))
1666 {
1667 result.bIsValid=true;
1668
1669 result.sVersion=sString.section(", ",1,-1);
1670 }
1671
1672 return result;
1673 }
1674
_get_ARMCCPP_string(QString sString)1675 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMCCPP_string(QString sString)
1676 {
1677 VI_STRUCT result={};
1678
1679 if(sString.contains("ARM C/C++ Compiler,"))
1680 {
1681 result.bIsValid=true;
1682
1683 result.sVersion=sString.section(", ",1,-1);
1684 }
1685
1686 return result;
1687 }
1688
_get_ARMNEONCCPP_string(QString sString)1689 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMNEONCCPP_string(QString sString)
1690 {
1691 VI_STRUCT result={};
1692
1693 if(sString.contains("ARM NEON C/C++ Compiler,"))
1694 {
1695 result.bIsValid=true;
1696
1697 result.sVersion=sString.section(", ",1,-1);
1698 }
1699
1700 return result;
1701 }
1702
_get_ARMThumbCCPP_string(QString sString)1703 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMThumbCCPP_string(QString sString)
1704 {
1705 VI_STRUCT result={};
1706
1707 if(sString.contains("ARM/Thumb C/C++ Compiler,"))
1708 {
1709 result.bIsValid=true;
1710
1711 result.sVersion=sString.section(", ",1,-1);
1712 }
1713
1714 return result;
1715 }
1716
_get_ARMThumbMacroAssembler_string(QString sString)1717 SpecAbstract::VI_STRUCT SpecAbstract::_get_ARMThumbMacroAssembler_string(QString sString)
1718 {
1719 VI_STRUCT result={};
1720
1721 if(sString.contains("ARM/Thumb Macro Assembler"))
1722 {
1723 result.bIsValid=true;
1724
1725 if(sString.contains("vsn "))
1726 {
1727 result.sVersion=sString.section("vsn ",1,-1);
1728 }
1729 else
1730 {
1731 result.sVersion=sString.section(", ",1,-1);
1732 }
1733 }
1734
1735 return result;
1736 }
1737
_get_ThumbC_string(QString sString)1738 SpecAbstract::VI_STRUCT SpecAbstract::_get_ThumbC_string(QString sString)
1739 {
1740 VI_STRUCT result={};
1741
1742 if(sString.contains("Thumb C Compiler,"))
1743 {
1744 result.bIsValid=true;
1745
1746 result.sVersion=sString.section(", ",1,-1);
1747 }
1748
1749 return result;
1750 }
1751
_get_clang_string(QString sString)1752 SpecAbstract::VI_STRUCT SpecAbstract::_get_clang_string(QString sString)
1753 {
1754 VI_STRUCT result={};
1755
1756 if(XBinary::isRegExpPresent("^clang version",sString))
1757 {
1758 result.bIsValid=true;
1759
1760 result.sVersion=sString.section(" ",2,2);
1761 }
1762
1763 return result;
1764 }
1765
_get_DynASM_string(QString sString)1766 SpecAbstract::VI_STRUCT SpecAbstract::_get_DynASM_string(QString sString)
1767 {
1768 VI_STRUCT result={};
1769
1770 if(sString.contains("DynASM"))
1771 {
1772 result.bIsValid=true;
1773
1774 result.sVersion=sString.section(" ",1,1);
1775 }
1776
1777 return result;
1778 }
1779
_get_Delphi_string(QString sString)1780 SpecAbstract::VI_STRUCT SpecAbstract::_get_Delphi_string(QString sString)
1781 {
1782 VI_STRUCT result={};
1783
1784 // Embarcadero Delphi for Android compiler version
1785 if(XBinary::isRegExpPresent("^Embarcadero Delphi for",sString))
1786 {
1787 result.bIsValid=true;
1788
1789 result.sVersion=sString.section("version ",1,1);
1790 }
1791
1792 return result;
1793 }
1794
_get_LLD_string(QString sString)1795 SpecAbstract::VI_STRUCT SpecAbstract::_get_LLD_string(QString sString)
1796 {
1797 VI_STRUCT result={};
1798
1799 if(XBinary::isRegExpPresent("^Linker: LLD",sString))
1800 {
1801 result.bIsValid=true;
1802
1803 result.sVersion=sString.section("Linker: LLD ",1,1).section("(",0,0);
1804 }
1805
1806 return result;
1807 }
1808
_get_OracleSolarisLinkEditors_string(QString sString)1809 SpecAbstract::VI_STRUCT SpecAbstract::_get_OracleSolarisLinkEditors_string(QString sString)
1810 {
1811 VI_STRUCT result={};
1812
1813 if(XBinary::isRegExpPresent("^ld: Software Generation Utilities - Solaris Link Editors:",sString))
1814 {
1815 result.bIsValid=true;
1816
1817 result.sVersion=sString.section("Solaris Link Editors: ",1,1);
1818 }
1819
1820 return result;
1821 }
1822
_get_SunWorkShop_string(QString sString)1823 SpecAbstract::VI_STRUCT SpecAbstract::_get_SunWorkShop_string(QString sString)
1824 {
1825 VI_STRUCT result={};
1826
1827 if(XBinary::isRegExpPresent("Sun WorkShop",sString))
1828 {
1829 result.bIsValid=true;
1830
1831 result.sVersion=sString.section("Sun WorkShop ",1,1).section(" ",0,1).section("\r",0,0).section("\n",0,0);
1832 }
1833
1834 return result;
1835 }
1836
_get_SnapdragonLLVMARM_string(QString sString)1837 SpecAbstract::VI_STRUCT SpecAbstract::_get_SnapdragonLLVMARM_string(QString sString)
1838 {
1839 VI_STRUCT result={};
1840
1841 if(XBinary::isRegExpPresent("^Snapdragon LLVM ARM Compiler",sString))
1842 {
1843 result.bIsValid=true;
1844
1845 result.sVersion=sString.section(" ",4,4);
1846 }
1847
1848 return result;
1849 }
1850
_get_NASM_string(QString sString)1851 SpecAbstract::VI_STRUCT SpecAbstract::_get_NASM_string(QString sString)
1852 {
1853 VI_STRUCT result={};
1854
1855 if(XBinary::isRegExpPresent("^The Netwide Assembler",sString))
1856 {
1857 result.bIsValid=true;
1858
1859 result.sVersion=sString.section("The Netwide Assembler ",1,1);
1860 }
1861
1862 return result;
1863 }
1864
_get_TencentLegu_string(QString sString)1865 SpecAbstract::VI_STRUCT SpecAbstract::_get_TencentLegu_string(QString sString)
1866 {
1867 VI_STRUCT result={};
1868
1869 if(XBinary::isRegExpPresent("^legu",sString))
1870 {
1871 result.bIsValid=true;
1872 // TODO Version
1873 }
1874
1875 return result;
1876 }
1877
_get_OllvmTll_string(QString sString)1878 SpecAbstract::VI_STRUCT SpecAbstract::_get_OllvmTll_string(QString sString)
1879 {
1880 VI_STRUCT result={};
1881
1882 if(sString.contains("ollvm-tll.git"))
1883 {
1884 result.bIsValid=true;
1885 // TODO Version
1886 }
1887
1888 return result;
1889 }
1890
_get_DelphiVersionFromCompiler(QString sString)1891 SpecAbstract::VI_STRUCT SpecAbstract::_get_DelphiVersionFromCompiler(QString sString)
1892 {
1893 VI_STRUCT result={};
1894
1895 sString=sString.section(" ",0,0);
1896
1897 if(sString!="")
1898 {
1899 result.bIsValid=true;
1900
1901 result.sVersion="XE7+";
1902
1903 if(sString=="28.0")
1904 {
1905 result.sVersion="XE7";
1906 }
1907 else if(sString=="29.0")
1908 {
1909 result.sVersion="XE8";
1910 }
1911 else if(sString=="30.0")
1912 {
1913 result.sVersion="10 Seattle";
1914 }
1915 else if(sString=="31.0")
1916 {
1917 result.sVersion="10.1 Berlin";
1918 }
1919 else if(sString=="32.0")
1920 {
1921 result.sVersion="10.2 Tokyo";
1922 }
1923 else if(sString=="33.0")
1924 {
1925 result.sVersion="10.3 Rio";
1926 }
1927 else if(sString=="34.0")
1928 {
1929 result.sVersion="10.4 Sydney";
1930 }
1931 }
1932
1933 return result;
1934 }
1935
_get_SourceryCodeBench_string(QString sString)1936 SpecAbstract::VI_STRUCT SpecAbstract::_get_SourceryCodeBench_string(QString sString)
1937 {
1938 VI_STRUCT result={};
1939
1940 if(XBinary::isRegExpPresent("Sourcery CodeBench Lite ",sString))
1941 {
1942 result.bIsValid=true;
1943
1944 result.sVersion=sString.section("Sourcery CodeBench Lite ",1,1).section(")",0,0);
1945 result.sInfo="lite";
1946 }
1947 else if(XBinary::isRegExpPresent("Sourcery CodeBench ",sString))
1948 {
1949 result.bIsValid=true;
1950
1951 result.sVersion=sString.section("Sourcery CodeBench ",1,1).section(")",0,0);
1952 }
1953
1954 return result;
1955 }
1956
getBinaryInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)1957 SpecAbstract::BINARYINFO_STRUCT SpecAbstract::getBinaryInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
1958 {
1959 QElapsedTimer timer;
1960 timer.start();
1961
1962 BINARYINFO_STRUCT result={};
1963
1964 XBinary binary(pDevice,pOptions->bIsImage);
1965
1966 if(binary.isValid()&&(!(*pbIsStop)))
1967 {
1968 result.basic_info.parentId=parentId;
1969 result.basic_info.id.fileType=XBinary::FT_BINARY;
1970 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
1971 result.basic_info.id.sUuid=XBinary::generateUUID();
1972 result.basic_info.nOffset=nOffset;
1973 result.basic_info.nSize=pDevice->size();
1974 result.basic_info.sHeaderSignature=binary.getSignature(0,150);
1975 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
1976 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
1977 result.basic_info.bShowDetects=pOptions->bShowDetects;
1978 result.basic_info.bIsTest=pOptions->bIsTest;
1979 result.basic_info.memoryMap=binary.getMemoryMap();
1980
1981 // Scan Header
1982 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_binary_records,sizeof(_binary_records),result.basic_info.id.fileType,XBinary::FT_BINARY,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
1983 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_archive_records,sizeof(_archive_records),result.basic_info.id.fileType,XBinary::FT_ARCHIVE,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
1984 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_COM_records,sizeof(_COM_records),result.basic_info.id.fileType,XBinary::FT_COM,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
1985 signatureExpScan(&binary,&(result.basic_info.memoryMap),&result.basic_info.mapHeaderDetects,0,_COM_Exp_records,sizeof(_COM_Exp_records),result.basic_info.id.fileType,XBinary::FT_COM,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
1986
1987 if(result.basic_info.parentId.fileType!=XBinary::FT_UNKNOWN)
1988 {
1989 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_PE_overlay_records,sizeof(_PE_overlay_records),result.basic_info.id.fileType,XBinary::FT_BINARY,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
1990 }
1991
1992 // TODO header data!
1993 result.bIsPlainText=binary.isPlainTextType();
1994 result.bIsUTF8=binary.isUTF8TextType();
1995 result.unicodeType=binary.getUnicodeType();
1996
1997 // TODO Try QTextStream functions!
1998 if(result.unicodeType!=XBinary::UNICODE_TYPE_NONE)
1999 {
2000 result.sHeaderText=binary.read_unicodeString(2,qMin(result.basic_info.nSize,(qint64)0x1000),(result.unicodeType==XBinary::UNICODE_TYPE_BE));
2001 result.basic_info.id.fileType=XBinary::FT_UNICODE;
2002 }
2003 else if(result.bIsUTF8)
2004 {
2005 result.sHeaderText=binary.read_utf8String(3,qMin(result.basic_info.nSize,(qint64)0x1000));
2006 result.basic_info.id.fileType=XBinary::FT_UTF8;
2007 }
2008 else if(result.bIsPlainText)
2009 {
2010 result.sHeaderText=binary.read_ansiString(0,qMin(result.basic_info.nSize,(qint64)0x1000));
2011 result.basic_info.id.fileType=XBinary::FT_PLAINTEXT;
2012 }
2013
2014 Binary_handle_Texts(pDevice,pOptions->bIsImage,&result);
2015 Binary_handle_COM(pDevice,pOptions->bIsImage,&result);
2016 Binary_handle_Formats(pDevice,pOptions->bIsImage,&result);
2017 Binary_handle_Databases(pDevice,pOptions->bIsImage,&result);
2018 Binary_handle_Images(pDevice,pOptions->bIsImage,&result);
2019 Binary_handle_Archives(pDevice,pOptions->bIsImage,&result);
2020 Binary_handle_Certificates(pDevice,pOptions->bIsImage,&result);
2021 Binary_handle_DebugData(pDevice,pOptions->bIsImage,&result);
2022 Binary_handle_InstallerData(pDevice,pOptions->bIsImage,&result);
2023 Binary_handle_SFXData(pDevice,pOptions->bIsImage,&result);
2024 Binary_handle_ProtectorData(pDevice,pOptions->bIsImage,&result);
2025 Binary_handle_LibraryData(pDevice,pOptions->bIsImage,&result);
2026
2027 Binary_handle_FixDetects(pDevice,pOptions->bIsImage,&result);
2028
2029 Binary_handleLanguages(pDevice,pOptions->bIsImage,&result);
2030
2031 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2032 result.basic_info.listDetects.append(result.mapResultTexts.values());
2033 result.basic_info.listDetects.append(result.mapResultArchives.values());
2034 result.basic_info.listDetects.append(result.mapResultCertificates.values());
2035 result.basic_info.listDetects.append(result.mapResultDebugData.values());
2036 result.basic_info.listDetects.append(result.mapResultFormats.values());
2037 result.basic_info.listDetects.append(result.mapResultInstallerData.values());
2038 result.basic_info.listDetects.append(result.mapResultSFXData.values());
2039 result.basic_info.listDetects.append(result.mapResultProtectorData.values());
2040 result.basic_info.listDetects.append(result.mapResultLibraryData.values());
2041 result.basic_info.listDetects.append(result.mapResultDatabases.values());
2042 result.basic_info.listDetects.append(result.mapResultImages.values());
2043 result.basic_info.listDetects.append(result.mapResultTools.values());
2044 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2045 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2046 result.basic_info.listDetects.append(result.mapResultCOMPackers.values());
2047 result.basic_info.listDetects.append(result.mapResultCOMProtectors.values());
2048
2049 if(!result.basic_info.listDetects.count())
2050 {
2051 _SCANS_STRUCT ssUnknown={};
2052
2053 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2054 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2055
2056 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2057
2058 result.basic_info.bIsUnknown=true;
2059 }
2060
2061 result.basic_info.listDetects.append(result.listRecursiveDetects);
2062 }
2063
2064 result.basic_info.nElapsedTime=timer.elapsed();
2065
2066 return result;
2067 }
2068
getMSDOSInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2069 SpecAbstract::MSDOSINFO_STRUCT SpecAbstract::getMSDOSInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2070 {
2071 QElapsedTimer timer;
2072 timer.start();
2073
2074 MSDOSINFO_STRUCT result={};
2075
2076 XMSDOS msdos(pDevice,pOptions->bIsImage);
2077
2078 if(msdos.isValid()&&(!(*pbIsStop)))
2079 {
2080 result.basic_info.parentId=parentId;
2081 result.basic_info.id.fileType=XBinary::FT_MSDOS;
2082 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2083 result.basic_info.id.sUuid=XBinary::generateUUID();
2084 result.basic_info.nOffset=nOffset;
2085 result.basic_info.nSize=pDevice->size();
2086 result.basic_info.sHeaderSignature=msdos.getSignature(0,150);
2087 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2088 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2089 result.basic_info.bShowDetects=pOptions->bShowDetects;
2090 result.basic_info.bIsTest=pOptions->bIsTest;
2091 result.basic_info.memoryMap=msdos.getMemoryMap();
2092
2093 result.nOverlayOffset=msdos.getOverlayOffset(&(result.basic_info.memoryMap));
2094 result.nOverlaySize=msdos.getOverlaySize(&(result.basic_info.memoryMap));
2095
2096 if(result.nOverlaySize)
2097 {
2098 result.sOverlaySignature=msdos.getSignature(result.nOverlayOffset,150);
2099 }
2100
2101 result.nEntryPointOffset=msdos.getEntryPointOffset(&(result.basic_info.memoryMap));
2102 result.sEntryPointSignature=msdos.getSignature(msdos.getEntryPointOffset(&(result.basic_info.memoryMap)),150);
2103
2104 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_MSDOS_linker_header_records,sizeof(_MSDOS_linker_header_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2105 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_MSDOS_header_records,sizeof(_MSDOS_header_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2106 signatureScan(&result.mapEntryPointDetects,result.sEntryPointSignature,_MSDOS_entrypoint_records,sizeof(_MSDOS_entrypoint_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
2107
2108 signatureExpScan(&msdos,&(result.basic_info.memoryMap),&result.mapEntryPointDetects,result.nEntryPointOffset,_MSDOS_entrypointExp_records,sizeof(_MSDOS_entrypointExp_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
2109
2110 MSDOS_handle_OperationSystems(pDevice,pOptions->bIsImage,&result);
2111 MSDOS_handle_Borland(pDevice,pOptions->bIsImage,&result);
2112 MSDOS_handle_Tools(pDevice,pOptions->bIsImage,&result);
2113 MSDOS_handle_Protection(pDevice,pOptions->bIsImage,&result);
2114 MSDOS_handle_SFX(pDevice,pOptions->bIsImage,&result);
2115 MSDOS_handle_DosExtenders(pDevice,pOptions->bIsImage,&result);
2116
2117 MSDOS_handleLanguages(pDevice,pOptions->bIsImage,&result);
2118
2119 MSDOS_handle_Recursive(pDevice,pOptions->bIsImage,&result,pOptions,pbIsStop);
2120
2121 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2122 result.basic_info.listDetects.append(result.mapResultDosExtenders.values());
2123 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2124 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2125 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2126 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2127 result.basic_info.listDetects.append(result.mapResultTools.values());
2128 result.basic_info.listDetects.append(result.mapResultPackers.values());
2129 result.basic_info.listDetects.append(result.mapResultSFX.values());
2130 result.basic_info.listDetects.append(result.mapResultProtectors.values());
2131
2132 if(!result.basic_info.listDetects.count())
2133 {
2134 _SCANS_STRUCT ssUnknown={};
2135
2136 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2137 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2138
2139 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2140
2141 result.basic_info.bIsUnknown=true;
2142 }
2143
2144 result.basic_info.listDetects.append(result.listRecursiveDetects);
2145 }
2146
2147 result.basic_info.nElapsedTime=timer.elapsed();
2148
2149 return result;
2150 }
2151
getELFInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2152 SpecAbstract::ELFINFO_STRUCT SpecAbstract::getELFInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2153 {
2154 QElapsedTimer timer;
2155 timer.start();
2156
2157 ELFINFO_STRUCT result={};
2158
2159 XELF elf(pDevice,pOptions->bIsImage);
2160
2161 if(elf.isValid()&&(!(*pbIsStop)))
2162 {
2163 result.bIs64=elf.is64();
2164 result.bIsBigEndian=elf.isBigEndian();
2165
2166 result.basic_info.parentId=parentId;
2167 result.basic_info.id.fileType=result.bIs64?XBinary::FT_ELF64:XBinary::FT_ELF32;
2168 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2169 result.basic_info.id.sUuid=XBinary::generateUUID();
2170 result.basic_info.nOffset=nOffset;
2171 result.basic_info.nSize=pDevice->size();
2172 result.basic_info.sHeaderSignature=elf.getSignature(0,150);
2173 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2174 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2175 result.basic_info.bShowDetects=pOptions->bShowDetects;
2176 result.basic_info.bIsTest=pOptions->bIsTest;
2177 result.basic_info.memoryMap=elf.getMemoryMap();
2178
2179 result.sEntryPointSignature=elf.getSignature(elf.getEntryPointOffset(&(result.basic_info.memoryMap)),150);
2180
2181 result.nStringTableSection=elf.getSectionStringTable(result.bIs64);
2182 result.baStringTable=elf.getSection(result.nStringTableSection);
2183
2184 result.listTags=elf.getTagStructs();
2185 result.listLibraries=elf.getLibraries(&(result.basic_info.memoryMap),&result.listTags);
2186
2187 result.listSectionHeaders=elf.getElf_ShdrList();
2188 result.listProgramHeaders=elf.getElf_PhdrList();
2189
2190 result.listSectionRecords=XELF::getSectionRecords(&result.listSectionHeaders,pOptions->bIsImage,&result.baStringTable);
2191 result.listNotes=elf.getNotes(&result.listProgramHeaders);
2192
2193 result.nCommentSection=XELF::getSectionNumber(".comment",&result.listSectionRecords);
2194
2195 if(result.nCommentSection!=-1)
2196 {
2197 result.osCommentSection.nOffset=result.listSectionRecords.at(result.nCommentSection).nOffset;
2198 result.osCommentSection.nSize=result.listSectionRecords.at(result.nCommentSection).nSize;
2199
2200 result.listComments=elf.getStringsFromSection(result.nCommentSection).values();
2201 }
2202
2203 ELF_handle_CommentSection(pDevice,pOptions->bIsImage,&result);
2204
2205 ELF_handle_OperationSystems(pDevice,pOptions->bIsImage,&result);
2206 ELF_handle_GCC(pDevice,pOptions->bIsImage,&result);
2207 ELF_handle_Tools(pDevice,pOptions->bIsImage,&result);
2208 ELF_handle_Protection(pDevice,pOptions->bIsImage,&result);
2209
2210 ELF_handle_UnknownProtection(pDevice,pOptions->bIsImage,&result);
2211
2212 ELF_handle_FixDetects(pDevice,pOptions->bIsImage,&result);
2213
2214 ELF_handleLanguages(pDevice,pOptions->bIsImage,&result);
2215
2216 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2217 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2218 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2219 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2220 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2221 result.basic_info.listDetects.append(result.mapResultTools.values());
2222 result.basic_info.listDetects.append(result.mapResultPackers.values());
2223 result.basic_info.listDetects.append(result.mapResultProtectors.values());
2224
2225 if(!result.basic_info.listDetects.count())
2226 {
2227 _SCANS_STRUCT ssUnknown={};
2228
2229 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2230 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2231
2232 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2233
2234 result.basic_info.bIsUnknown=true;
2235 }
2236 }
2237
2238 result.basic_info.nElapsedTime=timer.elapsed();
2239
2240 return result;
2241 }
2242
getMACHOInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2243 SpecAbstract::MACHOINFO_STRUCT SpecAbstract::getMACHOInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2244 {
2245 QElapsedTimer timer;
2246 timer.start();
2247
2248 MACHOINFO_STRUCT result={};
2249
2250 XMACH mach(pDevice,pOptions->bIsImage);
2251
2252 if(mach.isValid()&&(!(*pbIsStop)))
2253 {
2254 result.bIs64=mach.is64();
2255 result.bIsBigEndian=mach.isBigEndian();
2256
2257 result.basic_info.parentId=parentId;
2258 result.basic_info.id.fileType=result.bIs64?XBinary::FT_MACHO64:XBinary::FT_MACHO32;
2259 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2260 result.basic_info.id.sUuid=XBinary::generateUUID();
2261 result.basic_info.nOffset=nOffset;
2262 result.basic_info.nSize=pDevice->size();
2263 result.basic_info.sHeaderSignature=mach.getSignature(0,150);
2264 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2265 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2266 result.basic_info.bShowDetects=pOptions->bShowDetects;
2267 result.basic_info.bIsTest=pOptions->bIsTest;
2268 result.basic_info.memoryMap=mach.getMemoryMap();
2269
2270 result.sEntryPointSignature=mach.getSignature(mach.getEntryPointOffset(&(result.basic_info.memoryMap)),150);
2271
2272 result.listCommandRecords=mach.getCommandRecords();
2273
2274 result.listLibraryRecords=mach.getLibraryRecords(&result.listCommandRecords);
2275 result.listSegmentRecords=mach.getSegmentRecords(&result.listCommandRecords);
2276 result.listSectionRecords=mach.getSectionRecords(&result.listCommandRecords);
2277
2278 // TODO Segments
2279 // TODO Sections
2280
2281 MACHO_handle_Tools(pDevice,pOptions->bIsImage,&result);
2282 MACHO_handle_Protection(pDevice,pOptions->bIsImage,&result);
2283
2284 MACHO_handle_FixDetects(pDevice,pOptions->bIsImage,&result);
2285
2286 MACHO_handleLanguages(pDevice,pOptions->bIsImage,&result);
2287
2288 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2289 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2290 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2291 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2292 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2293 result.basic_info.listDetects.append(result.mapResultTools.values());
2294 result.basic_info.listDetects.append(result.mapResultProtectors.values());
2295
2296 if(!result.basic_info.listDetects.count())
2297 {
2298 _SCANS_STRUCT ssUnknown={};
2299
2300 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2301 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2302
2303 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2304
2305 result.basic_info.bIsUnknown=true;
2306 }
2307 }
2308
2309 result.basic_info.nElapsedTime=timer.elapsed();
2310
2311 return result;
2312 }
2313
getLEInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2314 SpecAbstract::LEINFO_STRUCT SpecAbstract::getLEInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2315 {
2316 QElapsedTimer timer;
2317 timer.start();
2318
2319 LEINFO_STRUCT result={};
2320
2321 XLE le(pDevice,pOptions->bIsImage);
2322
2323 if(le.isValid()&&(!(*pbIsStop)))
2324 {
2325 result.basic_info.parentId=parentId;
2326
2327 if(le.isLX()) // TODO bLX
2328 {
2329 result.basic_info.id.fileType=XBinary::FT_LX;
2330 }
2331 else
2332 {
2333 result.basic_info.id.fileType=XBinary::FT_LE;
2334 }
2335
2336 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2337 result.basic_info.id.sUuid=XBinary::generateUUID();
2338 result.basic_info.nOffset=nOffset;
2339 result.basic_info.nSize=pDevice->size();
2340 result.basic_info.sHeaderSignature=le.getSignature(0,150);
2341 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2342 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2343 result.basic_info.bShowDetects=pOptions->bShowDetects;
2344 result.basic_info.bIsTest=pOptions->bIsTest;
2345 result.basic_info.memoryMap=le.getMemoryMap();
2346
2347 result.sEntryPointSignature=le.getSignature(le.getEntryPointOffset(&(result.basic_info.memoryMap)),150);
2348
2349 result.listRichSignatures=le.getRichSignatureRecords();
2350
2351 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_MSDOS_linker_header_records,sizeof(_MSDOS_linker_header_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2352
2353 LE_handle_Microsoft(pDevice,pOptions->bIsImage,&result,pbIsStop);
2354 LE_handle_Borland(pDevice,pOptions->bIsImage,&result);
2355
2356 LE_handleLanguages(pDevice,pOptions->bIsImage,&result);
2357
2358 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2359 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2360 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2361 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2362 result.basic_info.listDetects.append(result.mapResultTools.values());
2363
2364 if(!result.basic_info.listDetects.count())
2365 {
2366 _SCANS_STRUCT ssUnknown={};
2367
2368 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2369 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2370
2371 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2372
2373 result.basic_info.bIsUnknown=true;
2374 }
2375 }
2376
2377 result.basic_info.nElapsedTime=timer.elapsed();
2378
2379 return result;
2380 }
2381
getNEInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2382 SpecAbstract::NEINFO_STRUCT SpecAbstract::getNEInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2383 {
2384 QElapsedTimer timer;
2385 timer.start();
2386
2387 NEINFO_STRUCT result={};
2388
2389 XNE ne(pDevice,pOptions->bIsImage);
2390
2391 if(ne.isValid()&&(!(*pbIsStop)))
2392 {
2393 result.basic_info.parentId=parentId;
2394 result.basic_info.id.fileType=XBinary::FT_NE;
2395 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2396 result.basic_info.id.sUuid=XBinary::generateUUID();
2397 result.basic_info.nOffset=nOffset;
2398 result.basic_info.nSize=pDevice->size();
2399 result.basic_info.sHeaderSignature=ne.getSignature(0,150);
2400 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2401 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2402 result.basic_info.bShowDetects=pOptions->bShowDetects;
2403 result.basic_info.bIsTest=pOptions->bIsTest;
2404 result.basic_info.memoryMap=ne.getMemoryMap();
2405
2406 result.sEntryPointSignature=ne.getSignature(ne.getEntryPointOffset(&(result.basic_info.memoryMap)),150);
2407
2408 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_MSDOS_linker_header_records,sizeof(_MSDOS_linker_header_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2409
2410 NE_handle_Borland(pDevice,pOptions->bIsImage,&result);
2411
2412 NE_handleLanguages(pDevice,pOptions->bIsImage,&result);
2413
2414 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2415 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2416 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2417 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2418 result.basic_info.listDetects.append(result.mapResultTools.values());
2419
2420 if(!result.basic_info.listDetects.count())
2421 {
2422 _SCANS_STRUCT ssUnknown={};
2423
2424 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2425 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2426
2427 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2428
2429 result.basic_info.bIsUnknown=true;
2430 }
2431 }
2432
2433 result.basic_info.nElapsedTime=timer.elapsed();
2434
2435 return result;
2436 }
2437
getPEInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2438 SpecAbstract::PEINFO_STRUCT SpecAbstract::getPEInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2439 {
2440 QElapsedTimer timer;
2441 timer.start();
2442
2443 PEINFO_STRUCT result={};
2444
2445 XPE pe(pDevice,pOptions->bIsImage);
2446
2447 if(pe.isValid()&&(!(*pbIsStop)))
2448 {
2449 result.bIs64=pe.is64();
2450
2451 result.basic_info.parentId=parentId;
2452 result.basic_info.id.fileType=result.bIs64?XBinary::FT_PE64:XBinary::FT_PE32;
2453 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2454 result.basic_info.id.sUuid=XBinary::generateUUID();
2455 result.basic_info.nOffset=nOffset;
2456 result.basic_info.nSize=pDevice->size();
2457 result.basic_info.sHeaderSignature=pe.getSignature(0,150);
2458 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2459 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2460 result.basic_info.bShowDetects=pOptions->bShowDetects;
2461 result.basic_info.bIsTest=pOptions->bIsTest;
2462 result.basic_info.memoryMap=pe.getMemoryMap();
2463
2464 result.nEntryPointOffset=pe.getEntryPointOffset(&(result.basic_info.memoryMap));
2465 result.sEntryPointSignature=pe.getSignature(result.nEntryPointOffset,150);
2466
2467 result.dosHeader=pe.getDosHeaderEx();
2468 result.fileHeader=pe.getFileHeader();
2469 result.nOverlayOffset=pe.getOverlayOffset();
2470 result.nOverlaySize=pe.getOverlaySize();
2471
2472 if(result.nOverlaySize)
2473 {
2474 result.sOverlaySignature=pe.getSignature(result.nOverlayOffset,150);
2475 }
2476
2477 if(result.bIs64)
2478 {
2479 result.optional_header.optionalHeader64=pe.getOptionalHeader64();
2480 }
2481 else
2482 {
2483 result.optional_header.optionalHeader32=pe.getOptionalHeader32();
2484 }
2485
2486 result.listSectionHeaders=pe.getSectionHeaders();
2487 result.listSectionRecords=XPE::getSectionRecords(&result.listSectionHeaders,pe.isImage());
2488 result.listSectionNames=XPE::getSectionNames(&(result.listSectionRecords));
2489
2490 result.listImports=pe.getImports(&(result.basic_info.memoryMap));
2491 // for(int i=0;i<result.listImports.count();i++)
2492 // {
2493 // qDebug(result.listImports.at(i).sName.toLatin1().data());
2494 // for(int j=0;j<result.listImports.at(i).listPositions.count();j++)
2495 // {
2496 // qDebug("%d %s",j,result.listImports.at(i).listPositions.at(j).sFunction.toLatin1().data());
2497 // }
2498 // }
2499 result.nImportHash64=pe.getImportHash64(&(result.basic_info.memoryMap));
2500 result.nImportHash32=pe.getImportHash32(&(result.basic_info.memoryMap));
2501 result.listImportPositionHashes=pe.getImportPositionHashes(&(result.listImports));
2502
2503 #ifdef QT_DEBUG
2504 QString sDebugString=QString::number(result.nImportHash64,16)+" "+QString::number(result.nImportHash32,16);
2505 qDebug("Import hash: %s",sDebugString.toLatin1().data());
2506
2507 QList<XPE::IMPORT_RECORD> listImports=pe.getImportRecords(&(result.basic_info.memoryMap));
2508
2509 int _nNumberOfImports=listImports.count();
2510
2511 for(int i=0;i<_nNumberOfImports; i++)
2512 {
2513 QString sRecord=listImports.at(i).sLibrary+" "+listImports.at(i).sFunction;
2514
2515 qDebug("%s",sRecord.toLatin1().data());
2516 }
2517
2518 qDebug("=====================================================================");
2519
2520 QList<XPE::IMPORT_HEADER> listImportHeaders=pe.getImports(&(result.basic_info.memoryMap));
2521
2522 for(int i=0;i<listImportHeaders.count();i++)
2523 {
2524 qDebug("Import hash: %x",result.listImportPositionHashes.at(i));
2525 for(int j=0;j<listImportHeaders.at(i).listPositions.count();j++)
2526 {
2527 qDebug("%s %s",listImportHeaders.at(i).sName.toLatin1().data(),
2528 listImportHeaders.at(i).listPositions.at(j).sFunction.toLatin1().data());
2529 }
2530 }
2531 #endif
2532 result.exportHeader=pe.getExport(&(result.basic_info.memoryMap));
2533 result.listExportFunctionNames=pe.getExportFunctionsList(&(result.exportHeader));
2534 result.listResources=pe.getResources(&(result.basic_info.memoryMap));
2535 result.listRichSignatures=pe.getRichSignatureRecords();
2536 result.cliInfo=pe.getCliInfo(true,&(result.basic_info.memoryMap));
2537 result.sResourceManifest=pe.getResourceManifest(&result.listResources);
2538 result.resVersion=pe.getResourceVersion(&result.listResources);
2539
2540 result.nEntryPointAddress=result.bIs64?result.optional_header.optionalHeader64.AddressOfEntryPoint:result.optional_header.optionalHeader32.AddressOfEntryPoint;
2541 result.nImageBaseAddress=result.bIs64?result.optional_header.optionalHeader64.ImageBase:result.optional_header.optionalHeader32.ImageBase;
2542 result.nMinorLinkerVersion=result.bIs64?result.optional_header.optionalHeader64.MinorLinkerVersion:result.optional_header.optionalHeader32.MinorLinkerVersion;
2543 result.nMajorLinkerVersion=result.bIs64?result.optional_header.optionalHeader64.MajorLinkerVersion:result.optional_header.optionalHeader32.MajorLinkerVersion;
2544 result.nMinorImageVersion=result.bIs64?result.optional_header.optionalHeader64.MinorImageVersion:result.optional_header.optionalHeader32.MinorImageVersion;
2545 result.nMajorImageVersion=result.bIs64?result.optional_header.optionalHeader64.MajorImageVersion:result.optional_header.optionalHeader32.MajorImageVersion;
2546
2547 result.nEntryPointSection=pe.getEntryPointSection(&(result.basic_info.memoryMap));
2548 result.nResourceSection=pe.getResourcesSection(&(result.basic_info.memoryMap));
2549 result.nImportSection=pe.getImportSection(&(result.basic_info.memoryMap));
2550 result.nCodeSection=pe.getNormalCodeSection(&(result.basic_info.memoryMap));
2551 result.nDataSection=pe.getNormalDataSection(&(result.basic_info.memoryMap));
2552 result.nConstDataSection=pe.getConstDataSection(&(result.basic_info.memoryMap));
2553 result.nRelocsSection=pe.getRelocsSection(&(result.basic_info.memoryMap));
2554 result.nTLSSection=pe.getTLSSection(&(result.basic_info.memoryMap));
2555
2556 result.bIsNetPresent=((result.cliInfo.bValid)||(pe.isNETPresent()&&(result.basic_info.bIsDeepScan)));
2557 result.bIsTLSPresent=(result.nTLSSection!=-1);
2558
2559 if(result.nEntryPointSection!=-1)
2560 {
2561 result.sEntryPointSectionName=result.listSectionRecords.at(result.nEntryPointSection).sName;
2562 }
2563
2564 // result.mmCodeSectionSignatures=memoryScan(pDevice,nFirstSectionOffset,qMin((qint64)0x10000,nFirstSectionSize),_memory_records,sizeof(_memory_records),_filetype,SpecAbstract::XBinary::FT_PE);
2565 // if(result.nCodeSection!=-1)
2566 // {
2567 // memoryScan(&result.mapCodeSectionScanDetects,pDevice,result.listSections.at(result.nCodeSection).PointerToRawData,result.listSections.at(result.nCodeSection).SizeOfRawData,_codesectionscan_records,sizeof(_codesectionscan_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2568 // }
2569
2570 result.osHeader.nOffset=0;
2571 result.osHeader.nSize=qMin(result.basic_info.nSize,(qint64)2048);
2572
2573 if(result.nCodeSection!=-1)
2574 {
2575 result.osCodeSection.nOffset=result.listSectionRecords.at(result.nCodeSection).nOffset;
2576 result.osCodeSection.nSize=result.listSectionRecords.at(result.nCodeSection).nSize; // TODO limit?
2577 }
2578
2579 if(result.nDataSection!=-1)
2580 {
2581 result.osDataSection.nOffset=result.listSectionRecords.at(result.nDataSection).nOffset;
2582 result.osDataSection.nSize=result.listSectionRecords.at(result.nDataSection).nSize;
2583 }
2584
2585 if(result.nConstDataSection!=-1)
2586 {
2587 result.osConstDataSection.nOffset=result.listSectionRecords.at(result.nConstDataSection).nOffset;
2588 result.osConstDataSection.nSize=result.listSectionRecords.at(result.nConstDataSection).nSize;
2589 }
2590
2591 if(result.nEntryPointSection!=-1)
2592 {
2593 result.osEntryPointSection.nOffset=result.listSectionRecords.at(result.nEntryPointSection).nOffset;
2594 result.osEntryPointSection.nSize=result.listSectionRecords.at(result.nEntryPointSection).nSize;
2595 }
2596
2597 if(result.nImportSection!=-1)
2598 {
2599 result.osImportSection.nOffset=result.listSectionRecords.at(result.nImportSection).nOffset;
2600 result.osImportSection.nSize=result.listSectionRecords.at(result.nImportSection).nSize;
2601 }
2602
2603 if(result.nResourceSection!=-1)
2604 {
2605 result.osResourceSection.nOffset=result.listSectionRecords.at(result.nResourceSection).nOffset;
2606 result.osResourceSection.nSize=result.listSectionRecords.at(result.nResourceSection).nSize;
2607 }
2608
2609 // if(result.nCodeSectionSize)
2610 // {
2611 // memoryScan(&result.mapCodeSectionScanDetects,pDevice,result.nCodeSectionOffset,result.nCodeSectionSize,_codesectionscan_records,sizeof(_codesectionscan_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2612 // }
2613
2614 // if(result.nDataSectionSize)
2615 // {
2616 // memoryScan(&result.mapDataSectionScanDetects,pDevice,result.nDataSectionOffset,result.nDataSectionSize,_datasectionscan_records,sizeof(_datasectionscan_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2617 // }
2618
2619 // // TODO Check if resources exists
2620
2621 // memoryScan(&result.mapHeaderScanDetects,pDevice,0,qMin(result.basic_info.nSize,(qint64)1024),_headerscan_records,sizeof(_headerscan_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2622
2623 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_MSDOS_linker_header_records,sizeof(_MSDOS_linker_header_records),result.basic_info.id.fileType,XBinary::FT_MSDOS,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2624 signatureScan(&result.basic_info.mapHeaderDetects,result.basic_info.sHeaderSignature,_PE_header_records,sizeof(_PE_header_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_HEADER,pbIsStop);
2625 signatureScan(&result.mapEntryPointDetects,result.sEntryPointSignature,_PE_entrypoint_records,sizeof(_PE_entrypoint_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
2626 signatureExpScan(&pe,&(result.basic_info.memoryMap),&result.mapEntryPointDetects,result.nEntryPointOffset,_PE_entrypointExp_records,sizeof(_PE_entrypointExp_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
2627 signatureScan(&result.mapOverlayDetects,result.sOverlaySignature,_binary_records,sizeof(_binary_records),result.basic_info.id.fileType,XBinary::FT_BINARY,&(result.basic_info),DETECTTYPE_OVERLAY,pbIsStop);
2628 signatureScan(&result.mapOverlayDetects,result.sOverlaySignature,_archive_records,sizeof(_archive_records),result.basic_info.id.fileType,XBinary::FT_ARCHIVE,&(result.basic_info),DETECTTYPE_OVERLAY,pbIsStop);
2629 signatureScan(&result.mapOverlayDetects,result.sOverlaySignature,_PE_overlay_records,sizeof(_PE_overlay_records),result.basic_info.id.fileType,XBinary::FT_BINARY,&(result.basic_info),DETECTTYPE_OVERLAY,pbIsStop);
2630
2631 stringScan(&result.mapSectionNamesDetects,&result.listSectionNames,_PE_sectionNames_records,sizeof(_PE_sectionNames_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_SECTIONNAME,pbIsStop);
2632
2633 // Import
2634 constScan(&(result.mapImportDetects),result.nImportHash64,result.nImportHash32,_PE_importhash_records,sizeof(_PE_importhash_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_IMPORTHASH,pbIsStop);
2635
2636 // Export
2637
2638 int nNumberOfImports=result.listImportPositionHashes.count();
2639
2640 for(int i=0;i<nNumberOfImports;i++)
2641 {
2642 constScan(&(result.mapImportDetects),i,result.listImportPositionHashes.at(i),_PE_importpositionhash_records,sizeof(_PE_importpositionhash_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_IMPORTHASH,pbIsStop);
2643 }
2644
2645 // TODO Resources scan
2646 PE_resourcesScan(&(result.mapResourcesDetects),&(result.listResources),_PE_resources_records,sizeof(_PE_resources_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_RESOURCES,pbIsStop);
2647
2648 PE_x86Emul(pDevice,pOptions->bIsImage,&result);
2649
2650 // Rich
2651 // int nNumberOfRichSignatures=result.listRichSignatures.count();
2652
2653 // for(int i=0;i<nNumberOfRichSignatures;i++)
2654 // {
2655 // PE_richScan(&(result.mapRichDetects),result.listRichSignatures.at(i).nId,result.listRichSignatures.at(i).nVersion,_PE_rich_records,sizeof(_PE_rich_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2656 // }
2657
2658
2659 // for(int i=0;i<result.listImports.count();i++)
2660 // {
2661 // signatureScan(&result._mapImportDetects,QBinary::stringToHex(result.listImports.at(i).sName.toUpper()),_import_records,sizeof(_import_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2662 // }
2663
2664 // for(int i=0;i<result.export_header.listPositions.count();i++)
2665 // {
2666 // signatureScan(&result.mapExportDetects,QBinary::stringToHex(result.export_header.listPositions.at(i).sFunctionName),_export_records,sizeof(_export_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2667 // }
2668
2669 // resourcesScan(&result.mapResourcesDetects,&result.listResources,_resources_records,sizeof(_resources_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2670
2671
2672 if(result.bIsNetPresent)
2673 {
2674 stringScan(&result.mapDotAnsiStringsDetects,&result.cliInfo.metaData.listAnsiStrings,_PE_dot_ansistrings_records,sizeof(_PE_dot_ansistrings_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_NETANSISTRING,pbIsStop);
2675 stringScan(&result.mapDotUnicodeStringsDetects,&result.cliInfo.metaData.listUnicodeStrings,_PE_dot_unicodestrings_records,sizeof(_PE_dot_unicodestrings_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_NETUNICODESTRING,pbIsStop);
2676
2677 // for(int i=0;i<result.cliInfo.listUnicodeStrings.count();i++)
2678 // {
2679 // signatureScan(&result.mapDotUnicodestringsDetects,QBinary::stringToHex(result.cliInfo.listUnicodeStrings.at(i)),_dot_unicodestrings_records,sizeof(_dot_unicodestrings_records),result.basic_info.id.filetype,SpecAbstract::XBinary::FT_PE);
2680 // }
2681
2682 if(result.basic_info.bIsDeepScan)
2683 {
2684 if(pe.checkOffsetSize(result.osCodeSection))
2685 {
2686 qint64 nSectionOffset=result.osCodeSection.nOffset;
2687 qint64 nSectionSize=result.osCodeSection.nSize;
2688
2689 memoryScan(&result.mapCodeSectionDetects,pDevice,pOptions->bIsImage,nSectionOffset,nSectionSize,_PE_dot_codesection_records,sizeof(_PE_dot_codesection_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_CODESECTION,pbIsStop);
2690 }
2691 }
2692 }
2693
2694 if(result.basic_info.bIsDeepScan)
2695 {
2696 if(pe.checkOffsetSize(result.osCodeSection))
2697 {
2698 qint64 nSectionOffset=result.osCodeSection.nOffset;
2699 qint64 nSectionSize=result.osCodeSection.nSize;
2700
2701 memoryScan(&result.mapCodeSectionDetects,pDevice,pOptions->bIsImage,nSectionOffset,nSectionSize,_PE_codesection_records,sizeof(_PE_codesection_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_CODESECTION,pbIsStop);
2702 }
2703
2704 if(pe.checkOffsetSize(result.osEntryPointSection))
2705 {
2706 qint64 nSectionOffset=result.osEntryPointSection.nOffset;
2707 qint64 nSectionSize=result.osEntryPointSection.nSize;
2708
2709 memoryScan(&result.mapEntryPointSectionDetects,pDevice,pOptions->bIsImage,nSectionOffset,nSectionSize,_PE_entrypointsection_records,sizeof(_PE_entrypointsection_records),result.basic_info.id.fileType,XBinary::FT_PE,&(result.basic_info),DETECTTYPE_ENTRYPOINTSECTION,pbIsStop);
2710 }
2711 }
2712
2713 PE_handle_import(pDevice,pOptions->bIsImage,&result);
2714
2715 PE_handle_OperationSystems(pDevice,pOptions->bIsImage,&result);
2716 PE_handle_Protection(pDevice,pOptions->bIsImage,&result,pbIsStop);
2717 PE_handle_SafeengineShielden(pDevice,pOptions->bIsImage,&result);
2718 PE_handle_VProtect(pDevice,pOptions->bIsImage,&result);
2719 PE_handle_TTProtect(pDevice,pOptions->bIsImage,&result); // TODO remove
2720 PE_handle_VMProtect(pDevice,pOptions->bIsImage,&result);
2721 PE_handle_tElock(pDevice,pOptions->bIsImage,&result);
2722 PE_handle_Armadillo(pDevice,pOptions->bIsImage,&result);
2723 PE_handle_Obsidium(pDevice,pOptions->bIsImage,&result);
2724 PE_handle_Themida(pDevice,pOptions->bIsImage,&result);
2725 PE_handle_StarForce(pDevice,pOptions->bIsImage,&result);
2726 PE_handle_Petite(pDevice,pOptions->bIsImage,&result);
2727 PE_handle_NETProtection(pDevice,pOptions->bIsImage,&result);
2728 PE_handle_PolyMorph(pDevice,pOptions->bIsImage,&result);
2729 PE_handle_Microsoft(pDevice,pOptions->bIsImage,&result,pbIsStop);
2730 PE_handle_Borland(pDevice,pOptions->bIsImage,&result);
2731 PE_handle_Watcom(pDevice,pOptions->bIsImage,&result);
2732 PE_handle_Tools(pDevice,pOptions->bIsImage,&result);
2733 PE_handle_wxWidgets(pDevice,pOptions->bIsImage,&result);
2734 PE_handle_GCC(pDevice,pOptions->bIsImage,&result);
2735 PE_handle_Signtools(pDevice,pOptions->bIsImage,&result);
2736 PE_handle_SFX(pDevice,pOptions->bIsImage,&result);
2737 PE_handle_Installers(pDevice,pOptions->bIsImage,&result);
2738 PE_handle_DongleProtection(pDevice,pOptions->bIsImage,&result);
2739 // PE_handle_AnslymPacker(pDevice,pOptions->bIsImage,&result);
2740 PE_handle_NeoLite(pDevice,pOptions->bIsImage,&result);
2741 PE_handle_PrivateEXEProtector(pDevice,pOptions->bIsImage,&result);
2742
2743 PE_handle_VisualBasicCryptors(pDevice,pOptions->bIsImage,&result);
2744 PE_handle_DelphiCryptors(pDevice,pOptions->bIsImage,&result);
2745
2746 PE_handle_Joiners(pDevice,pOptions->bIsImage,&result);
2747 PE_handle_PETools(pDevice,pOptions->bIsImage,&result);
2748
2749 if(pOptions->bHeuristicScan)
2750 {
2751 PE_handle_UnknownProtection(pDevice,pOptions->bIsImage,&result);
2752 }
2753
2754 PE_handle_FixDetects(pDevice,pOptions->bIsImage,&result);
2755
2756 PE_handleLanguages(pDevice,pOptions->bIsImage,&result);
2757
2758 PE_handle_Recursive(pDevice,pOptions->bIsImage,&result,pOptions,pbIsStop);
2759
2760 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2761 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2762 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2763 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2764 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2765 result.basic_info.listDetects.append(result.mapResultTools.values());
2766 result.basic_info.listDetects.append(result.mapResultPETools.values());
2767 result.basic_info.listDetects.append(result.mapResultSigntools.values());
2768 result.basic_info.listDetects.append(result.mapResultProtectors.values());
2769 result.basic_info.listDetects.append(result.mapResultNETObfuscators.values());
2770 result.basic_info.listDetects.append(result.mapResultDongleProtection.values());
2771 result.basic_info.listDetects.append(result.mapResultPackers.values());
2772 result.basic_info.listDetects.append(result.mapResultNETCompressors.values());
2773 result.basic_info.listDetects.append(result.mapResultJoiners.values());
2774 result.basic_info.listDetects.append(result.mapResultSFX.values());
2775 result.basic_info.listDetects.append(result.mapResultInstallers.values());
2776
2777 // TODO unknown cryptors
2778 if(!result.basic_info.listDetects.count())
2779 {
2780 _SCANS_STRUCT ssUnknown={};
2781
2782 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2783 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2784
2785 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2786
2787 result.basic_info.bIsUnknown=true;
2788 }
2789
2790 result.basic_info.listDetects.append(result.listRecursiveDetects);
2791 }
2792
2793 result.basic_info.nElapsedTime=timer.elapsed();
2794
2795 return result;
2796 }
2797
getDEXInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2798 SpecAbstract::DEXINFO_STRUCT SpecAbstract::getDEXInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2799 {
2800 QElapsedTimer timer;
2801 timer.start();
2802
2803 DEXINFO_STRUCT result={};
2804
2805 XDEX dex(pDevice);
2806
2807 if(dex.isValid()&&(!(*pbIsStop)))
2808 {
2809 result.basic_info.parentId=parentId;
2810 result.basic_info.id.fileType=XBinary::FT_DEX;
2811 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2812 result.basic_info.id.sUuid=XBinary::generateUUID();
2813 result.basic_info.nOffset=nOffset;
2814 result.basic_info.nSize=pDevice->size();
2815 result.basic_info.sHeaderSignature=dex.getSignature(0,150);
2816 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2817 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2818 result.basic_info.bShowDetects=pOptions->bShowDetects;
2819 result.basic_info.bIsTest=pOptions->bIsTest;
2820 result.basic_info.memoryMap=dex.getMemoryMap();
2821
2822 result.header=dex.getHeader();
2823 result.mapItems=dex.getMapItems();
2824
2825 result.bIsStringPoolSorted=dex.isStringPoolSorted();
2826 result.bIsOverlayPresent=dex.isOverlayPresent(&(result.basic_info.memoryMap));
2827
2828 result.listStrings=dex.getStrings(&(result.mapItems),pbIsStop);
2829 result.listTypeItemStrings=dex.getTypeItemStrings(&(result.mapItems),&result.listStrings,pbIsStop);
2830
2831 stringScan(&result.mapStringDetects,&result.listStrings,_DEX_string_records,sizeof(_DEX_string_records),result.basic_info.id.fileType,XBinary::FT_DEX,&(result.basic_info),DETECTTYPE_DEXSTRING,pbIsStop);
2832 stringScan(&result.mapTypeDetects,&result.listTypeItemStrings,_DEX_type_records,sizeof(_DEX_type_records),result.basic_info.id.fileType,XBinary::FT_DEX,&(result.basic_info),DETECTTYPE_DEXTYPE,pbIsStop);
2833
2834 if(pOptions->bDeepScan)
2835 {
2836 // QList<XDEX_DEF::STRING_ITEM_ID> getList_STRING_ITEM_ID(&mapItems);
2837 // QList<XDEX_DEF::TYPE_ITEM_ID> getList_TYPE_ITEM_ID(&mapItems);
2838 // QList<XDEX_DEF::PROTO_ITEM_ID> getList_PROTO_ITEM_ID(&mapItems);
2839 result.listFieldIDs=dex.getList_FIELD_ITEM_ID(&(result.mapItems),pbIsStop);
2840 result.listMethodIDs=dex.getList_METHOD_ITEM_ID(&(result.mapItems),pbIsStop);
2841 // QList<XDEX_DEF::CLASS_ITEM_DEF> getList_CLASS_ITEM_DEF(&mapItems);
2842
2843 #ifdef QT_DEBUG
2844 // {
2845 // QList<XDEX_DEF::CLASS_ITEM_DEF> listClasses=dex.getList_CLASS_ITEM_DEF(&mapItems);
2846
2847 // int nNumberOfItems=listClasses.count();
2848
2849 // for(int i=0;i<nNumberOfItems;i++)
2850 // {
2851
2852 // QString sString=QString("%1|%2|%3") .arg(XBinary::getStringByIndex(&result.listTypeItemStrings,listClasses.at(i).class_idx))
2853 // .arg(XBinary::getStringByIndex(&result.listTypeItemStrings,listClasses.at(i).superclass_idx))
2854 // .arg(XBinary::getStringByIndex(&result.listStrings,listClasses.at(i).source_file_idx));
2855
2856 // qDebug(sString.toLatin1().data());
2857 // }
2858 // }
2859 // {
2860 // QList<XDEX_DEF::METHOD_ITEM_ID> listMethods=dex.getList_METHOD_ITEM_ID(&mapItems);
2861
2862 // int nNumberOfItems=listMethods.count();
2863
2864 // for(int i=0;i<nNumberOfItems;i++)
2865 // {
2866
2867 // QString sString=QString("%1|%2") .arg(XBinary::getStringByIndex(&result.listTypeItemStrings,listMethods.at(i).class_idx))
2868 // .arg(XBinary::getStringByIndex(&result.listStrings,listMethods.at(i).name_idx));
2869
2870 // qDebug(sString.toLatin1().data());
2871 // }
2872 // }
2873 #endif
2874 }
2875
2876 // TODO Check Strings
2877
2878 DEX_handle_Tools(pDevice,&result,pbIsStop);
2879 DEX_handle_Protection(pDevice,&result,pbIsStop);
2880 DEX_handle_Dexguard(pDevice,&result,pbIsStop);
2881
2882 DEX_handleLanguages(pDevice,&result);
2883
2884 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2885 result.basic_info.listDetects.append(result.mapResultLinkers.values());
2886 result.basic_info.listDetects.append(result.mapResultCompilers.values());
2887 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2888 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2889 result.basic_info.listDetects.append(result.mapResultTools.values());
2890 result.basic_info.listDetects.append(result.mapResultProtectors.values());
2891 }
2892
2893 result.basic_info.nElapsedTime=timer.elapsed();
2894
2895 return result;
2896 }
2897
getZIPInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2898 SpecAbstract::ZIPINFO_STRUCT SpecAbstract::getZIPInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2899 {
2900 QElapsedTimer timer;
2901 timer.start();
2902
2903 ZIPINFO_STRUCT result={};
2904
2905 XZip xzip(pDevice);
2906
2907 if(xzip.isValid()&&(!(*pbIsStop)))
2908 {
2909 result.basic_info.parentId=parentId;
2910 result.basic_info.id.fileType=XBinary::FT_ZIP;
2911 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
2912 result.basic_info.id.sUuid=XBinary::generateUUID();
2913 result.basic_info.nOffset=nOffset;
2914 result.basic_info.nSize=pDevice->size();
2915 result.basic_info.sHeaderSignature=xzip.getSignature(0,150);
2916 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
2917 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
2918 result.basic_info.bShowDetects=pOptions->bShowDetects;
2919 result.basic_info.bIsTest=pOptions->bIsTest;
2920 result.basic_info.memoryMap=xzip.getMemoryMap();
2921
2922 result.listArchiveRecords=xzip.getRecords();
2923
2924 result.bIsJAR=XArchive::isArchiveRecordPresent("META-INF/MANIFEST.MF",&(result.listArchiveRecords));
2925 result.bIsAPK=XArchive::isArchiveRecordPresent("classes.dex",&(result.listArchiveRecords));
2926 result.bIsIPA=XArchive::isArchiveRecordPresent("Payload/",&(result.listArchiveRecords));
2927 result.bIsKotlin= XArchive::isArchiveRecordPresent("META-INF/androidx.core_core-ktx.version",&(result.listArchiveRecords))||
2928 XArchive::isArchiveRecordPresent("kotlin/kotlin.kotlin_builtins",&(result.listArchiveRecords));
2929
2930 if(result.bIsIPA)
2931 {
2932 result.basic_info.id.fileType=XBinary::FT_IPA;
2933 }
2934 else if((result.bIsJAR)&&(!(result.bIsAPK)))
2935 {
2936 result.basic_info.id.fileType=XBinary::FT_JAR;
2937 }
2938 else if(result.bIsAPK)
2939 {
2940 result.basic_info.id.fileType=XBinary::FT_APK;
2941 }
2942
2943 if(result.bIsAPK)
2944 {
2945 archiveScan(&(result.mapArchiveDetects),&(result.listArchiveRecords),_APK_file_records,sizeof(_APK_file_records),result.basic_info.id.fileType,XBinary::FT_APK,&(result.basic_info),DETECTTYPE_ARCHIVE,pbIsStop);
2946 archiveExpScan(&(result.mapArchiveDetects),&(result.listArchiveRecords),_APK_fileExp_records,sizeof(_APK_fileExp_records),result.basic_info.id.fileType,XBinary::FT_APK,&(result.basic_info),DETECTTYPE_ARCHIVE,pbIsStop);
2947 result.dexInfoClasses=Zip_scan_DEX(pDevice,pOptions->bIsImage,&result,pOptions,pbIsStop,"classes.dex");
2948 }
2949
2950 Zip_handle_Metainfos(pDevice,pOptions->bIsImage,&result);
2951 Zip_handle_Microsoftoffice(pDevice,pOptions->bIsImage,&result);
2952 Zip_handle_OpenOffice(pDevice,pOptions->bIsImage,&result);
2953
2954 Zip_handle_JAR(pDevice,pOptions->bIsImage,&result,pOptions,pbIsStop);
2955 Zip_handle_APK(pDevice,pOptions->bIsImage,&result);
2956 Zip_handle_IPA(pDevice,pOptions->bIsImage,&result);
2957
2958 Zip_handle_Recursive(pDevice,pOptions->bIsImage,&result,pOptions,pbIsStop);
2959
2960 Zip_handle_FixDetects(pDevice,pOptions->bIsImage,&result);
2961
2962 Zip_handleLanguages(pDevice,pOptions->bIsImage,&result);
2963
2964 result.basic_info.listDetects.append(result.mapResultOperationSystems.values());
2965 result.basic_info.listDetects.append(result.mapResultArchives.values());
2966 result.basic_info.listDetects.append(result.mapResultFormats.values());
2967 result.basic_info.listDetects.append(result.mapResultTools.values());
2968 result.basic_info.listDetects.append(result.mapResultSigntools.values());
2969 result.basic_info.listDetects.append(result.mapResultLanguages.values());
2970 result.basic_info.listDetects.append(result.mapResultLibraries.values());
2971 result.basic_info.listDetects.append(result.mapResultAPKProtectors.values());
2972
2973 if(!result.basic_info.listDetects.count())
2974 {
2975 _SCANS_STRUCT ssUnknown={};
2976
2977 ssUnknown.type=SpecAbstract::RECORD_TYPE_UNKNOWN;
2978 ssUnknown.name=SpecAbstract::RECORD_NAME_UNKNOWN;
2979
2980 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssUnknown));
2981
2982 result.basic_info.bIsUnknown=true;
2983 }
2984
2985 result.basic_info.listDetects.append(result.listRecursiveDetects);
2986 }
2987
2988 result.basic_info.nElapsedTime=timer.elapsed();
2989
2990 return result;
2991 }
2992
getMACHOFATInfo(QIODevice * pDevice,SpecAbstract::ID parentId,SpecAbstract::SCAN_OPTIONS * pOptions,qint64 nOffset,bool * pbIsStop)2993 SpecAbstract::MACHOFATINFO_STRUCT SpecAbstract::getMACHOFATInfo(QIODevice *pDevice, SpecAbstract::ID parentId, SpecAbstract::SCAN_OPTIONS *pOptions, qint64 nOffset, bool *pbIsStop)
2994 {
2995 QElapsedTimer timer;
2996 timer.start();
2997
2998 MACHOFATINFO_STRUCT result={};
2999
3000 XMACHOFat xmachofat(pDevice);
3001
3002 if(xmachofat.isValid()&&(!(*pbIsStop)))
3003 {
3004 result.basic_info.parentId=parentId;
3005 result.basic_info.id.fileType=XBinary::FT_ARCHIVE;
3006 result.basic_info.id.filePart=RECORD_FILEPART_HEADER;
3007 result.basic_info.id.sUuid=XBinary::generateUUID();
3008 result.basic_info.nOffset=nOffset;
3009 result.basic_info.nSize=pDevice->size();
3010 result.basic_info.sHeaderSignature=xmachofat.getSignature(0,150);
3011 result.basic_info.bIsDeepScan=pOptions->bDeepScan;
3012 result.basic_info.bIsHeuristicScan=pOptions->bHeuristicScan;
3013 result.basic_info.bShowDetects=pOptions->bShowDetects;
3014 result.basic_info.bIsTest=pOptions->bIsTest;
3015 result.basic_info.memoryMap=xmachofat.getMemoryMap();
3016
3017 result.listArchiveRecords=xmachofat.getRecords();
3018
3019 int nNumberOfRecords=result.listArchiveRecords.count();
3020
3021 for(int i=0;(i<nNumberOfRecords)&&(!(*pbIsStop));i++)
3022 {
3023 SpecAbstract::SCAN_RESULT scanResult={0};
3024
3025 SpecAbstract::ID _parentId=result.basic_info.id;
3026 _parentId.filePart=SpecAbstract::RECORD_FILEPART_ARCHIVERECORD;
3027 _parentId.sInfo=result.listArchiveRecords.at(i).sFileName;
3028 _parentId.bVirtual=true; // TODO Check
3029
3030 QTemporaryFile fileTemp;
3031
3032 if(fileTemp.open())
3033 {
3034 QString sTempFileName=fileTemp.fileName();
3035
3036 if(xmachofat.decompressToFile(&(result.listArchiveRecords.at(i)),sTempFileName))
3037 {
3038 QFile file;
3039
3040 file.setFileName(sTempFileName);
3041
3042 if(file.open(QIODevice::ReadOnly))
3043 {
3044 scan(&file,&scanResult,0,file.size(),_parentId,pOptions,false,pbIsStop);
3045
3046 file.close();
3047 }
3048 }
3049 }
3050
3051 result.listRecursiveDetects.append(scanResult.listRecords);
3052 }
3053
3054
3055 _SCANS_STRUCT ssFormat=getScansStruct(0,XBinary::FT_ARCHIVE,RECORD_TYPE_FORMAT,RECORD_NAME_MACHOFAT,"","",0);
3056
3057 ssFormat.sVersion=xmachofat.getVersion();
3058 ssFormat.sInfo=QString("%1 records").arg(xmachofat.getNumberOfRecords());
3059
3060 result.basic_info.listDetects.append(scansToScan(&(result.basic_info),&ssFormat));
3061
3062 result.basic_info.listDetects.append(result.listRecursiveDetects);
3063 }
3064
3065 result.basic_info.nElapsedTime=timer.elapsed();
3066
3067 return result;
3068 }
3069
getScansStruct(quint32 nVariant,XBinary::FT fileType,SpecAbstract::RECORD_TYPE type,SpecAbstract::RECORD_NAME name,QString sVersion,QString sInfo,qint64 nOffset)3070 SpecAbstract::_SCANS_STRUCT SpecAbstract::getScansStruct(quint32 nVariant, XBinary::FT fileType, SpecAbstract::RECORD_TYPE type, SpecAbstract::RECORD_NAME name, QString sVersion, QString sInfo, qint64 nOffset)
3071 {
3072 // TODO bIsHeuristic;
3073 _SCANS_STRUCT result={};
3074
3075 result.nVariant=nVariant;
3076 result.fileType=fileType;
3077 result.type=type;
3078 result.name=name;
3079 result.sVersion=sVersion;
3080 result.sInfo=sInfo;
3081 result.nOffset=nOffset;
3082
3083 return result;
3084 }
3085
PE_handle_import(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)3086 void SpecAbstract::PE_handle_import(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
3087 {
3088 Q_UNUSED(pDevice)
3089 Q_UNUSED(bIsImage)
3090 // Import Check
3091
3092 //#ifdef QT_DEBUG
3093 // for(int j=0;j<pPEInfo->listImports.count();j++)
3094 // {
3095 // for(int i=0;i<pPEInfo->listImports.at(j).listPositions.count();i++)
3096 // {
3097 // qDebug("(pPEInfo->listImports.at(%d).listPositions.at(%d).sName==\"%s\")&&",j,i,pPEInfo->listImports.at(j).listPositions.at(i).sName.toLatin1().data());
3098 // }
3099 // }
3100 //#endif
3101
3102 QSet<QString> stDetects;
3103
3104 if(pPEInfo->listImports.count()>=1)
3105 {
3106 if(pPEInfo->listImports.at(0).sName.toUpper()=="KERNEL32.DLL")
3107 {
3108 if(pPEInfo->listImports.at(0).listPositions.count()==2)
3109 {
3110 if( (pPEInfo->listImports.at(0).listPositions.at(0).sName=="GetProcAddress")&&
3111 (pPEInfo->listImports.at(0).listPositions.at(1).sName=="LoadLibraryA"))
3112 {
3113 stDetects.insert("kernel32_zprotect");
3114 }
3115 }
3116 else if(pPEInfo->listImports.at(0).listPositions.count()==13)
3117 {
3118 if( (pPEInfo->listImports.at(0).listPositions.at(0).sName=="LoadLibraryA")&&
3119 (pPEInfo->listImports.at(0).listPositions.at(1).sName=="GetProcAddress")&&
3120 (pPEInfo->listImports.at(0).listPositions.at(2).sName=="VirtualAlloc")&&
3121 (pPEInfo->listImports.at(0).listPositions.at(3).sName=="VirtualFree")&&
3122 (pPEInfo->listImports.at(0).listPositions.at(4).sName=="ExitProcess")&&
3123 (pPEInfo->listImports.at(0).listPositions.at(5).sName=="CreateFileA")&&
3124 (pPEInfo->listImports.at(0).listPositions.at(6).sName=="CloseHandle")&&
3125 (pPEInfo->listImports.at(0).listPositions.at(7).sName=="WriteFile")&&
3126 (pPEInfo->listImports.at(0).listPositions.at(8).sName=="GetSystemDirectoryA")&&
3127 (pPEInfo->listImports.at(0).listPositions.at(9).sName=="GetFileTime")&&
3128 (pPEInfo->listImports.at(0).listPositions.at(10).sName=="SetFileTime")&&
3129 (pPEInfo->listImports.at(0).listPositions.at(11).sName=="GetWindowsDirectoryA")&&
3130 (pPEInfo->listImports.at(0).listPositions.at(12).sName=="lstrcatA"))
3131 {
3132 if(pPEInfo->listImports.count()==1)
3133 {
3134 stDetects.insert("kernel32_alloy0");
3135 }
3136 }
3137 }
3138 else if(pPEInfo->listImports.at(0).listPositions.count()==15)
3139 {
3140 if( (pPEInfo->listImports.at(0).listPositions.at(0).sName=="LoadLibraryA")&&
3141 (pPEInfo->listImports.at(0).listPositions.at(1).sName=="GetProcAddress")&&
3142 (pPEInfo->listImports.at(0).listPositions.at(2).sName=="VirtualAlloc")&&
3143 (pPEInfo->listImports.at(0).listPositions.at(3).sName=="VirtualFree")&&
3144 (pPEInfo->listImports.at(0).listPositions.at(4).sName=="ExitProcess")&&
3145 (pPEInfo->listImports.at(0).listPositions.at(5).sName=="CreateFileA")&&
3146 (pPEInfo->listImports.at(0).listPositions.at(6).sName=="CloseHandle")&&
3147 (pPEInfo->listImports.at(0).listPositions.at(7).sName=="WriteFile")&&
3148 (pPEInfo->listImports.at(0).listPositions.at(8).sName=="GetSystemDirectoryA")&&
3149 (pPEInfo->listImports.at(0).listPositions.at(9).sName=="GetFileTime")&&
3150 (pPEInfo->listImports.at(0).listPositions.at(10).sName=="SetFileTime")&&
3151 (pPEInfo->listImports.at(0).listPositions.at(11).sName=="GetWindowsDirectoryA")&&
3152 (pPEInfo->listImports.at(0).listPositions.at(12).sName=="lstrcatA")&&
3153 (pPEInfo->listImports.at(0).listPositions.at(13).sName=="FreeLibrary")&&
3154 (pPEInfo->listImports.at(0).listPositions.at(14).sName=="GetTempPathA"))
3155 {
3156 if(pPEInfo->listImports.count()==1)
3157 {
3158 stDetects.insert("kernel32_alloy2");
3159 }
3160 }
3161 }
3162 }
3163 else if(pPEInfo->listImports.at(0).sName.toUpper()=="USER32.DLL")
3164 {
3165 if(pPEInfo->listImports.at(0).listPositions.count()==1)
3166 {
3167 if((pPEInfo->listImports.at(0).listPositions.at(0).sName=="MessageBoxA"))
3168 {
3169 if(pPEInfo->listImports.count()==2)
3170 {
3171 stDetects.insert("user32_pespina");
3172 }
3173
3174 if(pPEInfo->listImports.count()==3)
3175 {
3176 stDetects.insert("user32_pespin");
3177 }
3178 }
3179 }
3180 }
3181 else if(pPEInfo->listImports.at(0).sName.toUpper()=="KERNEL32")
3182 {
3183 if(pPEInfo->listImports.at(0).listPositions.count()==1)
3184 {
3185 if((pPEInfo->listImports.at(0).listPositions.at(0).nOrdinal==1))
3186 {
3187 if(pPEInfo->listImports.count()==1)
3188 {
3189 stDetects.insert("kernel32_yzpack_b");
3190 }
3191 }
3192 }
3193 }
3194 }
3195
3196 if(pPEInfo->listImports.count()>=2)
3197 {
3198 if(pPEInfo->listImports.at(1).sName.toUpper()=="COMCTL32.DLL")
3199 {
3200 if(pPEInfo->listImports.at(1).listPositions.count()==1)
3201 {
3202 if((pPEInfo->listImports.at(1).listPositions.at(0).sName=="InitCommonControls"))
3203 {
3204 if(pPEInfo->listImports.count()==2)
3205 {
3206 stDetects.insert("comctl32_pespina");
3207 }
3208
3209 if(pPEInfo->listImports.count()==3)
3210 {
3211 stDetects.insert("comctl32_pespin");
3212 }
3213 }
3214 }
3215 }
3216 }
3217
3218 if(pPEInfo->listImports.count()>=3)
3219 {
3220 if(pPEInfo->listImports.at(2).sName.toUpper()=="KERNEL32.DLL")
3221 {
3222 if(pPEInfo->listImports.at(2).listPositions.count()==2)
3223 {
3224 if( (pPEInfo->listImports.at(2).listPositions.at(0).sName=="LoadLibraryA")&&
3225 (pPEInfo->listImports.at(2).listPositions.at(1).sName=="GetProcAddress"))
3226 {
3227 if(pPEInfo->listImports.count()==3)
3228 {
3229 stDetects.insert("kernel32_pespinx");
3230 }
3231 }
3232 }
3233 else if(pPEInfo->listImports.at(2).listPositions.count()==4)
3234 {
3235 if( (pPEInfo->listImports.at(2).listPositions.at(0).sName=="LoadLibraryA")&&
3236 (pPEInfo->listImports.at(2).listPositions.at(1).sName=="GetProcAddress")&&
3237 (pPEInfo->listImports.at(2).listPositions.at(2).sName=="VirtualAlloc")&&
3238 (pPEInfo->listImports.at(2).listPositions.at(3).sName=="VirtualFree"))
3239 {
3240 if(pPEInfo->listImports.count()==3)
3241 {
3242 stDetects.insert("kernel32_pespin");
3243 }
3244 }
3245 }
3246 }
3247 }
3248
3249 #ifdef QT_DEBUG
3250 qDebug()<<stDetects;
3251 #endif
3252
3253 // TODO 32/64
3254 if(stDetects.contains("kernel32_zprotect"))
3255 {
3256 pPEInfo->mapImportDetects.insert(RECORD_NAME_ZPROTECT,getScansStruct(0,XBinary::FT_PE32,RECORD_TYPE_PROTECTOR,RECORD_NAME_ZPROTECT,"","",0));
3257 }
3258
3259 if(stDetects.contains("user32_pespina")&&stDetects.contains("comctl32_pespina"))
3260 {
3261 pPEInfo->mapImportDetects.insert(RECORD_NAME_PESPIN,getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_PESPIN,"1.0-1.2","",0));
3262 }
3263
3264 if(stDetects.contains("user32_pespin")&&stDetects.contains("comctl32_pespin")&&stDetects.contains("kernel32_pespin"))
3265 {
3266 pPEInfo->mapImportDetects.insert(RECORD_NAME_PESPIN,getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_PESPIN,"","",0));
3267 }
3268
3269 if(stDetects.contains("user32_pespin")&&stDetects.contains("comctl32_pespin")&&stDetects.contains("kernel32_pespinx"))
3270 {
3271 pPEInfo->mapImportDetects.insert(RECORD_NAME_PESPIN,getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_PESPIN,"1.3X","",0));
3272 }
3273
3274 if(stDetects.contains("kernel32_alloy0"))
3275 {
3276 pPEInfo->mapImportDetects.insert(RECORD_NAME_ALLOY,getScansStruct(0,XBinary::FT_PE32,RECORD_TYPE_PROTECTOR,RECORD_NAME_ALLOY,"4.X","",0));
3277 }
3278
3279 if(stDetects.contains("kernel32_alloy2"))
3280 {
3281 pPEInfo->mapImportDetects.insert(RECORD_NAME_ALLOY,getScansStruct(2,XBinary::FT_PE32,RECORD_TYPE_PROTECTOR,RECORD_NAME_ALLOY,"4.X","",0));
3282 }
3283
3284 // if(stDetects.contains("kernel32_pecompact2"))
3285 // {
3286 // pPEInfo->mapImportDetects.insert(RECORD_NAME_PECOMPACT,getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_PECOMPACT,"2.X","",0));
3287 // }
3288
3289 // TODO
3290 // Import
3291 }
3292
PE_handle_OperationSystems(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)3293 void SpecAbstract::PE_handle_OperationSystems(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
3294 {
3295 XPE pe(pDevice,bIsImage);
3296
3297 if(pe.isValid())
3298 {
3299 _SCANS_STRUCT ssOperationSystem=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_WINDOWS,"","",0);
3300
3301 quint16 nMajorOS=pe.getOptionalHeader_MajorOperatingSystemVersion();
3302 quint16 nMinorOS=pe.getOptionalHeader_MinorOperatingSystemVersion();
3303
3304 if ((nMajorOS==3)&&(nMinorOS==10)) ssOperationSystem.sVersion="NT 3.1";
3305 else if ((nMajorOS==4)&&(nMinorOS==0)) ssOperationSystem.sVersion="95";
3306 else if ((nMajorOS==4)&&(nMinorOS==1)) ssOperationSystem.sVersion="98";
3307 else if ((nMajorOS==4)&&(nMinorOS==9)) ssOperationSystem.sVersion="Millenium";
3308 else if ((nMajorOS==5)&&(nMinorOS==0)) ssOperationSystem.sVersion="2000";
3309 else if ((nMajorOS==5)&&(nMinorOS==1)) ssOperationSystem.sVersion="XP";
3310 else if ((nMajorOS==5)&&(nMinorOS==2)) ssOperationSystem.sVersion="Server 2003";
3311 else if ((nMajorOS==6)&&(nMinorOS==0)) ssOperationSystem.sVersion="Vista";
3312 else if ((nMajorOS==6)&&(nMinorOS==1)) ssOperationSystem.sVersion="7";
3313 else if ((nMajorOS==6)&&(nMinorOS==2)) ssOperationSystem.sVersion="8";
3314 else if ((nMajorOS==6)&&(nMinorOS==3)) ssOperationSystem.sVersion="8.1";
3315 else if ((nMajorOS==10)&&(nMinorOS==0)) ssOperationSystem.sVersion="10";
3316
3317 ssOperationSystem.sInfo=QString("%1, %2, %3").arg(pe.getArch(),(pPEInfo->bIs64)?("64-bit"):("32-bit"),pe.getTypeAsString());
3318
3319 pPEInfo->mapResultOperationSystems.insert(ssOperationSystem.name,scansToScan(&(pPEInfo->basic_info),&ssOperationSystem));
3320 }
3321 }
3322
PE_handle_Protection(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo,bool * pbIsStop)3323 void SpecAbstract::PE_handle_Protection(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo, bool *pbIsStop)
3324 {
3325 XPE pe(pDevice,bIsImage);
3326
3327 if(pe.isValid())
3328 {
3329 // MPRESS
3330 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MPRESS))
3331 {
3332 _SCANS_STRUCT recordMPRESS=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MPRESS);
3333
3334 qint64 nOffsetMPRESS=pe.find_ansiString(0x1f0,16,"v");
3335
3336 if(nOffsetMPRESS!=-1)
3337 {
3338 // TODO Check!
3339 recordMPRESS.sVersion=pe.read_ansiString(nOffsetMPRESS+1,0x1ff-nOffsetMPRESS);
3340 }
3341
3342 pPEInfo->mapResultPackers.insert(recordMPRESS.name,scansToScan(&(pPEInfo->basic_info),&recordMPRESS));
3343 }
3344
3345
3346 // Spoon Studio
3347 if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Spoon Studio 2011"))
3348 {
3349 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_SPOONSTUDIO2011,"","",0);
3350 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3351 ss.sVersion.replace(", ",".");
3352 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3353 }
3354 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Spoon Studio"))
3355 {
3356 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_SPOONSTUDIO,"","",0);
3357 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3358 ss.sVersion.replace(", ",".");
3359 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3360 }
3361 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Virtual Application Studio 2009"))
3362 {
3363 // Xenocode Virtual Application Studio 2009
3364 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2009,"","",0);
3365 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3366 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3367 }
3368 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Virtual Application Studio 2010 ISV Edition"))
3369 {
3370 // Xenocode Virtual Application Studio 2010 (ISV Edition)
3371 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2010ISVEDITION,"","",0);
3372 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3373 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3374 }
3375 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Virtual Application Studio 2010"))
3376 {
3377 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2010,"","",0);
3378 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3379 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3380 }
3381 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Virtual Application Studio 2012 ISV Edition"))
3382 {
3383 // Xenocode Virtual Application Studio 2012 (ISV Edition)
3384 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2012ISVEDITION,"","",0);
3385 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3386 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3387 }
3388 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Virtual Application Studio 2013 ISV Edition"))
3389 {
3390 // Xenocode Virtual Application Studio 2013 (ISV Edition)
3391 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEVIRTUALAPPLICATIONSTUDIO2013ISVEDITION,"","",0);
3392 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3393 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3394 }
3395 else if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Turbo Studio"))
3396 {
3397 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_TURBOSTUDIO,"","",0);
3398 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
3399 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3400 }
3401 else if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_SPOONSTUDIO))
3402 {
3403 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_SPOONSTUDIO,"","",0);
3404 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3405 }
3406 else if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_XENOCODE))
3407 {
3408 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODE,"","",0);
3409 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3410 }
3411
3412 if(XPE::getResourceVersionValue("CompanyName",&(pPEInfo->resVersion)).contains("SerGreen"))
3413 {
3414 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_SERGREENAPPACKER,"","",0);
3415 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
3416 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3417 }
3418
3419 // MoleBox Ultra
3420 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_MOLEBOXULTRA))
3421 {
3422 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_MOLEBOXULTRA))
3423 {
3424 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_MOLEBOXULTRA);
3425 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3426 }
3427 }
3428
3429 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_ACTIVEMARK))
3430 {
3431 _SCANS_STRUCT ssOverlay=pPEInfo->mapOverlayDetects.value(RECORD_NAME_ACTIVEMARK);
3432 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_ACTIVEMARK,ssOverlay.sVersion,ssOverlay.sInfo,0);
3433 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3434 }
3435
3436 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_SECUROM))
3437 {
3438 // TODO Version
3439 _SCANS_STRUCT ssOverlay=pPEInfo->mapOverlayDetects.value(RECORD_NAME_SECUROM);
3440 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_SECUROM,ssOverlay.sVersion,ssOverlay.sInfo,0);
3441 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3442 }
3443
3444 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_ENIGMAVIRTUALBOX))
3445 {
3446 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_ENIGMAVIRTUALBOX);
3447 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3448 }
3449
3450 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_ZLIB))
3451 {
3452 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
3453 {
3454 VI_STRUCT viStruct=get_PyInstaller_vi(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
3455
3456 if(viStruct.bIsValid)
3457 {
3458 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_PYINSTALLER,"","",0);
3459
3460 ss.sVersion=viStruct.sVersion;
3461 ss.sInfo=viStruct.sInfo;
3462
3463 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3464 }
3465 }
3466 }
3467
3468 if(!pPEInfo->cliInfo.bValid)
3469 {
3470 // TODO MPRESS import
3471
3472 // UPX
3473 // TODO 32-64
3474 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_UPX))
3475 {
3476 VI_STRUCT viUPX=get_UPX_vi(pDevice,bIsImage,pPEInfo->osHeader.nOffset,pPEInfo->osHeader.nSize,XBinary::FT_PE);
3477
3478 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_UPX))
3479 {
3480 if((viUPX.bIsValid))
3481 {
3482 _SCANS_STRUCT recordUPX={};
3483
3484 recordUPX.type=RECORD_TYPE_PACKER;
3485 recordUPX.name=RECORD_NAME_UPX;
3486 recordUPX.sVersion=viUPX.sVersion;
3487 recordUPX.sInfo=viUPX.sInfo;
3488
3489 pPEInfo->mapResultPackers.insert(recordUPX.name,scansToScan(&(pPEInfo->basic_info),&recordUPX));
3490 }
3491 else
3492 {
3493 _SCANS_STRUCT recordUPX=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_UPX);
3494
3495 recordUPX.sInfo=append(recordUPX.sInfo,"modified");
3496
3497 pPEInfo->mapResultPackers.insert(recordUPX.name,scansToScan(&(pPEInfo->basic_info),&recordUPX));
3498 }
3499 }
3500 }
3501
3502 // EXPRESSOR
3503 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXPRESSOR)||(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXPRESSOR_KERNEL32)&&pPEInfo->mapImportDetects.contains(RECORD_NAME_EXPRESSOR_USER32)))
3504 {
3505 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXPRESSOR))
3506 {
3507 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXPRESSOR);
3508
3509 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3510 }
3511 }
3512
3513 // ASProtect
3514 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ASPROTECT))
3515 {
3516 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ASPROTECT))
3517 {
3518 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ASPROTECT);
3519
3520 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
3521 }
3522 }
3523
3524 // PE-Quake
3525 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEQUAKE))
3526 {
3527 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEQUAKE);
3528
3529 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
3530 }
3531
3532 // MORPHNAH
3533 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_MORPHNAH))
3534 {
3535 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_MORPHNAH);
3536
3537 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
3538 }
3539
3540 // PECompact
3541 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PECOMPACT))
3542 {
3543 _SCANS_STRUCT recordPC=pPEInfo->mapImportDetects.value(RECORD_NAME_PECOMPACT);
3544
3545 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PECOMPACT))
3546 {
3547 if(recordPC.nVariant==1)
3548 {
3549 recordPC.sVersion="1.10b4-1.10b5";
3550 }
3551
3552 pPEInfo->mapResultPackers.insert(recordPC.name,scansToScan(&(pPEInfo->basic_info),&recordPC));
3553 }
3554 else
3555 {
3556 VI_STRUCT viPECompact=PE_get_PECompact_vi(pDevice,bIsImage,pPEInfo);
3557
3558 if(viPECompact.bIsValid)
3559 {
3560 recordPC.sVersion=viPECompact.sVersion;
3561 recordPC.sInfo=viPECompact.sInfo;
3562
3563 pPEInfo->mapResultPackers.insert(recordPC.name,scansToScan(&(pPEInfo->basic_info),&recordPC));
3564 }
3565 }
3566 }
3567
3568 // NSPack
3569 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NSPACK))
3570 {
3571 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NSPACK))
3572 {
3573 _SCANS_STRUCT recordNSPack=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_NSPACK);
3574 pPEInfo->mapResultPackers.insert(recordNSPack.name,scansToScan(&(pPEInfo->basic_info),&recordNSPack));
3575 }
3576 else if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_NSPACK))
3577 {
3578 _SCANS_STRUCT recordNSPack=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_NSPACK);
3579 pPEInfo->mapResultPackers.insert(recordNSPack.name,scansToScan(&(pPEInfo->basic_info),&recordNSPack));
3580 }
3581 }
3582
3583 // ENIGMA
3584 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ENIGMA))
3585 {
3586 if(pe.checkOffsetSize(pPEInfo->osImportSection)&&(pPEInfo->basic_info.bIsDeepScan))
3587 {
3588 qint64 nSectionOffset=pPEInfo->osImportSection.nOffset;
3589 qint64 nSectionSize=pPEInfo->osImportSection.nSize;
3590
3591 bool bDetect=false;
3592
3593 _SCANS_STRUCT recordEnigma={};
3594
3595 recordEnigma.type=SpecAbstract::RECORD_TYPE_PROTECTOR;
3596 recordEnigma.name=SpecAbstract::RECORD_NAME_ENIGMA;
3597
3598 if(!bDetect)
3599 {
3600 VI_STRUCT viEngima=get_Enigma_vi(pDevice,bIsImage,nSectionOffset,nSectionSize);
3601
3602 if(viEngima.bIsValid)
3603 {
3604 recordEnigma.sVersion=viEngima.sVersion;
3605 bDetect=true;
3606 }
3607 }
3608
3609 if(!bDetect)
3610 {
3611 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ENIGMA))
3612 {
3613 recordEnigma.sVersion=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ENIGMA).sVersion;
3614 bDetect=true;
3615 }
3616 }
3617
3618 if(bDetect)
3619 {
3620 pPEInfo->mapResultProtectors.insert(recordEnigma.name,scansToScan(&(pPEInfo->basic_info),&recordEnigma));
3621 }
3622 }
3623 }
3624
3625 // PESpin
3626 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PESPIN))
3627 {
3628 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PESPIN);
3629
3630 // Get version
3631 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PESPIN))
3632 {
3633 quint8 nByte=pPEInfo->sEntryPointSignature.mid(54,2).toUInt(nullptr,16);
3634
3635 switch(nByte)
3636 {
3637 case 0x5C: ss.sVersion="0.1"; break;
3638 case 0xB7: ss.sVersion="0.3"; break;
3639 case 0x73: ss.sVersion="0.4"; break;
3640 case 0x83: ss.sVersion="0.7"; break;
3641 case 0xC8: ss.sVersion="1.0"; break;
3642 case 0x7D: ss.sVersion="1.1"; break;
3643 case 0x71: ss.sVersion="1.3beta"; break;
3644 case 0xAC: ss.sVersion="1.3"; break;
3645 case 0x88: ss.sVersion="1.3x"; break;
3646 case 0x17: ss.sVersion="1.32"; break;
3647 case 0x77: ss.sVersion="1.33"; break;
3648 }
3649 }
3650
3651 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3652 }
3653
3654 // nPack
3655 // TODO Timestamp 'nPck'
3656 // TODO Check 64
3657 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NPACK))
3658 {
3659 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_NPACK))
3660 {
3661 _SCANS_STRUCT recordNPACK=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_NPACK);
3662
3663 if(pe.checkOffsetSize(pPEInfo->osEntryPointSection)&&(pPEInfo->basic_info.bIsDeepScan))
3664 {
3665 qint64 _nOffset=pPEInfo->osEntryPointSection.nOffset;
3666 qint64 _nSize=pPEInfo->osEntryPointSection.nSize;
3667
3668 // TODO get max version
3669 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"nPack v");
3670
3671 if(nOffset_Version!=-1)
3672 {
3673 recordNPACK.sVersion=pe.read_ansiString(nOffset_Version+7).section(":",0,0);
3674 }
3675 else
3676 {
3677 recordNPACK.sVersion="1.1.200.2006";
3678 }
3679 }
3680
3681 pPEInfo->mapResultPackers.insert(recordNPACK.name,scansToScan(&(pPEInfo->basic_info),&recordNPACK));
3682 }
3683 }
3684
3685 if(!pPEInfo->bIs64)
3686 {
3687 // MaskPE
3688 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_MASKPE))
3689 {
3690 if(pPEInfo->mapEntryPointSectionDetects.contains(RECORD_NAME_MASKPE))
3691 {
3692 _SCANS_STRUCT ss=pPEInfo->mapEntryPointSectionDetects.value(RECORD_NAME_MASKPE);
3693 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3694 }
3695 }
3696
3697 // PE-Armor
3698 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PEARMOR))
3699 {
3700 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEARMOR))
3701 {
3702 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEARMOR);
3703 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3704 }
3705 }
3706
3707 // DalCrypt
3708 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_DALKRYPT)) // TODO more checks!
3709 {
3710 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_DALKRYPT);
3711
3712 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3713 }
3714
3715 // N-Code
3716 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_NCODE))
3717 {
3718 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_NCODE);
3719
3720 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3721 }
3722
3723 // LameCrypt
3724 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_LAMECRYPT))
3725 {
3726 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_LAMECRYPT);
3727
3728 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3729 }
3730
3731 // SC Obfuscator
3732 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SCOBFUSCATOR))
3733 {
3734 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SCOBFUSCATOR);
3735
3736 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3737 }
3738
3739 // PCShrink
3740 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PCSHRINK))
3741 {
3742 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PCSHRINK))
3743 {
3744 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PCSHRINK);
3745 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3746 }
3747 }
3748
3749 // DragonArmor
3750 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DRAGONARMOR))
3751 {
3752 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_DRAGONARMOR))
3753 {
3754 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_DRAGONARMOR);
3755 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3756 }
3757 }
3758
3759 // NoodleCrypt
3760 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NOODLECRYPT))
3761 {
3762 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_NOODLECRYPT))
3763 {
3764 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_NOODLECRYPT);
3765 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3766 }
3767 }
3768
3769 // PEnguinCrypt
3770 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PENGUINCRYPT))
3771 {
3772 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PENGUINCRYPT))
3773 {
3774 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PENGUINCRYPT);
3775 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3776 }
3777 }
3778
3779 // EXECrypt
3780 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXECRYPT))
3781 {
3782 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXECRYPT))
3783 {
3784 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXECRYPT);
3785 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3786 }
3787 }
3788
3789 // EXE Password Protector
3790 // TODO Manifest name: Microsoft.Windows.ExeProtector
3791 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXEPASSWORDPROTECTOR))
3792 {
3793 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXEPASSWORDPROTECTOR))
3794 {
3795 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXEPASSWORDPROTECTOR);
3796 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3797 }
3798 }
3799
3800 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXESTEALTH))
3801 {
3802 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXESTEALTH))
3803 {
3804 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXESTEALTH);
3805 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3806 }
3807 }
3808
3809 // PE Diminisher
3810 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEDIMINISHER))
3811 {
3812 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEDIMINISHER);
3813
3814 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3815 }
3816
3817 // G!X Protector
3818 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_GIXPROTECTOR))
3819 {
3820 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_GIXPROTECTOR);
3821
3822 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3823 }
3824
3825 // PC Guard
3826 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PCGUARD))
3827 {
3828 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PCGUARD))
3829 {
3830 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PCGUARD);
3831 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3832 }
3833 }
3834
3835 // Soft Defender
3836 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SOFTDEFENDER))
3837 {
3838 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SOFTDEFENDER))
3839 {
3840 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SOFTDEFENDER);
3841 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3842 }
3843 }
3844
3845 // PECRYPT32
3846 // TODO Check!!!
3847 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PECRYPT32))
3848 {
3849 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PECRYPT32))
3850 {
3851 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PECRYPT32);
3852 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3853 }
3854 }
3855
3856 // EXECryptor
3857 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXECRYPTOR))
3858 {
3859 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXECRYPTOR);
3860 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3861 }
3862
3863 // YZPack
3864 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_YZPACK))
3865 {
3866 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_YZPACK))
3867 {
3868 _SCANS_STRUCT ss=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_YZPACK);
3869 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3870 }
3871 }
3872
3873 // BCPack
3874 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_BACKDOORPECOMPRESSPROTECTOR))
3875 {
3876 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_BACKDOORPECOMPRESSPROTECTOR)) // TODO !!!
3877 {
3878 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_BACKDOORPECOMPRESSPROTECTOR);
3879
3880 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3881 }
3882 }
3883
3884 // CRYPToCRACks PE Protector
3885 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRYPTOCRACKPEPROTECTOR))
3886 {
3887 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CRYPTOCRACKPEPROTECTOR);
3888
3889 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_CRYPTOCRACKPEPROTECTOR))
3890 {
3891 ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_CRYPTOCRACKPEPROTECTOR);
3892 }
3893
3894 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3895 }
3896
3897 // ZProtect
3898 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ZPROTECT))
3899 {
3900 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NOSTUBLINKER))
3901 {
3902 if(pPEInfo->listSectionRecords.count()>=2)
3903 {
3904 if(pe.compareSignature(&(pPEInfo->basic_info.memoryMap),"'kernel32.dll'00000000'VirtualAlloc'00000000",pPEInfo->listSectionRecords.at(1).nOffset))
3905 {
3906 _SCANS_STRUCT recordZProtect=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_ZPROTECT,"1.3-1.4.4","",0);
3907 pPEInfo->mapResultProtectors.insert(recordZProtect.name,scansToScan(&(pPEInfo->basic_info),&recordZProtect));
3908 }
3909 }
3910 }
3911 }
3912 else if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ZPROTECT))
3913 {
3914 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ZPROTECT);
3915
3916 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3917 }
3918
3919 if(!pPEInfo->mapResultProtectors.contains(RECORD_NAME_ZPROTECT))
3920 {
3921 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NOSTUBLINKER))
3922 {
3923 if(pPEInfo->listSectionRecords.count()>=2)
3924 {
3925 if( (pPEInfo->listSectionHeaders.at(0).PointerToRawData==0)&&
3926 (pPEInfo->listSectionHeaders.at(0).SizeOfRawData==0)&&
3927 (pPEInfo->listSectionHeaders.at(0).Characteristics==0xe00000a0))
3928 {
3929 bool bDetect1=(pPEInfo->nEntryPointSection==1);
3930 bool bDetect2=(pe.getEntropy(pPEInfo->listSectionRecords.at(2).nOffset,pPEInfo->listSectionRecords.at(2).nSize)>7.6);
3931
3932 if(bDetect1||bDetect2)
3933 {
3934 _SCANS_STRUCT recordZProtect=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_ZPROTECT,"1.XX","",0);
3935 pPEInfo->mapResultProtectors.insert(recordZProtect.name,scansToScan(&(pPEInfo->basic_info),&recordZProtect));
3936 }
3937 }
3938 }
3939 }
3940 }
3941
3942 // ExeFog
3943 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXEFOG))
3944 {
3945 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_EXEFOG);
3946
3947 if( (pPEInfo->fileHeader.TimeDateStamp==0)&&
3948 (pPEInfo->optional_header.optionalHeader32.MajorLinkerVersion==0)&&
3949 (pPEInfo->optional_header.optionalHeader32.MinorLinkerVersion==0)&&
3950 (pPEInfo->optional_header.optionalHeader32.BaseOfData==0x1000))
3951 {
3952 if(pPEInfo->listSectionHeaders.count())
3953 {
3954 if(pPEInfo->listSectionHeaders.at(0).Characteristics==0xe0000020)
3955 {
3956 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3957 }
3958 }
3959 }
3960 }
3961
3962 // AHPacker
3963 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_AHPACKER))
3964 {
3965 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_AHPACKER))
3966 {
3967 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_AHPACKER);
3968 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3969 }
3970 }
3971
3972 // 12311134
3973 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_12311134)) // TODO Check!
3974 {
3975 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_12311134);
3976 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3977 }
3978
3979 // AZProtect
3980 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_AZPROTECT))
3981 {
3982 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_AZPROTECT);
3983 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3984 }
3985
3986 // AverCryptor
3987 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_AVERCRYPTOR))
3988 {
3989 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_AVERCRYPTOR))
3990 {
3991 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_AVERCRYPTOR);
3992 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
3993 }
3994 }
3995
3996 // WinKript
3997 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_WINKRIPT))
3998 {
3999 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_WINKRIPT);
4000 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4001 }
4002
4003 // AffilliateEXE
4004 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_AFFILLIATEEXE))
4005 {
4006 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_AFFILLIATEEXE);
4007 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4008 }
4009
4010 // Advanced UPX Scrammbler
4011 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_UPX))
4012 {
4013 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ADVANCEDUPXSCRAMMBLER))
4014 {
4015 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ADVANCEDUPXSCRAMMBLER);
4016 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4017 }
4018 }
4019
4020 // BeRoEXEPacker
4021 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_BEROEXEPACKER))
4022 {
4023 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_BEROEXEPACKER))
4024 {
4025 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_BEROEXEPACKER);
4026
4027 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BEROEXEPACKER))
4028 {
4029 ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_BEROEXEPACKER);
4030 }
4031
4032 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4033 }
4034 else if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERIC))
4035 {
4036 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BEROEXEPACKER))
4037 {
4038 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_BEROEXEPACKER);
4039 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4040 }
4041 }
4042 }
4043
4044 // Winupack
4045 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINUPACK))
4046 {
4047 _SCANS_STRUCT ss=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINUPACK);
4048
4049 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_WINUPACK))
4050 {
4051 ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_WINUPACK);
4052 }
4053
4054 // recordWinupack.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(((pPEInfo->nMinorLinkerVersion)/16)*10+(pPEInfo->nMinorLinkerVersion)%16);
4055
4056 int nBuildNumber=0;
4057
4058 if((ss.nVariant==1)||(ss.nVariant==2))
4059 {
4060 nBuildNumber=pPEInfo->nMinorLinkerVersion;
4061 }
4062 else if((ss.nVariant==3)||(ss.nVariant==4))
4063 {
4064 nBuildNumber=pPEInfo->nMinorImageVersion;
4065 }
4066 #ifdef QT_DEBUG
4067 qDebug("nBuildNumber: %x",nBuildNumber);
4068 #endif
4069 switch(nBuildNumber)
4070 {
4071 case 0x21: ss.sVersion="0.21"; break;
4072 case 0x22: ss.sVersion="0.22"; break;
4073 case 0x23: ss.sVersion="0.23"; break;
4074 case 0x24: ss.sVersion="0.24"; break;
4075 case 0x25: ss.sVersion="0.25"; break;
4076 case 0x26: ss.sVersion="0.26"; break;
4077 case 0x27: ss.sVersion="0.27"; break;
4078 case 0x28: ss.sVersion="0.28"; break;
4079 case 0x29: ss.sVersion="0.29"; break;
4080 case 0x30: ss.sVersion="0.30"; break;
4081 case 0x31: ss.sVersion="0.31"; break;
4082 case 0x32: ss.sVersion="0.32"; break;
4083 case 0x33: ss.sVersion="0.33"; break;
4084 case 0x34: ss.sVersion="0.34"; break;
4085 case 0x35: ss.sVersion="0.35"; break;
4086 case 0x36: ss.sVersion="0.36 beta"; break;
4087 case 0x37: ss.sVersion="0.37 beta"; break;
4088 case 0x38: ss.sVersion="0.38 beta"; break;
4089 case 0x39: ss.sVersion="0.39 final"; break;
4090 case 0x3A: ss.sVersion="0.399"; break;
4091 }
4092
4093 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4094 }
4095
4096 // ANDpakk2
4097 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ANDPAKK2)||
4098 pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ANDPAKK2))
4099 {
4100 // TODO compare entryPoint and import sections
4101 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ANDPAKK2))
4102 {
4103 _SCANS_STRUCT recordANFpakk2=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ANDPAKK2);
4104 pPEInfo->mapResultPackers.insert(recordANFpakk2.name,scansToScan(&(pPEInfo->basic_info),&recordANFpakk2));
4105 }
4106 }
4107
4108 // KByS
4109 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KBYS))
4110 {
4111 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_KBYS))
4112 {
4113 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_KBYS);
4114 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4115 }
4116 }
4117
4118 // Crunch
4119 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRUNCH))
4120 {
4121 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_CRUNCH))
4122 {
4123 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_CRUNCH);
4124 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4125 }
4126 }
4127
4128 // ASDPack
4129 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ASDPACK))
4130 {
4131 bool bDetected=false;
4132 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ASDPACK);
4133
4134 if(pPEInfo->listSectionRecords.count()==2)
4135 {
4136 if(pPEInfo->bIsTLSPresent)
4137 {
4138 bDetected=true; // 1.00
4139 }
4140 }
4141
4142 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ASDPACK))
4143 {
4144 ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ASDPACK);
4145 bDetected=true;
4146 }
4147
4148 if(bDetected)
4149 {
4150
4151 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4152 }
4153 }
4154
4155 // VPacker
4156 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_VPACKER))
4157 {
4158 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_VPACKER))
4159 {
4160 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_VPACKER);
4161 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4162 }
4163 }
4164
4165 // RLP
4166 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_RLP))
4167 {
4168 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_RLP))
4169 {
4170 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_RLP);
4171 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4172 }
4173 }
4174
4175 // Crinkler
4176 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRINKLER))
4177 {
4178 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_CRINKLER))
4179 {
4180 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_CRINKLER);
4181 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4182 }
4183 }
4184
4185 // EZIP
4186 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EZIP))
4187 {
4188 if(pPEInfo->nOverlaySize)
4189 {
4190 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EZIP);
4191 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4192 }
4193 }
4194
4195 // KKrunchy
4196 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KKRUNCHY))
4197 {
4198 if( pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_KKRUNCHY)||
4199 pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERIC))
4200 {
4201 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_KKRUNCHY))
4202 {
4203 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_KKRUNCHY);
4204
4205 if(!pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_KKRUNCHY))
4206 {
4207 ss.sInfo="Patched";
4208 }
4209
4210 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4211 }
4212 }
4213 }
4214
4215 // QuickPack NT
4216 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_QUICKPACKNT))
4217 {
4218 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_QUICKPACKNT))
4219 {
4220 _SCANS_STRUCT ss=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_QUICKPACKNT);
4221
4222 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4223 }
4224 }
4225
4226 // MKFPack
4227 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MKFPACK))
4228 {
4229 qint64 mLfanew=pPEInfo->dosHeader.e_lfanew-5;
4230
4231 if(mLfanew>0)
4232 {
4233 QString sSignature=pe.read_ansiString(mLfanew,5);
4234
4235 if(sSignature=="llydd")
4236 {
4237 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MKFPACK);
4238 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4239 }
4240 }
4241 }
4242
4243 // 32lite
4244 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_32LITE))
4245 {
4246 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_32LITE))
4247 {
4248 // TODO compare entryPoint and import sections
4249 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_32LITE);
4250 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4251 }
4252 }
4253
4254 // EProt
4255 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_EPROT))
4256 {
4257 if(pPEInfo->nEntryPointSection>0)
4258 {
4259 if(pPEInfo->sEntryPointSectionName=="!eprot")
4260 {
4261 quint32 nValue=pe.read_uint32(pPEInfo->osEntryPointSection.nOffset+pPEInfo->osEntryPointSection.nSize-4);
4262
4263 if(nValue==0x78787878)
4264 {
4265 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_EPROT);
4266 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4267 }
4268 }
4269 }
4270 }
4271
4272 // RLPack
4273 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_RLPACK))
4274 {
4275 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_RLPACK);
4276
4277 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_RLPACK))
4278 {
4279 ss.sInfo=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_RLPACK).sInfo;
4280 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4281 }
4282 else if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_FAKESIGNATURE))
4283 {
4284 if(pPEInfo->listSectionHeaders.count()>=2)
4285 {
4286 if(pPEInfo->listSectionHeaders.at(0).SizeOfRawData<=0x200)
4287 {
4288 ss.sInfo=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_FAKESIGNATURE).sInfo;
4289 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4290 }
4291 }
4292 }
4293 }
4294
4295 // Packman
4296 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PACKMAN))
4297 {
4298 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PACKMAN))
4299 {
4300 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PACKMAN);
4301 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4302 }
4303 }
4304
4305 // Fish PE Packer
4306 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FISHPEPACKER))
4307 {
4308 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_FISHPEPACKER))
4309 {
4310 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_FISHPEPACKER);
4311 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4312 }
4313 }
4314
4315 // Inquartos Obfuscator
4316 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_INQUARTOSOBFUSCATOR))
4317 {
4318 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_INQUARTOSOBFUSCATOR)&&pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERIC))
4319 {
4320 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_INQUARTOSOBFUSCATOR);
4321 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4322 }
4323 }
4324
4325 // Hide & Protect
4326 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HIDEANDPROTECT))
4327 {
4328 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_HIDEANDPROTECT))
4329 {
4330 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_HIDEANDPROTECT);
4331 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4332 }
4333 }
4334
4335 // mPack
4336 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MPACK))
4337 {
4338 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_MPACK))
4339 {
4340 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_MPACK);
4341 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4342 }
4343 }
4344
4345 // EncryptPE
4346 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ENCRYPTPE))
4347 {
4348 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ENCRYPTPE))
4349 {
4350 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ENCRYPTPE);
4351
4352 qint64 _nOffset=pPEInfo->osHeader.nOffset;
4353 qint64 _nSize=pPEInfo->osHeader.nSize;
4354
4355 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"EncryptPE V");
4356
4357 if(nOffset_Version!=-1)
4358 {
4359 ss.sVersion=pe.read_ansiString(nOffset_Version+11).section(",",0,0);
4360 }
4361
4362 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4363 }
4364 }
4365
4366 // Yoda's Protector
4367 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_YODASPROTECTOR))
4368 {
4369 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_YODASPROTECTOR))
4370 {
4371 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_YODASPROTECTOR);
4372 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4373 }
4374 }
4375
4376 // Xtreme-Protector
4377 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_XTREMEPROTECTOR))
4378 {
4379 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_XTREMEPROTECTOR))
4380 {
4381 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_XTREMEPROTECTOR);
4382
4383 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4384 }
4385 }
4386
4387 // ACProtect
4388 // 1.X-2.X
4389 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ACPROTECT))
4390 {
4391 if(pe.checkOffsetSize(pPEInfo->osImportSection)&&(pPEInfo->basic_info.bIsDeepScan))
4392 {
4393 qint64 nSectionOffset=pPEInfo->osImportSection.nOffset;
4394 qint64 nSectionSize=pPEInfo->osImportSection.nSize;
4395
4396 qint64 nOffset1=pe.find_array(nSectionOffset,nSectionSize,"MineImport_Endss",16);
4397
4398 if(nOffset1!=-1)
4399 {
4400 _SCANS_STRUCT recordACProtect={};
4401 recordACProtect.type=RECORD_TYPE_PROTECTOR;
4402 recordACProtect.name=RECORD_NAME_ACPROTECT;
4403
4404 recordACProtect.sVersion="1.XX-2.XX";
4405
4406 // qint64 nOffset2=pe.find_array(nSectionOffset,nSectionSize,"Randimize",9);
4407
4408 // if(nOffset2!=-1)
4409 // {
4410 // recordACProtect.sVersion="1.X";
4411 // }
4412
4413
4414 pPEInfo->mapResultProtectors.insert(recordACProtect.name,scansToScan(&(pPEInfo->basic_info),&recordACProtect));
4415 }
4416 }
4417 }
4418
4419 // ACProtect
4420 // 2.0.X
4421 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ACPROTECT)) // TODO CHECK
4422 {
4423 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ACPROTECT);
4424 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4425 }
4426
4427 // FSG
4428 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FSG))
4429 {
4430 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_FSG))
4431 {
4432 _SCANS_STRUCT ss=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_FSG);
4433
4434 if(ss.nVariant==0)
4435 {
4436 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4437 }
4438 else if(ss.nVariant==1)
4439 {
4440 if(pe.read_ansiString(0x154)=="KERNEL32.dll")
4441 {
4442 ss.sVersion="1.33";
4443 }
4444 else
4445 {
4446 ss.sVersion="2.00";
4447 }
4448
4449 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4450 }
4451 }
4452 }
4453
4454 // MEW
4455 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MEW10))
4456 {
4457 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_MEW10))
4458 {
4459 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_MEW10);
4460 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4461 }
4462 }
4463
4464 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MEW11SE))
4465 {
4466 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MEW11SE))
4467 {
4468 _SCANS_STRUCT recordSS=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MEW11SE);
4469 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4470 }
4471 }
4472
4473 // Alex Protector
4474 // 2.0.X
4475 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ALEXPROTECTOR))
4476 {
4477 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ALEXPROTECTOR))
4478 {
4479 // TODO compare entryPoint and import sections
4480 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ALEXPROTECTOR);
4481 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4482 }
4483 }
4484
4485 // PEBundle
4486 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PEBUNDLE))
4487 {
4488 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEBUNDLE))
4489 {
4490 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEBUNDLE);
4491 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4492 }
4493 }
4494
4495 // PE-SHiELD
4496 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PESHIELD))
4497 {
4498 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PESHIELD))
4499 {
4500 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PESHIELD);
4501 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4502 }
4503 }
4504
4505 // PUNiSHER
4506 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PUNISHER))
4507 {
4508 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PUNISHER))
4509 {
4510 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PUNISHER);
4511 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4512 }
4513 }
4514
4515 // Shrinker
4516 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SHRINKER))
4517 {
4518 if(pe.isImportFunctionPresentI("KERNEL32.DLL","8",&(pPEInfo->listImports)))
4519 {
4520 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SHRINKER);
4521 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4522 }
4523 }
4524
4525 // Secure Shade
4526 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SECURESHADE))
4527 {
4528 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SECURESHADE))
4529 {
4530 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SECURESHADE);
4531 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4532 }
4533 }
4534
4535 // PolyCrypt PE
4536 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_POLYCRYPTPE))
4537 {
4538 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_POLYCRYPTPE))
4539 {
4540 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_POLYCRYPTPE);
4541
4542 if(pPEInfo->nImportSection==pPEInfo->nEntryPointSection)
4543 {
4544 if(pe.checkOffsetSize(pPEInfo->osEntryPointSection)&&(pPEInfo->basic_info.bIsDeepScan))
4545 {
4546 qint64 _nOffset=pPEInfo->osEntryPointSection.nOffset;
4547 qint64 _nSize=pPEInfo->osEntryPointSection.nSize;
4548
4549 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"PolyCrypt PE (c) 2004-2005, JLabSoftware.");
4550
4551 if(nOffset_Version==-1)
4552 {
4553 recordSS.sInfo="Modified";
4554 }
4555 }
4556 }
4557
4558 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4559 }
4560 }
4561
4562 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HMIMYSPROTECTOR))
4563 {
4564 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_HMIMYSPROTECTOR))
4565 {
4566 // TODO compare entryPoint and import sections
4567 _SCANS_STRUCT recordSS=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_HMIMYSPROTECTOR);
4568 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4569 }
4570 }
4571
4572 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PEPACKSPROTECT))
4573 {
4574 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PEPACKSPROTECT))
4575 {
4576 // TODO compare entryPoint and import sections
4577 _SCANS_STRUCT recordSS=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PEPACKSPROTECT);
4578 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4579 }
4580 else if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_PEPACKSPROTECT))
4581 {
4582 _SCANS_STRUCT recordSS=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_PEPACKSPROTECT);
4583 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4584 }
4585 }
4586
4587 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HMIMYSPACKER))
4588 {
4589 if(XPE::isSectionNamePresent(".hmimys",&(pPEInfo->listSectionHeaders))) // TODO Check
4590 {
4591 _SCANS_STRUCT recordSS=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_HMIMYSPACKER,"","",0);
4592 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4593 }
4594 }
4595
4596 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ORIEN))
4597 {
4598 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ORIEN))
4599 {
4600 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ORIEN);
4601
4602 QString sVersion=pPEInfo->sEntryPointSignature.mid(16,2);
4603
4604 if(sVersion=="CE")
4605 {
4606 recordSS.sVersion="2.11";
4607 }
4608 else if(sVersion=="CD")
4609 {
4610 recordSS.sVersion="2.12";
4611 }
4612
4613 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4614 }
4615 }
4616
4617 // Alloy
4618 // 4.X
4619 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ALLOY))
4620 {
4621 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ALLOY))
4622 {
4623 // TODO compare entryPoint and import sections
4624 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ALLOY);
4625 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4626 }
4627 }
4628
4629 // PeX
4630 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PEX))
4631 {
4632 // TODO compare entryPoint and import sections
4633 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEX))
4634 {
4635 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEX);
4636 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4637 }
4638 }
4639
4640 // PEVProt
4641 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_REVPROT))
4642 {
4643 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_REVPROT))
4644 {
4645 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_REVPROT);
4646 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4647 }
4648 }
4649
4650 // Software Compress
4651 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SOFTWARECOMPRESS))
4652 {
4653 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SOFTWARECOMPRESS))
4654 {
4655 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SOFTWARECOMPRESS);
4656 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4657 }
4658 }
4659
4660 // SDProtector Pro
4661 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SDPROTECTORPRO))
4662 {
4663 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SDPROTECTORPRO))
4664 {
4665 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SDPROTECTORPRO);
4666 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4667 }
4668 }
4669
4670 // Simple Pack
4671 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SIMPLEPACK))
4672 {
4673 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SIMPLEPACK))
4674 {
4675 _SCANS_STRUCT recordSS=pPEInfo->mapImportDetects.value(RECORD_NAME_SIMPLEPACK);
4676 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4677 }
4678 }
4679
4680 // NakedPacker
4681 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NAKEDPACKER))
4682 {
4683 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_NAKEDPACKER)&&(!pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER)))
4684 {
4685 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_NAKEDPACKER);
4686 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4687 }
4688 }
4689
4690 // KaOs PE-DLL eXecutable Undetecter
4691 // the same as NakedPacker
4692 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER))
4693 {
4694 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER)&&pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER))
4695 {
4696 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_KAOSPEDLLEXECUTABLEUNDETECTER);
4697 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4698 }
4699 }
4700
4701 // ASPack
4702 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ASPACK))
4703 {
4704 // TODO compare entryPoint and import sections
4705 QString _sSignature=pPEInfo->sEntryPointSignature;
4706 qint64 _nOffset=0;
4707 // QString _sVersion;
4708
4709 // TODO a function
4710 while(true)
4711 {
4712 bool bContinue=false;
4713
4714 if(XBinary::compareSignatureStrings(_sSignature,"90"))
4715 {
4716 bContinue=true;
4717 _nOffset++;
4718 _sSignature.remove(0,2);
4719 }
4720
4721 if(XBinary::compareSignatureStrings(_sSignature,"7500"))
4722 {
4723 bContinue=true;
4724 _nOffset+=2;
4725 _sSignature.remove(0,4);
4726 }
4727
4728 if(XBinary::compareSignatureStrings(_sSignature,"7501"))
4729 {
4730 bContinue=true;
4731 _nOffset+=3;
4732 _sSignature.remove(0,6);
4733 }
4734
4735 if(XBinary::compareSignatureStrings(_sSignature,"E9"))
4736 {
4737 bContinue=true;
4738 _nOffset++;
4739 _sSignature.remove(0,2);
4740 qint32 nAddress=XBinary::hexToInt32(_sSignature);
4741 _nOffset+=4;
4742 // TODO image
4743 qint64 nSignatureOffset=pe.addressToOffset(pPEInfo->nImageBaseAddress+pPEInfo->nEntryPointAddress+_nOffset+nAddress);
4744
4745 if(nSignatureOffset!=-1)
4746 {
4747 _sSignature=pe.getSignature(nSignatureOffset,150);
4748 }
4749 else
4750 {
4751 break;
4752 }
4753 }
4754
4755 if(_nOffset)
4756 {
4757 signatureScan(&(pPEInfo->mapEntryPointDetects),_sSignature,_PE_entrypoint_records,sizeof(_PE_entrypoint_records),pPEInfo->basic_info.id.fileType,XBinary::FT_PE,&(pPEInfo->basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
4758 signatureExpScan(&pe,&(pPEInfo->basic_info.memoryMap),&(pPEInfo->mapEntryPointDetects),pPEInfo->nEntryPointOffset+_nOffset,_PE_entrypointExp_records,sizeof(_PE_entrypointExp_records),pPEInfo->basic_info.id.fileType,XBinary::FT_PE,&(pPEInfo->basic_info),DETECTTYPE_ENTRYPOINT,pbIsStop);
4759 }
4760
4761 if(_nOffset>20)
4762 {
4763 break;
4764 }
4765
4766 if(!bContinue)
4767 {
4768 break;
4769 }
4770
4771 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ASPACK))
4772 {
4773 break;
4774 }
4775 }
4776
4777 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ASPACK))
4778 {
4779 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ASPACK);
4780 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
4781 }
4782 }
4783
4784 // No Import
4785 // WWPACK32
4786 // TODO false
4787 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_WWPACK32))
4788 {
4789 _SCANS_STRUCT ss={};
4790
4791 ss.type=RECORD_TYPE_PACKER;
4792 ss.name=RECORD_NAME_WWPACK32;
4793 ss.sVersion=XBinary::hexToString(pPEInfo->sEntryPointSignature.mid(102,8));
4794 //recordAndpakk.sInfo;
4795
4796 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4797 }
4798
4799 // EXE Pack
4800 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EPEXEPACK))
4801 {
4802 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EPEXEPACK))
4803 {
4804 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EPEXEPACK);
4805
4806 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4807 }
4808 else if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_EPEXEPACK))
4809 {
4810 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_EPEXEPACK);
4811
4812 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4813 }
4814 }
4815
4816 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_EPROT))
4817 {
4818 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_EPROT);
4819
4820 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4821 }
4822
4823 // RCryptor
4824 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_RCRYPTOR))
4825 {
4826 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_RCRYPTOR);
4827 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4828 }
4829
4830 // PE-PACK
4831 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PEPACK))
4832 {
4833 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PEPACK))
4834 {
4835 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PEPACK);
4836
4837 if(pe.checkOffsetSize(pPEInfo->osImportSection)&&(pPEInfo->basic_info.bIsDeepScan))
4838 {
4839 qint64 _nOffset=pPEInfo->osImportSection.nOffset;
4840 qint64 _nSize=pPEInfo->osImportSection.nSize;
4841
4842 qint64 nOffset_PEPACK=pe.find_ansiString(_nOffset,_nSize,"PE-PACK v");
4843
4844 if(nOffset_PEPACK!=-1)
4845 {
4846 ss.sVersion=pe.read_ansiString(nOffset_PEPACK+9,50);
4847 ss.sVersion=ss.sVersion.section(" ",0,0);
4848 }
4849 }
4850
4851 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4852 }
4853 }
4854
4855 // PKLITE32
4856 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PKLITE32))
4857 {
4858 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PKLITE32);
4859
4860 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4861 }
4862
4863 // MoleBox
4864 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_MOLEBOX))
4865 {
4866 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_MOLEBOX);
4867
4868 QString sComment=XPE::getResourceVersionValue("Comments",&(pPEInfo->resVersion));
4869
4870 if(sComment.contains("MoleBox "))
4871 {
4872 ss.sVersion=sComment.section("MoleBox ",1,-1);
4873 }
4874
4875 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4876 }
4877
4878 // XComp
4879 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_XCOMP))
4880 {
4881 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_XCOMP))
4882 {
4883 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_XCOMP);
4884
4885 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4886 }
4887 }
4888
4889 // XPack
4890 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_XPACK))
4891 {
4892 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_XPACK))
4893 {
4894 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_XPACK);
4895
4896 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4897 }
4898 }
4899
4900 // Krypton
4901 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KRYPTON))
4902 {
4903 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_KRYPTON))
4904 {
4905 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_KRYPTON);
4906
4907 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4908 }
4909 }
4910
4911 // SVK Protector
4912 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SVKPROTECTOR))
4913 {
4914 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SVKPROTECTOR))
4915 {
4916 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_SVKPROTECTOR);
4917
4918 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4919 }
4920 }
4921
4922 // TPP Pack
4923 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_TPPPACK))
4924 {
4925 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_TPPPACK))
4926 {
4927 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_TPPPACK);
4928
4929 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4930 }
4931 }
4932
4933 // VCasm-Protector
4934 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_VCASMPROTECTOR))
4935 {
4936 _SCANS_STRUCT ss={};
4937 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_VCASMPROTECTOR))
4938 {
4939 ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_VCASMPROTECTOR);
4940 }
4941
4942 if(pe.checkOffsetSize(pPEInfo->osEntryPointSection)&&(pPEInfo->basic_info.bIsDeepScan))
4943 {
4944 ss=pPEInfo->mapImportDetects.value(RECORD_NAME_VCASMPROTECTOR);
4945
4946 qint64 _nOffset=pPEInfo->osEntryPointSection.nOffset;
4947 qint64 _nSize=pPEInfo->osEntryPointSection.nSize;
4948
4949 // TODO get max version
4950 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"vcasm_protect_");
4951
4952 QString sVersionString;
4953
4954 if(nOffset_Version!=-1)
4955 {
4956 sVersionString=pe.read_ansiString(nOffset_Version).section("_",2,-1);
4957 }
4958
4959 if(sVersionString=="2004_11_30")
4960 {
4961 ss.sVersion="1.0";
4962 }
4963 if(sVersionString=="2005_3_18")
4964 {
4965 ss.sVersion="1.1-1.2";
4966 }
4967 }
4968
4969
4970 if(ss.name!=RECORD_NAME_UNKNOWN)
4971 {
4972 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4973 }
4974 }
4975
4976 // JDPack
4977 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_JDPACK))
4978 {
4979 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_JDPACK))
4980 {
4981 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_JDPACK);
4982
4983 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4984 }
4985 }
4986
4987 // Yoda's crypter
4988 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_YODASCRYPTER))
4989 {
4990 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_YODASCRYPTER))
4991 {
4992 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_YODASCRYPTER);
4993
4994 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
4995 }
4996 }
4997
4998 // QrYPt0r
4999 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_QRYPT0R))
5000 {
5001 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_QRYPT0R))
5002 {
5003 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_QRYPT0R);
5004
5005 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5006 }
5007 }
5008
5009 // DBPE
5010 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DBPE))
5011 {
5012 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_DBPE))
5013 {
5014 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_DBPE);
5015
5016 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5017 }
5018 }
5019
5020 // FISH PE Shield
5021 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FISHPESHIELD))
5022 {
5023 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_FISHPESHIELD))
5024 {
5025 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_FISHPESHIELD);
5026
5027 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5028 }
5029 }
5030
5031 // bambam
5032 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_BAMBAM))
5033 {
5034 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BAMBAM))
5035 {
5036 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_BAMBAM);
5037
5038 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5039 }
5040 }
5041
5042 // DotFix NeceProtect
5043 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DOTFIXNICEPROTECT))
5044 {
5045 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_DOTFIXNICEPROTECT))
5046 {
5047 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_DOTFIXNICEPROTECT);
5048
5049 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5050 }
5051 }
5052
5053 // The Best Cryptor [by FsK]
5054 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_THEBESTCRYPTORBYFSK))
5055 {
5056 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_THEBESTCRYPTORBYFSK);
5057
5058 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5059 }
5060
5061 // DYAMAR
5062 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DYAMAR))
5063 {
5064 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_DYAMAR))
5065 {
5066 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_DYAMAR);
5067
5068 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5069 }
5070 }
5071
5072 // CExe
5073 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CEXE))
5074 {
5075 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CEXE);
5076
5077 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5078 }
5079
5080 // K!Cryptor
5081 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KCRYPTOR))
5082 {
5083 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_KCRYPTOR))
5084 {
5085 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_KCRYPTOR);
5086
5087 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5088 }
5089 }
5090
5091 // Crypter
5092 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_CRYPTER))
5093 {
5094 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_CRYPTER);
5095
5096 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5097 }
5098
5099 // Thinstall
5100 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_THINSTALL)) // TODO Imports EP
5101 {
5102 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_THINSTALL);
5103
5104 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5105 }
5106 else if(XPE::getResourceVersionValue("ThinAppVersion",&(pPEInfo->resVersion))!="")
5107 {
5108 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_THINSTALL,"","",0);
5109 ss.sVersion=XPE::getResourceVersionValue("ThinAppVersion",&(pPEInfo->resVersion)).trimmed();
5110
5111 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5112 }
5113 else if(XPE::getResourceVersionValue("ThinstallVersion",&(pPEInfo->resVersion))!="")
5114 {
5115 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_THINSTALL,"","",0);
5116 ss.sVersion=XPE::getResourceVersionValue("ThinstallVersion",&(pPEInfo->resVersion)).trimmed();
5117
5118 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5119 }
5120
5121 // ABC Cryptor
5122 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_ABCCRYPTOR))
5123 {
5124 _SCANS_STRUCT recordEP=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_ABCCRYPTOR);
5125
5126 if((pPEInfo->nEntryPointAddress-pPEInfo->listSectionHeaders.at(pPEInfo->nEntryPointSection).VirtualAddress)==1)
5127 {
5128 pPEInfo->mapResultPackers.insert(recordEP.name,scansToScan(&(pPEInfo->basic_info),&recordEP));
5129 }
5130 }
5131
5132 // exe 32 pack
5133 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXE32PACK))
5134 {
5135 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXE32PACK))
5136 {
5137 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXE32PACK);
5138
5139 qint64 _nOffset=pPEInfo->osHeader.nOffset;
5140 qint64 _nSize=qMin(pPEInfo->basic_info.nSize,(qint64)0x2000);
5141
5142 qint64 nOffset_version=pe.find_ansiString(_nOffset,_nSize,"Packed by exe32pack");
5143
5144 if(nOffset_version!=-1)
5145 {
5146 ss.sVersion=pe.read_ansiString(nOffset_version+20,50);
5147 ss.sVersion=ss.sVersion.section(" ",0,0);
5148 }
5149
5150 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5151 }
5152 }
5153
5154 // SC PACK
5155 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SCPACK))
5156 {
5157 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_SCPACK))
5158 {
5159 if(pPEInfo->listSectionRecords.count()>=3)
5160 {
5161 if(pPEInfo->nEntryPointSection==1)
5162 {
5163 if(pPEInfo->listSectionHeaders.at(1).VirtualAddress==pPEInfo->nEntryPointAddress)
5164 {
5165 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SCPACK);
5166
5167 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5168 }
5169 }
5170 }
5171 }
5172 }
5173
5174 // dePack
5175 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_DEPACK))
5176 {
5177 if(pe.compareEntryPoint("EB$$60"))
5178 {
5179 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_DEPACK);
5180
5181 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5182 }
5183 }
5184 }
5185 else
5186 {
5187 // Only 64
5188 // lARP64
5189 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_LARP64))
5190 {
5191 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_LARP64))
5192 {
5193 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_LARP64);
5194 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5195 }
5196 }
5197 }
5198 }
5199 }
5200 }
5201
PE_handle_VMProtect(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5202 void SpecAbstract::PE_handle_VMProtect(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5203 {
5204 XPE pe(pDevice,bIsImage);
5205
5206 if(pe.isValid())
5207 {
5208 if(!pPEInfo->cliInfo.bValid)
5209 {
5210 bool bSuccess=false;
5211
5212 QSet<QString> stDetects;
5213
5214 int nNumberOfImports=pPEInfo->listImports.count();
5215
5216 // TODO Check!
5217 if(nNumberOfImports>=2)
5218 {
5219 if(pPEInfo->listImports.at(nNumberOfImports-2).sName.toUpper()=="KERNEL32.DLL")
5220 {
5221 if(pPEInfo->listImports.at(nNumberOfImports-2).listPositions.count()==12)
5222 {
5223 if( (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(0).sName=="LocalAlloc")&&
5224 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(1).sName=="LocalFree")&&
5225 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(2).sName=="GetModuleFileNameW")&&
5226 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(3).sName=="GetProcessAffinityMask")&&
5227 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(4).sName=="SetProcessAffinityMask")&&
5228 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(5).sName=="SetThreadAffinityMask")&&
5229 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(6).sName=="Sleep")&&
5230 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(7).sName=="ExitProcess")&&
5231 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(8).sName=="FreeLibrary")&&
5232 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(9).sName=="LoadLibraryA")&&
5233 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(10).sName=="GetModuleHandleA")&&
5234 (pPEInfo->listImports.at(nNumberOfImports-2).listPositions.at(11).sName=="GetProcAddress"))
5235 {
5236 stDetects.insert("kernel32_3");
5237 }
5238 }
5239 }
5240
5241 if(pPEInfo->listImports.at(nNumberOfImports-1).sName.toUpper()=="USER32.DLL")
5242 {
5243 if(pPEInfo->listImports.at(nNumberOfImports-1).listPositions.count()==2)
5244 {
5245 if( (pPEInfo->listImports.at(nNumberOfImports-1).listPositions.at(0).sName=="GetProcessWindowStation")&&
5246 (pPEInfo->listImports.at(nNumberOfImports-1).listPositions.at(1).sName=="GetUserObjectInformationW"))
5247 {
5248 stDetects.insert("user32_3");
5249 }
5250 }
5251 }
5252 }
5253
5254 if( stDetects.contains("kernel32_3")&&
5255 stDetects.contains("user32_3"))
5256 {
5257 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_VMPROTECT,"","",0);
5258 ss.sVersion="3.X";
5259 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5260
5261 bSuccess=true;
5262 }
5263
5264 // Import
5265 if(!bSuccess)
5266 {
5267 bSuccess=pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_VMPROTECT);
5268 }
5269
5270 if(!bSuccess)
5271 {
5272 bSuccess=pPEInfo->mapImportDetects.contains(RECORD_NAME_VMPROTECT);
5273 }
5274
5275 if(!bSuccess)
5276 {
5277 if(pPEInfo->nEntryPointSection>=3)
5278 {
5279 bSuccess=true;
5280
5281 int nNumberOfSections=pPEInfo->listSectionHeaders.count();
5282
5283 for(int i=0; i<nNumberOfSections; i++)
5284 {
5285 // TODO init section
5286 if( (i==pPEInfo->nEntryPointSection)||
5287 (i==pPEInfo->nResourceSection)||
5288 (i==pPEInfo->nTLSSection)||
5289 (i==pPEInfo->nRelocsSection)||
5290 (QString((char *)pPEInfo->listSectionHeaders.at(i).Name)==".INIT")||
5291 (QString((char *)pPEInfo->listSectionHeaders.at(i).Name)==".tls")||
5292 (QString((char *)pPEInfo->listSectionHeaders.at(i).Name).contains("0"))
5293 )
5294 {
5295 continue;
5296 }
5297
5298 if(pPEInfo->listSectionHeaders.at(i).SizeOfRawData)
5299 {
5300 bSuccess=false;
5301 break;
5302 }
5303 }
5304 }
5305 }
5306
5307 if(bSuccess)
5308 {
5309 if( pe.compareEntryPoint("68........E8")||
5310 pe.compareEntryPoint("68........E9")||
5311 pe.compareEntryPoint("9C60")||
5312 pe.compareEntryPoint("EB$$E9$$$$$$$$68........E8")||
5313 pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_VMPROTECT))
5314 {
5315 // TODO more checks
5316 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_VMPROTECT,"","",0);
5317 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5318 }
5319 }
5320 }
5321 }
5322 }
5323
PE_handle_VProtect(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5324 void SpecAbstract::PE_handle_VProtect(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5325 {
5326 XPE pe(pDevice,bIsImage);
5327
5328 if(pe.isValid())
5329 {
5330 if(!pPEInfo->cliInfo.bValid)
5331 {
5332 if(pPEInfo->nEntryPointSection>0)
5333 {
5334 if(pPEInfo->sEntryPointSectionName=="VProtect") // TODO !!!
5335 {
5336 if(pe.checkOffsetSize(pPEInfo->osEntryPointSection)&&(pPEInfo->basic_info.bIsDeepScan))
5337 {
5338 qint64 nSectionOffset=pPEInfo->osEntryPointSection.nOffset;
5339 qint64 nSectionSize=pPEInfo->osEntryPointSection.nSize;
5340
5341 qint64 nOffset_Version=pe.find_ansiString(nSectionOffset,nSectionSize,"VProtect");
5342
5343 if(nOffset_Version!=-1)
5344 {
5345 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_VIRTUALIZEPROTECT,"","",0);
5346
5347 nOffset_Version=pe.find_ansiString(nSectionOffset,nSectionSize,"VProtect Ultimate v");
5348
5349 if(nOffset_Version!=-1)
5350 {
5351 ss.sVersion=pe.read_ansiString(nOffset_Version).section(" v",1,1);
5352 }
5353
5354 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5355 }
5356 }
5357 }
5358 }
5359 }
5360 }
5361 }
5362
PE_handle_TTProtect(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5363 void SpecAbstract::PE_handle_TTProtect(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5364 {
5365 XPE pe(pDevice,bIsImage);
5366
5367 if(pe.isValid())
5368 {
5369 if(!pPEInfo->cliInfo.bValid)
5370 {
5371 if(pPEInfo->listImportPositionHashes.count()>=1)
5372 {
5373 if(pPEInfo->listImportPositionHashes.at(0)==0xf3f52749) // TODO !!!
5374 {
5375 if(pPEInfo->nEntryPointSection>0)
5376 {
5377 if(pPEInfo->sEntryPointSectionName==".TTP") // TODO !!!
5378 {
5379 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_TTPROTECT,"","",0);
5380
5381 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5382 }
5383 }
5384 }
5385 }
5386 }
5387 }
5388 }
5389
PE_handle_SafeengineShielden(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5390 void SpecAbstract::PE_handle_SafeengineShielden(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5391 {
5392 XPE pe(pDevice,bIsImage);
5393
5394 if(pe.isValid())
5395 {
5396 if(!pPEInfo->cliInfo.bValid)
5397 {
5398 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_SAFEENGINESHIELDEN))
5399 {
5400 if(pPEInfo->nEntryPointSection>0)
5401 {
5402 if(pPEInfo->sEntryPointSectionName==".sedata") // TODO !!!
5403 {
5404 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_SAFEENGINESHIELDEN,"2.XX","",0);
5405
5406 qint64 nSectionOffset=pPEInfo->listSectionRecords.at(1).nOffset;
5407 qint64 nSectionSize=pPEInfo->listSectionRecords.at(1).nSize;
5408
5409 qint64 nOffset_Version=pe.find_ansiString(nSectionOffset,nSectionSize,"Safengine Shielden v");
5410
5411 if(nOffset_Version!=-1)
5412 {
5413 ss.sVersion=pe.read_ansiString(nOffset_Version).section(" v",1,1);
5414 }
5415
5416 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5417 }
5418 }
5419 }
5420 }
5421 }
5422 }
5423
PE_handle_tElock(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5424 void SpecAbstract::PE_handle_tElock(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5425 {
5426 XPE pe(pDevice,bIsImage);
5427
5428 if(pe.isValid())
5429 {
5430 if(!pPEInfo->cliInfo.bValid)
5431 {
5432 if(pPEInfo->listImports.count()==2)
5433 {
5434 bool bKernel32=false;
5435 bool bUser32=false;
5436
5437 // TODO !!!
5438 if(pPEInfo->listImports.at(0).sName=="kernel32.dll")
5439 {
5440 if(pPEInfo->listImports.at(0).listPositions.count()==1)
5441 {
5442 if(pPEInfo->listImports.at(0).listPositions.at(0).sFunction=="GetModuleHandleA")
5443 {
5444 bKernel32=true;
5445 }
5446 }
5447 }
5448 if(pPEInfo->listImports.at(1).sName=="user32.dll")
5449 {
5450 if(pPEInfo->listImports.at(1).listPositions.count()==1)
5451 {
5452 if((pPEInfo->listImports.at(1).listPositions.at(0).sFunction=="MessageBoxA"))
5453 {
5454 bUser32=true;
5455 }
5456 }
5457 }
5458
5459 if(bKernel32&&bUser32)
5460 {
5461 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_TELOCK))
5462 {
5463 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_TELOCK);
5464
5465 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5466 }
5467 }
5468 }
5469 }
5470 }
5471 }
5472
PE_handle_Armadillo(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5473 void SpecAbstract::PE_handle_Armadillo(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5474 {
5475 XPE pe(pDevice,bIsImage);
5476
5477 if(pe.isValid())
5478 {
5479 if(!pPEInfo->cliInfo.bValid)
5480 {
5481 bool bHeaderDetect=false;
5482 bool bImportDetect=false;
5483
5484 if((pPEInfo->nMajorLinkerVersion==0x53)&&(pPEInfo->nMinorLinkerVersion==0x52))
5485 {
5486 bHeaderDetect=true;
5487 }
5488
5489 int nNumberOfImports=pPEInfo->listImports.count();
5490
5491 if(nNumberOfImports>=3)
5492 {
5493 bImportDetect= ( (pPEInfo->listImports.at(0).sName.toUpper()=="KERNEL32.DLL")&&
5494 (pPEInfo->listImports.at(1).sName.toUpper()=="USER32.DLL")&&
5495 (pPEInfo->listImports.at(2).sName.toUpper()=="GDI32.DLL") )||
5496 ( (pPEInfo->listImports.at(0).sName.toUpper()=="KERNEL32.DLL")&&
5497 (pPEInfo->listImports.at(1).sName.toUpper()=="GDI32.DLL")&&
5498 (pPEInfo->listImports.at(2).sName.toUpper()=="USER32.DLL") );
5499 }
5500
5501 if(bImportDetect||bHeaderDetect)
5502 {
5503 bool bDetect=false;
5504
5505 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_ARMADILLO,"","",0);
5506
5507 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ARMADILLO))
5508 {
5509 ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ARMADILLO);
5510
5511 bDetect=true;
5512 }
5513
5514 if(bHeaderDetect)
5515 {
5516 bDetect=true;
5517 }
5518
5519 if(bDetect)
5520 {
5521 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5522 }
5523 }
5524 }
5525 }
5526 }
5527
PE_handle_Obsidium(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5528 void SpecAbstract::PE_handle_Obsidium(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5529 {
5530 XPE pe(pDevice,bIsImage);
5531
5532 if(pe.isValid())
5533 {
5534 // TODO x64
5535 // KERNEL32.DLL
5536 // USER32.DLL
5537 // ADVAPI32.DLL
5538 // SHEL32.DLL
5539 if(!pPEInfo->cliInfo.bValid)
5540 {
5541 int nNumberOfImports=pPEInfo->listImports.count();
5542
5543 if((nNumberOfImports==2)||(nNumberOfImports==3))
5544 {
5545 bool bKernel32=false;
5546 bool bUser32=false;
5547 // bool bAdvapi32=false;
5548
5549 if(pPEInfo->listImports.at(0).sName=="KERNEL32.DLL")
5550 {
5551 if(pPEInfo->listImports.at(0).listPositions.count()==1)
5552 {
5553 if((pPEInfo->listImports.at(0).listPositions.at(0).sFunction=="ExitProcess"))
5554 {
5555 bKernel32=true;
5556 }
5557 }
5558 }
5559
5560 if(pPEInfo->listImports.at(1).sName=="USER32.DLL")
5561 {
5562 if(pPEInfo->listImports.at(1).listPositions.count()==1)
5563 {
5564 if((pPEInfo->listImports.at(1).listPositions.at(0).sFunction=="MessageBoxA"))
5565 {
5566 bUser32=true;
5567 }
5568 }
5569 }
5570
5571 if(nNumberOfImports==3)
5572 {
5573 if(pPEInfo->listImports.at(2).sName=="ADVAPI32.DLL")
5574 {
5575 if(pPEInfo->listImports.at(2).listPositions.count()==1)
5576 {
5577 if((pPEInfo->listImports.at(2).listPositions.at(0).sFunction=="RegOpenKeyExA"))
5578 {
5579 // bAdvapi32=true;
5580 }
5581 }
5582 }
5583 }
5584
5585 if(bKernel32&&bUser32)
5586 {
5587 if( pe.compareEntryPoint("EB$$50EB$$E8")||
5588 pe.compareEntryPoint("EB$$E8........EB$$EB"))
5589 {
5590 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_OBSIDIUM,"","",0);
5591
5592 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5593 }
5594 }
5595 }
5596 }
5597 }
5598 }
5599
PE_handle_Themida(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5600 void SpecAbstract::PE_handle_Themida(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5601 {
5602 XPE pe(pDevice,bIsImage);
5603
5604 if(pe.isValid())
5605 {
5606 if(!pPEInfo->cliInfo.bValid)
5607 {
5608 if(pPEInfo->listImports.count()==1)
5609 {
5610 if(pPEInfo->listImports.at(0).sName=="kernel32.dll")
5611 {
5612 if(pPEInfo->listImports.at(0).listPositions.count()==1)
5613 {
5614 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_THEMIDAWINLICENSE))
5615 {
5616 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_THEMIDAWINLICENSE);
5617
5618 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5619 }
5620 }
5621 }
5622 }
5623 else if(pPEInfo->listImports.count()==2)
5624 {
5625 bool bKernel32=false;
5626 bool bComctl32=false;
5627
5628 // TODO
5629 if(pPEInfo->listImports.at(0).sName=="KERNEL32.dll")
5630 {
5631 if(pPEInfo->listImports.at(0).listPositions.count()==2)
5632 {
5633 if( (pPEInfo->listImports.at(0).listPositions.at(0).sFunction=="CreateFileA")||
5634 (pPEInfo->listImports.at(0).listPositions.at(1).sFunction=="lstrcpy"))
5635 {
5636 bKernel32=true;
5637 }
5638 }
5639 }
5640 else if(pPEInfo->listImports.at(0).sName=="kernel32.dll") // TODO Check
5641 {
5642 if(pPEInfo->listImports.at(0).listPositions.count()==1)
5643 {
5644 if((pPEInfo->listImports.at(0).listPositions.at(0).sFunction=="lstrcpy"))
5645 {
5646 bKernel32=true;
5647 }
5648 }
5649 }
5650
5651 if((pPEInfo->listImports.at(1).sName=="COMCTL32.dll")||(pPEInfo->listImports.at(1).sName=="comctl32.dll"))
5652 {
5653 if(pPEInfo->listImports.at(1).listPositions.count()==1)
5654 {
5655 if((pPEInfo->listImports.at(1).listPositions.at(0).sFunction=="InitCommonControls"))
5656 {
5657 bComctl32=true;
5658 }
5659 }
5660 }
5661
5662 if(bKernel32&&bComctl32)
5663 {
5664 // TODO Version
5665 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_THEMIDAWINLICENSE,"1.XX-2.XX","",0);
5666
5667 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5668 }
5669 }
5670
5671 if(!pPEInfo->mapResultProtectors.contains(RECORD_NAME_THEMIDAWINLICENSE))
5672 {
5673 // New version
5674 int nNumbersOfImport=pPEInfo->listImports.count();
5675
5676 bool bSuccess=true;
5677
5678 for(int i=0;i<nNumbersOfImport;i++)
5679 {
5680 if(pPEInfo->listImports.at(i).listPositions.count()!=1)
5681 {
5682 bSuccess=false;
5683 break;
5684 }
5685 }
5686
5687 if(bSuccess)
5688 {
5689 if(pPEInfo->listSectionNames.count()>1)
5690 {
5691 if(pPEInfo->listSectionNames.at(0)==" ")
5692 {
5693 bSuccess=false;
5694
5695 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_THEMIDAWINLICENSE,"3.XX","",0);
5696
5697 if(XPE::isSectionNamePresent(".themida",&(pPEInfo->listSectionHeaders)))
5698 {
5699 ss.sInfo="Themida";
5700 bSuccess=true;
5701 }
5702 else if(XPE::isSectionNamePresent(".winlice",&(pPEInfo->listSectionHeaders)))
5703 {
5704 ss.sInfo="Winlicense";
5705 bSuccess=true;
5706 }
5707
5708 if(bSuccess)
5709 {
5710 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5711 }
5712 }
5713 }
5714 }
5715 }
5716 }
5717 }
5718 }
5719
PE_handle_StarForce(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5720 void SpecAbstract::PE_handle_StarForce(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5721 {
5722 XPE pe(pDevice,bIsImage);
5723
5724 if(pe.isValid())
5725 {
5726 bool bSF3=XPE::isSectionNamePresent(".sforce3",&(pPEInfo->listSectionHeaders)); // TODO
5727 bool bSF4=XPE::isSectionNamePresent(".ps4",&(pPEInfo->listSectionHeaders)); // TODO
5728
5729 if(bSF3||bSF4)
5730 {
5731 QString sVersion;
5732 QString sInfo;
5733
5734 if(bSF3)
5735 {
5736 sVersion="3.X";
5737 }
5738
5739 if(bSF4)
5740 {
5741 sVersion="4.X-5.X";
5742 }
5743
5744 int nNumberOfImports=pPEInfo->listImports.count();
5745
5746 for(int i=0; i<nNumberOfImports; i++)
5747 {
5748 if(pPEInfo->listImports.at(i).listPositions.count()==1)
5749 {
5750 if(pPEInfo->listImports.at(i).listPositions.at(0).sName=="")
5751 {
5752 sInfo=pPEInfo->listImports.at(i).sName;
5753 }
5754 }
5755 }
5756
5757 _SCANS_STRUCT recordSS=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_STARFORCE,sVersion,sInfo,0);
5758 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
5759 }
5760 }
5761 }
5762
PE_handle_Petite(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5763 void SpecAbstract::PE_handle_Petite(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5764 {
5765 XPE pe(pDevice,bIsImage);
5766
5767 if(pe.isValid())
5768 {
5769 if(!pPEInfo->cliInfo.bValid)
5770 {
5771 if(!pPEInfo->bIs64)
5772 {
5773 bool bKernel32=false;
5774 bool bUser32=false;
5775 QString sVersion;
5776
5777 // TODO !!!
5778 // TODO Petite 2.4 Check header
5779
5780 int nNumberOfImports=pPEInfo->listImports.count();
5781
5782 for(int i=0; i<nNumberOfImports; i++)
5783 {
5784 if(pPEInfo->listImports.at(i).sName.toUpper()=="USER32.DLL")
5785 {
5786 if(pPEInfo->listImports.at(i).listPositions.count()==2)
5787 {
5788 if( (pPEInfo->listImports.at(i).listPositions.at(0).sName=="MessageBoxA")&&
5789 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="wsprintfA"))
5790 {
5791 bUser32=true;
5792 }
5793 }
5794 else if(pPEInfo->listImports.at(i).listPositions.count()==1)
5795 {
5796 if((pPEInfo->listImports.at(i).listPositions.at(0).sName=="MessageBoxA"))
5797 {
5798 bUser32=true;
5799 }
5800 }
5801 }
5802 else if(pPEInfo->listImports.at(i).sName.toUpper()=="KERNEL32.DLL")
5803 {
5804 if(pPEInfo->listImports.at(i).listPositions.count()==7)
5805 {
5806 if( (pPEInfo->listImports.at(i).listPositions.at(0).sName=="ExitProcess")&&
5807 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="GetModuleHandleA")&&
5808 (pPEInfo->listImports.at(i).listPositions.at(2).sName=="GetProcAddress")&&
5809 (pPEInfo->listImports.at(i).listPositions.at(3).sName=="VirtualProtect")&&
5810 (pPEInfo->listImports.at(i).listPositions.at(4).sName=="VirtualAlloc")&&
5811 (pPEInfo->listImports.at(i).listPositions.at(5).sName=="VirtualFree")&&
5812 (pPEInfo->listImports.at(i).listPositions.at(6).sName=="LoadLibraryA"))
5813 {
5814 sVersion="2.4";
5815 bKernel32=true;
5816 }
5817 else if((pPEInfo->listImports.at(i).listPositions.at(0).sName=="ExitProcess")&&
5818 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="LoadLibraryA")&&
5819 (pPEInfo->listImports.at(i).listPositions.at(2).sName=="GetProcAddress")&&
5820 (pPEInfo->listImports.at(i).listPositions.at(3).sName=="VirtualProtect")&&
5821 (pPEInfo->listImports.at(i).listPositions.at(4).sName=="GlobalAlloc")&&
5822 (pPEInfo->listImports.at(i).listPositions.at(5).sName=="GlobalFree")&&
5823 (pPEInfo->listImports.at(i).listPositions.at(6).sName=="GetModuleHandleA"))
5824 {
5825 sVersion="2.3";
5826 bKernel32=true;
5827 }
5828 }
5829
5830 if(pPEInfo->listImports.at(i).listPositions.count()==6)
5831 {
5832 if( (pPEInfo->listImports.at(i).listPositions.at(0).sName=="ExitProcess")&&
5833 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="GetModuleHandleA")&&
5834 (pPEInfo->listImports.at(i).listPositions.at(2).sName=="GetProcAddress")&&
5835 (pPEInfo->listImports.at(i).listPositions.at(3).sName=="VirtualProtect")&&
5836 (pPEInfo->listImports.at(i).listPositions.at(4).sName=="GlobalAlloc")&&
5837 (pPEInfo->listImports.at(i).listPositions.at(5).sName=="GlobalFree"))
5838 {
5839 sVersion="2.3";// DLL only?? // TODO Check
5840 bKernel32=true;
5841 }
5842 }
5843 else if(pPEInfo->listImports.at(i).listPositions.count()==5)
5844 {
5845 if( (pPEInfo->listImports.at(i).listPositions.at(0).sName=="ExitProcess")&&
5846 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="LoadLibraryA")&&
5847 (pPEInfo->listImports.at(i).listPositions.at(2).sName=="GetProcAddress")&&
5848 (pPEInfo->listImports.at(i).listPositions.at(3).sName=="VirtualProtect")&&
5849 (pPEInfo->listImports.at(i).listPositions.at(4).sName=="GlobalAlloc"))
5850 {
5851 sVersion="2.2";
5852 bKernel32=true;
5853 }
5854 }
5855 else if(pPEInfo->listImports.at(i).listPositions.count()==4)
5856 {
5857 if( (pPEInfo->listImports.at(i).listPositions.at(0).sName=="ExitProcess")&&
5858 (pPEInfo->listImports.at(i).listPositions.at(1).sName=="GetProcAddress")&&
5859 (pPEInfo->listImports.at(i).listPositions.at(2).sName=="LoadLibraryA")&&
5860 (pPEInfo->listImports.at(i).listPositions.at(3).sName=="GlobalAlloc"))
5861 {
5862 sVersion="1.4";
5863 bKernel32=true;
5864 }
5865 }
5866 }
5867 }
5868
5869 // TODO Import hash
5870 if(bUser32&&bKernel32)
5871 {
5872 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PETITE))
5873 {
5874 _SCANS_STRUCT recordPETITE=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PETITE);
5875 recordPETITE.sVersion=sVersion;
5876 pPEInfo->mapResultPackers.insert(recordPETITE.name,scansToScan(&(pPEInfo->basic_info),&recordPETITE));
5877 }
5878 }
5879 else if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_PETITE))
5880 {
5881 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PETITE))
5882 {
5883 _SCANS_STRUCT recordPETITE=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PETITE);
5884 pPEInfo->mapResultPackers.insert(recordPETITE.name,scansToScan(&(pPEInfo->basic_info),&recordPETITE));
5885 }
5886 }
5887 }
5888 }
5889 }
5890 }
5891
PE_handle_NETProtection(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)5892 void SpecAbstract::PE_handle_NETProtection(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
5893 {
5894 XPE pe(pDevice,bIsImage);
5895
5896 if(pe.isValid())
5897 {
5898 if(pPEInfo->bIsNetPresent)
5899 {
5900 // .NET
5901 // Enigma
5902 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan)) // TODO
5903 {
5904 qint64 nSectionOffset=pPEInfo->osCodeSection.nOffset;
5905 qint64 nSectionSize=pPEInfo->osCodeSection.nSize;
5906
5907 VI_STRUCT viEnigma=get_Enigma_vi(pDevice,bIsImage,nSectionOffset,nSectionSize);
5908
5909 if(viEnigma.bIsValid)
5910 {
5911 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_ENIGMA,viEnigma.sVersion,".NET",0);
5912 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5913 }
5914 }
5915
5916 // .Net reactor
5917 if(pPEInfo->listSectionRecords.count()>=2)
5918 {
5919 if(pPEInfo->basic_info.bIsDeepScan)
5920 {
5921 qint64 _nOffset=pPEInfo->listSectionRecords.at(1).nOffset;
5922 qint64 _nSize=pPEInfo->listSectionRecords.at(1).nSize;
5923
5924 qint64 nOffset_NetReactor=pe.find_signature(&(pPEInfo->basic_info.memoryMap),_nOffset,_nSize,"5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158");
5925
5926 if(nOffset_NetReactor!=-1)
5927 {
5928 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_DOTNETREACTOR,"4.8-4.9","",0);
5929 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5930 }
5931 }
5932 }
5933
5934 // TODO
5935 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_YANO))
5936 {
5937 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_YANO);
5938 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5939 }
5940
5941 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DOTFUSCATOR))
5942 {
5943 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DOTFUSCATOR);
5944 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5945 }
5946
5947 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_AGILENET))
5948 {
5949 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_AGILENET);
5950 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5951 }
5952
5953 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_SKATER))
5954 {
5955 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_SKATER);
5956 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5957 }
5958
5959 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_BABELNET))
5960 {
5961 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_BABELNET);
5962 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5963 }
5964
5965 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_GOLIATHNET))
5966 {
5967 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_GOLIATHNET);
5968 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5969 }
5970
5971 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_SPICESNET))
5972 {
5973 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_SPICESNET);
5974 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5975 }
5976
5977 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_OBFUSCATORNET2009))
5978 {
5979 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_OBFUSCATORNET2009);
5980 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5981 }
5982
5983 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DEEPSEA))
5984 {
5985 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DEEPSEA);
5986 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
5987 }
5988
5989 {
5990 bool bDetect=false;
5991 _SCANS_STRUCT ss={};
5992
5993 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DEEPSEA))
5994 {
5995 ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DEEPSEA);
5996 bDetect=true;
5997 }
5998 else if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_DEEPSEA))
5999 {
6000 ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_DEEPSEA);
6001 bDetect=true;
6002 }
6003
6004 if(bDetect)
6005 {
6006 qint64 nSectionOffset=pPEInfo->osCodeSection.nOffset;
6007 qint64 nSectionSize=pPEInfo->osCodeSection.nSize;
6008
6009 VI_STRUCT vi=get_DeepSea_vi(pDevice,bIsImage,nSectionOffset,nSectionSize);
6010
6011 if(vi.bIsValid)
6012 {
6013 ss.sVersion=vi.sVersion;
6014 ss.sInfo=vi.sInfo;
6015 }
6016
6017 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6018 }
6019 }
6020
6021 // cliSecure
6022 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_CLISECURE))
6023 {
6024 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_CLISECURE);
6025 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6026 }
6027 else
6028 {
6029 if(pPEInfo->listSectionHeaders.count()>=2)
6030 {
6031 qint64 _nOffset=pPEInfo->listSectionRecords.at(1).nOffset;
6032 qint64 _nSize=pPEInfo->listSectionRecords.at(1).nSize;
6033 qint32 _nCharacteristics=pPEInfo->listSectionRecords.at(1).nCharacteristics;
6034
6035 if(_nCharacteristics&(XPE_DEF::S_IMAGE_SCN_MEM_EXECUTE))
6036 {
6037 qint64 nOffset_CliSecure=pe.find_unicodeString(_nOffset,_nSize,"CliSecure");
6038
6039 if(nOffset_CliSecure!=-1)
6040 {
6041 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_NETOBFUSCATOR,RECORD_NAME_CLISECURE,"4.X","",0);
6042 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6043 }
6044 }
6045 }
6046 }
6047
6048 if((pPEInfo->mapOverlayDetects.contains(RECORD_NAME_FISHNET))||(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_FISHNET)))
6049 {
6050 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_NETOBFUSCATOR,RECORD_NAME_FISHNET,"1.X","",0); // TODO
6051 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss)); // TODO obfuscator?
6052 }
6053
6054 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_NSPACK))
6055 {
6056 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_NSPACK);
6057 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6058 }
6059
6060 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DNGUARD))
6061 {
6062 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DNGUARD);
6063 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6064 }
6065
6066 // .NETZ
6067 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DOTNETZ))
6068 {
6069 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DOTNETZ);
6070 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6071 }
6072 else if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_DOTNETZ))
6073 {
6074 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_DOTNETZ);
6075 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6076 }
6077
6078 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_MAXTOCODE))
6079 {
6080 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_MAXTOCODE);
6081 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6082 }
6083
6084 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_PHOENIXPROTECTOR))
6085 {
6086 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_PHOENIXPROTECTOR);
6087 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6088 }
6089
6090 {
6091 bool bDetect=false;
6092 _SCANS_STRUCT ss={};
6093
6094 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_SMARTASSEMBLY))
6095 {
6096 ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_SMARTASSEMBLY);
6097 bDetect=true;
6098 }
6099 else if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_SMARTASSEMBLY))
6100 {
6101 ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_SMARTASSEMBLY);
6102 bDetect=true;
6103 }
6104
6105 if(bDetect)
6106 {
6107 qint64 nSectionOffset=pPEInfo->osCodeSection.nOffset;
6108 qint64 nSectionSize=pPEInfo->osCodeSection.nSize;
6109
6110 VI_STRUCT vi=get_SmartAssembly_vi(pDevice,bIsImage,nSectionOffset,nSectionSize);
6111
6112 if(vi.bIsValid)
6113 {
6114 ss.sVersion=vi.sVersion;
6115 ss.sInfo=vi.sInfo;
6116 }
6117
6118 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6119 }
6120 }
6121
6122 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_CONFUSER))
6123 {
6124 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_CONFUSER);
6125
6126 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan))
6127 {
6128 qint64 _nOffset=pPEInfo->osCodeSection.nOffset;
6129 qint64 _nSize=pPEInfo->osCodeSection.nSize;
6130
6131 qint64 nOffset_detect=pe.find_ansiString(_nOffset,_nSize,"Confuser v");
6132
6133 if(nOffset_detect!=-1)
6134 {
6135 ss.sVersion=pe.read_ansiString(nOffset_detect+10);
6136 }
6137
6138 if(nOffset_detect==-1)
6139 {
6140 qint64 nOffset_ConfuserEx=pe.find_ansiString(_nOffset,_nSize,"ConfuserEx v");
6141
6142 if(nOffset_ConfuserEx!=-1)
6143 {
6144 ss.name=RECORD_NAME_CONFUSEREX;
6145 ss.sVersion=pe.read_ansiString(nOffset_ConfuserEx+12);
6146 }
6147 }
6148 }
6149
6150 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6151 }
6152
6153 // Xenocode Postbuild
6154 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_XENOCODEPOSTBUILD))
6155 {
6156 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_XENOCODEPOSTBUILD);
6157 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6158 }
6159 // CodeVeil
6160 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_CODEVEIL))
6161 {
6162 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_CODEVEIL);
6163 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6164 }
6165 else if(pPEInfo->mapDotUnicodeStringsDetects.contains(RECORD_NAME_CODEVEIL))
6166 {
6167 _SCANS_STRUCT ss=pPEInfo->mapDotUnicodeStringsDetects.value(RECORD_NAME_CODEVEIL);
6168 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6169 }
6170 // CodeWall
6171 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_CODEWALL))
6172 {
6173 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_CODEWALL);
6174 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6175 }
6176 // Crypto Obfuscator for .NET
6177 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_CRYPTOOBFUSCATORFORNET))
6178 {
6179 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_CRYPTOOBFUSCATORFORNET);
6180 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6181 }
6182 // Eazfuscator
6183 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_EAZFUSCATOR))
6184 {
6185 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_EAZFUSCATOR);
6186 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6187 }
6188 else if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_EAZFUSCATOR))
6189 {
6190 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_EAZFUSCATOR);
6191 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6192 }
6193 // Obfuscar
6194 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_OBFUSCAR))
6195 {
6196 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_OBFUSCAR);
6197 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6198 }
6199 // .NET Spider
6200 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_DOTNETSPIDER))
6201 {
6202 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_DOTNETSPIDER);
6203 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6204 }
6205 else if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_DOTNETSPIDER))
6206 {
6207 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_DOTNETSPIDER);
6208 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6209 }
6210 // Phoenix Protector
6211 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_PHOENIXPROTECTOR))
6212 {
6213 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_PHOENIXPROTECTOR);
6214 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6215 }
6216 // Sixxpack
6217 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_SIXXPACK))
6218 {
6219 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_SIXXPACK);
6220 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6221 }
6222 else if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_SIXXPACK))
6223 {
6224 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_SIXXPACK);
6225 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6226 }
6227 // ReNET-Pack
6228 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_RENETPACK))
6229 {
6230 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_RENETPACK);
6231 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6232 }
6233 // .netshrink
6234 if(pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_DOTNETSHRINK))
6235 {
6236 _SCANS_STRUCT ss=pPEInfo->mapCodeSectionDetects.value(RECORD_NAME_DOTNETSHRINK);
6237 pPEInfo->mapResultNETCompressors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6238 }
6239 }
6240
6241 // Xenocode Virtual Application Studio 2009
6242 if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Postbuild 2009 for .NET"))
6243 {
6244 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_NETOBFUSCATOR,RECORD_NAME_XENOCODEPOSTBUILD2009FORDOTNET,"","",0);
6245 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
6246 pPEInfo->mapResultNETObfuscators.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6247 }
6248
6249 // Xenocode Postbuild 2010 for .NET
6250 if(XPE::getResourceVersionValue("Packager",&(pPEInfo->resVersion)).contains("Xenocode Postbuild 2010 for .NET"))
6251 {
6252 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_XENOCODEPOSTBUILD2010FORDOTNET,"","",0);
6253 ss.sVersion=XPE::getResourceVersionValue("PackagerVersion",&(pPEInfo->resVersion)).trimmed();
6254 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6255 }
6256
6257 if(!pPEInfo->mapResultProtectors.contains(RECORD_NAME_DOTNETREACTOR))
6258 {
6259 if( pPEInfo->mapImportDetects.contains(RECORD_NAME_DOTNETREACTOR)&&
6260 XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,"__",&(pPEInfo->listResources)))
6261 {
6262 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_DOTNETREACTOR);
6263 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6264 }
6265 }
6266 if(!pPEInfo->mapResultProtectors.contains(RECORD_NAME_CODEVEIL))
6267 {
6268 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CODEVEIL))
6269 {
6270 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_CODEVEIL))
6271 {
6272 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_CODEVEIL);
6273 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
6274 }
6275 }
6276 }
6277 }
6278 }
6279
PE_handle_Microsoft(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo,bool * pbIsStop)6280 void SpecAbstract::PE_handle_Microsoft(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo, bool *pbIsStop)
6281 {
6282 _SCANS_STRUCT ssLinker={};
6283 _SCANS_STRUCT ssCompiler={};
6284 _SCANS_STRUCT ssTool={};
6285 _SCANS_STRUCT ssMFC={};
6286 _SCANS_STRUCT ssNET={};
6287
6288 QMap<QString,QString> mapVersions;
6289
6290 mapVersions.insert("6.00","12.00");
6291 mapVersions.insert("7.00","13.00");
6292 mapVersions.insert("7.10","13.10");
6293 mapVersions.insert("8.00","14.00");
6294 mapVersions.insert("9.00","15.00");
6295 mapVersions.insert("10.00","16.00");
6296 mapVersions.insert("11.00","17.00");
6297 mapVersions.insert("12.00","18.00");
6298 mapVersions.insert("14.00","19.00");
6299 mapVersions.insert("14.10","19.10");
6300 mapVersions.insert("14.11","19.11");
6301 mapVersions.insert("14.12","19.12");
6302 mapVersions.insert("14.13","19.13");
6303 mapVersions.insert("14.14","19.14");
6304 mapVersions.insert("14.15","19.15");
6305 mapVersions.insert("14.16","19.16");
6306 mapVersions.insert("14.20","19.20");
6307
6308 XPE pe(pDevice,bIsImage);
6309
6310 if(pe.isValid())
6311 {
6312 // Linker
6313 if( (pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTLINKER))&&
6314 (!pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER)))
6315 {
6316 ssLinker.type=RECORD_TYPE_LINKER;
6317 ssLinker.name=RECORD_NAME_MICROSOFTLINKER;
6318 }
6319 else if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER))
6320 {
6321 bool bMicrosoftLinker=false;
6322
6323 if((pPEInfo->nMajorLinkerVersion==8)&&(pPEInfo->nMinorImageVersion==0)) // 8.0
6324 {
6325 bMicrosoftLinker=true;
6326 }
6327
6328 if(bMicrosoftLinker)
6329 {
6330 ssLinker.type=RECORD_TYPE_LINKER;
6331 ssLinker.name=RECORD_NAME_MICROSOFTLINKER;
6332 }
6333 }
6334 else if((pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTLINKER))&&(pPEInfo->cliInfo.bValid))
6335 {
6336 ssLinker.type=RECORD_TYPE_LINKER;
6337 ssLinker.name=RECORD_NAME_MICROSOFTLINKER;
6338
6339 ssCompiler.type=RECORD_TYPE_COMPILER;
6340 ssCompiler.name=RECORD_NAME_VISUALCSHARP;
6341 }
6342
6343 // MFC
6344 // Static
6345 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
6346 {
6347 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
6348 qint64 _nSize=pPEInfo->osDataSection.nSize;
6349
6350 qint64 nOffset_MFC=pe.find_ansiString(_nOffset,_nSize,"CMFCComObject");
6351
6352 if(nOffset_MFC!=-1)
6353 {
6354 ssMFC.type=RECORD_TYPE_LIBRARY;
6355 ssMFC.name=RECORD_NAME_MFC;
6356 ssMFC.sInfo="Static";
6357 }
6358 }
6359
6360 int nNumberOfImports=pPEInfo->listImports.count();
6361
6362 for(int i=0; i<nNumberOfImports; i++)
6363 {
6364 // https://en.wikipedia.org/wiki/Microsoft_Foundation_Class_Library
6365 // TODO eMbedded Visual C++ 4.0 mfcce400.dll MFC 6.0
6366 if(XBinary::isRegExpPresent("^MFC",pPEInfo->listImports.at(i).sName.toUpper()))
6367 {
6368 // QRegularExpression rxVersion("(\\d+)");
6369 // QRegularExpressionMatch matchVersion=rxVersion.match(pPEInfo->listImports.at(i).sName.toUpper());
6370 //
6371 // if(matchVersion.hasMatch())
6372 // {
6373 // double dVersion=matchVersion.captured(0).toDouble()/10;
6374 //
6375 // if(dVersion)
6376 // {
6377 // recordMFC.type=RECORD_TYPE_LIBRARY;
6378 // recordMFC.name=RECORD_NAME_MFC;
6379 // recordMFC.sVersion=QString::number(dVersion,'f',2);
6380 //
6381 // if(pPEInfo->listImports.at(i).sName.toUpper().contains("U.DLL"))
6382 // {
6383 // recordMFC.sInfo="Unicode";
6384 // }
6385 // }
6386 // }
6387
6388 QString sVersion=XBinary::regExp("(\\d+)",pPEInfo->listImports.at(i).sName.toUpper(),0);
6389
6390 if(sVersion!="")
6391 {
6392 double dVersion=sVersion.toDouble()/10;
6393
6394 if(dVersion)
6395 {
6396 ssMFC.type=RECORD_TYPE_LIBRARY;
6397 ssMFC.name=RECORD_NAME_MFC;
6398 ssMFC.sVersion=QString::number(dVersion,'f',2);
6399
6400 if(pPEInfo->listImports.at(i).sName.toUpper().contains("U.DLL"))
6401 {
6402 ssMFC.sInfo="Unicode";
6403 }
6404 }
6405 }
6406
6407 break;
6408 }
6409 }
6410
6411 // Rich
6412 int nRichSignaturesCount=pPEInfo->listRichSignatures.count();
6413
6414 QList<_SCANS_STRUCT> listRichDescriptions;
6415
6416 for(int i=0;i<nRichSignaturesCount;i++)
6417 {
6418 listRichDescriptions.append(MSDOS_richScan(pPEInfo->listRichSignatures.at(i).nId,pPEInfo->listRichSignatures.at(i).nVersion,_MS_rich_records,sizeof(_MS_rich_records),pPEInfo->basic_info.id.fileType,XBinary::FT_MSDOS,&(pPEInfo->basic_info),DETECTTYPE_RICH,pbIsStop));
6419 }
6420
6421 int nRichDescriptionsCount=listRichDescriptions.count();
6422
6423 bool bVB=false;
6424 for(int i=nRichDescriptionsCount-1;i>=0;i--)
6425 {
6426 if(listRichDescriptions.at(i).type==SpecAbstract::RECORD_TYPE_LINKER)
6427 {
6428 ssLinker.name=listRichDescriptions.at(i).name;
6429 ssLinker.sVersion=listRichDescriptions.at(i).sVersion;
6430 ssLinker.sInfo=listRichDescriptions.at(i).sInfo;
6431 ssLinker.type=listRichDescriptions.at(i).type;
6432 }
6433
6434 if(listRichDescriptions.at(i).type==SpecAbstract::RECORD_TYPE_COMPILER)
6435 {
6436 if(!bVB)
6437 {
6438 if(listRichDescriptions.at(i).name==RECORD_NAME_UNIVERSALTUPLECOMPILER)
6439 {
6440 if(listRichDescriptions.at(i).sInfo!="Basic")
6441 {
6442 ssCompiler.name=RECORD_NAME_VISUALCCPP;
6443 ssCompiler.sVersion=listRichDescriptions.at(i).sVersion;
6444 ssCompiler.sInfo=listRichDescriptions.at(i).sInfo;
6445 ssCompiler.type=listRichDescriptions.at(i).type;
6446 }
6447 else
6448 {
6449 ssCompiler.type=RECORD_TYPE_COMPILER;
6450 ssCompiler.name=RECORD_NAME_VISUALBASIC;
6451 ssCompiler.sVersion=listRichDescriptions.at(i).sVersion;
6452
6453 QString _sVersion=ssCompiler.sVersion.section(".",0,1);
6454 QString _sVersionCompiler=mapVersions.key(_sVersion,"");
6455
6456 if(_sVersionCompiler!="")
6457 {
6458 ssCompiler.sVersion=ssCompiler.sVersion.replace(_sVersion,_sVersionCompiler);
6459 }
6460
6461 ssCompiler.sInfo="Native";
6462 bVB=true;
6463 }
6464 }
6465 else
6466 {
6467 ssCompiler.name=listRichDescriptions.at(i).name;
6468 ssCompiler.sVersion=listRichDescriptions.at(i).sVersion;
6469 ssCompiler.sInfo=listRichDescriptions.at(i).sInfo;
6470 ssCompiler.type=listRichDescriptions.at(i).type;
6471 }
6472 }
6473
6474 }
6475
6476 if(listRichDescriptions.at(i).name==SpecAbstract::RECORD_NAME_IMPORT)
6477 {
6478 break;
6479 }
6480 }
6481
6482 // TODO Check MASM for .NET
6483
6484 if(!pPEInfo->cliInfo.bValid)
6485 {
6486 // VB
6487 bool bVBnew=false;
6488
6489 _SCANS_STRUCT _recordCompiler={};
6490
6491 if(XPE::isImportLibraryPresentI("VB40032.DLL",&(pPEInfo->listImports)))
6492 {
6493 _recordCompiler.type=RECORD_TYPE_COMPILER;
6494 _recordCompiler.name=RECORD_NAME_VISUALBASIC;
6495 _recordCompiler.sVersion="4.0";
6496 }
6497 else if(XPE::isImportLibraryPresentI("MSVBVM50.DLL",&(pPEInfo->listImports)))
6498 {
6499 _recordCompiler.type=RECORD_TYPE_COMPILER;
6500 _recordCompiler.name=RECORD_NAME_VISUALBASIC;
6501 _recordCompiler.sVersion="5.0";
6502 bVBnew=true;
6503 }
6504
6505 if(XPE::isImportLibraryPresentI("MSVBVM60.DLL",&(pPEInfo->listImports)))
6506 {
6507 _recordCompiler.type=RECORD_TYPE_COMPILER;
6508 _recordCompiler.name=RECORD_NAME_VISUALBASIC;
6509 _recordCompiler.sVersion="6.0";
6510 bVBnew=true;
6511 }
6512
6513 if(bVBnew)
6514 {
6515 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan))
6516 {
6517 qint64 _nOffset=pPEInfo->osCodeSection.nOffset;
6518 qint64 _nSize=pPEInfo->osCodeSection.nSize;
6519
6520 qint64 nOffset_Options=pe.find_uint32(_nOffset,_nSize,0x21354256);
6521
6522 if(nOffset_Options==-1)
6523 {
6524 nOffset_Options=pe.find_uint32(_nOffset,_nSize,0x21364256);
6525 }
6526
6527 if(nOffset_Options!=-1)
6528 {
6529 quint32 nOffsetOptions2=pe.read_uint32(_nOffset+0x30);
6530
6531 quint32 nOffsetOptions3=pe.addressToOffset(pe.getBaseAddress()+nOffsetOptions2);
6532 quint32 nValue=pe.read_uint32(nOffsetOptions3+0x20);
6533 _recordCompiler.sInfo=nValue?"P-Code":"Native";
6534 }
6535 }
6536 }
6537
6538 if(ssCompiler.name!=RECORD_NAME_VISUALBASIC)
6539 {
6540 if(_recordCompiler.name==RECORD_NAME_VISUALBASIC)
6541 {
6542 ssCompiler=_recordCompiler;
6543 }
6544 }
6545 }
6546 else
6547 {
6548 ssNET.type=SpecAbstract::RECORD_TYPE_LIBRARY;
6549 ssNET.name=SpecAbstract::RECORD_NAME_DOTNET;
6550 ssNET.sVersion=pPEInfo->cliInfo.metaData.header.sVersion;
6551
6552 if(pPEInfo->cliInfo.bHidden)
6553 {
6554 ssNET.sInfo="Hidden";
6555 }
6556
6557 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_VBNET))
6558 {
6559 ssCompiler.type=RECORD_TYPE_COMPILER;
6560 ssCompiler.name=RECORD_NAME_VBNET;
6561 }
6562 }
6563
6564 if((ssMFC.name==RECORD_NAME_MFC)&&(ssCompiler.type==RECORD_TYPE_UNKNOWN))
6565 {
6566 ssCompiler.type=SpecAbstract::RECORD_TYPE_COMPILER;
6567 ssCompiler.name=SpecAbstract::RECORD_NAME_VISUALCCPP;
6568
6569 QString _sVersion=mapVersions.value(ssMFC.sVersion);
6570
6571 if(_sVersion!="")
6572 {
6573 ssCompiler.sVersion=_sVersion;
6574 }
6575 }
6576
6577 if(ssCompiler.name!=RECORD_NAME_VISUALCCPP)
6578 {
6579 // TODO Check mb MS Linker only
6580
6581 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_VISUALCCPP))
6582 {
6583 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_VISUALCCPP);
6584
6585 ssCompiler.type=ss.type;
6586 ssCompiler.name=ss.name;
6587 ssCompiler.sVersion=ss.sVersion;
6588 }
6589 }
6590
6591 // TODO if Export ^? RECORD_NAME_VISUALCCPP/C++
6592
6593 if((ssMFC.name==RECORD_NAME_MFC)&&(ssMFC.sVersion==""))
6594 {
6595 if((ssCompiler.name==RECORD_NAME_VISUALCCPP)&&(ssLinker.sVersion!=""))
6596 {
6597 ssMFC.sVersion=ssLinker.sVersion.section(".",0,1);
6598 }
6599 }
6600
6601 if((ssMFC.name==RECORD_NAME_MFC)&&(ssLinker.name!=RECORD_NAME_MICROSOFTLINKER))
6602 {
6603 ssLinker.type=SpecAbstract::RECORD_TYPE_LINKER;
6604 ssLinker.name=SpecAbstract::RECORD_NAME_MICROSOFTLINKER;
6605 }
6606
6607 if((ssCompiler.name==RECORD_NAME_VISUALCCPP)&&(ssLinker.name!=RECORD_NAME_MICROSOFTLINKER))
6608 {
6609 ssLinker.type=SpecAbstract::RECORD_TYPE_LINKER;
6610 ssLinker.name=SpecAbstract::RECORD_NAME_MICROSOFTLINKER;
6611 }
6612
6613 if((ssLinker.name==RECORD_NAME_MICROSOFTLINKER)&&(ssLinker.sVersion==""))
6614 {
6615 ssLinker.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(pPEInfo->nMinorLinkerVersion,2,10,QChar('0'));
6616 }
6617
6618 if((ssMFC.name==RECORD_NAME_MFC)&&(ssLinker.sVersion=="")&&(pPEInfo->nMinorLinkerVersion!=10))
6619 {
6620 ssLinker.sVersion=ssMFC.sVersion;
6621 // recordLinker.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(pPEInfo->nMinorLinkerVersion);
6622 }
6623
6624 if(ssLinker.name==RECORD_NAME_MICROSOFTLINKER)
6625 {
6626 if( (ssCompiler.name==RECORD_NAME_VISUALCCPP)||
6627 (ssCompiler.name==RECORD_NAME_VISUALCSHARP))
6628 {
6629 if(ssCompiler.sVersion=="")
6630 {
6631 QString sLinkerVersion=ssLinker.sVersion;
6632 QString sLinkerMajorVersion=sLinkerVersion.section(".",0,1);
6633
6634 QString _sVersion=mapVersions.value(sLinkerMajorVersion);
6635
6636 if(_sVersion!="")
6637 {
6638 ssCompiler.sVersion=_sVersion;
6639 }
6640 }
6641 }
6642 }
6643
6644 if( (ssCompiler.name==RECORD_NAME_VISUALCCPP)||
6645 (ssCompiler.name==RECORD_NAME_VISUALCSHARP))
6646 {
6647 QString sLinkerVersion=ssLinker.sVersion;
6648 QString sCompilerVersion=ssCompiler.sVersion;
6649 QString sCompilerMajorVersion=sCompilerVersion.section(".",0,1);
6650
6651 ssTool.type=SpecAbstract::RECORD_TYPE_TOOL;
6652 ssTool.name=SpecAbstract::RECORD_NAME_MICROSOFTVISUALSTUDIO;
6653
6654 // https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warnings-by-compiler-version?view=vs-2019
6655
6656 if(sCompilerVersion=="12.00.8168")
6657 {
6658 ssTool.sVersion="6.0";
6659 }
6660 else if(sCompilerVersion=="12.00.8804")
6661 {
6662 ssTool.sVersion="6.0 SP5-SP6";
6663 }
6664 else if(sCompilerVersion=="12.00.8447")
6665 {
6666 ssTool.sVersion="6.0 SP5";
6667 }
6668 else if((sLinkerVersion=="7.00.9466")&&(sCompilerVersion=="13.00.9466"))
6669 {
6670 ssTool.sVersion="2002";
6671 }
6672 else if((sLinkerVersion=="7.10.3052")&&(sCompilerVersion=="13.10.3052"))
6673 {
6674 ssTool.sVersion="2003";
6675 }
6676 else if((sLinkerVersion=="7.10.3077")&&(sCompilerVersion=="13.10.3077"))
6677 {
6678 ssTool.sVersion="2003";
6679 }
6680 else if((sLinkerVersion=="7.10.4035")&&(sCompilerVersion=="13.10.4035"))
6681 {
6682 ssTool.sVersion="2003";
6683 }
6684 else if((sLinkerVersion=="7.10.6030")&&(sCompilerVersion=="13.10.6030"))
6685 {
6686 ssTool.sVersion="2003 SP1";
6687 }
6688 else if((sLinkerVersion=="8.00.40310")&&(sCompilerVersion=="14.00.40310"))
6689 {
6690 ssTool.sVersion="2005";
6691 }
6692 else if((sLinkerVersion=="8.00.50727")&&(sCompilerVersion=="14.00.50727"))
6693 {
6694 ssTool.sVersion="2005";
6695 }
6696 else if((sLinkerVersion=="9.00.21022")&&(sCompilerVersion=="15.00.21022"))
6697 {
6698 ssTool.sVersion="2008 RTM";
6699 }
6700 else if((sLinkerVersion=="9.00.30411")&&(sCompilerVersion=="15.00.30411"))
6701 {
6702 ssTool.sVersion="2008 with Feature Pack";
6703 }
6704 else if((sLinkerVersion=="9.00.30729")&&(sCompilerVersion=="15.00.30729"))
6705 {
6706 ssTool.sVersion="2008 SP1";
6707 }
6708 else if((sLinkerVersion=="10.00.30319")&&(sCompilerVersion=="16.00.30319"))
6709 {
6710 ssTool.sVersion="2010 RTM";
6711 }
6712 else if((sLinkerVersion=="10.00.40219")&&(sCompilerVersion=="16.00.40219"))
6713 {
6714 ssTool.sVersion="2010 SP1";
6715 }
6716 else if((sLinkerVersion=="11.00.50727")&&(sCompilerVersion=="17.00.50727"))
6717 {
6718 ssTool.sVersion="2012";
6719 }
6720 else if((sLinkerVersion=="11.00.51025")&&(sCompilerVersion=="17.00.51025"))
6721 {
6722 ssTool.sVersion="2012";
6723 }
6724 else if((sLinkerVersion=="11.00.51106")&&(sCompilerVersion=="17.00.51106"))
6725 {
6726 ssTool.sVersion="2012 Update 1";
6727 }
6728 else if((sLinkerVersion=="11.00.60315")&&(sCompilerVersion=="17.00.60315"))
6729 {
6730 ssTool.sVersion="2012 Update 2";
6731 }
6732 else if((sLinkerVersion=="11.00.60610")&&(sCompilerVersion=="17.00.60610"))
6733 {
6734 ssTool.sVersion="2012 Update 3";
6735 }
6736 else if((sLinkerVersion=="11.00.61030")&&(sCompilerVersion=="17.00.61030"))
6737 {
6738 ssTool.sVersion="2012 Update 4";
6739 }
6740 else if((sLinkerVersion=="12.00.21005")&&(sCompilerVersion=="18.00.21005"))
6741 {
6742 ssTool.sVersion="2013 RTM";
6743 }
6744 else if((sLinkerVersion=="12.00.30501")&&(sCompilerVersion=="18.00.30501"))
6745 {
6746 ssTool.sVersion="2013 Update 2";
6747 }
6748 else if((sLinkerVersion=="12.00.30723")&&(sCompilerVersion=="18.00.30723"))
6749 {
6750 ssTool.sVersion="2013 Update 3";
6751 }
6752 else if((sLinkerVersion=="12.00.31101")&&(sCompilerVersion=="18.00.31101"))
6753 {
6754 ssTool.sVersion="2013 Update 4";
6755 }
6756 else if((sLinkerVersion=="12.00.40629")&&(sCompilerVersion=="18.00.40629"))
6757 {
6758 ssTool.sVersion="2013 SP5";
6759 }
6760 else if((sLinkerVersion=="14.00.22215")&&(sCompilerVersion=="19.00.22215"))
6761 {
6762 ssTool.sVersion="2015";
6763 }
6764 else if((sLinkerVersion=="14.00.23007")&&(sCompilerVersion=="19.00.23007"))
6765 {
6766 ssTool.sVersion="2015";
6767 }
6768 else if((sLinkerVersion=="14.00.23013")&&(sCompilerVersion=="19.00.23013"))
6769 {
6770 ssTool.sVersion="2015";
6771 }
6772 else if((sLinkerVersion=="14.00.23026")&&(sCompilerVersion=="19.00.23026"))
6773 {
6774 ssTool.sVersion="2015 RTM";
6775 }
6776 else if((sLinkerVersion=="14.00.23506")&&(sCompilerVersion=="19.00.23506"))
6777 {
6778 ssTool.sVersion="2015 Update 1";
6779 }
6780 else if((sLinkerVersion=="14.00.23918")&&(sCompilerVersion=="19.00.23918"))
6781 {
6782 ssTool.sVersion="2015 Update 2";
6783 }
6784 else if((sLinkerVersion=="14.00.24103")&&(sCompilerVersion=="19.00.24103"))
6785 {
6786 ssTool.sVersion="2015 SP1"; // ???
6787 }
6788 else if((sLinkerVersion=="14.00.24118")&&(sCompilerVersion=="19.00.24118"))
6789 {
6790 ssTool.sVersion="2015 SP1"; // ???
6791 }
6792 else if((sLinkerVersion=="14.00.24123")&&(sCompilerVersion=="19.00.24123"))
6793 {
6794 ssTool.sVersion="2015 Update 3";
6795 }
6796 else if((sLinkerVersion=="14.00.24210")&&(sCompilerVersion=="19.00.24210"))
6797 {
6798 ssTool.sVersion="2015 Update 3";
6799 }
6800 else if((sLinkerVersion=="14.00.24212")&&(sCompilerVersion=="19.00.24212"))
6801 {
6802 ssTool.sVersion="2015 Update 3";
6803 }
6804 else if((sLinkerVersion=="14.00.24213")&&(sCompilerVersion=="19.00.24213"))
6805 {
6806 ssTool.sVersion="2015 Update 3";
6807 }
6808 else if((sLinkerVersion=="14.00.24215")&&(sCompilerVersion=="19.00.24215"))
6809 {
6810 ssTool.sVersion="2015 Update 3.1";
6811 }
6812 else if((sLinkerVersion=="14.00.24218")&&(sCompilerVersion=="19.00.24218"))
6813 {
6814 ssTool.sVersion="2015 Update 3.1";
6815 }
6816 else if((sLinkerVersion=="14.00.24723")&&(sCompilerVersion=="19.00.24723"))
6817 {
6818 ssTool.sVersion="2015"; // Update 4? 2017?
6819 }
6820 else if((sLinkerVersion=="14.10.25017")&&(sCompilerVersion=="19.10.25017"))
6821 {
6822 ssTool.sVersion="2017 RTM";
6823 }
6824 else if((sLinkerVersion=="14.10.25019")&&(sCompilerVersion=="19.10.25019"))
6825 {
6826 ssTool.sVersion="2017"; // 15.2?
6827 }
6828 else if((sLinkerVersion=="14.10.25506")&&(sCompilerVersion=="19.10.25506"))
6829 {
6830 ssTool.sVersion="2017 version 15.3";
6831 }
6832 else if((sLinkerVersion=="14.11.25547")&&(sCompilerVersion=="19.11.25547"))
6833 {
6834 ssTool.sVersion="2017";
6835 }
6836 else if((sLinkerVersion=="14.11.25830")&&(sCompilerVersion=="19.11.25830"))
6837 {
6838 ssTool.sVersion="2017 version 15.5";
6839 }
6840 else if((sLinkerVersion=="14.12.25834")&&(sCompilerVersion=="19.12.25834")) // TODO Check v15.5.4
6841 {
6842 ssTool.sVersion="2017";
6843 }
6844 else if((sLinkerVersion=="14.13.26128")&&(sCompilerVersion=="19.13.26128"))
6845 {
6846 ssTool.sVersion="2017 version 15.6";
6847 }
6848 else if((sLinkerVersion=="14.14.26428")&&(sCompilerVersion=="19.14.26428"))
6849 {
6850 ssTool.sVersion="2017 version 15.7";
6851 }
6852 else if((sLinkerVersion=="14.15.26726")&&(sCompilerVersion=="19.15.26726"))
6853 {
6854 ssTool.sVersion="2017 version 15.8";
6855 }
6856 else if((sLinkerVersion=="14.16.26926")&&(sCompilerVersion=="19.16.26926"))
6857 {
6858 ssTool.sVersion="2017 version 15.9";
6859 }
6860 else if((sLinkerVersion=="14.16.27027")&&(sCompilerVersion=="19.16.27027")) // TODO Check
6861 {
6862 ssTool.sVersion="2017";
6863 }
6864 else if((sLinkerVersion=="14.20.27004")&&(sCompilerVersion=="19.20.27004"))
6865 {
6866 ssTool.sVersion="2019 RTM";
6867 }
6868 else if((sLinkerVersion=="14.20.27508")&&(sCompilerVersion=="19.20.27508"))
6869 {
6870 ssTool.sVersion="2019";
6871 }
6872 else if(sCompilerMajorVersion=="12.00")
6873 {
6874 ssTool.sVersion="6.0";
6875 }
6876 else if(sCompilerMajorVersion=="13.00")
6877 {
6878 ssTool.sVersion="2002";
6879 }
6880 else if(sCompilerMajorVersion=="13.10")
6881 {
6882 ssTool.sVersion="2003";
6883 }
6884 else if(sCompilerMajorVersion=="14.00")
6885 {
6886 ssTool.sVersion="2005";
6887 }
6888 else if(sCompilerMajorVersion=="15.00")
6889 {
6890 ssTool.sVersion="2008";
6891 }
6892 else if(sCompilerMajorVersion=="16.00")
6893 {
6894 ssTool.sVersion="2010";
6895 }
6896 else if(sCompilerMajorVersion=="17.00")
6897 {
6898 ssTool.sVersion="2012";
6899 }
6900 else if(sCompilerMajorVersion=="18.00")
6901 {
6902 ssTool.sVersion="2013";
6903 }
6904 else if(sCompilerMajorVersion=="19.00")
6905 {
6906 ssTool.sVersion="2015";
6907 }
6908 else if(sCompilerMajorVersion=="19.10") // TODO ???
6909 {
6910 ssTool.sVersion="2017 RTM";
6911 }
6912 else if(sCompilerMajorVersion=="19.11")
6913 {
6914 ssTool.sVersion="2017 version 15.3";
6915 }
6916 else if(sCompilerMajorVersion=="19.12")
6917 {
6918 ssTool.sVersion="2017 version 15.5";
6919 }
6920 else if(sCompilerMajorVersion=="19.13")
6921 {
6922 ssTool.sVersion="2017 version 15.6";
6923 }
6924 else if(sCompilerMajorVersion=="19.14")
6925 {
6926 ssTool.sVersion="2017 version 15.7";
6927 }
6928 else if(sCompilerMajorVersion=="19.15")
6929 {
6930 ssTool.sVersion="2017 version 15.8";
6931 }
6932 else if(sCompilerMajorVersion=="19.16")
6933 {
6934 ssTool.sVersion="2017 version 15.9";
6935 }
6936 else if(sCompilerMajorVersion=="19.20")
6937 {
6938 ssTool.sVersion="2019";
6939 }
6940
6941 if(ssTool.sVersion=="")
6942 {
6943 // TODO
6944 }
6945 }
6946 else if(ssCompiler.name==SpecAbstract::RECORD_NAME_MASM)
6947 {
6948 QString sCompilerVersion=ssCompiler.sVersion;
6949 QString sLinkerVersion=ssLinker.sVersion;
6950
6951 if((sLinkerVersion=="5.12.8078")&&(sCompilerVersion=="6.14.8444"))
6952 {
6953 ssTool.type=SpecAbstract::RECORD_TYPE_TOOL;
6954 ssTool.name=SpecAbstract::RECORD_NAME_MASM32;
6955 ssTool.sVersion="8-11";
6956 }
6957 }
6958
6959 if(pe.isImportLibraryPresentI("MSVCRT.dll",&(pPEInfo->listImports)))
6960 {
6961 // TODO
6962 }
6963
6964 if(ssLinker.type!=RECORD_TYPE_UNKNOWN)
6965 {
6966 pPEInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pPEInfo->basic_info),&ssLinker));
6967 }
6968
6969 if(ssCompiler.type!=RECORD_TYPE_UNKNOWN)
6970 {
6971 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
6972 }
6973
6974 if(ssTool.type!=RECORD_TYPE_UNKNOWN)
6975 {
6976 pPEInfo->mapResultTools.insert(ssTool.name,scansToScan(&(pPEInfo->basic_info),&ssTool));
6977 }
6978
6979 if(ssMFC.type!=RECORD_TYPE_UNKNOWN)
6980 {
6981 pPEInfo->mapResultLibraries.insert(ssMFC.name,scansToScan(&(pPEInfo->basic_info),&ssMFC));
6982 }
6983
6984 if(ssNET.type!=RECORD_TYPE_UNKNOWN)
6985 {
6986 pPEInfo->mapResultLibraries.insert(ssNET.name,scansToScan(&(pPEInfo->basic_info),&ssNET));
6987 }
6988 }
6989 }
6990
PE_handle_Borland(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)6991 void SpecAbstract::PE_handle_Borland(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
6992 {
6993 // TODO Turbo Linker
6994 // https://delphi.fandom.com/wiki/Determine_Delphi_Application
6995 // TODO if Delphi Linker -> 2.25
6996 XPE pe(pDevice,bIsImage);
6997
6998 if(pe.isValid())
6999 {
7000 _SCANS_STRUCT recordLinker={};
7001 _SCANS_STRUCT recordCompiler={};
7002 _SCANS_STRUCT recordTool={};
7003 _SCANS_STRUCT recordVCL={};
7004
7005 if(pPEInfo->basic_info.mapHeaderDetects.contains(SpecAbstract::RECORD_NAME_TURBOLINKER))
7006 {
7007 _SCANS_STRUCT recordTurboLinker=pPEInfo->basic_info.mapHeaderDetects.value(SpecAbstract::RECORD_NAME_TURBOLINKER);
7008
7009 VI_STRUCT vi=get_TurboLinker_vi(pDevice,bIsImage);
7010
7011 if(vi.bIsValid)
7012 {
7013 recordTurboLinker.sVersion=vi.sVersion;
7014 }
7015 else
7016 {
7017 recordTurboLinker.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(pPEInfo->nMinorLinkerVersion,2,10,QChar('0'));
7018 }
7019
7020 recordLinker=recordTurboLinker;
7021 }
7022
7023 if(!pPEInfo->cliInfo.bValid)
7024 {
7025 qint64 nOffset_string=-1;
7026 qint64 nOffset_Boolean=-1;
7027 qint64 nOffset_String=-1;
7028 qint64 nOffset_TObject=-1;
7029 // qint64 nOffset_AnsiString=-1;
7030 // qint64 nOffset_WideString=-1;
7031
7032 qint64 nOffset_BorlandCPP=-1;
7033 qint64 nOffset_CodegearCPP=-1;
7034 qint64 nOffset_EmbarcaderoCPP_old=-1;
7035 qint64 nOffset_EmbarcaderoCPP_new=-1;
7036
7037 QList<VCL_STRUCT> listVCL;
7038
7039 bool bCppExport= (XBinary::isStringInListPresent(&(pPEInfo->listExportFunctionNames),"__CPPdebugHook"))||
7040 (XBinary::isStringInListPresent(&(pPEInfo->listExportFunctionNames),"___CPPdebugHook"));
7041
7042 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan))
7043 {
7044 qint64 _nOffset=pPEInfo->osCodeSection.nOffset;
7045 qint64 _nSize=pPEInfo->osCodeSection.nSize;
7046
7047 nOffset_TObject=pe.find_array(_nOffset,_nSize,"\x07\x54\x4f\x62\x6a\x65\x63\x74",8); // TObject
7048
7049 if(nOffset_TObject!=-1)
7050 {
7051 nOffset_Boolean=pe.find_array(_nOffset,_nSize,"\x07\x42\x6f\x6f\x6c\x65\x61\x6e",8); // Boolean
7052 nOffset_string=pe.find_array(_nOffset,_nSize,"\x06\x73\x74\x72\x69\x6e\x67",7); // string
7053
7054 if((nOffset_Boolean!=-1)||(nOffset_string!=-1))
7055 {
7056 if(nOffset_string==-1)
7057 {
7058 nOffset_String=pe.find_array(_nOffset,_nSize,"\x06\x53\x74\x72\x69\x6e\x67",7); // String
7059 }
7060
7061 listVCL=PE_getVCLstruct(pDevice,bIsImage,_nOffset,_nSize,pPEInfo->bIs64);
7062 }
7063 }
7064 // nOffset_AnsiString=pe.find_array(_nOffset,_nSize,"\x0a\x41\x6e\x73\x69\x53\x74\x72\x69\x6e\x67",11); // AnsiString
7065 // nOffset_WideString=pe.find_array(_nOffset,_nSize,"\x0a\x57\x69\x64\x65\x53\x74\x72\x69\x6e\x67",11); // WideString
7066 }
7067
7068 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7069 {
7070 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
7071 qint64 _nSize=pPEInfo->osDataSection.nSize;
7072
7073 nOffset_BorlandCPP=pe.find_ansiString(_nOffset,_nSize,"Borland C++ - Copyright "); // Borland C++ - Copyright 1994 Borland Intl.
7074
7075 if(nOffset_BorlandCPP==-1)
7076 {
7077 nOffset_CodegearCPP=pe.find_ansiString(_nOffset,_nSize,"CodeGear C++ - Copyright "); // CodeGear C++ - Copyright 2008 Embarcadero Technologies
7078
7079 if(nOffset_CodegearCPP==-1)
7080 {
7081 nOffset_EmbarcaderoCPP_old=pe.find_ansiString(_nOffset,_nSize,"Embarcadero RAD Studio - Copyright "); // Embarcadero RAD Studio - Copyright 2009 Embarcadero Technologies, Inc.
7082
7083 if(nOffset_EmbarcaderoCPP_old==-1)
7084 {
7085 nOffset_EmbarcaderoCPP_new=pe.find_ansiString(_nOffset,_nSize,"Embarcadero RAD Studio 27.0 - Copyright 2020 Embarcadero Technologies, Inc.");
7086 }
7087 }
7088 }
7089 }
7090
7091 bool bPackageinfo=XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,"PACKAGEINFO",&(pPEInfo->listResources));
7092 bool bDvcal=XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,"DVCLAL",&(pPEInfo->listResources));
7093
7094 if(bPackageinfo||
7095 bDvcal||
7096 pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BORLANDCPP)||
7097 (nOffset_TObject!=-1)||
7098 (nOffset_BorlandCPP!=-1)||
7099 (nOffset_CodegearCPP!=-1)||
7100 (nOffset_EmbarcaderoCPP_old!=-1)||
7101 (nOffset_EmbarcaderoCPP_new!=-1)||
7102 bCppExport)
7103 {
7104 bool bCpp=false;
7105 bool bVCL=bPackageinfo;
7106 QString sVCLVersion;
7107 QString sDelphiVersion;
7108 QString sBuilderVersion;
7109 QString sObjectPascalCompilerVersion;
7110 QString sCppCompilerVersion;
7111 bool bNewVersion=false;
7112
7113 enum COMPANY
7114 {
7115 COMPANY_BORLAND=0,
7116 COMPANY_CODEGEAR,
7117 COMPANY_EMBARCADERO
7118 };
7119
7120 COMPANY company=COMPANY_BORLAND;
7121
7122 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BORLANDCPP)||
7123 (nOffset_BorlandCPP!=-1)||
7124 (nOffset_CodegearCPP!=-1)||
7125 (nOffset_EmbarcaderoCPP_old!=-1)||
7126 (nOffset_EmbarcaderoCPP_new!=-1)||
7127 bCppExport)
7128 {
7129 bCpp=true;
7130
7131 if(nOffset_BorlandCPP!=-1)
7132 {
7133 company=COMPANY_BORLAND;
7134 }
7135 else if(nOffset_CodegearCPP!=-1)
7136 {
7137 company=COMPANY_CODEGEAR;
7138 }
7139 else if(nOffset_EmbarcaderoCPP_old!=-1)
7140 {
7141 company=COMPANY_EMBARCADERO;
7142 }
7143 else if(nOffset_EmbarcaderoCPP_new!=-1)
7144 {
7145 company=COMPANY_EMBARCADERO;
7146 }
7147 else if(bCppExport)
7148 {
7149 company=COMPANY_EMBARCADERO;
7150 }
7151 }
7152
7153 if(nOffset_TObject!=-1)
7154 {
7155 if(nOffset_string!=-1)
7156 {
7157 if(bDvcal||bPackageinfo)
7158 {
7159 // TODO Borland Version
7160 sDelphiVersion="2005+";
7161 bNewVersion=true;
7162 }
7163 else
7164 {
7165 sDelphiVersion="2";
7166 sObjectPascalCompilerVersion="9.0";
7167 }
7168 }
7169 else if(nOffset_String!=-1)
7170 {
7171 company=COMPANY_BORLAND;
7172 sDelphiVersion="3-7";
7173 }
7174 }
7175
7176 if(bPackageinfo)
7177 {
7178 VCL_PACKAGEINFO pi=PE_getVCLPackageInfo(pDevice,bIsImage,&pPEInfo->listResources);
7179
7180 if(pi.listModules.count())
7181 {
7182 quint32 nProducer=(pi.nFlags>>26)&0x3;
7183
7184 if(nProducer==2) // C++
7185 {
7186 bCpp=true;
7187 }
7188 else if(nProducer==3) // Pascal
7189 {
7190 bCpp=false;
7191 }
7192
7193 // for(int i=0;i<pi.listModules.count();i++)
7194 // {
7195 // qDebug(pi.listModules.at(i).sName.toLatin1().data());
7196 // }
7197 }
7198 }
7199
7200 if(nOffset_BorlandCPP!=-1)
7201 {
7202 sCppCompilerVersion=pe.read_ansiString(nOffset_BorlandCPP+24,4);
7203 }
7204
7205 if(nOffset_CodegearCPP!=-1)
7206 {
7207 sCppCompilerVersion=pe.read_ansiString(nOffset_CodegearCPP+25,4);
7208 }
7209
7210 if(nOffset_EmbarcaderoCPP_old!=-1)
7211 {
7212 sCppCompilerVersion=pe.read_ansiString(nOffset_EmbarcaderoCPP_old+35,4);
7213 }
7214
7215 if(nOffset_EmbarcaderoCPP_new!=-1)
7216 {
7217 sCppCompilerVersion=pe.read_ansiString(nOffset_EmbarcaderoCPP_new+40,4);
7218 }
7219
7220 if(sCppCompilerVersion=="2009")
7221 {
7222 sBuilderVersion="2009";
7223 }
7224 else if(sCppCompilerVersion=="2015")
7225 {
7226 sBuilderVersion="2015";
7227 }
7228 else if(sCppCompilerVersion=="2020")
7229 {
7230 sBuilderVersion="10.4";
7231 }
7232
7233 if(listVCL.count())
7234 {
7235 bVCL=true;
7236 int nVCLOffset=listVCL.at(0).nOffset;
7237 int nVCLValue=listVCL.at(0).nValue;
7238
7239 // qDebug("nVCLOffset: %d",nVCLOffset);
7240 // qDebug("nVCLValue: %d",nVCLValue);
7241 // bVCL=true;
7242
7243 if((nVCLOffset==24)&&(nVCLValue==168))
7244 {
7245 company=COMPANY_BORLAND;
7246 sDelphiVersion="2";
7247 sObjectPascalCompilerVersion="9.0";
7248 // sVCLVersion="20";
7249 }
7250 else if((nVCLOffset==28)&&(nVCLValue==180))
7251 {
7252 company=COMPANY_BORLAND;
7253 sDelphiVersion="3";
7254 sObjectPascalCompilerVersion="10.0";
7255 // sVCLVersion="30";
7256 }
7257 else if((nVCLOffset==40)&&(nVCLValue==276))
7258 {
7259 company=COMPANY_BORLAND;
7260 sDelphiVersion="4";
7261 sObjectPascalCompilerVersion="12.0";
7262 // sVCLVersion="40";
7263 }
7264 else if((nVCLOffset==40)&&(nVCLValue==288))
7265 {
7266 company=COMPANY_BORLAND;
7267 sDelphiVersion="5";
7268 sObjectPascalCompilerVersion="13.0";
7269 // sVCLVersion="50";
7270 }
7271 else if((nVCLOffset==40)&&(nVCLValue==296))
7272 {
7273 company=COMPANY_BORLAND;
7274 sDelphiVersion="6 CLX";
7275 sObjectPascalCompilerVersion="14.0";
7276 // sVCLVersion="60";
7277 }
7278 else if((nVCLOffset==40)&&(nVCLValue==300))
7279 {
7280 company=COMPANY_BORLAND;
7281 sDelphiVersion="7 CLX";
7282 sObjectPascalCompilerVersion="15.0";
7283 // sVCLVersion="70";
7284 }
7285 // else if(nVCLOffset==40)
7286 // {
7287 // if(nVCLValue==264)
7288 // {
7289 // recordTool.sVersion="???TODO";
7290 // sVCLVersion="50";
7291 // }
7292 // }
7293 else if((nVCLOffset==40)&&(nVCLValue==348))
7294 {
7295 company=COMPANY_BORLAND;
7296 sDelphiVersion="6-7";
7297 sObjectPascalCompilerVersion="14.0-15.0";
7298 // sVCLVersion="140-150";
7299 }
7300 else if((nVCLOffset==40)&&(nVCLValue==356))
7301 {
7302 company=COMPANY_BORLAND;
7303 sDelphiVersion="2005";
7304 sObjectPascalCompilerVersion="17.0";
7305 // sVCLVersion="170";
7306 }
7307 else if((nVCLOffset==40)&&(nVCLValue==400))
7308 {
7309 company=COMPANY_BORLAND;
7310 sDelphiVersion="2006";
7311 sObjectPascalCompilerVersion="18.0";
7312 // sVCLVersion="180";
7313 }
7314 else if((nVCLOffset==52)&&(nVCLValue==420))
7315 {
7316 company=COMPANY_EMBARCADERO;
7317 sDelphiVersion="2009";
7318 sObjectPascalCompilerVersion="20.0";
7319 // sVCLVersion="200";
7320 }
7321 else if((nVCLOffset==52)&&(nVCLValue==428))
7322 {
7323 company=COMPANY_EMBARCADERO;
7324 sDelphiVersion="2010-XE";
7325 sObjectPascalCompilerVersion="21.0-22.0";
7326 // sVCLVersion="210-220";
7327 }
7328 else if((nVCLOffset==52)&&(nVCLValue==436))
7329 {
7330 company=COMPANY_EMBARCADERO;
7331 sDelphiVersion="XE2-XE4";
7332 sObjectPascalCompilerVersion="23.0-25.0";
7333 // sVCLVersion="230-250";
7334
7335 bNewVersion=true;
7336 }
7337 else if((nVCLOffset==52)&&(nVCLValue==444))
7338 {
7339 company=COMPANY_EMBARCADERO;
7340 sDelphiVersion="XE2-XE8";
7341 sObjectPascalCompilerVersion="23.0-29.0";
7342 // sVCLVersion="230-290";
7343
7344 bNewVersion=true;
7345 }
7346 else if((nVCLOffset==104)&&(nVCLValue==760)) // 64
7347 {
7348 company=COMPANY_EMBARCADERO;
7349 sDelphiVersion="XE2";
7350 sObjectPascalCompilerVersion="23.0";
7351
7352 bNewVersion=true;
7353 }
7354 else if((nVCLOffset==128)&&(nVCLValue==776)) // 64
7355 {
7356 company=COMPANY_EMBARCADERO;
7357 sDelphiVersion="XE8-10 Seattle";
7358 sObjectPascalCompilerVersion="30.0";
7359
7360 bNewVersion=true;
7361 }
7362 // TODO more x64
7363 }
7364
7365 // TODO Console !!!
7366
7367 if(bNewVersion)
7368 {
7369 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7370 {
7371 qint64 _nOffset=pPEInfo->osConstDataSection.nOffset;
7372 qint64 _nSize=pPEInfo->osConstDataSection.nSize;
7373
7374 qint64 nOffset_Version=0;
7375
7376 if(pPEInfo->bIs64)
7377 {
7378 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"Embarcadero Delphi for Win64 compiler version ");
7379 }
7380 else
7381 {
7382 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"Embarcadero Delphi for Win32 compiler version ");
7383 }
7384
7385 if(nOffset_Version!=-1)
7386 {
7387 company=COMPANY_EMBARCADERO;
7388
7389 sObjectPascalCompilerVersion=pe.read_ansiString(nOffset_Version+46);
7390
7391 sDelphiVersion=_get_DelphiVersionFromCompiler(sObjectPascalCompilerVersion).sVersion;
7392 }
7393 }
7394 }
7395
7396 recordCompiler.type=RECORD_TYPE_COMPILER;
7397 recordTool.type=RECORD_TYPE_TOOL;
7398
7399 if(!bCpp)
7400 {
7401 if(company==COMPANY_BORLAND)
7402 {
7403 recordCompiler.name=RECORD_NAME_BORLANDOBJECTPASCAL;
7404 recordTool.name=RECORD_NAME_BORLANDDELPHI;
7405 }
7406 else if(company==COMPANY_CODEGEAR)
7407 {
7408 recordCompiler.name=RECORD_NAME_CODEGEAROBJECTPASCAL;
7409 recordTool.name=RECORD_NAME_CODEGEARDELPHI;
7410 }
7411 else if(company==COMPANY_EMBARCADERO)
7412 {
7413 recordCompiler.name=RECORD_NAME_EMBARCADEROOBJECTPASCAL;
7414 recordTool.name=RECORD_NAME_EMBARCADERODELPHI;
7415 }
7416
7417 recordCompiler.sVersion=sObjectPascalCompilerVersion;
7418 recordTool.sVersion=sDelphiVersion;
7419 }
7420 else
7421 {
7422 if(company==COMPANY_BORLAND)
7423 {
7424 recordCompiler.name=RECORD_NAME_BORLANDCPP;
7425 recordTool.name=RECORD_NAME_BORLANDCPPBUILDER;
7426 }
7427 else if(company==COMPANY_CODEGEAR)
7428 {
7429 recordCompiler.name=RECORD_NAME_CODEGEARCPP;
7430 recordTool.name=RECORD_NAME_CODEGEARCPPBUILDER;
7431 }
7432 else if(company==COMPANY_EMBARCADERO)
7433 {
7434 recordCompiler.name=RECORD_NAME_EMBARCADEROCPP;
7435 recordTool.name=RECORD_NAME_EMBARCADEROCPPBUILDER;
7436 }
7437
7438 recordCompiler.sVersion=sCppCompilerVersion;
7439 recordTool.sVersion=sBuilderVersion;
7440 }
7441
7442 if(bVCL)
7443 {
7444 recordVCL.type=RECORD_TYPE_LIBRARY;
7445 recordVCL.name=RECORD_NAME_VCL;
7446 recordVCL.sVersion=sVCLVersion;
7447 }
7448
7449 if(recordLinker.type==RECORD_TYPE_UNKNOWN)
7450 {
7451 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LINKER,RECORD_NAME_TURBOLINKER,"","",0);
7452 recordLinker=ss;
7453 }
7454 }
7455 }
7456 else
7457 {
7458 // .NET TODO: Check!!!!
7459 if(pPEInfo->mapDotAnsiStringsDetects.contains(RECORD_NAME_EMBARCADERODELPHIDOTNET))
7460 {
7461 _SCANS_STRUCT ss=pPEInfo->mapDotAnsiStringsDetects.value(RECORD_NAME_EMBARCADERODELPHIDOTNET);
7462 recordTool=ss;
7463 }
7464 }
7465
7466 if(recordLinker.type!=RECORD_TYPE_UNKNOWN)
7467 {
7468 pPEInfo->mapResultLinkers.insert(recordLinker.name,scansToScan(&(pPEInfo->basic_info),&recordLinker));
7469 }
7470
7471 if(recordCompiler.type!=RECORD_TYPE_UNKNOWN)
7472 {
7473 pPEInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pPEInfo->basic_info),&recordCompiler));
7474 }
7475
7476 if(recordVCL.type!=RECORD_TYPE_UNKNOWN)
7477 {
7478 pPEInfo->mapResultLibraries.insert(recordVCL.name,scansToScan(&(pPEInfo->basic_info),&recordVCL));
7479 }
7480
7481 if(recordTool.type!=RECORD_TYPE_UNKNOWN)
7482 {
7483 pPEInfo->mapResultTools.insert(recordTool.name,scansToScan(&(pPEInfo->basic_info),&recordTool));
7484 }
7485 }
7486 }
7487
PE_handle_Watcom(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)7488 void SpecAbstract::PE_handle_Watcom(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
7489 {
7490 // TODO Turbo Linker
7491 XPE pe(pDevice,bIsImage);
7492
7493 if(pe.isValid())
7494 {
7495 _SCANS_STRUCT ssLinker={};
7496 _SCANS_STRUCT ssCompiler={};
7497
7498 // Watcom linker
7499 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WATCOMLINKER))
7500 {
7501 ssLinker=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WATCOMLINKER);
7502 ssLinker.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(pPEInfo->nMinorLinkerVersion,2,10,QChar('0'));
7503 }
7504
7505 // Watcom CPP
7506 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_WATCOMCCPP))
7507 {
7508 // TODO Version???
7509 ssCompiler=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_WATCOMCCPP);
7510 }
7511
7512 if((ssLinker.type!=RECORD_TYPE_UNKNOWN)&&(ssCompiler.type==RECORD_TYPE_UNKNOWN))
7513 {
7514 ssCompiler=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_WATCOMCCPP,"","",0);
7515 }
7516
7517 if((ssLinker.type==RECORD_TYPE_UNKNOWN)&&(ssCompiler.type!=RECORD_TYPE_UNKNOWN))
7518 {
7519 ssLinker=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LINKER,RECORD_NAME_WATCOMLINKER,"","",0);
7520 }
7521
7522 if(ssLinker.type!=RECORD_TYPE_UNKNOWN)
7523 {
7524 pPEInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pPEInfo->basic_info),&ssLinker));
7525 }
7526
7527 if(ssCompiler.type!=RECORD_TYPE_UNKNOWN)
7528 {
7529 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
7530 }
7531 }
7532 }
7533
PE_handle_Tools(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)7534 void SpecAbstract::PE_handle_Tools(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
7535 {
7536 XPE pe(pDevice,bIsImage);
7537
7538 if(pe.isValid())
7539 {
7540 if((pPEInfo->bIsTLSPresent)&&(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_RUST)))
7541 {
7542 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7543 {
7544 VI_STRUCT viStruct=get_Rust_vi(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
7545
7546 if(viStruct.bIsValid)
7547 {
7548 _SCANS_STRUCT ssCompiler=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_RUST);
7549
7550 ssCompiler.sVersion=viStruct.sVersion;
7551 ssCompiler.sInfo=viStruct.sInfo;
7552
7553 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
7554 }
7555 }
7556 }
7557
7558 if(XPE::isImportLibraryPresentI("msvcrt.dll",&(pPEInfo->listImports))&&(pPEInfo->nMajorLinkerVersion==6)&&(pPEInfo->nMinorLinkerVersion==0))
7559 {
7560 bool bDetected=false;
7561
7562 if(pPEInfo->bIs64)
7563 {
7564 if(pPEInfo->listSectionNames.count()==3)
7565 {
7566 if((pPEInfo->listSectionNames.at(0)==".text")&&(pPEInfo->listSectionNames.at(1)==".data")&&(pPEInfo->listSectionNames.at(2)==".pdata"))
7567 {
7568 bDetected=true;
7569 }
7570 }
7571 }
7572 else
7573 {
7574 if(pPEInfo->listSectionNames.count()==2)
7575 {
7576 if((pPEInfo->listSectionNames.at(0)==".text")&&(pPEInfo->listSectionNames.at(1)==".data"))
7577 {
7578 bDetected=true;
7579 }
7580 }
7581 }
7582
7583 if(bDetected)
7584 {
7585 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_TINYC,"","",0);
7586 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7587 }
7588 }
7589
7590 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_CHROMIUMCRASHPAD))
7591 {
7592 XPE::SECTION_RECORD sr=XPE::getSectionRecordByName("CPADinfo",&(pPEInfo->listSectionRecords));
7593
7594 if(sr.nSize)
7595 {
7596 quint32 nSignature=pe.read_uint32(sr.nOffset);
7597
7598 if(nSignature==0x43506164)
7599 {
7600 quint32 nVersion=pe.read_uint32(sr.nOffset+8);
7601
7602 _SCANS_STRUCT ssLibrary=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_CHROMIUMCRASHPAD,"","",0);
7603 ssLibrary.sVersion=QString("%1.0").arg(nVersion);
7604 pPEInfo->mapResultLibraries.insert(ssLibrary.name,scansToScan(&(pPEInfo->basic_info),&ssLibrary));
7605 }
7606 }
7607 }
7608
7609 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_EXCELSIORJET))
7610 {
7611 // TODO Version
7612 _SCANS_STRUCT ssLibrary=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_JAVA,"","Native",0);
7613 pPEInfo->mapResultLibraries.insert(ssLibrary.name,scansToScan(&(pPEInfo->basic_info),&ssLibrary));
7614
7615 // TODO Version
7616 _SCANS_STRUCT ssCompiler=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_EXCELSIORJET,"","",0); // mb Tool
7617 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
7618 }
7619
7620 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_GO)||pPEInfo->mapCodeSectionDetects.contains(RECORD_NAME_GO))
7621 {
7622 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_GO,"1.X","",0);
7623
7624 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7625 {
7626 VI_STRUCT viStruct=get_Go_vi(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
7627
7628 if(viStruct.bIsValid)
7629 {
7630 ss.sVersion=viStruct.sVersion;
7631 ss.sInfo=viStruct.sInfo;
7632 }
7633 }
7634
7635 pPEInfo->mapResultTools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7636 }
7637
7638 // Visual Objects
7639 if(pe.compareSignature(&(pPEInfo->basic_info.memoryMap),"'This Visual Objects application cannot be run in DOS mode'",0x312))
7640 {
7641 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_VISUALOBJECTS,"2.XX","",0);
7642 ss.sVersion=QString("%1.%2").arg(QString::number(pPEInfo->nMajorLinkerVersion),QString::number(pPEInfo->nMinorLinkerVersion));
7643 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7644 }
7645
7646 // FASM
7647 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_FASM))
7648 {
7649 // TODO correct Version
7650 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_FASM,"","",0);
7651 ss.sVersion=QString("%1.%2").arg(QString::number(pPEInfo->nMajorLinkerVersion),QString::number(pPEInfo->nMinorLinkerVersion));
7652 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7653 }
7654
7655 // Zig
7656 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER)&&(pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_GENERICLINKER).nVariant==1))
7657 {
7658 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7659 {
7660 VI_STRUCT viStruct=get_Zig_vi(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
7661
7662 if(viStruct.bIsValid)
7663 {
7664 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_ZIG,"","",0);
7665
7666 ss.sVersion=viStruct.sVersion;
7667 ss.sInfo=viStruct.sInfo;
7668
7669 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7670 }
7671 }
7672 }
7673
7674 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7675 {
7676 VI_STRUCT viNim=get_Nim_vi(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
7677
7678 if(viNim.bIsValid)
7679 {
7680 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_NIM,"","",0);
7681 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7682 }
7683 }
7684
7685 // Valve
7686 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_VALVE))
7687 {
7688 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_STUB,RECORD_NAME_VALVE,"","",0);
7689 pPEInfo->mapResultTools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7690 }
7691
7692 // UniLink
7693 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_UNILINK))
7694 {
7695 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LINKER,RECORD_NAME_UNILINK,"","",0);
7696 pPEInfo->mapResultLinkers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7697 }
7698
7699 // DMD32 D
7700 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DMD32D))
7701 {
7702 // TODO correct Version
7703 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_DMD32D,"","",0);
7704 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7705 }
7706
7707 // GoLink, GoAsm
7708 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GOLINK))
7709 {
7710 _SCANS_STRUCT ssLinker=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LINKER,RECORD_NAME_GOLINK,"","",0);
7711 ssLinker.sVersion=QString("%1.%2").arg(QString::number(pPEInfo->nMajorLinkerVersion),QString::number(pPEInfo->nMinorLinkerVersion));
7712 pPEInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pPEInfo->basic_info),&ssLinker));
7713
7714 _SCANS_STRUCT ssCompiler=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_GOASM,"","",0);
7715 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
7716 }
7717
7718 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LAYHEYFORTRAN90))
7719 {
7720 QString sLFString=pe.read_ansiString(0x200);
7721
7722 if(sLFString=="This program must be run under Windows 95, NT, or Win32s\r\nPress any key to exit.$")
7723 {
7724 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_LAYHEYFORTRAN90,"","",0);
7725 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7726 }
7727 }
7728
7729 // Flex
7730 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7731 {
7732 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
7733 qint64 _nSize=pPEInfo->osDataSection.nSize;
7734 // TODO FPC Version in Major and Minor linker
7735
7736 qint64 nOffset_FlexLM=pe.find_ansiString(_nOffset,_nSize,"@(#) FLEXlm ");
7737
7738 if(nOffset_FlexLM!=-1)
7739 {
7740 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_FLEXLM,"","",0);
7741
7742 ss.sVersion=pe.read_ansiString(nOffset_FlexLM+12,50);
7743 ss.sVersion=ss.sVersion.section(" ",0,0);
7744
7745 if(ss.sVersion.left(1)=="v")
7746 {
7747 ss.sVersion.remove(0,1);
7748 }
7749
7750 // TODO Version
7751 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7752 }
7753
7754 qint64 nOffset_FlexNet=-1;
7755
7756 if(nOffset_FlexLM==-1)
7757 {
7758 nOffset_FlexNet=pe.find_ansiString(_nOffset,_nSize,"@(#) FLEXnet Licensing v");
7759 }
7760
7761 if(nOffset_FlexNet==-1)
7762 {
7763 nOffset_FlexNet=pe.find_ansiString(_nOffset,_nSize,"@(#) FlexNet Licensing v");
7764 }
7765
7766 if(nOffset_FlexNet!=-1)
7767 {
7768 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_FLEXNET,"","",0);
7769
7770 ss.sVersion=pe.read_ansiString(nOffset_FlexNet+24,50);
7771
7772 if(ss.sVersion.contains("build"))
7773 {
7774 ss.sVersion=ss.sVersion.section(" ",0,2);
7775 }
7776 else
7777 {
7778 ss.sVersion=ss.sVersion.section(" ",0,0);
7779 }
7780
7781 // TODO Version
7782 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7783 }
7784 }
7785
7786 if(!pPEInfo->cliInfo.bValid)
7787 {
7788 // Qt
7789 // TODO Find Strings QObject
7790 if(XPE::isImportLibraryPresentI("QtCore4.dll",&(pPEInfo->listImports)))
7791 {
7792 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"4.X","",0);
7793 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7794 }
7795 else if(XPE::isImportLibraryPresentI("QtCored4.dll",&(pPEInfo->listImports)))
7796 {
7797 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"4.X","Debug",0);
7798 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7799 }
7800 else if(XPE::isImportLibraryPresentI("Qt5Core.dll",&(pPEInfo->listImports)))
7801 {
7802 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"5.X","",0);
7803 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7804 }
7805 else if(XPE::isImportLibraryPresentI("Qt5Cored.dll",&(pPEInfo->listImports)))
7806 {
7807 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"5.X","Debug",0);
7808 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7809 }
7810 else if(XPE::isImportLibraryPresentI("Qt6Core.dll",&(pPEInfo->listImports)))
7811 {
7812 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"6.X","",0);
7813 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7814 }
7815 else if(XPE::isImportLibraryPresentI("Qt6Cored.dll",&(pPEInfo->listImports)))
7816 {
7817 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_QT,"6.X","Debug",0);
7818 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7819 }
7820 else if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_QT))
7821 {
7822 // TODO Version!
7823 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_QT);
7824 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7825 }
7826
7827 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7828 {
7829 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
7830 qint64 _nSize=pPEInfo->osDataSection.nSize;
7831 // TODO FPC Version in Major and Minor linker
7832
7833 qint64 nOffset_FPC=pe.find_ansiString(_nOffset,_nSize,"FPC ");
7834
7835 if(nOffset_FPC!=-1)
7836 {
7837 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_FPC,"","",0);
7838 QString sFPCVersion=pe.read_ansiString(nOffset_FPC);
7839 ss.sVersion=sFPCVersion.section(" ",1,-1).section(" - ",0,0);
7840
7841 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7842
7843 // Lazarus
7844 qint64 nOffset_Lazarus=pe.find_ansiString(_nOffset,_nSize,"Lazarus LCL: ");
7845
7846 if(nOffset_Lazarus==-1)
7847 {
7848 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7849 {
7850 _nOffset=pPEInfo->osConstDataSection.nOffset;
7851 _nSize=pPEInfo->osConstDataSection.nSize;
7852
7853 nOffset_Lazarus=pe.find_ansiString(_nOffset,_nSize,"Lazarus LCL: ");
7854 }
7855 }
7856
7857 QString sLazarusVersion;
7858
7859 if(nOffset_Lazarus!=-1)
7860 {
7861 sLazarusVersion=pe.read_ansiString(nOffset_Lazarus+13);
7862 sLazarusVersion=sLazarusVersion.section(" ",0,0);
7863 }
7864
7865 if(nOffset_Lazarus!=-1)
7866 {
7867 _SCANS_STRUCT ssLazarus=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_TOOL,RECORD_NAME_LAZARUS,"","",0);
7868
7869 ssLazarus.sVersion=sLazarusVersion;
7870
7871 pPEInfo->mapResultTools.insert(ssLazarus.name,scansToScan(&(pPEInfo->basic_info),&ssLazarus));
7872 }
7873 }
7874 else
7875 {
7876 // qint64 nOffset_TObject=pe.find_array(_nOffset,_nSize,"\x07\x54\x4f\x62\x6a\x65\x63\x74",8); // TObject
7877
7878 // if(nOffset_TObject!=-1)
7879 // {
7880
7881 // SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_FPC,"","",0);
7882
7883 // // TODO Version
7884 // pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7885 // }
7886 qint64 nOffset_RunTimeError=pe.find_array(_nOffset,_nSize,"\x0e\x52\x75\x6e\x74\x69\x6d\x65\x20\x65\x72\x72\x6f\x72\x20",15); // Runtime Error TODO: use findAnsiString
7887
7888 if(nOffset_RunTimeError!=-1)
7889 {
7890
7891 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_FPC,"","",0);
7892
7893 // TODO Version
7894 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7895 }
7896 }
7897 }
7898
7899 // Python
7900 // TODO Create function
7901 int nNumberOfImports=pPEInfo->listImports.count();
7902
7903 for(int i=0; i<nNumberOfImports; i++)
7904 {
7905 if(XBinary::isRegExpPresent("^PYTHON",pPEInfo->listImports.at(i).sName.toUpper()))
7906 {
7907 QString sVersion=XBinary::regExp("(\\d+)",pPEInfo->listImports.at(i).sName.toUpper(),0);
7908
7909 if(sVersion!="")
7910 {
7911 double dVersion=sVersion.toDouble();
7912
7913 if(dVersion)
7914 {
7915 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_PYTHON,"","",0);
7916
7917 ss.sVersion=QString::number(dVersion/10,'f',1);
7918 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7919 }
7920 }
7921
7922 break;
7923 }
7924 }
7925
7926 // Perl
7927 // TODO Create function
7928 for(int i=0; i<nNumberOfImports; i++)
7929 {
7930 if(XBinary::isRegExpPresent("^PERL",pPEInfo->listImports.at(i).sName.toUpper()))
7931 {
7932 QString sVersion=XBinary::regExp("(\\d+)",pPEInfo->listImports.at(i).sName.toUpper(),0);
7933
7934 if(sVersion!="")
7935 {
7936 double dVersion=sVersion.toDouble();
7937
7938 if(dVersion)
7939 {
7940 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_PERL,"","",0);
7941
7942 ss.sVersion=QString::number(dVersion/100,'f',2);
7943 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7944 }
7945 }
7946
7947 break;
7948 }
7949 }
7950
7951 // Virtual Pascal
7952 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
7953 {
7954 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
7955 qint64 _nSize=pPEInfo->osDataSection.nSize;
7956 // TODO VP Version in Major and Minor linker
7957
7958 qint64 nOffset_VP=pe.find_ansiString(_nOffset,_nSize,"Virtual Pascal - Copyright (C) "); // "Virtual Pascal - Copyright (C) 1996-2000 vpascal.com"
7959
7960 if(nOffset_VP!=-1)
7961 {
7962 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_VIRTUALPASCAL,"","",0);
7963
7964 // TODO Version???
7965 ss.sVersion=QString("%1.%2").arg(QString::number(pPEInfo->nMajorLinkerVersion),QString::number(pPEInfo->nMinorLinkerVersion));
7966 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7967 }
7968 }
7969
7970 // PowerBASIC
7971 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan))
7972 {
7973 qint64 _nOffset=pPEInfo->osCodeSection.nOffset;
7974 qint64 _nSize=pPEInfo->osCodeSection.nSize;
7975 // TODO VP Version in Major and Minor linker
7976
7977 qint64 nOffset_PB=pe.find_ansiString(_nOffset,_nSize,"PowerBASIC");
7978
7979 if(nOffset_PB!=-1)
7980 {
7981 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_COMPILER,RECORD_NAME_POWERBASIC,"","",0);
7982
7983 // TODO Version???
7984 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7985 }
7986 }
7987
7988 // PureBasic
7989 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_PUREBASIC))
7990 {
7991 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_PUREBASIC);
7992
7993 // TODO Version???
7994 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
7995 }
7996
7997 // lcc-win
7998 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_LCCWIN))
7999 {
8000 _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_LCCWIN);
8001
8002 // TODO Version???
8003 pPEInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8004
8005 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER))
8006 {
8007 _SCANS_STRUCT ssLinker={};
8008 ssLinker.name=RECORD_NAME_LCCLNK;
8009 ssLinker.type=RECORD_TYPE_LINKER;
8010 ssLinker.sVersion=QString("%1.%2").arg(QString::number(pPEInfo->nMajorLinkerVersion),QString::number(pPEInfo->nMinorLinkerVersion));
8011 pPEInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pPEInfo->basic_info),&ssLinker));
8012 }
8013 }
8014 }
8015 }
8016 }
8017
PE_handle_PETools(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)8018 void SpecAbstract::PE_handle_PETools(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
8019 {
8020 XPE pe(pDevice,bIsImage);
8021
8022 if(pe.isValid())
8023 {
8024 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_VMUNPACKER))
8025 {
8026 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_VMUNPACKER);
8027
8028 pPEInfo->mapResultPETools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8029 }
8030
8031 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_XVOLKOLAK))
8032 {
8033 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_XVOLKOLAK);
8034
8035 pPEInfo->mapResultPETools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8036 }
8037
8038 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_HOODLUM))
8039 {
8040 _SCANS_STRUCT ss=pPEInfo->mapSectionNamesDetects.value(RECORD_NAME_HOODLUM);
8041
8042 pPEInfo->mapResultPETools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8043 }
8044 }
8045 }
8046
PE_handle_wxWidgets(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)8047 void SpecAbstract::PE_handle_wxWidgets(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
8048 {
8049 XPE pe(pDevice,bIsImage);
8050
8051 if(pe.isValid())
8052 {
8053 if(!pPEInfo->cliInfo.bValid)
8054 {
8055 bool bDynamic=false;
8056 bool bStatic=false;
8057 QString sVersion;
8058 QString sInfo;
8059
8060 int nNumberOfImports=pPEInfo->listImports.count();
8061
8062 for(int i=0; i<nNumberOfImports; i++)
8063 {
8064 if(XBinary::isRegExpPresent("^WX",pPEInfo->listImports.at(i).sName.toUpper()))
8065 {
8066 QString sDllVersion=XBinary::regExp("(\\d+)",pPEInfo->listImports.at(i).sName.toUpper(),0);
8067
8068 if(sDllVersion!="")
8069 {
8070 double dVersion=sDllVersion.toDouble();
8071
8072 if(dVersion)
8073 {
8074 // TODO a function
8075 if(dVersion<100)
8076 {
8077 sVersion=QString::number(dVersion/10,'f',1);
8078 }
8079 else if(dVersion<1000)
8080 {
8081 sVersion=QString::number(dVersion/100,'f',2);
8082 }
8083
8084 bDynamic=true;
8085 }
8086 }
8087
8088 break;
8089 }
8090 }
8091
8092 if(!bDynamic)
8093 {
8094 if(XPE::isResourcePresent(XPE_DEF::S_RT_MENU,"WXWINDOWMENU",&(pPEInfo->listResources)))
8095 {
8096 bStatic=true;
8097 }
8098 }
8099
8100 if(bDynamic||bStatic)
8101 {
8102 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8103 {
8104 qint64 _nOffset=pPEInfo->osConstDataSection.nOffset;
8105 qint64 _nSize=pPEInfo->osConstDataSection.nSize;
8106 // TODO VP Version in Major and Minor linker
8107
8108 qint64 nOffset_Version=-1;
8109
8110 if(nOffset_Version==-1)
8111 {
8112 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"3.1.1 (wchar_t,Visual C++ 1900,wx containers)");
8113
8114 if(nOffset_Version!=-1)
8115 {
8116 sVersion="3.1.1";
8117 sInfo="Visual C++ 1900";
8118 }
8119 }
8120
8121 if(nOffset_Version==-1)
8122 {
8123 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"3.1.2 (wchar_t,Visual C++ 1900,wx containers,compatible with 3.0)");
8124
8125 if(nOffset_Version!=-1)
8126 {
8127 sVersion="3.1.2";
8128 sInfo="Visual C++ 1900";
8129 }
8130 }
8131 }
8132 }
8133
8134 if(bDynamic||bStatic)
8135 {
8136 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_LIBRARY,RECORD_NAME_WXWIDGETS,"","",0);
8137
8138 if(bDynamic)
8139 {
8140 ss.sInfo="";
8141 }
8142 else if(bStatic)
8143 {
8144 ss.sInfo="Static";
8145 }
8146
8147 ss.sVersion=sVersion;
8148 ss.sInfo=append(ss.sInfo,sInfo);
8149
8150 pPEInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8151 }
8152 }
8153 }
8154 }
8155
PE_handle_GCC(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)8156 void SpecAbstract::PE_handle_GCC(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
8157 {
8158 _SCANS_STRUCT ssLinker={};
8159 _SCANS_STRUCT ssCompiler={};
8160 _SCANS_STRUCT ssTool={};
8161
8162 XPE pe(pDevice,bIsImage);
8163
8164 if(pe.isValid())
8165 {
8166 if(!pPEInfo->cliInfo.bValid)
8167 {
8168 bool bDetectGCC=false;
8169 bool bHeurGCC=false;
8170
8171 if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER))
8172 {
8173 switch(pPEInfo->nMajorLinkerVersion)
8174 {
8175 case 2:
8176 switch(pPEInfo->nMinorLinkerVersion) // TODO Check MinGW versions
8177 {
8178 case 22:
8179 case 23:
8180 case 24:
8181 case 25:
8182 case 26:
8183 case 27:
8184 case 28:
8185 case 29:
8186 case 30:
8187 case 31:
8188 case 32:
8189 case 33:
8190 case 34:
8191 case 35:
8192 case 36:
8193 case 56:
8194 bHeurGCC=true;
8195 break;
8196 }
8197
8198 break;
8199 }
8200 }
8201
8202 QString sDllLib;
8203
8204 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8205 {
8206 sDllLib=pe.read_ansiString(pPEInfo->osConstDataSection.nOffset);
8207 }
8208
8209 if( XPE::isImportLibraryPresentI("msys-1.0.dll",&(pPEInfo->listImports))||
8210 sDllLib.contains("msys-"))
8211 {
8212 // Msys 1.0
8213 ssTool.type=RECORD_TYPE_TOOL;
8214 ssTool.name=RECORD_NAME_MSYS;
8215 ssTool.sVersion="1.0";
8216 }
8217
8218 if( (sDllLib.contains("gcc"))||
8219 (sDllLib.contains("libgcj"))||
8220 (sDllLib.contains("cyggcj"))||
8221 (sDllLib=="_set_invalid_parameter_handler")||
8222 XPE::isImportLibraryPresentI("libgcc_s_dw2-1.dll",&(pPEInfo->listImports))||
8223 pPEInfo->mapOverlayDetects.contains(RECORD_NAME_MINGW)||
8224 pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_GCC))
8225 {
8226 bDetectGCC=true;
8227 }
8228
8229 if(bDetectGCC||bHeurGCC)
8230 {
8231 // Mingw
8232 // Msys
8233 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8234 {
8235 VI_STRUCT viStruct=get_GCC_vi1(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize);
8236
8237 ssCompiler.sVersion=viStruct.sVersion;
8238
8239 // TODO MinGW-w64
8240 if(viStruct.sInfo.contains("MinGW"))
8241 {
8242 ssTool.type=RECORD_TYPE_TOOL;
8243 ssTool.name=RECORD_NAME_MINGW;
8244 }
8245 else if(viStruct.sInfo.contains("MSYS2"))
8246 {
8247 ssTool.type=RECORD_TYPE_TOOL;
8248 ssTool.name=RECORD_NAME_MSYS2;
8249 }
8250 else if(viStruct.sInfo.contains("Cygwin"))
8251 {
8252 ssTool.type=RECORD_TYPE_TOOL;
8253 ssTool.name=RECORD_NAME_CYGWIN;
8254 }
8255
8256 if(ssCompiler.sVersion=="")
8257 {
8258 QString _sGCCVersion;
8259
8260 if(pe.checkOffsetSize(pPEInfo->osConstDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8261 {
8262 _sGCCVersion=get_GCC_vi2(pDevice,bIsImage,pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize).sVersion;
8263
8264 if(_sGCCVersion!="")
8265 {
8266 ssCompiler.sVersion=_sGCCVersion;
8267 }
8268 }
8269
8270 if(_sGCCVersion=="")
8271 {
8272 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8273 {
8274 _sGCCVersion=get_GCC_vi2(pDevice,bIsImage,pPEInfo->osDataSection.nOffset,pPEInfo->osDataSection.nSize).sVersion;
8275
8276 if(_sGCCVersion!="")
8277 {
8278 ssCompiler.sVersion=_sGCCVersion;
8279 }
8280 }
8281 }
8282 }
8283
8284 if((ssTool.type==RECORD_TYPE_UNKNOWN)&&(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_GCC)))
8285 {
8286 if(pPEInfo->mapEntryPointDetects.value(RECORD_NAME_GCC).sInfo.contains("MinGW"))
8287 {
8288 ssTool.type=RECORD_TYPE_TOOL;
8289 ssTool.name=RECORD_NAME_MINGW;
8290 }
8291 }
8292 }
8293
8294 if(ssCompiler.sVersion!="")
8295 {
8296 bDetectGCC=true;
8297 }
8298
8299 if(!bDetectGCC)
8300 {
8301 if(pPEInfo->basic_info.bIsDeepScan)
8302 {
8303 qint64 nGCC_MinGW=pe.find_ansiString(pPEInfo->osConstDataSection.nOffset,pPEInfo->osConstDataSection.nSize,"Mingw-w64 runtime failure:");
8304
8305 if(nGCC_MinGW!=-1)
8306 {
8307 ssTool.type=RECORD_TYPE_TOOL;
8308 ssTool.name=RECORD_NAME_MINGW;
8309
8310 bDetectGCC=true;
8311 }
8312 }
8313 }
8314
8315 if(bDetectGCC)
8316 {
8317 ssCompiler.type=RECORD_TYPE_COMPILER;
8318 ssCompiler.name=RECORD_NAME_GCC;
8319 }
8320 }
8321
8322 int nNumberOfImports=pPEInfo->listImports.count();
8323
8324 for(int i=0; i<nNumberOfImports; i++)
8325 {
8326 if(XBinary::isRegExpPresent("^CYGWIN",pPEInfo->listImports.at(i).sName.toUpper()))
8327 {
8328 QString sVersion=XBinary::regExp("(\\d+)",pPEInfo->listImports.at(i).sName.toUpper(),0);
8329
8330 if(sVersion!="")
8331 {
8332 double dVersion=sVersion.toDouble();
8333
8334 if(dVersion)
8335 {
8336 ssTool.sVersion=QString::number(dVersion,'f',2);
8337 }
8338 }
8339
8340 ssTool.type=RECORD_TYPE_TOOL;
8341 ssTool.name=RECORD_NAME_CYGWIN;
8342
8343 break;
8344 }
8345 }
8346
8347 if(ssCompiler.type==RECORD_TYPE_UNKNOWN)
8348 {
8349 if(XPE::isSectionNamePresent(".stabstr",&(pPEInfo->listSectionHeaders))) // TODO
8350 {
8351 XPE::SECTION_RECORD sr=XPE::getSectionRecordByName(".stabstr",&(pPEInfo->listSectionRecords));
8352
8353 if(sr.nSize)
8354 {
8355 qint64 _nOffset=sr.nOffset;
8356 qint64 _nSize=sr.nSize;
8357
8358 bool bSuccess=false;
8359
8360 if(!bSuccess)
8361 {
8362 qint64 nGCC_MinGW=pe.find_ansiString(_nOffset,_nSize,"/gcc/mingw32/");
8363
8364 if(nGCC_MinGW!=-1)
8365 {
8366 ssTool.type=RECORD_TYPE_TOOL;
8367 ssTool.name=RECORD_NAME_MINGW;
8368
8369 bSuccess=true;
8370 }
8371 }
8372
8373 if(!bSuccess)
8374 {
8375 qint64 nCygwin=pe.find_ansiString(_nOffset,_nSize,"/gcc/i686-pc-cygwin/");
8376
8377 if(nCygwin!=-1)
8378 {
8379 ssTool.type=RECORD_TYPE_TOOL;
8380 ssTool.name=RECORD_NAME_CYGWIN;
8381
8382 bSuccess=true;
8383 }
8384 }
8385 }
8386 }
8387 }
8388
8389 if(ssCompiler.type==RECORD_TYPE_UNKNOWN)
8390 {
8391 if( (ssTool.name==RECORD_NAME_MINGW)||
8392 (ssTool.name==RECORD_NAME_MSYS)||
8393 (ssTool.name==RECORD_NAME_MSYS2)||
8394 (ssTool.name==RECORD_NAME_CYGWIN))
8395 {
8396 ssCompiler.type=RECORD_TYPE_COMPILER;
8397 ssCompiler.name=RECORD_NAME_GCC;
8398 }
8399 }
8400
8401 if((ssCompiler.name==RECORD_NAME_GCC)&&(ssTool.type==RECORD_TYPE_UNKNOWN))
8402 {
8403 ssTool.type=RECORD_TYPE_TOOL;
8404 ssTool.name=RECORD_NAME_MINGW;
8405 }
8406
8407 if((ssCompiler.name==RECORD_NAME_GCC)&&(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER)))
8408 {
8409 ssLinker.type=RECORD_TYPE_LINKER;
8410 ssLinker.name=RECORD_NAME_GNULINKER;
8411 ssLinker.sVersion=QString("%1.%2").arg(pPEInfo->nMajorLinkerVersion).arg(pPEInfo->nMinorLinkerVersion);
8412 }
8413
8414 if(ssTool.name==RECORD_NAME_MINGW)
8415 {
8416 if(ssTool.sVersion=="")
8417 {
8418 switch(pPEInfo->nMajorLinkerVersion)
8419 {
8420 case 2:
8421 switch(pPEInfo->nMinorLinkerVersion)
8422 {
8423 case 23: ssTool.sVersion="4.7.0-4.8.0"; break;
8424 case 24: ssTool.sVersion="4.8.2-4.9.2"; break;
8425 case 25: ssTool.sVersion="5.3.0"; break;
8426 case 29: ssTool.sVersion="7.3.0"; break;
8427 case 30: ssTool.sVersion="7.3.0"; break; // TODO Check
8428 }
8429 break;
8430 }
8431 }
8432 }
8433
8434 // TODO Check overlay debug
8435
8436 if(ssLinker.type!=RECORD_TYPE_UNKNOWN)
8437 {
8438 pPEInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pPEInfo->basic_info),&ssLinker));
8439 }
8440 if(ssCompiler.type!=RECORD_TYPE_UNKNOWN)
8441 {
8442 pPEInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pPEInfo->basic_info),&ssCompiler));
8443 }
8444 if(ssTool.type!=RECORD_TYPE_UNKNOWN)
8445 {
8446 pPEInfo->mapResultTools.insert(ssTool.name,scansToScan(&(pPEInfo->basic_info),&ssTool));
8447 }
8448 }
8449 }
8450 }
8451
PE_handle_Signtools(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)8452 void SpecAbstract::PE_handle_Signtools(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
8453 {
8454 XPE pe(pDevice,bIsImage);
8455
8456 if(pe.isValid())
8457 {
8458 if(pe.isSignPresent())
8459 {
8460 // TODO image
8461 XPE_DEF::IMAGE_DATA_DIRECTORY dd=pe.getOptionalHeader_DataDirectory(XPE_DEF::S_IMAGE_DIRECTORY_ENTRY_SECURITY);
8462
8463 QList<XPE::CERT> listCerts=pe.getCertList(dd.VirtualAddress,dd.Size);
8464
8465 if(listCerts.count())
8466 {
8467 if((listCerts.at(0).record.wRevision==0x200)&&(listCerts.at(0).record.wCertificateType==2))
8468 {
8469 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SIGNTOOL,RECORD_NAME_WINAUTH,"2.0","PKCS #7",0);
8470 pPEInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8471 }
8472 }
8473 }
8474 }
8475 }
8476
PE_handle_Installers(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)8477 void SpecAbstract::PE_handle_Installers(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
8478 {
8479 XPE pe(pDevice,bIsImage);
8480
8481 if(pe.isValid())
8482 {
8483 if(!pPEInfo->cliInfo.bValid)
8484 {
8485 // Inno Setup
8486 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_INNOSETUP)||pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_INNOSETUP))
8487 {
8488 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INNOSETUP,"","",0);
8489
8490 if((pe.read_uint32(0x30)==0x6E556E49)) // Uninstall
8491 {
8492 ss.sInfo="Uninstall";
8493
8494 if(pe.checkOffsetSize(pPEInfo->osCodeSection)&&(pPEInfo->basic_info.bIsDeepScan))
8495 {
8496 qint64 _nOffset=pPEInfo->osCodeSection.nOffset;
8497 qint64 _nSize=pPEInfo->osCodeSection.nSize;
8498
8499 qint64 nOffsetVersion=pe.find_ansiString(_nOffset,_nSize,"Setup version: Inno Setup version ");
8500
8501 if(nOffsetVersion!=-1)
8502 {
8503 QString sVersionString=pe.read_ansiString(nOffsetVersion+34);
8504 ss.sVersion=sVersionString.section(" ",0,0);
8505 QString sEncodes=sVersionString.section(" ",1,1);
8506
8507 if(sEncodes=="(a)")
8508 {
8509 ss.sInfo=append(ss.sInfo,"ANSI");
8510 }
8511 else if(sEncodes=="(u)")
8512 {
8513 ss.sInfo=append(ss.sInfo,"Unicode");
8514 }
8515 }
8516 }
8517 }
8518 else if(pPEInfo->mapOverlayDetects.value(RECORD_NAME_INNOSETUP).sInfo=="Uninstall")
8519 {
8520 ss.sInfo="Uninstall";
8521 qint64 _nOffset=pPEInfo->nOverlayOffset;
8522 qint64 _nSize=pPEInfo->nOverlaySize;
8523
8524 qint64 nOffsetVersion=pe.find_ansiString(_nOffset,_nSize,"Inno Setup Messages (");
8525
8526 if(nOffsetVersion!=-1)
8527 {
8528 QString sVersionString=pe.read_ansiString(nOffsetVersion+21);
8529 ss.sVersion=sVersionString.section(" ",0,0);
8530 ss.sVersion=ss.sVersion.remove(")");
8531 QString sEncodes=sVersionString.section(" ",1,1);
8532
8533 // TODO Check
8534 if(sEncodes=="(a))")
8535 {
8536 ss.sInfo=append(ss.sInfo,"ANSI");
8537 }
8538 else if(sEncodes=="(u))")
8539 {
8540 ss.sInfo=append(ss.sInfo,"Unicode");
8541 }
8542 }
8543 }
8544 else
8545 {
8546 qint64 nLdrTableOffset=-1;
8547
8548 if(pe.read_uint32(0x30)==0x6F6E6E49)
8549 {
8550 ss.sVersion="1.XX-5.1.X";
8551 ss.sInfo="Install";
8552 nLdrTableOffset=pe.read_uint32(0x30+4);
8553 }
8554 else // New versions
8555 {
8556 XPE::RESOURCE_RECORD resHeader=XPE::getResourceRecord(XPE_DEF::S_RT_RCDATA,11111,&(pPEInfo->listResources));
8557
8558 nLdrTableOffset=resHeader.nOffset;
8559
8560 if(nLdrTableOffset!=-1)
8561 {
8562 ss.sVersion="5.1.X-X.X.X";
8563 ss.sInfo="Install";
8564 }
8565 }
8566
8567 if(nLdrTableOffset!=-1)
8568 {
8569 // TODO 1 function
8570 QString sSignature=pe.getSignature(nLdrTableOffset+0,12);
8571
8572 if(sSignature.left(12)=="72446C507453") // rDlPtS
8573 {
8574 // result.nLdrTableVersion=read_uint32(nLdrTableOffset+12+0);
8575 // result.nTotalSize=read_uint32(nLdrTableOffset+12+4);
8576 // result.nSetupE32Offset=read_uint32(nLdrTableOffset+12+8);
8577 // result.nSetupE32UncompressedSize=read_uint32(nLdrTableOffset+12+12);
8578 // result.nSetupE32CRC=read_uint32(nLdrTableOffset+12+16);
8579 // result.nSetupBin0Offset=read_uint32(nLdrTableOffset+12+20);
8580 // result.nSetupBin1Offset=read_uint32(nLdrTableOffset+12+24);
8581 // result.nTableCRC=read_uint32(nLdrTableOffset+12+28);
8582
8583 QString sSetupDataString=pe.read_ansiString(pe.read_uint32(nLdrTableOffset+12+20));
8584
8585 if(!sSetupDataString.contains("("))
8586 {
8587 sSetupDataString=pe.read_ansiString(pe.read_uint32(nLdrTableOffset+12+24));
8588 // TODO
8589 // ss.sInfo=append(ss.sInfo,"OLD.TODO");
8590 }
8591
8592 QString sVersion=XBinary::regExp("\\((.*?)\\)",sSetupDataString,1);
8593 QString sOptions=XBinary::regExp("\\) \\((.*?)\\)",sSetupDataString,1);
8594
8595 if(sVersion!="")
8596 {
8597 ss.sVersion=sVersion;
8598 }
8599
8600 if(sOptions!="")
8601 {
8602 QString sEncode=sOptions;
8603
8604 if(sEncode=="a")
8605 {
8606 ss.sInfo=append(ss.sInfo,"ANSI");
8607 }
8608 else if(sEncode=="u")
8609 {
8610 ss.sInfo=append(ss.sInfo,"Unicode");
8611 }
8612 }
8613 }
8614 }
8615 }
8616
8617 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8618 }
8619
8620 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_CAB))
8621 {
8622 // Wix Tools
8623 if(XPE::isSectionNamePresent(".wixburn",&(pPEInfo->listSectionHeaders))) // TODO
8624 {
8625 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_WIXTOOLSET,"","",0);
8626 ss.sVersion="3.X"; // TODO check "E:\delivery\Dev\wix37\build\ship\x86\burn.pdb"
8627 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8628 }
8629 }
8630
8631 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_NOSINSTALLER))
8632 {
8633 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_NOSINSTALLER))
8634 {
8635 // TODO Version from resources!
8636 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_NOSINSTALLER,"","",0);
8637 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8638 }
8639 }
8640
8641 // CAB SFX
8642 if(pPEInfo->sResourceManifest.contains("sfxcab.exe"))
8643 {
8644 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_CAB,"","",0);
8645
8646 if(pe.checkOffsetSize(pPEInfo->osResourceSection)&&(pPEInfo->basic_info.bIsDeepScan))
8647 {
8648 qint64 nSectionOffset= pPEInfo->listSectionHeaders.at(pPEInfo->nResourceSection).PointerToRawData+
8649 pPEInfo->listSectionHeaders.at(pPEInfo->nResourceSection).Misc.VirtualSize;
8650
8651 qint64 nVersionOffset=pe.find_signature(&(pPEInfo->basic_info.memoryMap),nSectionOffset-0x600,0x600,"BD04EFFE00000100");
8652 if(nVersionOffset!=-1)
8653 {
8654 ss.sVersion=QString("%1.%2.%3.%4")
8655 .arg(pe.read_uint16(nVersionOffset+16+2))
8656 .arg(pe.read_uint16(nVersionOffset+16+0))
8657 .arg(pe.read_uint16(nVersionOffset+16+6))
8658 .arg(pe.read_uint16(nVersionOffset+16+4));
8659 }
8660 }
8661
8662 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8663 }
8664
8665 // Install Anywhere
8666 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_INSTALLANYWHERE))
8667 {
8668 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion))=="InstallAnywhere")
8669 {
8670 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALLANYWHERE,"","",0);
8671 ss.sVersion=XPE::getResourceVersionValue("ProductVersion",&(pPEInfo->resVersion));
8672 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8673 }
8674 }
8675
8676 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_GHOSTINSTALLER))
8677 {
8678 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_GHOSTINSTALLER,"","",0);
8679 ss.sVersion="1.0";
8680 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8681 }
8682
8683 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_QTINSTALLER))
8684 {
8685 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_QTINSTALLER,"","",0);
8686 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8687 }
8688
8689 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_INSTALL4J))
8690 {
8691 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALL4J,"","",0);
8692 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8693 }
8694
8695 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_SMARTINSTALLMAKER))
8696 {
8697 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_SMARTINSTALLMAKER,"","",0);
8698 ss.sVersion=XBinary::hexToString(pPEInfo->sOverlaySignature.mid(46,14)); // TODO make 1 function
8699 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8700 }
8701
8702 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_TARMAINSTALLER))
8703 {
8704 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_TARMAINSTALLER,"","",0);
8705 // TODO version
8706 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8707 }
8708
8709 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_CLICKTEAM))
8710 {
8711 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_CLICKTEAM,"","",0);
8712 // TODO version
8713 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8714 }
8715
8716 // NSIS
8717 if((pPEInfo->mapOverlayDetects.contains(RECORD_NAME_NSIS))||(pPEInfo->sResourceManifest.contains("Nullsoft.NSIS")))
8718 {
8719 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_NSIS,"","",0);
8720
8721 QString _sInfo=pPEInfo->mapOverlayDetects.value(RECORD_NAME_NSIS).sInfo;
8722
8723 if(_sInfo!="")
8724 {
8725 ss.sInfo=_sInfo;
8726 }
8727
8728 // QRegularExpression rxVersion("Null[sS]oft Install System v?(.*?)<");
8729 // QRegularExpressionMatch matchVersion=rxVersion.match(pPEInfo->sResourceManifest);
8730
8731 // if(matchVersion.hasMatch())
8732 // {
8733 // ss.sVersion=matchVersion.captured(1);
8734 // }
8735
8736 QString sVersion=XBinary::regExp("Null[sS]oft Install System v?(.*?)<",pPEInfo->sResourceManifest,1);
8737
8738 if(sVersion!="")
8739 {
8740 ss.sVersion=sVersion;
8741 }
8742
8743 // TODO options
8744
8745 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8746 }
8747
8748 // InstallShield
8749 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("InstallShield"))
8750 {
8751 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALLSHIELD,"","",0);
8752 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8753 ss.sVersion.replace(", ",".");
8754 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8755 }
8756 else if(pPEInfo->sResourceManifest.contains("InstallShield"))
8757 {
8758 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALLSHIELD,"","",0);
8759
8760 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
8761 {
8762 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
8763 qint64 _nSize=pPEInfo->osDataSection.nSize;
8764
8765 qint64 nOffsetVersion=pe.find_ansiString(_nOffset,_nSize,"SOFTWARE\\InstallShield\\1");
8766
8767 if(nOffsetVersion!=-1)
8768 {
8769 QString sVersionString=pe.read_ansiString(nOffsetVersion);
8770 ss.sVersion=sVersionString.section("\\",2,2);
8771 }
8772 }
8773
8774 if(ss.sVersion=="")
8775 {
8776 // TODO unicode
8777 ss.sVersion=XPE::getResourceVersionValue("ISInternalVersion",&(pPEInfo->resVersion));
8778 }
8779
8780 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8781 }
8782 else if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_INSTALLSHIELD))
8783 {
8784 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALLSHIELD,"","PackageForTheWeb",0);
8785 // TODO version
8786 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8787 }
8788 else if(XPE::getResourceVersionValue("CompanyName",&(pPEInfo->resVersion)).contains("InstallShield"))
8789 {
8790 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_INSTALLSHIELD,"","",0);
8791
8792 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion));
8793
8794 if(XPE::getResourceVersionValue("CompanyName",&(pPEInfo->resVersion)).contains("PackageForTheWeb"))
8795 {
8796 ss.sInfo="PackageForTheWeb";
8797 }
8798
8799 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8800 }
8801
8802 if(pPEInfo->sResourceManifest.contains("AdvancedInstallerSetup"))
8803 {
8804 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_ADVANCEDINSTALLER,"","",0);
8805
8806 if((pPEInfo->nOverlayOffset)&&(pPEInfo->nOverlaySize)&&(pPEInfo->basic_info.bIsDeepScan))
8807 {
8808 qint64 _nOffset=pPEInfo->nOverlayOffset;
8809 qint64 _nSize=pPEInfo->nOverlaySize;
8810
8811 qint64 nOffsetVersion=pe.find_ansiString(_nOffset,_nSize,"Advanced Installer ");
8812
8813 if(nOffsetVersion!=-1)
8814 {
8815 QString sVersionString=pe.read_ansiString(nOffsetVersion);
8816 ss.sVersion=sVersionString.section(" ",2,2);
8817 }
8818 }
8819
8820 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8821 }
8822
8823 if(pPEInfo->sResourceManifest.contains("Illustrate.Spoon.Installer"))
8824 {
8825 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_SPOONINSTALLER,"","",0);
8826
8827 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8828 }
8829
8830 if(pPEInfo->sResourceManifest.contains("DeployMaster Installer"))
8831 {
8832 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_DEPLOYMASTER,"","",0);
8833
8834 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8835 }
8836
8837 if( (pPEInfo->sResourceManifest.contains("Gentee.Installer.Install"))||
8838 (pPEInfo->sResourceManifest.contains("name=\"gentee\"")))
8839 {
8840 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_GENTEEINSTALLER,"","",0);
8841
8842 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8843 }
8844 else
8845 {
8846 if(pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_GENTEEINSTALLER))
8847 {
8848 if(XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,"SETUP_TEMP",&(pPEInfo->listResources)))
8849 {
8850 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_GENTEEINSTALLER,"","",0);
8851
8852 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8853 }
8854 }
8855 }
8856
8857 if(pPEInfo->sResourceManifest.contains("BitRock Installer"))
8858 {
8859 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_BITROCKINSTALLER,"","",0);
8860
8861 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8862 }
8863
8864 if( XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("GP-Install")&&
8865 XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("TASPro6-Install"))
8866 {
8867 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_GPINSTALL,"","",0);
8868 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8869 ss.sVersion.replace(", ",".");
8870 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8871 }
8872
8873 if(XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("Total Commander Installer"))
8874 {
8875 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_TOTALCOMMANDERINSTALLER,"","",0);
8876 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8877 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8878 }
8879
8880 if(XPE::getResourceVersionValue("Comments",&(pPEInfo->resVersion)).contains("Actual Installer"))
8881 {
8882 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_ACTUALINSTALLER,"","",0);
8883 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8884
8885 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8886 }
8887
8888 if(XPE::getResourceVersionValue("Comments",&(pPEInfo->resVersion)).contains("Avast Antivirus"))
8889 {
8890 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_AVASTANTIVIRUS,"","",0);
8891 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8892
8893 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8894 }
8895
8896 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("Opera Installer"))
8897 {
8898 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_OPERA,"","",0);
8899 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8900
8901 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8902 }
8903
8904 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("Yandex Installer"))
8905 {
8906 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_YANDEX,"","",0);
8907 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8908
8909 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8910 }
8911
8912 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("Google Update"))
8913 {
8914 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_GOOGLE,"","",0);
8915 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8916
8917 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8918 }
8919
8920 if(XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("Visual Studio Installer"))
8921 {
8922 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_MICROSOFTVISUALSTUDIO,"","",0);
8923 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8924
8925 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8926 }
8927
8928 if(XPE::getResourceVersionValue("InternalName",&(pPEInfo->resVersion)).contains("Dropbox Update Setup"))
8929 {
8930 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_DROPBOX,"","",0);
8931 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8932
8933 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8934 }
8935
8936 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("VeraCrypt"))
8937 {
8938 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_VERACRYPT,"","",0);
8939 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8940
8941 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8942 }
8943
8944 if(XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("Microsoft .NET Framework"))
8945 {
8946 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_MICROSOFTDOTNETFRAMEWORK,"","",0);
8947 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8948
8949 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8950 }
8951
8952 if(XPE::getResourceVersionValue("LegalTrademarks",&(pPEInfo->resVersion)).contains("Setup Factory"))
8953 {
8954 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_SETUPFACTORY,"","",0);
8955 ss.sVersion=XPE::getResourceVersionValue("ProductVersion",&(pPEInfo->resVersion)).trimmed();
8956
8957 if(ss.sVersion.contains(","))
8958 {
8959 ss.sVersion=ss.sVersion.remove(" ");
8960 ss.sVersion=ss.sVersion.replace(",",".");
8961 }
8962
8963 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8964 }
8965
8966 if( XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("Java")&&
8967 XPE::getResourceVersionValue("InternalName",&(pPEInfo->resVersion)).contains("Setup Launcher"))
8968 {
8969 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_JAVA,"","",0);
8970 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8971
8972 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8973 }
8974
8975 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_VMWARE)||XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("VMware installation"))
8976 {
8977 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_VMWARE,"","",0);
8978 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
8979 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8980 }
8981
8982 // Windows Installer
8983 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_MICROSOFTCOMPOUND))
8984 {
8985 VI_STRUCT vi=get_WindowsInstaller_vi(pDevice,bIsImage,pPEInfo->nOverlayOffset,pPEInfo->nOverlaySize);
8986
8987 if(vi.sVersion!="")
8988 {
8989 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_WINDOWSINSTALLER,"","",0);
8990
8991 ss.sVersion=vi.sVersion;
8992 ss.sInfo=vi.sInfo;
8993
8994 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
8995 }
8996 }
8997
8998 // Alchemy Mindworks
8999 if( XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,4001,&(pPEInfo->listResources))&&
9000 XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,5001,&(pPEInfo->listResources)))
9001 {
9002 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_ALCHEMYMINDWORKS,"","",0);
9003 // TODO versions
9004
9005 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9006 }
9007
9008 if(!pPEInfo->mapResultInstallers.contains(RECORD_NAME_WINDOWSINSTALLER))
9009 {
9010 int nNumberOfResources=pPEInfo->listResources.count();
9011
9012 for(int i=0; i<nNumberOfResources; i++)
9013 {
9014 qint64 _nOffset=pPEInfo->listResources.at(i).nOffset;
9015 qint64 _nSize=pPEInfo->listResources.at(i).nSize;
9016 qint64 _nSignatureSize=qMin(_nSize,(qint64)8);
9017
9018 if(_nSignatureSize)
9019 {
9020 QString sSignature=pe.getSignature(_nOffset,_nSignatureSize);
9021
9022 if(sSignature=="D0CF11E0A1B11AE1") // DOC File TODO move to signatures
9023 {
9024 VI_STRUCT vi=get_WindowsInstaller_vi(pDevice,bIsImage,_nOffset,_nSize);
9025
9026 if(vi.sVersion!="")
9027 {
9028 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_WINDOWSINSTALLER,"","",0);
9029
9030 ss.sVersion=vi.sVersion;
9031 ss.sInfo=vi.sInfo;
9032
9033 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9034
9035 break;
9036 }
9037 }
9038 }
9039 }
9040 }
9041
9042 // WISE Installer
9043 if(pPEInfo->exportHeader.sName=="STUB32.EXE")
9044 {
9045 if(pPEInfo->exportHeader.listPositions.count()==2)
9046 {
9047 if( (pPEInfo->exportHeader.listPositions.at(0).sFunctionName=="_MainWndProc@16")||
9048 (pPEInfo->exportHeader.listPositions.at(1).sFunctionName=="_StubFileWrite@12"))
9049 {
9050 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_WISE,"","",0);
9051
9052 // Check version
9053 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9054 }
9055 }
9056 else if(pPEInfo->exportHeader.listPositions.count()==6)
9057 {
9058 if( (pPEInfo->exportHeader.listPositions.at(0).sFunctionName=="_LanguageDlg@16")||
9059 (pPEInfo->exportHeader.listPositions.at(1).sFunctionName=="_PasswordDlg@16")||
9060 (pPEInfo->exportHeader.listPositions.at(2).sFunctionName=="_ProgressDlg@16")||
9061 (pPEInfo->exportHeader.listPositions.at(3).sFunctionName=="_UpdateCRC@8")||
9062 (pPEInfo->exportHeader.listPositions.at(4).sFunctionName=="_t1@40")||
9063 (pPEInfo->exportHeader.listPositions.at(5).sFunctionName=="_t2@12"))
9064 {
9065 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_WISE,"","",0);
9066
9067 // Check version
9068 pPEInfo->mapResultInstallers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9069 }
9070 }
9071 }
9072 }
9073 }
9074 }
9075
PE_handle_SFX(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9076 void SpecAbstract::PE_handle_SFX(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9077 {
9078 XPE pe(pDevice,bIsImage);
9079
9080 if(pe.isValid())
9081 {
9082 if(!pPEInfo->cliInfo.bValid)
9083 {
9084 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_RAR))
9085 {
9086 if( XPE::isResourcePresent(XPE_DEF::S_RT_DIALOG,"STARTDLG",&(pPEInfo->listResources))&&
9087 XPE::isResourcePresent(XPE_DEF::S_RT_DIALOG,"LICENSEDLG",&(pPEInfo->listResources)))
9088 {
9089 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_WINRAR,"","",0);
9090 // TODO Version
9091 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9092 }
9093 }
9094
9095 if((pPEInfo->mapOverlayDetects.contains(RECORD_NAME_WINRAR))||(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_ZIP)))
9096 {
9097 if(pPEInfo->sResourceManifest.contains("WinRAR"))
9098 {
9099 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_WINRAR,"","",0);
9100 // TODO Version
9101 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9102 }
9103 }
9104
9105 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_ZIP))
9106 {
9107 if(pe.checkOffsetSize(pPEInfo->osDataSection)&&(pPEInfo->basic_info.bIsDeepScan))
9108 {
9109 qint64 _nOffset=pPEInfo->osDataSection.nOffset;
9110 qint64 _nSize=pPEInfo->osDataSection.nSize;
9111
9112 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"ZIP self-extractor");
9113 if(nOffset_Version!=-1)
9114 {
9115 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_ZIP,"","",0);
9116 // TODO Version
9117 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9118 }
9119 }
9120 }
9121
9122 // 7z SFX
9123 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("7-Zip"))
9124 {
9125 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_7Z,"","",0);
9126 ss.sVersion=XPE::getResourceVersionValue("ProductVersion",&(pPEInfo->resVersion));
9127 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9128 }
9129
9130 if((!pPEInfo->mapResultSFX.contains(RECORD_NAME_7Z))&&(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_7Z)))
9131 {
9132 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_7Z,"","",0);
9133 ss.sInfo="modified";
9134 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9135 }
9136
9137 // SQUEEZ SFX
9138 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_SQUEEZSFX))
9139 {
9140 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("Squeez"))
9141 {
9142 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_INSTALLER,RECORD_NAME_SQUEEZSFX,"","",0);
9143 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion)).trimmed();
9144 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9145 }
9146 }
9147
9148 // WinACE
9149 if( XPE::getResourceVersionValue("InternalName",&(pPEInfo->resVersion)).contains("WinACE")||
9150 XPE::getResourceVersionValue("InternalName",&(pPEInfo->resVersion)).contains("WinAce")||
9151 XPE::getResourceVersionValue("InternalName",&(pPEInfo->resVersion)).contains("UNACE"))
9152 {
9153 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_WINACE,"","",0);
9154 ss.sVersion=XPE::getResourceVersionValue("ProductVersion",&(pPEInfo->resVersion));
9155 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9156 }
9157
9158 // WinZip
9159 if( (pPEInfo->sResourceManifest.contains("WinZipComputing.WinZip"))||
9160 (XPE::isSectionNamePresent("_winzip_",&(pPEInfo->listSectionHeaders)))) // TODO
9161 {
9162 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_WINZIP,"","",0);
9163
9164 QString _sManifest=pPEInfo->sResourceManifest.section("assemblyIdentity",1,1);
9165 ss.sVersion=XBinary::regExp("version=\"(.*?)\"",_sManifest,1);
9166 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9167 }
9168
9169 // Cab
9170 if(XPE::getResourceVersionValue("FileDescription",&(pPEInfo->resVersion)).contains("Self-Extracting Cabinet"))
9171 {
9172 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_CAB,"","",0);
9173 ss.sVersion=XPE::getResourceVersionValue("FileVersion",&(pPEInfo->resVersion));
9174 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9175 }
9176
9177 // GkSetup SFX
9178 if(XPE::getResourceVersionValue("ProductName",&(pPEInfo->resVersion)).contains("GkSetup Self extractor"))
9179 {
9180 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_SFX,RECORD_NAME_GKSETUPSFX,"","",0);
9181 ss.sVersion=XPE::getResourceVersionValue("ProductVersion",&(pPEInfo->resVersion));
9182 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9183 }
9184 }
9185 }
9186 }
9187
PE_handle_PolyMorph(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9188 void SpecAbstract::PE_handle_PolyMorph(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9189 {
9190 Q_UNUSED(pDevice)
9191 Q_UNUSED(bIsImage)
9192 Q_UNUSED(pPEInfo)
9193 // ExeSax
9194
9195 }
9196
PE_handle_DongleProtection(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9197 void SpecAbstract::PE_handle_DongleProtection(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9198 {
9199 Q_UNUSED(pDevice)
9200 Q_UNUSED(bIsImage)
9201
9202 if(pPEInfo->listImports.count()==1)
9203 {
9204 if(XBinary::isRegExpPresent("^NOVEX",pPEInfo->listImports.at(0).sName.toUpper()))
9205 {
9206 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_DONGLEPROTECTION,RECORD_NAME_GUARDIANSTEALTH,"","",0);
9207 pPEInfo->mapResultSFX.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9208 }
9209 }
9210 }
9211
9212 //void SpecAbstract::PE_handle_AnslymPacker(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9213 //{
9214 // XPE pe(pDevice,bIsImage);
9215
9216 // if(pe.isValid())
9217 // {
9218 // if(!pPEInfo->cliInfo.bInit)
9219 // {
9220 // if((pPEInfo->nImportHash64==0xaf2e74867b)&&(pPEInfo->nImportHash32==0x51a4c42b))
9221 // {
9222 // _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_ANSLYMPACKER,"","",0);
9223 // pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9224 // }
9225 // }
9226 // }
9227 //}
9228
PE_handle_NeoLite(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9229 void SpecAbstract::PE_handle_NeoLite(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9230 {
9231 XPE pe(pDevice,bIsImage);
9232
9233 if(pe.isValid())
9234 {
9235 if(!pPEInfo->cliInfo.bValid)
9236 {
9237 if(pPEInfo->nEntryPointSection!=0)
9238 {
9239 if(pe.checkOffsetSize(pPEInfo->osEntryPointSection)&&(pPEInfo->basic_info.bIsDeepScan))
9240 {
9241 qint64 _nOffset=pPEInfo->osEntryPointSection.nOffset;
9242 qint64 _nSize=pPEInfo->osEntryPointSection.nSize;
9243
9244 qint64 nOffset_Version=pe.find_ansiString(_nOffset,_nSize,"NeoLite Executable File Compressor");
9245
9246 if(nOffset_Version!=-1)
9247 {
9248 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PACKER,RECORD_NAME_NEOLITE,"1.0","",0);
9249 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9250 }
9251 }
9252 }
9253 }
9254 }
9255 }
9256
PE_handle_PrivateEXEProtector(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9257 void SpecAbstract::PE_handle_PrivateEXEProtector(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9258 {
9259 XPE pe(pDevice,bIsImage);
9260
9261 if(pe.isValid())
9262 {
9263 if(!pPEInfo->cliInfo.bValid)
9264 {
9265 bool bKernel32ExitProcess=false;
9266 bool bKernel32=false;
9267 bool bUser32=false;
9268 bool bCharacteristics=false;
9269 bool bPEPLinker=false;
9270 bool bTurboLinker=false;
9271
9272 if(pPEInfo->listImports.count()>=1)
9273 {
9274 if(pPEInfo->listImports.at(0).sName=="KERNEL32.DLL")
9275 {
9276 if(pPEInfo->listImports.at(0).listPositions.count()==1)
9277 {
9278 bKernel32=true;
9279
9280 if(pPEInfo->listImports.at(0).listPositions.at(0).sName=="ExitProcess")
9281 {
9282 bKernel32ExitProcess=true;
9283 }
9284 }
9285 }
9286 }
9287
9288 if(pPEInfo->listImports.count()==2)
9289 {
9290 if(pPEInfo->listImports.at(1).sName=="USER32.DLL")
9291 {
9292 if(pPEInfo->listImports.at(1).listPositions.count()==1)
9293 {
9294 bUser32=true;
9295 }
9296 }
9297 }
9298
9299 int nNumberOfSections=pPEInfo->listSectionHeaders.count();
9300
9301 for(int i=0;i<nNumberOfSections;i++)
9302 {
9303 if((pPEInfo->listSectionHeaders.at(i).Characteristics&0xFFFF)==0)
9304 {
9305 bCharacteristics=true;
9306 break;
9307 }
9308 }
9309
9310 bPEPLinker=pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PRIVATEEXEPROTECTOR);
9311 bTurboLinker=pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TURBOLINKER);
9312
9313 if(bKernel32ExitProcess&&bCharacteristics&&bPEPLinker)
9314 {
9315 _SCANS_STRUCT ss=pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PRIVATEEXEPROTECTOR);
9316
9317 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9318 }
9319
9320 if(bKernel32&&bCharacteristics&&bTurboLinker)
9321 {
9322 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_PRIVATEEXEPROTECTOR,"2.25","",0);
9323
9324 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9325 }
9326
9327 if(bKernel32&&bUser32&&bCharacteristics&&bTurboLinker)
9328 {
9329 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_PRIVATEEXEPROTECTOR,"2.30-2.70","",0);
9330
9331 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9332 }
9333 }
9334 }
9335 }
9336
PE_handle_VisualBasicCryptors(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9337 void SpecAbstract::PE_handle_VisualBasicCryptors(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9338 {
9339 XPE pe(pDevice,bIsImage);
9340
9341 if(pe.isValid())
9342 {
9343 // 1337 Exe Crypter
9344 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_1337EXECRYPTER))
9345 {
9346 if(XPE::isImportLibraryPresentI("MSVBVM60.DLL",&(pPEInfo->listImports)))
9347 {
9348 _SCANS_STRUCT ssOverlay=pPEInfo->mapOverlayDetects.value(RECORD_NAME_1337EXECRYPTER);
9349 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_PE,RECORD_TYPE_PROTECTOR,RECORD_NAME_1337EXECRYPTER,ssOverlay.sVersion,ssOverlay.sInfo,0);
9350 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9351 }
9352 }
9353
9354 // AGAINNATIVITYCRYPTER
9355 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_AGAINNATIVITYCRYPTER))
9356 {
9357 if(pPEInfo->mapOverlayDetects.contains(RECORD_NAME_AGAINNATIVITYCRYPTER))
9358 {
9359 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_AGAINNATIVITYCRYPTER);
9360
9361 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9362 }
9363 }
9364
9365 // AR Crypt
9366 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ARCRYPT))
9367 {
9368 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ARCRYPT);
9369
9370 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9371 }
9372
9373 // WingsCrypt
9374 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WINGSCRYPT)) // TODO more checks!
9375 {
9376 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WINGSCRYPT);
9377
9378 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9379 }
9380
9381 // Crypt R.Roads
9382 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRYPTRROADS)) // TODO more checks!
9383 {
9384 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CRYPTRROADS);
9385
9386 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9387 }
9388
9389 // Whitell Crypt
9390 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WHITELLCRYPT)) // TODO more checks!
9391 {
9392 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WHITELLCRYPT);
9393
9394 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9395 }
9396
9397 // ZeldaCrypt
9398 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ZELDACRYPT)) // TODO more checks!
9399 {
9400 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ZELDACRYPT);
9401
9402 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9403 }
9404
9405 // Biohazard Crypter
9406 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_BIOHAZARDCRYPTER)) // TODO more checks!
9407 {
9408 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_BIOHAZARDCRYPTER);
9409
9410 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9411 }
9412
9413 // Cryptable seducation
9414 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRYPTABLESEDUCATION)) // TODO more checks!
9415 {
9416 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CRYPTABLESEDUCATION);
9417
9418 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9419 }
9420
9421 // Cryptic
9422 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRYPTIC)) // TODO more checks!
9423 {
9424 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CRYPTIC);
9425
9426 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9427 }
9428
9429 // CRyptOZ
9430 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CRYPTOZ)) // TODO more checks!
9431 {
9432 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CRYPTOZ);
9433
9434 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9435 }
9436
9437 // Dirty Cryptor
9438 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DIRTYCRYPTOR)) // TODO more checks!
9439 {
9440 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_DIRTYCRYPTOR);
9441
9442 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9443 }
9444
9445 // Fakus Cryptor
9446 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FAKUSCRYPTOR)) // TODO more checks!
9447 {
9448 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_FAKUSCRYPTOR);
9449
9450 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9451 }
9452
9453 // Fast file Crypt
9454 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FASTFILECRYPT)) // TODO more checks!
9455 {
9456 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_FASTFILECRYPT);
9457
9458 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9459 }
9460
9461 // FileShield
9462 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FILESHIELD)) // TODO more checks!
9463 {
9464 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_FILESHIELD);
9465
9466 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9467 }
9468
9469 // GhaZza CryPter
9470 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_GHAZZACRYPTER)) // TODO more checks!
9471 {
9472 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_GHAZZACRYPTER);
9473
9474 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9475 }
9476
9477 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_H4CKY0UORGCRYPTER)) // TODO more checks!
9478 {
9479 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_H4CKY0UORGCRYPTER);
9480
9481 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9482 }
9483
9484 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HACCREWCRYPTER)) // TODO more checks!
9485 {
9486 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_HACCREWCRYPTER);
9487
9488 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9489 }
9490
9491 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HALVCRYPTER)) // TODO more checks!
9492 {
9493 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_HALVCRYPTER);
9494
9495 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9496 }
9497
9498 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KGBCRYPTER)) // TODO more checks!
9499 {
9500 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_KGBCRYPTER);
9501
9502 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9503 }
9504
9505 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KIAMSCRYPTOR)) // TODO more checks!
9506 {
9507 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_KIAMSCRYPTOR);
9508
9509 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9510 }
9511
9512 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KRATOSCRYPTER)) // TODO more checks!
9513 {
9514 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_KRATOSCRYPTER);
9515
9516 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9517 }
9518
9519 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_KUR0KX2TO)) // TODO more checks!
9520 {
9521 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_KUR0KX2TO);
9522
9523 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9524 }
9525
9526 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_LIGHTNINGCRYPTERPRIVATE)) // TODO more checks!
9527 {
9528 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_LIGHTNINGCRYPTERPRIVATE);
9529
9530 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9531 }
9532
9533 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_LIGHTNINGCRYPTERSCANTIME)) // TODO more checks!
9534 {
9535 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_LIGHTNINGCRYPTERSCANTIME);
9536
9537 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9538 }
9539
9540 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_LUCYPHER)) // TODO more checks!
9541 {
9542 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_LUCYPHER);
9543
9544 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9545 }
9546
9547 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MONEYCRYPTER)) // TODO more checks!
9548 {
9549 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MONEYCRYPTER);
9550
9551 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9552 }
9553
9554 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MORTALTEAMCRYPTER2)) // TODO more checks!
9555 {
9556 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MORTALTEAMCRYPTER2);
9557
9558 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9559 }
9560
9561 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NOXCRYPT)) // TODO more checks!
9562 {
9563 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_NOXCRYPT);
9564
9565 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9566 }
9567
9568 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PUSSYCRYPTER)) // TODO more checks!
9569 {
9570 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PUSSYCRYPTER);
9571
9572 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9573 }
9574
9575 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_RDGTEJONCRYPTER)) // TODO more checks!
9576 {
9577 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_RDGTEJONCRYPTER);
9578
9579 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9580 }
9581
9582 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_RDGTEJONCRYPTER)) // TODO more checks!
9583 {
9584 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_RDGTEJONCRYPTER);
9585
9586 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9587 }
9588
9589 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SMOKESCREENCRYPTER)) // TODO more checks!
9590 {
9591 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SMOKESCREENCRYPTER);
9592
9593 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9594 }
9595
9596 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SNOOPCRYPT)) // TODO more checks!
9597 {
9598 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SNOOPCRYPT);
9599
9600 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9601 }
9602
9603 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_STASFODIDOCRYPTOR)) // TODO more checks!
9604 {
9605 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_STASFODIDOCRYPTOR);
9606
9607 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9608 }
9609
9610 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_TSTCRYPTER)) // TODO more checks!
9611 {
9612 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_TSTCRYPTER);
9613
9614 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9615 }
9616
9617 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_TURKISHCYBERSIGNATURE)) // TODO more checks!
9618 {
9619 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_TURKISHCYBERSIGNATURE);
9620
9621 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9622 }
9623
9624 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_TURKOJANCRYPTER)) // TODO more checks!
9625 {
9626 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_TURKOJANCRYPTER);
9627
9628 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9629 }
9630
9631 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_UNDOCRYPTER)) // TODO more checks!
9632 {
9633 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_UNDOCRYPTER);
9634
9635 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9636 }
9637
9638 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WLCRYPT)) // TODO more checks!
9639 {
9640 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WLCRYPT);
9641
9642 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9643 }
9644
9645 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WOUTHRSEXECRYPTER)) // TODO more checks!
9646 {
9647 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WOUTHRSEXECRYPTER);
9648
9649 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9650 }
9651
9652 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ROGUEPACK)) // TODO more checks!
9653 {
9654 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ROGUEPACK);
9655
9656 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9657 }
9658 }
9659 }
9660
PE_handle_DelphiCryptors(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9661 void SpecAbstract::PE_handle_DelphiCryptors(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9662 {
9663 XPE pe(pDevice,bIsImage);
9664
9665 if(pe.isValid())
9666 {
9667 // Ass Crypter
9668 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ASSCRYPTER)) // TODO more checks!
9669 {
9670 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ASSCRYPTER);
9671
9672 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9673 }
9674
9675 // Aase
9676 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_AASE)) // TODO more checks!
9677 {
9678 // if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_AASE))
9679 // {
9680 // _SCANS_STRUCT ss=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_AASE);
9681 // pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9682 // }
9683
9684 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_AASE);
9685 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9686 }
9687
9688 // Anskya Polymorphic Packer
9689 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ANSKYAPOLYMORPHICPACKER)) // TODO more checks!
9690 {
9691 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ANSKYAPOLYMORPHICPACKER);
9692
9693 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9694 }
9695
9696 // AnslymPacker
9697 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ANSLYMPACKER)) // TODO more checks!
9698 {
9699 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ANSLYMPACKER);
9700
9701 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9702 }
9703
9704 // Cigicigi Crypter
9705 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CIGICIGICRYPTER)) // TODO more checks!
9706 {
9707 if(XPE::isResourcePresent(XPE_DEF::S_RT_RCDATA,"AYARLAR",&(pPEInfo->listResources)))
9708 {
9709 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_CIGICIGICRYPTER);
9710
9711 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9712 }
9713 }
9714
9715 // fEaRz Crypter
9716 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FEARZCRYPTER)) // TODO more checks!
9717 {
9718 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_FEARZCRYPTER);
9719
9720 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9721 }
9722
9723 // fEaRz Packer
9724 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_FEARZPACKER)) // TODO more checks!
9725 {
9726 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_FEARZPACKER);
9727
9728 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9729 }
9730
9731 // GKripto
9732 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_GKRIPTO)) // TODO more checks!
9733 {
9734 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_GKRIPTO);
9735
9736 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9737 }
9738
9739 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_HOUNDHACKCRYPTER)) // TODO more checks!
9740 {
9741 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_HOUNDHACKCRYPTER);
9742
9743 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9744 }
9745
9746 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_ICRYPT)) // TODO more checks!
9747 {
9748 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_ICRYPT);
9749
9750 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9751 }
9752
9753 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_INFCRYPTOR)) // TODO more checks!
9754 {
9755 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_INFCRYPTOR);
9756
9757 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9758 }
9759
9760 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MALPACKER)) // TODO more checks!
9761 {
9762 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MALPACKER);
9763
9764 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9765 }
9766
9767 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MINKE)) // TODO more checks!
9768 {
9769 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MINKE);
9770
9771 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9772 }
9773
9774 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MORTALTEAMCRYPTER)) // TODO more checks!
9775 {
9776 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MORTALTEAMCRYPTER);
9777
9778 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9779 }
9780
9781 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MORUKCREWCRYPTERPRIVATE)) // TODO more checks!
9782 {
9783 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MORUKCREWCRYPTERPRIVATE);
9784
9785 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9786 }
9787
9788 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_MRUNDECTETABLE)) // TODO more checks!
9789 {
9790 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_MRUNDECTETABLE);
9791
9792 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9793 }
9794
9795 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NIDHOGG)) // TODO more checks!
9796 {
9797 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_NIDHOGG);
9798
9799 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9800 }
9801
9802 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NME)) // TODO more checks!
9803 {
9804 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_NME);
9805
9806 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9807 }
9808
9809 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_OPENSOURCECODECRYPTER)) // TODO more checks!
9810 {
9811 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_OPENSOURCECODECRYPTER);
9812
9813 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9814 }
9815
9816 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_OSCCRYPTER)) // TODO more checks!
9817 {
9818 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_OSCCRYPTER);
9819
9820 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9821 }
9822
9823 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_P0KESCRAMBLER)) // TODO more checks!
9824 {
9825 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_P0KESCRAMBLER);
9826
9827 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9828 }
9829
9830 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PANDORA)) // TODO more checks!
9831 {
9832 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PANDORA);
9833
9834 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9835 }
9836
9837 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PFECX)) // TODO more checks!
9838 {
9839 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PFECX);
9840
9841 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9842 }
9843
9844 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PICRYPTOR)) // TODO more checks!
9845 {
9846 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PICRYPTOR);
9847
9848 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9849 }
9850
9851 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_POKECRYPTER)) // TODO more checks!
9852 {
9853 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_POKECRYPTER);
9854
9855 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9856 }
9857
9858 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_PUBCRYPTER)) // TODO more checks!
9859 {
9860 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_PUBCRYPTER);
9861
9862 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9863 }
9864
9865 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SIMCRYPTER)) // TODO more checks!
9866 {
9867 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SIMCRYPTER);
9868
9869 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9870 }
9871
9872 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SEXECRYPTER)) // TODO more checks!
9873 {
9874 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SEXECRYPTER);
9875
9876 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9877 }
9878
9879 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_SIMPLECRYPTER)) // TODO more checks!
9880 {
9881 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_SIMPLECRYPTER);
9882
9883 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9884 }
9885
9886 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_TGRCRYPTER)) // TODO more checks!
9887 {
9888 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_TGRCRYPTER);
9889
9890 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9891 }
9892
9893 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_THEZONECRYPTER)) // TODO more checks!
9894 {
9895 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_THEZONECRYPTER);
9896
9897 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9898 }
9899
9900 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_UNDERGROUNDCRYPTER)) // TODO more checks!
9901 {
9902 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_UNDERGROUNDCRYPTER);
9903
9904 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9905 }
9906
9907 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_UNKOWNCRYPTER)) // TODO more checks!
9908 {
9909 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_UNKOWNCRYPTER);
9910
9911 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9912 }
9913
9914 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WINDOFCRYPT)) // TODO more checks!
9915 {
9916 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WINDOFCRYPT);
9917
9918 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9919 }
9920
9921 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_WLGROUPCRYPTER)) // TODO more checks!
9922 {
9923 _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_WLGROUPCRYPTER);
9924
9925 pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9926 }
9927
9928 // if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DCRYPTPRIVATE)) // TODO more checks!
9929 // {
9930 // _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_DCRYPTPRIVATE);
9931
9932 // pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9933 // }
9934
9935 // if(pPEInfo->mapImportDetects.contains(RECORD_NAME_DALKRYPT)) // TODO more checks!
9936 // {
9937 // _SCANS_STRUCT ss=pPEInfo->mapImportDetects.value(RECORD_NAME_DALKRYPT);
9938
9939 // pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
9940 // }
9941 }
9942 }
9943
PE_handle_Joiners(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)9944 void SpecAbstract::PE_handle_Joiners(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
9945 {
9946 XPE pe(pDevice,bIsImage);
9947
9948 if(pe.isValid())
9949 {
9950 // Blade Joiner
9951 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_BLADEJOINER))
9952 {
9953 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_BLADEJOINER))
9954 {
9955 if(pPEInfo->nOverlaySize)
9956 {
9957 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_BLADEJOINER);
9958 pPEInfo->mapResultJoiners.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
9959 }
9960 }
9961 }
9962
9963 // ExeJoiner
9964 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_EXEJOINER))
9965 {
9966 if(pPEInfo->mapEntryPointDetects.contains(RECORD_NAME_EXEJOINER))
9967 {
9968 if(pPEInfo->nOverlaySize)
9969 {
9970 _SCANS_STRUCT recordSS=pPEInfo->mapEntryPointDetects.value(RECORD_NAME_EXEJOINER);
9971 pPEInfo->mapResultJoiners.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
9972 }
9973 }
9974 }
9975
9976 // Celesty File Binder
9977 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_CELESTYFILEBINDER))
9978 {
9979 if(pe.isResourcePresent("RBIND",-1,&(pPEInfo->listResources)))
9980 {
9981 _SCANS_STRUCT recordSS=pPEInfo->mapImportDetects.value(RECORD_NAME_CELESTYFILEBINDER);
9982 pPEInfo->mapResultJoiners.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
9983 }
9984 }
9985
9986 // N-Joiner
9987 if(pPEInfo->mapImportDetects.contains(RECORD_NAME_NJOINER))
9988 {
9989 if(pe.isResourcePresent("NJ",-1,&(pPEInfo->listResources))||pe.isResourcePresent("NJOY",-1,&(pPEInfo->listResources)))
9990 {
9991 _SCANS_STRUCT recordSS=pPEInfo->mapImportDetects.value(RECORD_NAME_NJOINER);
9992 pPEInfo->mapResultJoiners.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
9993 }
9994 }
9995 }
9996 }
9997
PE_isProtectionPresent(SpecAbstract::PEINFO_STRUCT * pPEInfo)9998 bool SpecAbstract::PE_isProtectionPresent(SpecAbstract::PEINFO_STRUCT *pPEInfo)
9999 {
10000 return (pPEInfo->mapResultPackers.count()||
10001 pPEInfo->mapResultProtectors.count()||
10002 pPEInfo->mapResultSFX.count()||
10003 pPEInfo->mapResultInstallers.count()||
10004 pPEInfo->mapResultNETObfuscators.count()||
10005 pPEInfo->mapResultDongleProtection.count());
10006 }
10007
PE_handle_UnknownProtection(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)10008 void SpecAbstract::PE_handle_UnknownProtection(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
10009 {
10010 XPE pe(pDevice,bIsImage);
10011
10012 if(pe.isValid())
10013 {
10014 #ifdef QT_DEBUG
10015 // int i=pPEInfo->listImportPositionHashes.count()-1;
10016
10017 // if(i>0)
10018 // {
10019 // if(pPEInfo->listImports.at(i).listPositions.count()>1)
10020 // {
10021 // _SCANS_STRUCT ss={};
10022
10023 // ss.type=RECORD_TYPE_PROTECTOR;
10024 // ss.name=(SpecAbstract::RECORD_NAME)(RECORD_NAME_UNKNOWN0+i);
10025 // ss.sVersion=QString("%1").arg(pPEInfo->listImportPositionHashes.at(i),0,16);
10026 // ss.bIsHeuristic=true;
10027
10028 // pPEInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
10029 // }
10030 // }
10031
10032 #endif
10033
10034 if(!PE_isProtectionPresent(pPEInfo))
10035 {
10036 if(pPEInfo->listSectionRecords.count())
10037 {
10038 if(pPEInfo->listSectionRecords.at(0).nSize==0)
10039 {
10040 if( pPEInfo->mapImportDetects.contains(RECORD_NAME_UPX)&&
10041 (pPEInfo->mapImportDetects.value(RECORD_NAME_UPX).nVariant==0))
10042 {
10043 _SCANS_STRUCT ss={};
10044
10045 ss.type=RECORD_TYPE_PACKER;
10046 ss.name=RECORD_NAME_UNK_UPXLIKE;
10047 ss.bIsHeuristic=true;
10048
10049 pPEInfo->mapResultPackers.insert(ss.name,scansToScan(&(pPEInfo->basic_info),&ss));
10050 }
10051 }
10052 }
10053 }
10054
10055 if(!PE_isProtectionPresent(pPEInfo))
10056 {
10057 QMapIterator<RECORD_NAME,_SCANS_STRUCT> i(pPEInfo->mapEntryPointDetects);
10058
10059 while(i.hasNext())
10060 {
10061 i.next();
10062
10063 _SCANS_STRUCT recordSS=i.value();
10064
10065 if(recordSS.name!=RECORD_NAME_GENERIC)
10066 {
10067 recordSS.bIsHeuristic=true;
10068
10069 if(recordSS.type==RECORD_TYPE_PACKER)
10070 {
10071 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10072 }
10073 else if(recordSS.type==RECORD_TYPE_PROTECTOR)
10074 {
10075 pPEInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10076 }
10077 }
10078 }
10079 }
10080
10081 if((!pPEInfo->mapResultPackers.contains(RECORD_NAME_UPX))&&(!pPEInfo->mapResultPackers.contains(RECORD_NAME_UNK_UPXLIKE)))
10082 {
10083 VI_STRUCT viUPX=get_UPX_vi(pDevice,bIsImage,pPEInfo->osHeader.nOffset,pPEInfo->osHeader.nSize,XBinary::FT_PE);
10084
10085 if((viUPX.bIsValid))
10086 {
10087 _SCANS_STRUCT recordSS={};
10088
10089 recordSS.type=RECORD_TYPE_PACKER;
10090 recordSS.name=RECORD_NAME_UPX;
10091 recordSS.sVersion=viUPX.sVersion;
10092 recordSS.sInfo=viUPX.sInfo;
10093 recordSS.bIsHeuristic=true;
10094
10095 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10096 }
10097 }
10098
10099 if(!pPEInfo->mapResultPackers.contains(RECORD_NAME_ASPACK))
10100 {
10101 if(XPE::isSectionNamePresent(".aspack",&(pPEInfo->listSectionHeaders))&&XPE::isSectionNamePresent(".adata",&(pPEInfo->listSectionHeaders)))
10102 {
10103 _SCANS_STRUCT recordSS={};
10104
10105 recordSS.type=RECORD_TYPE_PACKER;
10106 recordSS.name=RECORD_NAME_ASPACK;
10107 recordSS.sVersion="2.12-2.XX";
10108 recordSS.bIsHeuristic=true;
10109
10110 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10111 }
10112 }
10113
10114 if(!pPEInfo->mapResultPackers.contains(RECORD_NAME_PECOMPACT))
10115 {
10116 VI_STRUCT viPECompact=PE_get_PECompact_vi(pDevice,bIsImage,pPEInfo);
10117
10118 if(viPECompact.bIsValid)
10119 {
10120 _SCANS_STRUCT recordSS={};
10121
10122 recordSS.type=RECORD_TYPE_PACKER;
10123 recordSS.name=RECORD_NAME_PECOMPACT;
10124 recordSS.sVersion=viPECompact.sVersion;
10125 recordSS.sInfo=viPECompact.sInfo;
10126 recordSS.bIsHeuristic=true;
10127
10128 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10129 }
10130 }
10131
10132 if(!pPEInfo->mapResultPackers.contains(RECORD_NAME_KKRUNCHY))
10133 {
10134 if( pPEInfo->mapSectionNamesDetects.contains(RECORD_NAME_KKRUNCHY)&&
10135 (pPEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_KKRUNCHY).nVariant==0))
10136 {
10137 _SCANS_STRUCT recordSS={};
10138
10139 recordSS.type=RECORD_TYPE_PACKER;
10140 recordSS.name=RECORD_NAME_KKRUNCHY;
10141 recordSS.bIsHeuristic=true;
10142
10143 pPEInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pPEInfo->basic_info),&recordSS));
10144 }
10145 }
10146 }
10147 }
10148
PE_handle_FixDetects(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)10149 void SpecAbstract::PE_handle_FixDetects(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
10150 {
10151 Q_UNUSED(pDevice)
10152 Q_UNUSED(bIsImage)
10153
10154 if( pPEInfo->mapResultPackers.contains(RECORD_NAME_RLPACK)||
10155 pPEInfo->mapResultPackers.contains(RECORD_NAME_BACKDOORPECOMPRESSPROTECTOR))
10156 {
10157 pPEInfo->mapResultLinkers.remove(RECORD_NAME_MICROSOFTLINKER);
10158 pPEInfo->mapResultCompilers.remove(RECORD_NAME_MASM);
10159 pPEInfo->mapResultTools.remove(RECORD_NAME_MASM32);
10160 }
10161
10162 if( pPEInfo->mapResultPackers.contains(RECORD_NAME_AHPACKER)||
10163 pPEInfo->mapResultPackers.contains(RECORD_NAME_EPEXEPACK))
10164 {
10165 pPEInfo->mapResultPackers.remove(RECORD_NAME_AHPACKER);
10166 }
10167
10168 // Check SafeEngine
10169 if( pPEInfo->mapResultCompilers.contains(RECORD_NAME_VISUALCCPP)&&
10170 pPEInfo->mapResultCompilers.contains(RECORD_NAME_BORLANDOBJECTPASCAL))
10171 {
10172 pPEInfo->mapResultCompilers.remove(RECORD_NAME_BORLANDOBJECTPASCAL);
10173 }
10174
10175 if( pPEInfo->mapResultLinkers.contains(RECORD_NAME_MICROSOFTLINKER)&&
10176 pPEInfo->mapResultLinkers.contains(RECORD_NAME_TURBOLINKER))
10177 {
10178 pPEInfo->mapResultLinkers.remove(RECORD_NAME_TURBOLINKER);
10179 }
10180
10181 if( pPEInfo->mapResultTools.contains(RECORD_NAME_MICROSOFTVISUALSTUDIO)&&
10182 pPEInfo->mapResultTools.contains(RECORD_NAME_BORLANDDELPHI))
10183 {
10184 pPEInfo->mapResultTools.remove(RECORD_NAME_BORLANDDELPHI);
10185 }
10186
10187 if( pPEInfo->mapResultPackers.contains(RECORD_NAME_SIMPLEPACK)&&
10188 pPEInfo->mapResultCompilers.contains(RECORD_NAME_FASM))
10189 {
10190 pPEInfo->mapResultCompilers.remove(RECORD_NAME_FASM);
10191 }
10192 }
10193
PE_handleLanguages(QIODevice * pDevice,bool bIsImage,PEINFO_STRUCT * pPEInfo)10194 void SpecAbstract::PE_handleLanguages(QIODevice *pDevice, bool bIsImage, PEINFO_STRUCT *pPEInfo)
10195 {
10196 Q_UNUSED(pDevice)
10197 Q_UNUSED(bIsImage)
10198
10199 getLanguage(&(pPEInfo->mapResultLinkers),&(pPEInfo->mapResultLanguages));
10200 getLanguage(&(pPEInfo->mapResultCompilers),&(pPEInfo->mapResultLanguages));
10201 getLanguage(&(pPEInfo->mapResultLibraries),&(pPEInfo->mapResultLanguages));
10202 getLanguage(&(pPEInfo->mapResultTools),&(pPEInfo->mapResultLanguages));
10203 getLanguage(&(pPEInfo->mapResultPackers),&(pPEInfo->mapResultLanguages));
10204
10205 fixLanguage(&(pPEInfo->mapResultLanguages));
10206 }
10207
PE_handle_Recursive(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo,SpecAbstract::SCAN_OPTIONS * pOptions,bool * pbIsStop)10208 void SpecAbstract::PE_handle_Recursive(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo, SpecAbstract::SCAN_OPTIONS *pOptions, bool *pbIsStop)
10209 {
10210 if(pOptions->bRecursiveScan)
10211 {
10212 XPE pe(pDevice,bIsImage);
10213
10214 if(pe.isValid())
10215 {
10216 if(pPEInfo->nOverlaySize)
10217 {
10218 SpecAbstract::SCAN_RESULT scanResult={0};
10219
10220 SpecAbstract::ID _parentId=pPEInfo->basic_info.id;
10221 _parentId.filePart=SpecAbstract::RECORD_FILEPART_OVERLAY;
10222 scan(pDevice,&scanResult,pPEInfo->nOverlayOffset,pPEInfo->nOverlaySize,_parentId,pOptions,false,pbIsStop);
10223
10224 pPEInfo->listRecursiveDetects.append(scanResult.listRecords);
10225 }
10226 }
10227 }
10228 }
10229
Binary_handle_Texts(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10230 void SpecAbstract::Binary_handle_Texts(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10231 {
10232 XBinary binary(pDevice,bIsImage);
10233
10234 if((pBinaryInfo->bIsPlainText)||(pBinaryInfo->unicodeType!=XBinary::UNICODE_TYPE_NONE)||(pBinaryInfo->bIsUTF8))
10235 {
10236 int nSignaturesCount=sizeof(_TEXT_Exp_records)/sizeof(STRING_RECORD);
10237
10238 for(int i=0; i<nSignaturesCount; i++) // TODO move to an own function !!!
10239 {
10240 if(XBinary::isRegExpPresent(_TEXT_Exp_records[i].pszString,pBinaryInfo->sHeaderText))
10241 {
10242 _SCANS_STRUCT record={};
10243 record.nVariant=_TEXT_Exp_records[i].basicInfo.nVariant;
10244 record.fileType=_TEXT_Exp_records[i].basicInfo.fileType;
10245 record.type=_TEXT_Exp_records[i].basicInfo.type;
10246 record.name=_TEXT_Exp_records[i].basicInfo.name;
10247 record.sVersion=_TEXT_Exp_records[i].basicInfo.pszVersion;
10248 record.sInfo=_TEXT_Exp_records[i].basicInfo.pszInfo;
10249 record.nOffset=0;
10250
10251 pBinaryInfo->mapTextHeaderDetects.insert(record.name,record);
10252 }
10253 }
10254
10255 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_CCPP))
10256 {
10257 _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_CCPP);
10258 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10259 }
10260
10261 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_PYTHON))
10262 {
10263 if((pBinaryInfo->sHeaderText.contains("class"))&&(pBinaryInfo->sHeaderText.contains("self")))
10264 {
10265 _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_PYTHON);
10266 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10267 }
10268 }
10269
10270 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_HTML))
10271 {
10272 _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_HTML);
10273 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10274 }
10275
10276 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_XML))
10277 {
10278 _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_XML);
10279 ss.sVersion=XBinary::regExp("version=['\"](.*?)['\"]",pBinaryInfo->sHeaderText,1);
10280
10281 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10282 }
10283
10284 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_PHP))
10285 {
10286 _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_PHP);
10287 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10288 }
10289
10290 // if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_PERL))
10291 // {
10292 // _SCANS_STRUCT ss=pBinaryInfo->mapTextHeaderDetects.value(RECORD_NAME_PERL);
10293 // pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10294 // }
10295
10296 if(pBinaryInfo->mapTextHeaderDetects.contains(RECORD_NAME_SHELL))
10297 {
10298 QString sInterpreter;
10299
10300 if(sInterpreter=="") sInterpreter=XBinary::regExp("#!\\/usr\\/local\\/bin\\/(\\w+)", pBinaryInfo->sHeaderText,1); // #!/usr/local/bin/ruby
10301 if(sInterpreter=="") sInterpreter=XBinary::regExp("#!\\/usr\\/bin\\/env (\\w+)", pBinaryInfo->sHeaderText,1); // #!/usr/bin/env perl
10302 if(sInterpreter=="") sInterpreter=XBinary::regExp("#!\\/usr\\/bin\\/(\\w+)", pBinaryInfo->sHeaderText,1); // #!/usr/bin/perl
10303 if(sInterpreter=="") sInterpreter=XBinary::regExp("#!\\/bin\\/(\\w+)", pBinaryInfo->sHeaderText,1); // #!/bin/sh
10304 if(sInterpreter=="") sInterpreter=XBinary::regExp("#!(\\w+)", pBinaryInfo->sHeaderText,1); // #!perl
10305
10306 if(sInterpreter=="perl")
10307 {
10308 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_SOURCECODE,RECORD_NAME_PERL,"","",0);
10309 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10310 }
10311 else if(sInterpreter=="sh")
10312 {
10313 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_SOURCECODE,RECORD_NAME_SHELL,"","",0);
10314 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10315 }
10316 else if(sInterpreter=="ruby")
10317 {
10318 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_SOURCECODE,RECORD_NAME_RUBY,"","",0);
10319 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10320 }
10321 else if(sInterpreter=="python")
10322 {
10323 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_SOURCECODE,RECORD_NAME_PYTHON,"","",0);
10324 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10325 }
10326 else
10327 {
10328 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_SOURCECODE,RECORD_NAME_SHELL,sInterpreter,"",0);
10329 pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10330 }
10331 }
10332
10333 // if(pBinaryInfo->mapResultTexts.count()==0)
10334 // {
10335 // _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_TEXT,RECORD_TYPE_FORMAT,RECORD_NAME_PLAIN,"","",0);
10336
10337 // if(pBinaryInfo->unicodeType!=XBinary::UNICODE_TYPE_NONE)
10338 // {
10339 // ss.name=RECORD_NAME_UNICODE;
10340
10341 // if(pBinaryInfo->unicodeType==XBinary::UNICODE_TYPE_BE)
10342 // {
10343 // ss.sVersion="Big Endian";
10344 // }
10345 // else if(pBinaryInfo->unicodeType==XBinary::UNICODE_TYPE_LE)
10346 // {
10347 // ss.sVersion="Little Endian";
10348 // }
10349 // }
10350 // else if(pBinaryInfo->bIsUTF8)
10351 // {
10352 // ss.name=RECORD_NAME_UTF8;
10353 // }
10354 // else if(pBinaryInfo->bIsPlainText)
10355 // {
10356 // ss.name=RECORD_NAME_PLAIN;
10357 // }
10358
10359 // pBinaryInfo->mapResultTexts.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10360 // }
10361 }
10362 }
10363
Binary_handle_COM(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10364 void SpecAbstract::Binary_handle_COM(QIODevice *pDevice, bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10365 {
10366 XBinary binary(pDevice,bIsImage);
10367
10368 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PKLITE))
10369 {
10370 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10371 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PKLITE);
10372 pBinaryInfo->mapResultCOMPackers.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10373 }
10374
10375 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_UPX))
10376 {
10377 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10378 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_UPX);
10379 pBinaryInfo->mapResultCOMPackers.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10380 }
10381
10382 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_HACKSTOP))
10383 {
10384 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10385 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_HACKSTOP);
10386 pBinaryInfo->mapResultCOMProtectors.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10387 }
10388
10389 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_CRYPTDISMEMBER))
10390 {
10391 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10392 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_CRYPTDISMEMBER);
10393 pBinaryInfo->mapResultCOMProtectors.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10394 }
10395
10396 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SPIRIT))
10397 {
10398 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10399 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SPIRIT);
10400 pBinaryInfo->mapResultCOMProtectors.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10401 }
10402
10403 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ICE))
10404 {
10405 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10406 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ICE);
10407 pBinaryInfo->mapResultCOMPackers.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10408 }
10409
10410 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DIET))
10411 {
10412 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10413 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_DIET);
10414 pBinaryInfo->mapResultCOMPackers.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10415 }
10416
10417 if(pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_CRYPTCOM))
10418 {
10419 pBinaryInfo->basic_info.id.fileType=XBinary::FT_COM;
10420 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_CRYPTCOM);
10421 pBinaryInfo->mapResultCOMProtectors.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10422 }
10423
10424 if(pBinaryInfo->mapResultCOMProtectors.size()||pBinaryInfo->mapResultCOMPackers.size())
10425 {
10426 _SCANS_STRUCT ssOperationSystem=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_MSDOS,"","",0);
10427
10428 pBinaryInfo->mapResultOperationSystems.insert(ssOperationSystem.name,scansToScan(&(pBinaryInfo->basic_info),&ssOperationSystem));
10429 }
10430 }
10431
Binary_handle_Archives(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10432 void SpecAbstract::Binary_handle_Archives(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10433 {
10434 XBinary binary(pDevice,bIsImage);
10435
10436 // 7-Zip
10437 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_7Z))&&(pBinaryInfo->basic_info.nSize>=64))
10438 {
10439 // // TODO more options
10440 // _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_7Z);
10441
10442 // if(ss.type==RECORD_TYPE_ARCHIVE)
10443 // {
10444 // ss.sVersion=QString("%1.%2").arg(XBinary::hexToUint8(pBinaryInfo->basic_info.sHeaderSignature.mid(6*2,2))).arg(XBinary::hexToUint8(pBinaryInfo->basic_info.sHeaderSignature.mid(7*2,2)));
10445 // pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10446 // }
10447
10448 XSevenZip xsevenzip(pDevice);
10449
10450 if(xsevenzip.isValid())
10451 {
10452 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10453
10454 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_7Z);
10455
10456 ss.sVersion=xsevenzip.getVersion();
10457 // ss.sInfo=QString("%1 records").arg(xsevenzip.getNumberOfRecords());
10458
10459 // TODO options
10460 // TODO files
10461 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10462 }
10463 }
10464 // ZIP
10465 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ZIP))&&(pBinaryInfo->basic_info.nSize>=64)) // TODO min size
10466 {
10467 XZip xzip(pDevice);
10468
10469 if(xzip.isValid())
10470 {
10471 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10472 // TODO deep scan
10473 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ZIP);
10474
10475 ss.sVersion=xzip.getVersion();
10476 ss.sInfo=QString("%1 records").arg(xzip.getNumberOfRecords());
10477
10478 if(xzip.isEncrypted())
10479 {
10480 ss.sInfo=append(ss.sInfo,"Encrypted");
10481 }
10482
10483 // TODO files
10484 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10485 }
10486 }
10487 // GZIP
10488 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GZIP))&&(pBinaryInfo->basic_info.nSize>=9))
10489 {
10490 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10491 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_GZIP);
10492
10493 // TODO options
10494 // TODO files
10495 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10496 }
10497 // xar
10498 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_XAR))&&(pBinaryInfo->basic_info.nSize>=9))
10499 {
10500 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10501 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_XAR);
10502
10503 // TODO options
10504 // TODO files
10505 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10506 }
10507 // LZFSE
10508 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LZFSE))&&(pBinaryInfo->basic_info.nSize>=9))
10509 {
10510 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10511 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LZFSE);
10512
10513 // TODO options
10514 // TODO files
10515 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10516 }
10517 // CAB
10518 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_CAB))&&(pBinaryInfo->basic_info.nSize>=30))
10519 {
10520 XCab xcab(pDevice);
10521
10522 if(xcab.isValid())
10523 {
10524 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10525 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_CAB);
10526
10527 ss.sVersion=xcab.getVersion();
10528 ss.sInfo=QString("%1 records").arg(xcab.getNumberOfRecords());
10529
10530 // TODO options
10531 // TODO files
10532 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10533 }
10534 }
10535 // MAch-O FAT
10536 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MACHOFAT))&&(pBinaryInfo->basic_info.nSize>=30))
10537 {
10538 XMACHOFat xmachofat(pDevice);
10539
10540 if(xmachofat.isValid())
10541 {
10542 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10543 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MACHOFAT);
10544
10545 ss.sVersion=xmachofat.getVersion();
10546 ss.sInfo=QString("%1 records").arg(xmachofat.getNumberOfRecords());
10547
10548 // TODO options
10549 // TODO files
10550 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10551 }
10552 }
10553 // RAR
10554 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_RAR))&&(pBinaryInfo->basic_info.nSize>=64))
10555 {
10556 XRar xrar(pDevice);
10557
10558 if(xrar.isValid())
10559 {
10560 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10561 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_RAR);
10562
10563 ss.sVersion=xrar.getVersion();
10564
10565 // TODO options
10566 // TODO files
10567 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10568 }
10569 }
10570 // zlib
10571 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ZLIB))&&(pBinaryInfo->basic_info.nSize>=32))
10572 {
10573 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10574 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ZLIB);
10575
10576 // TODO options
10577 // TODO files
10578 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10579 }
10580 // XZ
10581 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_XZ))&&(pBinaryInfo->basic_info.nSize>=32))
10582 {
10583 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10584 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_XZ);
10585
10586 // TODO options
10587 // TODO files
10588 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10589 }
10590 // ARJ
10591 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ARJ))&&(pBinaryInfo->basic_info.nSize>=4))
10592 {
10593 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10594 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ARJ);
10595
10596 // TODO options
10597 // TODO files
10598 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10599 }
10600 // LHA
10601 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LHA))&&(pBinaryInfo->basic_info.nSize>=4))
10602 {
10603 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LHA);
10604
10605 bool bDetected=false;
10606
10607 switch(binary.read_uint8(0x5))
10608 {
10609 case 0x30: bDetected=1; break;
10610 case 0x31: bDetected=1; break;
10611 case 0x32: bDetected=1; break;
10612 case 0x33: bDetected=1; break;
10613 case 0x34: bDetected=1; break;
10614 case 0x35: bDetected=1; break;
10615 case 0x36: bDetected=1; break;
10616 case 0x64: bDetected=1; break;
10617 case 0x73: bDetected=1; break;
10618 }
10619
10620 if(bDetected)
10621 {
10622 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10623 // TODO options
10624 // TODO files
10625 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10626 }
10627 }
10628 // BZIP2
10629 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_BZIP2))&&(pBinaryInfo->basic_info.nSize>=9))
10630 {
10631 pBinaryInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
10632 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_BZIP2);
10633
10634 // TODO options
10635 // TODO files
10636 pBinaryInfo->mapResultArchives.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10637 }
10638 }
10639
Binary_handle_Certificates(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10640 void SpecAbstract::Binary_handle_Certificates(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10641 {
10642 XBinary binary(pDevice,bIsImage);
10643
10644 // Windows Authenticode Portable Executable Signature Format
10645 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINAUTH))&&(pBinaryInfo->basic_info.nSize>=8))
10646 {
10647 quint32 nLength=XBinary::hexToUint32(pBinaryInfo->basic_info.sHeaderSignature.mid(0,8));
10648
10649 if(nLength>=pBinaryInfo->basic_info.nSize)
10650 {
10651 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINAUTH);
10652 pBinaryInfo->mapResultCertificates.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10653 }
10654 }
10655 }
10656
Binary_handle_DebugData(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10657 void SpecAbstract::Binary_handle_DebugData(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10658 {
10659 XBinary binary(pDevice,bIsImage);
10660
10661 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MINGW))&&(pBinaryInfo->basic_info.nSize>=8))
10662 {
10663 // MinGW debug data
10664 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MINGW);
10665 pBinaryInfo->mapResultDebugData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10666 }
10667 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PDBFILELINK))&&(pBinaryInfo->basic_info.nSize>=8))
10668 {
10669 // PDB File Link
10670 // TODO more infos
10671 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PDBFILELINK);
10672 pBinaryInfo->mapResultDebugData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10673 }
10674 }
10675
Binary_handle_Formats(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10676 void SpecAbstract::Binary_handle_Formats(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10677 {
10678 XBinary binary(pDevice,bIsImage);
10679
10680 if(pBinaryInfo->basic_info.nSize==0)
10681 {
10682 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_BINARY,RECORD_TYPE_FORMAT,RECORD_NAME_EMPTYFILE,"","",0);
10683 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10684 }
10685 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PDF))&&(pBinaryInfo->basic_info.nSize>=8))
10686 {
10687 // PDF
10688 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PDF);
10689 ss.sVersion=XBinary::hexToString(pBinaryInfo->basic_info.sHeaderSignature.mid(5*2,6));
10690 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10691 }
10692 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTCOMPOUND))&&(pBinaryInfo->basic_info.nSize>=8))
10693 {
10694 // Microsoft Compound
10695 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MICROSOFTCOMPOUND);
10696 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10697 }
10698 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTCOMPILEDHTMLHELP))&&(pBinaryInfo->basic_info.nSize>=8))
10699 {
10700 // Microsoft Compiled HTML Help
10701 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MICROSOFTCOMPILEDHTMLHELP);
10702 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10703 }
10704 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_AUTOIT))&&(pBinaryInfo->basic_info.nSize>=8))
10705 {
10706 // AutoIt Compiled Script
10707 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_AUTOIT);
10708 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10709 }
10710 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_RTF))&&(pBinaryInfo->basic_info.nSize>=8))
10711 {
10712 // RTF
10713 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_RTF);
10714 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10715 }
10716 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LUACOMPILED))&&(pBinaryInfo->basic_info.nSize>=8))
10717 {
10718 // Lua
10719 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LUACOMPILED);
10720 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10721 }
10722 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_JAVACOMPILEDCLASS))&&(pBinaryInfo->basic_info.nSize>=8))
10723 {
10724 // java
10725 quint16 nMinor=binary.read_uint16(4,true);
10726 quint16 nMajor=binary.read_uint16(6,true);
10727
10728 QString sVersion;
10729
10730 if(nMajor)
10731 {
10732 switch(nMajor)
10733 {
10734 case 0x2D: sVersion="JDK 1.1"; break;
10735 case 0x2E: sVersion="JDK 1.2"; break;
10736 case 0x2F: sVersion="JDK 1.3"; break;
10737 case 0x30: sVersion="JDK 1.4"; break;
10738 case 0x31: sVersion="Java SE 5.0"; break;
10739 case 0x32: sVersion="Java SE 6.0"; break;
10740 case 0x33: sVersion="Java SE 7"; break;
10741 case 0x34: sVersion="Java SE 8"; break;
10742 case 0x35: sVersion="Java SE 9"; break;
10743 case 0x36: sVersion="Java SE 10"; break;
10744 case 0x37: sVersion="Java SE 11"; break;
10745 case 0x38: sVersion="Java SE 12"; break;
10746 }
10747
10748 if((sVersion!="")&&(nMinor))
10749 {
10750 sVersion+=QString(".%1").arg(nMinor);
10751 }
10752
10753 if(sVersion!="")
10754 {
10755 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_JAVACOMPILEDCLASS);
10756 ss.sVersion=sVersion;
10757 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10758 }
10759 }
10760 }
10761 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_COFF))&&(pBinaryInfo->basic_info.nSize>=76))
10762 {
10763 // COFF
10764 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_COFF);
10765
10766 bool bDetected=false;
10767
10768 qint64 nOffset=binary.read_uint32(72,true)+58;
10769
10770 if(binary.compareSignature(&(pBinaryInfo->basic_info.memoryMap),"600A4C01",nOffset))
10771 {
10772 ss.sInfo="I386";
10773 bDetected=true;
10774 }
10775 if(binary.compareSignature(&(pBinaryInfo->basic_info.memoryMap),"600A6486",nOffset))
10776 {
10777 ss.sInfo="AMD64";
10778 bDetected=true;
10779 }
10780 if(binary.compareSignature(&(pBinaryInfo->basic_info.memoryMap),"600A0000FFFF....4C01",nOffset))
10781 {
10782 ss.sInfo="I386";
10783 bDetected=true;
10784 }
10785 if(binary.compareSignature(&(pBinaryInfo->basic_info.memoryMap),"600A0000FFFF....6486",nOffset))
10786 {
10787 ss.sInfo="AMD64";
10788 bDetected=true;
10789 }
10790
10791 if(bDetected)
10792 {
10793 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10794 }
10795 }
10796 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DEX))&&(pBinaryInfo->basic_info.nSize>=8))
10797 {
10798 // dex
10799 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_DEX);
10800 ss.sVersion=XBinary::hexToString(pBinaryInfo->basic_info.sHeaderSignature.mid(8,6));
10801 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10802 }
10803 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SWF))&&(pBinaryInfo->basic_info.nSize>=8))
10804 {
10805 // SWF
10806 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SWF);
10807 ss.sVersion=QString("%1").arg(binary.read_uint8(3));
10808 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10809 }
10810 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTWINHELP))&&(pBinaryInfo->basic_info.nSize>=8))
10811 {
10812 // Microsoft WinHelp
10813 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MICROSOFTWINHELP);
10814 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10815 }
10816 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MP3))&&(pBinaryInfo->basic_info.nSize>=8))
10817 {
10818 // MP3
10819 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MP3);
10820 // TODO Version
10821 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10822 }
10823 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MP4))&&(pBinaryInfo->basic_info.nSize>=8))
10824 {
10825 // MP4
10826 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MP4);
10827 // TODO Version
10828 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10829 }
10830 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINDOWSMEDIA))&&(pBinaryInfo->basic_info.nSize>=8))
10831 {
10832 // Windows Media
10833 // TODO WMV/WMA
10834 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINDOWSMEDIA);
10835 // TODO Version
10836 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10837 }
10838 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_FLASHVIDEO))&&(pBinaryInfo->basic_info.nSize>=8))
10839 {
10840 // Flash Video
10841 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_FLASHVIDEO);
10842 // TODO Version
10843 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10844 }
10845 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WAV))&&(pBinaryInfo->basic_info.nSize>=8))
10846 {
10847 // VAW
10848 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WAV);
10849 // TODO Version
10850 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10851 }
10852 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_AU))&&(pBinaryInfo->basic_info.nSize>=8))
10853 {
10854 // AU
10855 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_AU);
10856 // TODO Version
10857 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10858 }
10859 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DEB))&&(pBinaryInfo->basic_info.nSize>=8))
10860 {
10861 // DEB
10862 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_DEB);
10863 // TODO Version
10864 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10865 }
10866 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_AVI))&&(pBinaryInfo->basic_info.nSize>=8))
10867 {
10868 // DEB
10869 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_AVI);
10870 // TODO Version
10871 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10872 }
10873 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TTF))&&(pBinaryInfo->basic_info.nSize>=8))
10874 {
10875 // TTF
10876 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TTF);
10877 // TODO Version
10878 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10879 }
10880 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ANDROIDARSC))&&(pBinaryInfo->basic_info.nSize>=8))
10881 {
10882 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ANDROIDARSC);
10883 // TODO Version
10884 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10885 }
10886 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ANDROIDXML))&&(pBinaryInfo->basic_info.nSize>=8))
10887 {
10888 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ANDROIDXML);
10889 // TODO Version
10890 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10891 }
10892
10893 if(pBinaryInfo->basic_info.nSize>=0x8010)
10894 {
10895 if(binary.compareSignature("01'CD001'01",0x8000))
10896 {
10897 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_BINARY,RECORD_TYPE_FORMAT,RECORD_NAME_ISO9660,"","",0);
10898 // TODO Version
10899 pBinaryInfo->mapResultFormats.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10900 }
10901 }
10902 }
10903
Binary_handle_Databases(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10904 void SpecAbstract::Binary_handle_Databases(QIODevice *pDevice, bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10905 {
10906 XBinary binary(pDevice,bIsImage);
10907
10908 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PDB))&&(pBinaryInfo->basic_info.nSize>=32))
10909 {
10910 // PDB
10911 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PDB);
10912 pBinaryInfo->mapResultDatabases.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10913 }
10914 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTLINKERDATABASE))&&(pBinaryInfo->basic_info.nSize>=32))
10915 {
10916 // Microsoft Linker Database
10917 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MICROSOFTLINKERDATABASE);
10918 // ss.sVersion=QString("%1.%2").arg(QBinary::hexToString(pBinaryInfo->basic_info.sHeaderSignature.mid(32*2,4))).arg(QBinary::hexToString(pBinaryInfo->basic_info.sHeaderSignature.mid(34*2,4)));
10919 pBinaryInfo->mapResultDatabases.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10920 }
10921 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTACCESS))&&(pBinaryInfo->basic_info.nSize>=128))
10922 {
10923 // Microsoft Access Database
10924 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MICROSOFTACCESS);
10925
10926 quint32 nVersion=binary.read_int32(0x14);
10927
10928 switch(nVersion)
10929 {
10930 case 0x0000: ss.sVersion="JET3"; break;// TODO
10931 case 0x0001: ss.sVersion="JET4"; break;// TODO
10932 case 0x0002: ss.sVersion="2007"; break;
10933 case 0x0103: ss.sVersion="2010"; break;
10934 }
10935
10936 pBinaryInfo->mapResultDatabases.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10937 }
10938 }
10939
Binary_handle_Images(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)10940 void SpecAbstract::Binary_handle_Images(QIODevice *pDevice, bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
10941 {
10942 XBinary binary(pDevice,bIsImage);
10943
10944 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_JPEG))&&(pBinaryInfo->basic_info.nSize>=8))
10945 {
10946 // JPEG
10947 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
10948 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_JPEG);
10949 quint32 nMajor=pBinaryInfo->basic_info.sHeaderSignature.mid(11*2,2).toUInt(nullptr,16);
10950 quint32 nMinor=pBinaryInfo->basic_info.sHeaderSignature.mid(12*2,2).toUInt(nullptr,16);
10951 ss.sVersion=QString("%1.%2").arg(nMajor).arg(nMinor,2,10,QChar('0'));
10952 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10953 }
10954 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GIF))&&(pBinaryInfo->basic_info.nSize>=8))
10955 {
10956 // GIF
10957 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
10958 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_GIF);
10959 // TODO Version
10960 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10961 }
10962 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TIFF))&&(pBinaryInfo->basic_info.nSize>=8))
10963 {
10964 // TIFF
10965 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
10966 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TIFF);
10967 // More information
10968 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10969 }
10970 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINDOWSICON))&&(pBinaryInfo->basic_info.nSize>=40))
10971 {
10972 // Windows Icon
10973 // TODO more information
10974 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
10975 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINDOWSICON);
10976 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
10977 }
10978 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINDOWSBITMAP))&&(pBinaryInfo->basic_info.nSize>=40))
10979 {
10980 // Windows Bitmap
10981 // TODO more information
10982 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
10983 quint32 _nSize=qFromBigEndian(pBinaryInfo->basic_info.sHeaderSignature.mid(2*2,8).toUInt(nullptr,16));
10984 if(pBinaryInfo->basic_info.nSize>=_nSize)
10985 {
10986 QString sVersion;
10987
10988 switch(qFromBigEndian(pBinaryInfo->basic_info.sHeaderSignature.mid(14*2,8).toUInt(nullptr,16)))
10989 {
10990 case 40: sVersion="3"; break;
10991 case 108: sVersion="4"; break;
10992 case 124: sVersion="5"; break;
10993 }
10994
10995 if(sVersion!="")
10996 {
10997 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINDOWSBITMAP);
10998 ss.sVersion=sVersion;
10999 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11000 }
11001 }
11002 }
11003 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PNG))&&(pBinaryInfo->basic_info.nSize>=8))
11004 {
11005 // PNG
11006 // TODO options
11007 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
11008 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PNG);
11009
11010 ss.sInfo=QString("%1x%2").arg(binary.read_uint32(16,true)).arg(binary.read_uint32(20,true));
11011
11012 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11013 }
11014 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DJVU))&&(pBinaryInfo->basic_info.nSize>=8))
11015 {
11016 // DJVU
11017 // TODO options
11018 pBinaryInfo->basic_info.id.fileType=XBinary::FT_IMAGE;
11019 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_DJVU);
11020 pBinaryInfo->mapResultImages.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11021 }
11022 }
11023
Binary_handle_InstallerData(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)11024 void SpecAbstract::Binary_handle_InstallerData(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
11025 {
11026 XBinary binary(pDevice,bIsImage);
11027
11028 // Inno Setup
11029 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_INNOSETUP))&&(pBinaryInfo->basic_info.nSize>=8))
11030 {
11031 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_INNOSETUP);
11032 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11033 }
11034 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_INSTALLANYWHERE))&&(pBinaryInfo->basic_info.nSize>=8))
11035 {
11036 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_INSTALLANYWHERE);
11037 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11038 }
11039 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GHOSTINSTALLER))&&(pBinaryInfo->basic_info.nSize>=8))
11040 {
11041 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_GHOSTINSTALLER);
11042 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11043 }
11044 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NSIS))&&(pBinaryInfo->basic_info.nSize>=8))
11045 {
11046 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_NSIS);
11047 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11048 }
11049 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SIXXPACK))&&(pBinaryInfo->basic_info.nSize>=8))
11050 {
11051 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SIXXPACK);
11052 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11053 }
11054 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_THINSTALL))&&(pBinaryInfo->basic_info.nSize>=8))
11055 {
11056 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_THINSTALL);
11057 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11058 }
11059 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SMARTINSTALLMAKER))&&(pBinaryInfo->basic_info.nSize>=30))
11060 {
11061 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SMARTINSTALLMAKER);
11062 ss.sVersion=XBinary::hexToString(pBinaryInfo->basic_info.sHeaderSignature.mid(46,14));
11063 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11064 }
11065 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TARMAINSTALLER))&&(pBinaryInfo->basic_info.nSize>=20))
11066 {
11067 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TARMAINSTALLER);
11068 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11069 }
11070 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_CLICKTEAM))&&(pBinaryInfo->basic_info.nSize>=20))
11071 {
11072 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_CLICKTEAM);
11073 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11074 }
11075 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_QTINSTALLER))&&(pBinaryInfo->basic_info.nSize>=20))
11076 {
11077 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_QTINSTALLER);
11078 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11079 }
11080 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ADVANCEDINSTALLER))&&(pBinaryInfo->basic_info.nSize>=20))
11081 {
11082 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ADVANCEDINSTALLER);
11083 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11084 }
11085 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_OPERA))&&(pBinaryInfo->basic_info.nSize>=20))
11086 {
11087 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_OPERA);
11088 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11089 }
11090 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GPINSTALL))&&(pBinaryInfo->basic_info.nSize>=20))
11091 {
11092 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_GPINSTALL);
11093 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11094 }
11095 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_AVASTANTIVIRUS))&&(pBinaryInfo->basic_info.nSize>=20))
11096 {
11097 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_AVASTANTIVIRUS);
11098 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11099 }
11100 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_INSTALLSHIELD))&&(pBinaryInfo->basic_info.nSize>=8))
11101 {
11102 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_INSTALLSHIELD);
11103 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11104 }
11105 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SETUPFACTORY))&&(pBinaryInfo->basic_info.nSize>=8))
11106 {
11107 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SETUPFACTORY);
11108 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11109 }
11110 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ACTUALINSTALLER))&&(pBinaryInfo->basic_info.nSize>=8))
11111 {
11112 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ACTUALINSTALLER);
11113 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11114 }
11115 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_INSTALL4J))&&(pBinaryInfo->basic_info.nSize>=8))
11116 {
11117 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_INSTALL4J);
11118 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11119 }
11120 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_VMWARE))&&(pBinaryInfo->basic_info.nSize>=8))
11121 {
11122 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_VMWARE);
11123 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11124 }
11125 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NOSINSTALLER))&&(pBinaryInfo->basic_info.nSize>=8))
11126 {
11127 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_NOSINSTALLER);
11128 pBinaryInfo->mapResultInstallerData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11129 }
11130 }
11131
Binary_handle_SFXData(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)11132 void SpecAbstract::Binary_handle_SFXData(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
11133 {
11134 XBinary binary(pDevice,bIsImage);
11135
11136 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WINRAR))&&(pBinaryInfo->basic_info.nSize>=20))
11137 {
11138 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WINRAR);
11139 pBinaryInfo->mapResultSFXData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11140 }
11141 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SQUEEZSFX))&&(pBinaryInfo->basic_info.nSize>=20))
11142 {
11143 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SQUEEZSFX);
11144 pBinaryInfo->mapResultSFXData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11145 }
11146 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_7Z))&&(pBinaryInfo->basic_info.nSize>=20))
11147 {
11148 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_7Z);
11149
11150 if(ss.type==RECORD_TYPE_SFXDATA)
11151 {
11152 pBinaryInfo->mapResultSFXData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11153 }
11154 }
11155 }
11156
Binary_handle_ProtectorData(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)11157 void SpecAbstract::Binary_handle_ProtectorData(QIODevice *pDevice,bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
11158 {
11159 XBinary binary(pDevice,bIsImage);
11160
11161 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_FISHNET))&&(pBinaryInfo->basic_info.nSize>=8))
11162 {
11163 // Inno Setup
11164 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_FISHNET);
11165 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11166 }
11167 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_XENOCODE))&&(pBinaryInfo->basic_info.nSize>=8))
11168 {
11169 // Xenocode
11170 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_XENOCODE);
11171 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11172 }
11173 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MOLEBOXULTRA))&&(pBinaryInfo->basic_info.nSize>=8))
11174 {
11175 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_MOLEBOXULTRA);
11176 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11177 }
11178 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_1337EXECRYPTER))&&(pBinaryInfo->basic_info.nSize>=8))
11179 {
11180 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_1337EXECRYPTER);
11181 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11182 }
11183 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ACTIVEMARK))&&(pBinaryInfo->basic_info.nSize>=8))
11184 {
11185 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ACTIVEMARK);
11186 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11187 }
11188 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_AGAINNATIVITYCRYPTER))&&(pBinaryInfo->basic_info.nSize>=8))
11189 {
11190 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_AGAINNATIVITYCRYPTER);
11191 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11192 }
11193 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ARCRYPT))&&(pBinaryInfo->basic_info.nSize>=8))
11194 {
11195 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ARCRYPT);
11196 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11197 }
11198 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_NOXCRYPT))&&(pBinaryInfo->basic_info.nSize>=8))
11199 {
11200 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_NOXCRYPT);
11201 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11202 }
11203 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_FASTFILECRYPT))&&(pBinaryInfo->basic_info.nSize>=8))
11204 {
11205 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_FASTFILECRYPT);
11206 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11207 }
11208 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LIGHTNINGCRYPTERSCANTIME))&&(pBinaryInfo->basic_info.nSize>=8))
11209 {
11210 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LIGHTNINGCRYPTERSCANTIME);
11211 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11212 }
11213 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_ZELDACRYPT))&&(pBinaryInfo->basic_info.nSize>=8))
11214 {
11215 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_ZELDACRYPT);
11216 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11217 }
11218 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WOUTHRSEXECRYPTER))&&(pBinaryInfo->basic_info.nSize>=8))
11219 {
11220 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WOUTHRSEXECRYPTER);
11221 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11222 }
11223 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WLCRYPT))&&(pBinaryInfo->basic_info.nSize>=8))
11224 {
11225 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WLCRYPT);
11226 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11227 }
11228 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_DOTNETSHRINK))&&(pBinaryInfo->basic_info.nSize>=8))
11229 {
11230 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_DOTNETSHRINK);
11231 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11232 }
11233 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SPOONSTUDIO))&&(pBinaryInfo->basic_info.nSize>=8))
11234 {
11235 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SPOONSTUDIO);
11236 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11237 }
11238 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SECUROM))&&(pBinaryInfo->basic_info.nSize>=30))
11239 {
11240 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SECUROM);
11241 ss.sVersion=binary.read_ansiString(8);
11242 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11243 }
11244 else if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SERGREENAPPACKER))&&(pBinaryInfo->basic_info.nSize>=30))
11245 {
11246 _SCANS_STRUCT ss=pBinaryInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_SERGREENAPPACKER);
11247 // TODO Version
11248 pBinaryInfo->mapResultProtectorData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11249 }
11250 }
11251
Binary_handle_LibraryData(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)11252 void SpecAbstract::Binary_handle_LibraryData(QIODevice *pDevice, bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
11253 {
11254 XBinary binary(pDevice,bIsImage);
11255
11256 if((pBinaryInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_SHELL))&&(pBinaryInfo->basic_info.nSize>=8))
11257 {
11258 QString sString=binary.read_ansiString(0);
11259
11260 if(sString.contains("python"))
11261 {
11262 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_BINARY,RECORD_TYPE_LIBRARY,RECORD_NAME_PYTHON,"","",0);
11263 pBinaryInfo->mapResultLibraryData.insert(ss.name,scansToScan(&(pBinaryInfo->basic_info),&ss));
11264 }
11265 }
11266 }
11267
Zip_handle_Microsoftoffice(QIODevice * pDevice,bool bIsImage,ZIPINFO_STRUCT * pZipInfo)11268 void SpecAbstract::Zip_handle_Microsoftoffice(QIODevice *pDevice, bool bIsImage, ZIPINFO_STRUCT *pZipInfo)
11269 {
11270 Q_UNUSED(bIsImage)
11271
11272 XZip xzip(pDevice);
11273
11274 if(xzip.isValid())
11275 {
11276 XArchive::RECORD record=XArchive::getArchiveRecord("docProps/app.xml",&(pZipInfo->listArchiveRecords));
11277
11278 if(!record.sFileName.isEmpty())
11279 {
11280 if((record.nUncompressedSize)&&(record.nUncompressedSize<=0x4000))
11281 {
11282 pZipInfo->basic_info.id.fileType=XBinary::FT_DOCUMENT;
11283
11284 QString sData=xzip.decompress(&record).data();
11285 QString sApplication=XBinary::regExp("<Application>(.*?)</Application>",sData,1);
11286
11287 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_BINARY,RECORD_TYPE_FORMAT,RECORD_NAME_MICROSOFTOFFICE,"","",0);
11288
11289 if(sApplication=="Microsoft Office Word")
11290 {
11291 ss.name=RECORD_NAME_MICROSOFTOFFICEWORD;
11292 }
11293 else if(sApplication=="Microsoft Excel")
11294 {
11295 ss.name=RECORD_NAME_MICROSOFTEXCEL;
11296 }
11297 else if(sApplication=="Microsoft Visio")
11298 {
11299 ss.name=RECORD_NAME_MICROSOFTVISIO;
11300 }
11301 else if(sApplication=="SheetJS")
11302 {
11303 ss.name=RECORD_NAME_MICROSOFTEXCEL;
11304 ss.sInfo="SheetJS";
11305 }
11306
11307 ss.sVersion=XBinary::regExp("<AppVersion>(.*?)</AppVersion>",sData,1);
11308 pZipInfo->mapResultFormats.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11309 }
11310 }
11311 }
11312 }
11313
Zip_handle_OpenOffice(QIODevice * pDevice,bool bIsImage,ZIPINFO_STRUCT * pZipInfo)11314 void SpecAbstract::Zip_handle_OpenOffice(QIODevice *pDevice, bool bIsImage, ZIPINFO_STRUCT *pZipInfo)
11315 {
11316 Q_UNUSED(bIsImage)
11317
11318 XZip xzip(pDevice);
11319
11320 if(xzip.isValid())
11321 {
11322 XArchive::RECORD record=XArchive::getArchiveRecord("meta.xml",&(pZipInfo->listArchiveRecords));
11323
11324 if(!record.sFileName.isEmpty())
11325 {
11326 if((record.nUncompressedSize)&&(record.nUncompressedSize<=0x4000))
11327 {
11328 QString sData=xzip.decompress(&record).data();
11329
11330 // TODO
11331 if(sData.contains(":opendocument:"))
11332 {
11333 pZipInfo->basic_info.id.fileType=XBinary::FT_DOCUMENT;
11334
11335 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_BINARY,RECORD_TYPE_FORMAT,RECORD_NAME_OPENDOCUMENT,"","",0);
11336
11337 pZipInfo->mapResultFormats.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11338 }
11339 }
11340 }
11341 }
11342 }
11343
Zip_handle_Metainfos(QIODevice * pDevice,bool bIsImage,SpecAbstract::ZIPINFO_STRUCT * pZipInfo)11344 void SpecAbstract::Zip_handle_Metainfos(QIODevice *pDevice, bool bIsImage, SpecAbstract::ZIPINFO_STRUCT *pZipInfo)
11345 {
11346 Q_UNUSED(bIsImage)
11347
11348 if((pZipInfo->bIsJAR)||(pZipInfo->bIsAPK))
11349 {
11350 XZip xzip(pDevice);
11351
11352 if(xzip.isValid())
11353 {
11354 QString sDataManifest=xzip.decompress(&(pZipInfo->listArchiveRecords),"META-INF/MANIFEST.MF").data();
11355
11356 if(sDataManifest!="")
11357 {
11358 QString sCreatedBy=XBinary::regExp("Created-By: (.*?)\n",sDataManifest,1).remove("\r");
11359 QString sProtectedBy=XBinary::regExp("Protected-By: (.*?)\n",sDataManifest,1).remove("\r");
11360 QString sAntVersion=XBinary::regExp("Ant-Version: (.*?)\n",sDataManifest,1).remove("\r");
11361 QString sBuiltBy=XBinary::regExp("Built-By: (.*?)\n",sDataManifest,1).remove("\r");
11362 QString sBuiltJdk=XBinary::regExp("Build-Jdk: (.*?)\n",sDataManifest,1).remove("\r");
11363
11364 if(sCreatedBy.contains("Android Gradle"))
11365 {
11366 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDGRADLE,"","",0);
11367 ss.sVersion=XBinary::regExp("Android Gradle (.*?)$",sCreatedBy,1);
11368 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11369 }
11370 else if(sCreatedBy.contains("MOTODEV Studio for Android")||sCreatedBy.contains("MOTODEV Studio for ANDROID"))
11371 {
11372 // TODO Check "MOTODEV Studio for ANDROID" version
11373 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_MOTODEVSTUDIOFORANDROID,"","",0);
11374 ss.sVersion=XBinary::regExp("MOTODEV Studio for Android v(.*?).release",sCreatedBy,1);
11375 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11376 }
11377 else if(sCreatedBy.contains("Android Maven")||sCreatedBy.contains("Apache Maven Bundle Plugin"))
11378 {
11379 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDMAVENPLUGIN,"","",0);
11380 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11381 }
11382 else if(sCreatedBy.contains("(Radialix"))
11383 {
11384 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_RADIALIX,"","",0);
11385 ss.sVersion=sCreatedBy.section(" (Radialix",0,0);
11386 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11387 }
11388 else if(sCreatedBy.contains("AntiLVL"))
11389 {
11390 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_APKTOOL,RECORD_NAME_ANTILVL,"","",0);
11391 ss.sVersion=sCreatedBy.section(" ",0,0);
11392 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11393 }
11394 else if(sCreatedBy.contains("ApkEditor"))
11395 {
11396 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_APKTOOL,RECORD_NAME_APKEDITOR,"","",0);
11397 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11398 }
11399 else if(sCreatedBy.contains("d2j-apk-sign"))
11400 {
11401 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_D2JAPKSIGN,"","",0);
11402 ss.sVersion=XBinary::regExp("d2j-apk-sign (.*?)$",sCreatedBy,1);
11403 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11404 }
11405 else if(sCreatedBy.contains("singlejar"))
11406 {
11407 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_SINGLEJAR,"","",0);
11408 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11409 }
11410 else if(sCreatedBy.contains("PseudoApkSigner"))
11411 {
11412 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_PSEUDOAPKSIGNER,"","",0);
11413 ss.sVersion=XBinary::regExp("PseudoApkSigner (.*?)$",sCreatedBy,1);
11414 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11415 }
11416 else if(sCreatedBy.contains("ApkSigner"))
11417 {
11418 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_APKSIGNER,"","",0);
11419 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11420 }
11421 else if(sCreatedBy.contains("www.HiAPK.com"))
11422 {
11423 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_HIAPKCOM,"","",0);
11424 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11425 }
11426 else if(sBuiltBy.contains("com.haibison.apksigner")||sCreatedBy.contains("com.haibison.apksigner"))
11427 {
11428 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_APK_SIGNER,"","",0);
11429
11430 if(sBuiltBy.contains("com.haibison.apksigner"))
11431 {
11432 ss.sVersion=XBinary::regExp("com.haibison.apksigner (.*?)$",sBuiltBy,1);
11433 }
11434 else if(sCreatedBy.contains("com.haibison.apksigner"))
11435 {
11436 ss.sVersion=XBinary::regExp("com.haibison.apksigner (.*?)$",sCreatedBy,1);
11437 }
11438
11439 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11440 }
11441 else if(sBuiltBy.contains("BundleTool")||sCreatedBy.contains("BundleTool"))
11442 {
11443 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_BUNDLETOOL,"","",0);
11444
11445 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11446 }
11447 else if(sCreatedBy.contains("(COMEX SignApk)"))
11448 {
11449 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_COMEXSIGNAPK,"","",0);
11450 ss.sVersion=sCreatedBy.section(" (COMEX SignApk)",0,0);
11451 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11452 }
11453 else if(sCreatedBy.contains("(NetEase ApkSigner)")) // TODO Check " " !!!
11454 {
11455 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_NETEASEAPKSIGNER,"","",0);
11456 ss.sVersion=sCreatedBy.section(" (NetEase ApkSigner)",0,0);
11457 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11458 }
11459 else if(sCreatedBy.contains("(signatory)"))
11460 {
11461 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_SIGNATORY,"","",0);
11462 ss.sVersion=sCreatedBy.section(" (signatory)",0,0);
11463 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11464 }
11465 else if(sCreatedBy.contains("(signupdate)"))
11466 {
11467 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_SIGNUPDATE,"","",0);
11468 ss.sVersion=sCreatedBy.section(" (signupdate)",0,0);
11469 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11470 }
11471 else if(sCreatedBy.contains("(Android SignApk)"))
11472 {
11473 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_ANDROIDSIGNAPK,"","",0);
11474 ss.sVersion=sCreatedBy.section(" (Android SignApk)",0,0);
11475 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11476 }
11477 else if(sCreatedBy.contains("(KT Android SignApk)"))
11478 {
11479 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_ANDROIDSIGNAPK,"","",0);
11480 ss.sVersion=sCreatedBy.section(" (KT Android SignApk)",0,0);
11481 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11482 }
11483 else if(sCreatedBy.contains("(abc SignApk)"))
11484 {
11485 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_ANDROIDSIGNAPK,"","",0);
11486 ss.sVersion=sCreatedBy.section(" (abc SignApk)",0,0);
11487 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11488 }
11489 else if(sCreatedBy.contains("(dotools sign apk)"))
11490 {
11491 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_DOTOOLSSIGNAPK,"","",0);
11492 ss.sVersion=sCreatedBy.section(" (dotools sign apk)",0,0);
11493 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11494 }
11495 else if(sCreatedBy.contains("(Android apksigner)"))
11496 {
11497 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_ANDROIDAPKSIGNER,"","",0);
11498 ss.sVersion=sCreatedBy.section(" (Android apksigner)",0,0);
11499 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11500 }
11501 else if(sCreatedBy.contains("(ApkModifier SignApk)"))
11502 {
11503 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_APKMODIFIERSIGNAPK,"","",0);
11504 ss.sVersion=sCreatedBy.section(" (ApkModifier SignApk)",0,0);
11505 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11506 }
11507 else if(sCreatedBy.contains("(Baidu Signature platform)"))
11508 {
11509 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_BAIDUSIGNATUREPLATFORM,"","",0);
11510 ss.sVersion=sCreatedBy.section(" (Baidu Signature platform)",0,0);
11511 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11512 }
11513 else if(sCreatedBy.contains("tiny-sign"))
11514 {
11515 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_TINYSIGN,"","",0);
11516 ss.sVersion=sCreatedBy.section("tiny-sign-",1,1);
11517 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11518 }
11519 else if(sCreatedBy.contains("DexGuard, version"))
11520 {
11521 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXGUARD,"","",0);
11522 ss.sVersion=XBinary::regExp("DexGuard, version (.*?)$",sCreatedBy,1);
11523 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11524 }
11525 else if(sCreatedBy.contains("ApkProtector"))
11526 {
11527 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_APKPROTECTOR,"","",0);
11528
11529 if(sCreatedBy.section(" ",0,0)=="ApkProtector")
11530 {
11531 ss.sVersion=sCreatedBy.section(" ",1,1).remove(")").remove("(");
11532 }
11533
11534 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11535 }
11536 else if(sCreatedBy.contains("(Sun Microsystems Inc.)")||
11537 sCreatedBy.contains("(BEA Systems, Inc.)")||
11538 sCreatedBy.contains("(The FreeBSD Foundation)")||
11539 sCreatedBy.contains("(d2j-null)")||
11540 sCreatedBy.contains("(d2j-2.1-SNAPSHOT)")||
11541 sCreatedBy.contains("(Oracle Corporation)")||
11542 sCreatedBy.contains("(Apple Inc.)")||
11543 sCreatedBy.contains("(Google Inc.)")||
11544 sCreatedBy.contains("(Jeroen Frijters)")||
11545 sCreatedBy.contains("(IBM Corporation)")||
11546 sCreatedBy.contains("(JetBrains s.r.o)")||
11547 sCreatedBy.contains("(Alibaba)")||
11548 sCreatedBy.contains("(AdoptOpenJdk)"))
11549 {
11550 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_JDK,"","",0);
11551 ss.sVersion=sCreatedBy.section(" ",0,0);
11552
11553 if(sCreatedBy.contains("(Apple Inc.)"))
11554 {
11555 ss.name=RECORD_NAME_APPLEJDK;
11556 }
11557 else if(sCreatedBy.contains("(IBM Corporation)"))
11558 {
11559 ss.name=RECORD_NAME_IBMJDK;
11560 }
11561 else if(sCreatedBy.contains("(AdoptOpenJdk)"))
11562 {
11563 ss.name=RECORD_NAME_OPENJDK;
11564 }
11565
11566 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11567 }
11568 else if(sCreatedBy=="1.6.0_21")
11569 {
11570 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_JDK,"","",0);
11571 ss.sVersion=sCreatedBy;
11572 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11573 }
11574
11575 if(sCreatedBy.contains("(JetBrains s.r.o)"))
11576 {
11577 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_JETBRAINS,"","",0);
11578 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11579 }
11580 else if(sCreatedBy.contains("(d2j-null)"))
11581 {
11582 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_APKTOOL,RECORD_NAME_DEX2JAR,"","",0);
11583 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11584 }
11585 else if(sCreatedBy.contains("(d2j-2.1-SNAPSHOT)"))
11586 {
11587 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_APKTOOL,RECORD_NAME_DEX2JAR,"2.1","",0);
11588 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11589 }
11590 else if(sCreatedBy.contains("(Jeroen Frijters)"))
11591 {
11592 // Check OpenJDK
11593 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_IKVMDOTNET,"","",0);
11594 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11595 }
11596 else if(sCreatedBy.contains("(BEA Systems, Inc.)"))
11597 {
11598 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_BEAWEBLOGIC,"","",0);
11599 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11600 }
11601
11602 if(sAntVersion.contains("Apache Ant"))
11603 {
11604 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_APACHEANT,"","",0);
11605 ss.sVersion=XBinary::regExp("Apache Ant (.*?)$",sAntVersion,1);
11606 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11607 }
11608
11609 if(sBuiltBy.contains("Generated-by-ADT"))
11610 {
11611 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_ECLIPSE,"","ADT",0);
11612 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11613 }
11614
11615 if(sBuiltJdk!="")
11616 {
11617 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_TOOL,RECORD_NAME_JDK,"","",0);
11618 ss.sVersion=sBuiltJdk;
11619 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11620 }
11621
11622 if(sProtectedBy.contains("DexProtector"))
11623 {
11624 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXPROTECTOR,"","",0);
11625
11626 if(sProtectedBy.section(" ",0,0)=="DexProtector")
11627 {
11628 ss.sVersion=sProtectedBy.section(" ",1,1).remove(")").remove("(");
11629 }
11630 else if(sProtectedBy.section(" ",1,1)=="DexProtector")
11631 {
11632 ss.sVersion=sProtectedBy.section(" ",0,0);
11633 }
11634
11635 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11636 }
11637
11638 if(XBinary::regExp("^\\d+(\\.\\d+)*$",sCreatedBy,0)!="") // 0.0.0
11639 {
11640 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_GENERIC,RECORD_NAME_GENERIC,"","",0);
11641
11642 ss.sVersion=XBinary::regExp("(.*?)$",sCreatedBy,1);
11643 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11644 }
11645
11646 if(sCreatedBy.contains("(d8)")||sCreatedBy.contains("(dx)")) // Dexguard
11647 {
11648 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_GENERIC,RECORD_NAME_GENERIC,"","",0);
11649
11650 ss.sVersion=XBinary::regExp("(.*?)$",sCreatedBy,1);
11651 pZipInfo->mapMetainfosDetects.insert(ss.name,ss);
11652 }
11653
11654 // TODO heur if String contains add to heur
11655 }
11656 }
11657 }
11658 }
11659
Zip_handle_JAR(QIODevice * pDevice,bool bIsImage,ZIPINFO_STRUCT * pZipInfo,SpecAbstract::SCAN_OPTIONS * pOptions,bool * pbIsStop)11660 void SpecAbstract::Zip_handle_JAR(QIODevice *pDevice, bool bIsImage, ZIPINFO_STRUCT *pZipInfo, SpecAbstract::SCAN_OPTIONS *pOptions, bool *pbIsStop)
11661 {
11662 Q_UNUSED(bIsImage)
11663 Q_UNUSED(pOptions)
11664
11665 XZip xzip(pDevice);
11666
11667 if(xzip.isValid()&&(!(*pbIsStop)))
11668 {
11669 _SCANS_STRUCT ssVM=getScansStruct(0,XBinary::FT_JAR,RECORD_TYPE_VIRTUALMACHINE,RECORD_NAME_JVM,"","",0);
11670 pZipInfo->mapResultOperationSystems.insert(ssVM.name,scansToScan(&(pZipInfo->basic_info),&ssVM));
11671
11672 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_JDK))
11673 {
11674 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_JDK);
11675 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11676 }
11677
11678 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APPLEJDK))
11679 {
11680 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APPLEJDK);
11681 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11682 }
11683
11684 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_IBMJDK))
11685 {
11686 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_IBMJDK);
11687 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11688 }
11689
11690 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_OPENJDK))
11691 {
11692 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_OPENJDK);
11693 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11694 }
11695
11696 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_JETBRAINS))
11697 {
11698 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_JETBRAINS);
11699 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11700 }
11701
11702 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_IKVMDOTNET))
11703 {
11704 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_IKVMDOTNET);
11705 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11706 }
11707
11708 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_BEAWEBLOGIC))
11709 {
11710 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_BEAWEBLOGIC);
11711 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11712 }
11713
11714 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APACHEANT))
11715 {
11716 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APACHEANT);
11717 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11718 }
11719
11720 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_SINGLEJAR))
11721 {
11722 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_SINGLEJAR);
11723 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11724 }
11725 }
11726 }
11727
Zip_handle_APK(QIODevice * pDevice,bool bIsImage,ZIPINFO_STRUCT * pZipInfo)11728 void SpecAbstract::Zip_handle_APK(QIODevice *pDevice, bool bIsImage, ZIPINFO_STRUCT *pZipInfo)
11729 {
11730 Q_UNUSED(bIsImage)
11731
11732 if(pZipInfo->bIsAPK)
11733 {
11734 XZip xzip(pDevice);
11735
11736 if(xzip.isValid())
11737 {
11738 // 0x7109871a APK_SIGNATURE_SCHEME_V2_BLOCK_ID
11739 // TODO Check 0x7109871f https://github.com/18598925736/ApkChannelPackageJavaCore/blob/9342d57a1fc5f9271d569612df6028758f6ee42d/src/channel/data/Constants.java#L38
11740 // 0xf05368c0 APK_SIGNATURE_SCHEME_V3_BLOCK_ID
11741 // 0x42726577 padding
11742 // 0x504b4453 DEPENDENCY_INFO_BLOCK_ID; https://github.com/jomof/CppBuildCacheWorkInProgress/blob/148b94d712d14b6f2a13ab37a526c7795e2215b3/agp-7.1.0-alpha01/tools/base/signflinger/src/com/android/signflinger/SignedApk.java#L56
11743 // 0x71777777 Walle https://github.com/Meituan-Dianping/walle/blob/f78edcf1117a0aa858a3d04bb24d86bf9ad51bb2/payload_reader/src/main/java/com/meituan/android/walle/ApkUtil.java#L40
11744 // 0x6dff800d SOURCE_STAMP_BLOCK_ID
11745 // 0x2146444e Google Play
11746
11747 QList<XZip::APK_SIG_BLOCK_RECORD> listApkSignaturesBlockRecords=xzip.getAPKSignaturesBlockRecordsList();
11748
11749 _SCANS_STRUCT ssSignTool=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_APKSIGNATURESCHEME,"","",0);
11750
11751 if(XZip::isAPKSignatureBlockRecordPresent(&listApkSignaturesBlockRecords,0x7109871a))
11752 {
11753 ssSignTool.sVersion="v2";
11754 }
11755 else if(XZip::isAPKSignatureBlockRecordPresent(&listApkSignaturesBlockRecords,0xf05368c0))
11756 {
11757 ssSignTool.sVersion="v3";
11758 }
11759
11760 // TODO V4
11761
11762 if(ssSignTool.sVersion!="")
11763 {
11764 pZipInfo->mapResultSigntools.insert(ssSignTool.name,scansToScan(&(pZipInfo->basic_info),&ssSignTool));
11765 }
11766
11767 if(XZip::isAPKSignatureBlockRecordPresent(&listApkSignaturesBlockRecords,0x71777777))
11768 {
11769 _SCANS_STRUCT ssWalle=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_WALLE,"","",0);
11770 pZipInfo->mapResultTools.insert(ssWalle.name,scansToScan(&(pZipInfo->basic_info),&ssWalle));
11771 }
11772
11773 if(XZip::isAPKSignatureBlockRecordPresent(&listApkSignaturesBlockRecords,0x2146444e))
11774 {
11775 _SCANS_STRUCT ssGooglePlay=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_GOOGLEPLAY,"","",0);
11776 pZipInfo->mapResultTools.insert(ssGooglePlay.name,scansToScan(&(pZipInfo->basic_info),&ssGooglePlay));
11777 }
11778
11779 if(pZipInfo->bIsKotlin)
11780 {
11781 _SCANS_STRUCT ssKotlin=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_LANGUAGE,RECORD_NAME_KOTLIN,"","",0);
11782 pZipInfo->mapResultLanguages.insert(ssKotlin.name,scansToScan(&(pZipInfo->basic_info),&ssKotlin));
11783 }
11784 else
11785 {
11786 _SCANS_STRUCT ssJava=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_LANGUAGE,RECORD_NAME_JAVA,"","",0);
11787 pZipInfo->mapResultLanguages.insert(ssJava.name,scansToScan(&(pZipInfo->basic_info),&ssJava));
11788 }
11789
11790 if(pZipInfo->basic_info.bIsTest)
11791 {
11792 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_SIGNTOOL,RECORD_NAME_UNKNOWN,"","",0);
11793
11794 int nNumberOfRecords=listApkSignaturesBlockRecords.count();
11795
11796 for(int i=0;i<nNumberOfRecords;i++)
11797 {
11798 if(listApkSignaturesBlockRecords.at(i).nID>0xFFFF)
11799 {
11800 if( (listApkSignaturesBlockRecords.at(i).nID!=0x7109871a)&&
11801 (listApkSignaturesBlockRecords.at(i).nID!=0xf05368c0)&&
11802 (listApkSignaturesBlockRecords.at(i).nID!=0x42726577))
11803 {
11804 ss.name=(RECORD_NAME)((int)RECORD_NAME_UNKNOWN0+i);
11805 ss.sVersion=XBinary::valueToHex(listApkSignaturesBlockRecords.at(i).nID);
11806 //ss.sInfo=XBinary::valueToHex(listApkSignaturesBlockRecords.at(i).nDataSize);
11807 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11808 }
11809 }
11810 }
11811 }
11812
11813 QByteArray baAndroidManifest=xzip.decompress(&(pZipInfo->listArchiveRecords),"AndroidManifest.xml");
11814
11815 QString sAndroidManifest=XAndroidBinary::getDecoded(&baAndroidManifest);
11816
11817 QString sCompileSdkVersion=XBinary::regExp("android:compileSdkVersion=\"(.*?)\"",sAndroidManifest,1);
11818 QString sCompileSdkVersionCodename=XBinary::regExp("android:compileSdkVersionCodename=\"(.*?)\"",sAndroidManifest,1);
11819 QString sPlatformBuildVersionCode=XBinary::regExp("platformBuildVersionCode=\"(.*?)\"",sAndroidManifest,1);
11820 QString sPlatformBuildVersionName=XBinary::regExp("platformBuildVersionName=\"(.*?)\"",sAndroidManifest,1);
11821 QString sTargetSdkVersion=XBinary::regExp("android:targetSdkVersion=\"(.*?)\"",sAndroidManifest,1);
11822 QString sMinSdkVersion=XBinary::regExp("android:minSdkVersion=\"(.*?)\"",sAndroidManifest,1);
11823 QString sAndroid=XBinary::regExp("android:=\"(.*?)\"",sAndroidManifest,1);
11824 QString sAndroidVersionName=XBinary::regExp("android:versionName=\"(.*?)\"",sAndroidManifest,1);
11825
11826 // Check
11827 if(!XBinary::checkStringNumber(sCompileSdkVersion,1,40)) sCompileSdkVersion="";
11828 if(!XBinary::checkStringNumber(sPlatformBuildVersionCode,1,40)) sPlatformBuildVersionCode="";
11829 if(!XBinary::checkStringNumber(sTargetSdkVersion,1,40)) sTargetSdkVersion="";
11830 if(!XBinary::checkStringNumber(sMinSdkVersion,1,40)) sMinSdkVersion="";
11831 if(!XBinary::checkStringNumber(sAndroid,1,40)) sAndroid="";
11832
11833 if(!XBinary::checkStringNumber(sCompileSdkVersionCodename.section(".",0,0),1,15)) sCompileSdkVersionCodename="";
11834 if(!XBinary::checkStringNumber(sPlatformBuildVersionName.section(".",0,0),1,15)) sPlatformBuildVersionName="";
11835
11836 if( (sCompileSdkVersion!="")||
11837 (sCompileSdkVersionCodename!="")||
11838 (sPlatformBuildVersionCode!="")||
11839 (sPlatformBuildVersionName!="")||
11840 (sTargetSdkVersion!="")||
11841 (sMinSdkVersion!="")||
11842 (sAndroid!=""))
11843 {
11844 _SCANS_STRUCT ssAndroidSDK=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDSDK,"","",0);
11845 _SCANS_STRUCT ssAndroid=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_ANDROID,"","",0);
11846
11847 QString _sVersion;
11848 QString _sAndroidVersion;
11849
11850 _sVersion=sCompileSdkVersion;
11851 _sAndroidVersion=sCompileSdkVersionCodename;
11852
11853 if(_sVersion=="") _sVersion=sCompileSdkVersion;
11854 if(_sVersion=="") _sVersion=sPlatformBuildVersionCode;
11855 if(_sVersion=="") _sVersion=sTargetSdkVersion;
11856 if(_sVersion=="") _sVersion=sMinSdkVersion;
11857 if(_sVersion=="") _sVersion=sAndroid;
11858
11859 if(_sAndroidVersion=="") _sAndroidVersion=sCompileSdkVersionCodename;
11860 if(_sAndroidVersion=="") _sAndroidVersion=sPlatformBuildVersionName;
11861 if(_sAndroidVersion=="") _sAndroidVersion=sAndroidVersionName;
11862
11863 if(_sAndroidVersion=="")
11864 {
11865 _sAndroidVersion=getAndroidVersionFromApi(_sVersion.toUInt());
11866 }
11867
11868 if(_sVersion!="")
11869 {
11870 ssAndroidSDK.sVersion=QString("API %1").arg(_sVersion);
11871
11872 pZipInfo->mapResultTools.insert(ssAndroidSDK.name,scansToScan(&(pZipInfo->basic_info),&ssAndroidSDK));
11873 }
11874
11875 ssAndroid.sVersion=QString("%1").arg(_sAndroidVersion);
11876
11877 pZipInfo->mapResultOperationSystems.insert(ssAndroid.name,scansToScan(&(pZipInfo->basic_info),&ssAndroid));
11878 }
11879
11880 QString sJetpack=xzip.decompress(&(pZipInfo->listArchiveRecords),"META-INF/androidx.core_core.version").data();
11881 if(sJetpack!="")
11882 {
11883 QString sJetpackVersion=XBinary::regExp("(.*?)\n",sJetpack,1).remove("\r");
11884
11885 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_LIBRARY,RECORD_NAME_ANDROIDJETPACK,"","",0);
11886 ss.sVersion=sJetpackVersion;
11887 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11888 }
11889
11890 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ANDROIDGRADLE))
11891 {
11892 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ANDROIDGRADLE);
11893 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11894 }
11895
11896 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ANDROIDMAVENPLUGIN))
11897 {
11898 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ANDROIDMAVENPLUGIN);
11899 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11900 }
11901
11902 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_RADIALIX))
11903 {
11904 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_RADIALIX);
11905 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11906 }
11907
11908 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_MOTODEVSTUDIOFORANDROID))
11909 {
11910 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_MOTODEVSTUDIOFORANDROID);
11911 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11912 }
11913
11914 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ANTILVL))
11915 {
11916 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ANTILVL);
11917 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11918 }
11919
11920 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APKEDITOR))
11921 {
11922 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APKEDITOR);
11923 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11924 }
11925
11926 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_BUNDLETOOL))
11927 {
11928 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_BUNDLETOOL);
11929 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11930 }
11931
11932 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DEX2JAR))
11933 {
11934 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_DEX2JAR);
11935 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11936 }
11937
11938 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_D2JAPKSIGN))
11939 {
11940 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_D2JAPKSIGN);
11941 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11942 }
11943
11944 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_PSEUDOAPKSIGNER))
11945 {
11946 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_PSEUDOAPKSIGNER);
11947 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11948 }
11949
11950 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APKSIGNER))
11951 {
11952 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APKSIGNER);
11953 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11954 }
11955
11956 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APK_SIGNER))
11957 {
11958 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APK_SIGNER);
11959 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11960 }
11961
11962 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_NETEASEAPKSIGNER))
11963 {
11964 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_NETEASEAPKSIGNER);
11965 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11966 }
11967
11968 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ANDROIDSIGNAPK))
11969 {
11970 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ANDROIDSIGNAPK);
11971 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11972 }
11973
11974 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DOTOOLSSIGNAPK))
11975 {
11976 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_DOTOOLSSIGNAPK);
11977 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11978 }
11979
11980 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_SIGNATORY))
11981 {
11982 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_SIGNATORY);
11983 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11984 }
11985
11986 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_SIGNUPDATE))
11987 {
11988 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_SIGNUPDATE);
11989 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11990 }
11991
11992 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ANDROIDAPKSIGNER))
11993 {
11994 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ANDROIDAPKSIGNER);
11995 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
11996 }
11997
11998 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APKMODIFIERSIGNAPK))
11999 {
12000 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APKMODIFIERSIGNAPK);
12001 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12002 }
12003
12004 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_BAIDUSIGNATUREPLATFORM))
12005 {
12006 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_BAIDUSIGNATUREPLATFORM);
12007 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12008 }
12009
12010 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_TINYSIGN))
12011 {
12012 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_TINYSIGN);
12013 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12014 }
12015
12016 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_COMEXSIGNAPK))
12017 {
12018 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_COMEXSIGNAPK);
12019 pZipInfo->mapResultSigntools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12020 }
12021
12022 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_ECLIPSE))
12023 {
12024 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_ECLIPSE);
12025 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12026 }
12027
12028 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_HIAPKCOM))
12029 {
12030 _SCANS_STRUCT ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_HIAPKCOM);
12031 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12032 }
12033
12034 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_SECSHELL))
12035 {
12036 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_SECSHELL);
12037 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12038 }
12039
12040 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_JIAGU))
12041 {
12042 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_JIAGU);
12043 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12044 }
12045
12046 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_IJIAMI))
12047 {
12048 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_IJIAMI);
12049 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12050 }
12051
12052 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_TENCENTPROTECTION))
12053 {
12054 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_TENCENTPROTECTION);
12055 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12056 }
12057
12058 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_TENCENTLEGU)||pZipInfo->mapArchiveDetects.contains(RECORD_NAME_MOBILETENCENTPROTECT))
12059 {
12060 _SCANS_STRUCT ss={};
12061
12062 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_TENCENTLEGU))
12063 {
12064 ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_TENCENTLEGU);
12065 }
12066 else if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_MOBILETENCENTPROTECT))
12067 {
12068 ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_MOBILETENCENTPROTECT);
12069 }
12070
12071 int nNumberOfRecords=pZipInfo->listArchiveRecords.count();
12072
12073 for(int i=0;i<nNumberOfRecords;i++)
12074 {
12075 if(pZipInfo->listArchiveRecords.at(i).sFileName.contains("lib/arm64-v8a/libshella-"))
12076 {
12077 ss.sVersion=XBinary::regExp("lib/arm64-v8a/libshella-(.*?).so",pZipInfo->listArchiveRecords.at(i).sFileName,1);
12078
12079 break;
12080 }
12081 else if(pZipInfo->listArchiveRecords.at(i).sFileName.contains("lib/armeabi-v7a/libshella-"))
12082 {
12083 ss.sVersion=XBinary::regExp("lib/armeabi-v7a/libshella-(.*?).so",pZipInfo->listArchiveRecords.at(i).sFileName,1);
12084
12085 break;
12086 }
12087 else if(pZipInfo->listArchiveRecords.at(i).sFileName.contains("lib/armeabi/libshella-"))
12088 {
12089 ss.sVersion=XBinary::regExp("lib/armeabi/libshella-(.*?).so",pZipInfo->listArchiveRecords.at(i).sFileName,1);
12090
12091 break;
12092 }
12093 else if(pZipInfo->listArchiveRecords.at(i).sFileName.contains("lib/x86/libshella-"))
12094 {
12095 ss.sVersion=XBinary::regExp("lib/x86/libshella-(.*?).so",pZipInfo->listArchiveRecords.at(i).sFileName,1);
12096
12097 break;
12098 }
12099 }
12100
12101 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12102 }
12103
12104 // AppGuard
12105 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_APPGUARD))
12106 {
12107 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_APPGUARD);
12108
12109 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12110 }
12111
12112 // Kiro
12113 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_KIRO))
12114 {
12115 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_KIRO);
12116
12117 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12118 }
12119
12120 // DxShield
12121 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_DXSHIELD))
12122 {
12123 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_DXSHIELD);
12124
12125 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12126 }
12127
12128 // qdbh
12129 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_QDBH))
12130 {
12131 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_QDBH);
12132
12133 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12134 }
12135
12136 // Bangcle Protection
12137 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_BANGCLEPROTECTION))
12138 {
12139 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_BANGCLEPROTECTION);
12140
12141 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12142 }
12143
12144 // Qihoo 360 Protection
12145 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_QIHOO360PROTECTION))
12146 {
12147 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_QIHOO360PROTECTION);
12148
12149 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12150 }
12151
12152 // Alibaba Protection
12153 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_ALIBABAPROTECTION))
12154 {
12155 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_ALIBABAPROTECTION);
12156
12157 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12158 }
12159
12160 // Baidu Protection
12161 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_BAIDUPROTECTION))
12162 {
12163 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_BAIDUPROTECTION);
12164
12165 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12166 }
12167
12168 // NQ Shield
12169 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_NQSHIELD))
12170 {
12171 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_NQSHIELD);
12172
12173 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12174 }
12175
12176 // Nagapt Protection
12177 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_NAGAPTPROTECTION))
12178 {
12179 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_NAGAPTPROTECTION);
12180
12181 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12182 }
12183
12184 // SecNeo
12185 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_SECNEO))
12186 {
12187 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_SECNEO);
12188
12189 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12190 }
12191
12192 // LIAPP
12193 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_LIAPP))
12194 {
12195 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_LIAPP);
12196
12197 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12198 }
12199
12200 // yidun
12201 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_YIDUN))
12202 {
12203 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_YIDUN);
12204
12205 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12206 }
12207
12208 // PangXie
12209 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_PANGXIE))
12210 {
12211 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_PANGXIE);
12212
12213 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12214 }
12215
12216 // Hdus-Wjus
12217 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_HDUS_WJUS))
12218 {
12219 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_HDUS_WJUS);
12220
12221 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12222 }
12223
12224 // Medusah
12225 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_MEDUSAH))
12226 {
12227 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_MEDUSAH);
12228
12229 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12230 }
12231
12232 // AppSolid
12233 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_APPSOLID))
12234 {
12235 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_APPSOLID);
12236
12237 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12238 }
12239
12240 // Proguard
12241 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_PROGUARD))
12242 {
12243 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_PROGUARD);
12244
12245 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12246 }
12247
12248 // VDog
12249 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_VDOG))
12250 {
12251 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_VDOG);
12252
12253 QString sVersion=xzip.decompress(&(pZipInfo->listArchiveRecords),"assets/version").data();
12254
12255 if(sVersion!="")
12256 {
12257 // V4.1.0_VDOG-1.8.5.3_AOP-7.23
12258 ss.sVersion=sVersion.section("VDOG-",1,1).section("_",0,0);
12259 }
12260
12261 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12262 }
12263
12264 // APKProtect
12265 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_APKPROTECT))
12266 {
12267 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_APKPROTECT);
12268
12269 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12270 }
12271
12272 // ollvm-tll
12273 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_OLLVMTLL))
12274 {
12275 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_OLLVMTLL);
12276
12277 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12278 }
12279
12280 // DexGuard
12281 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DEXGUARD)||pZipInfo->dexInfoClasses.mapResultProtectors.contains(RECORD_NAME_DEXGUARD))
12282 {
12283 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXGUARD,"","",0);
12284
12285 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DEXGUARD))
12286 {
12287 ss.sVersion=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_DEXGUARD).sVersion;
12288 }
12289 else if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_GENERIC))
12290 {
12291 ss.sVersion=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_GENERIC).sVersion;
12292 }
12293
12294 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12295 }
12296
12297 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_DEXPROTECTOR)||pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DEXPROTECTOR))
12298 {
12299 _SCANS_STRUCT ss={};
12300
12301 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_DEXPROTECTOR))
12302 {
12303 ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_DEXPROTECTOR);
12304 }
12305 else
12306 {
12307 ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_DEXPROTECTOR);
12308 }
12309
12310 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12311 }
12312
12313 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_APKPROTECTOR)||pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APKPROTECTOR))
12314 {
12315 _SCANS_STRUCT ss={};
12316
12317 if(pZipInfo->mapMetainfosDetects.contains(RECORD_NAME_APKPROTECTOR))
12318 {
12319 ss=pZipInfo->mapMetainfosDetects.value(RECORD_NAME_APKPROTECTOR);
12320 }
12321 else
12322 {
12323 ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_APKPROTECTOR);
12324 }
12325
12326 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12327 }
12328
12329 // SandHook
12330 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_SANDHOOK))
12331 {
12332 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_SANDHOOK);
12333
12334 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12335 }
12336
12337 // Unicom SDK
12338 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_UNICOMSDK))
12339 {
12340 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_UNICOMSDK);
12341
12342 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12343 }
12344
12345 // Unity
12346 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_UNITY))
12347 {
12348 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_UNITY);
12349
12350 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12351 }
12352
12353 // IL2CPP
12354 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_IL2CPP))
12355 {
12356 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_IL2CPP);
12357
12358 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12359 }
12360
12361 // Basic4Android
12362 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_BASIC4ANDROID))
12363 {
12364 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_BASIC4ANDROID);
12365
12366 pZipInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12367 }
12368
12369 // ApkToolPlus
12370 if(pZipInfo->mapArchiveDetects.contains(RECORD_NAME_APKTOOLPLUS))
12371 {
12372 _SCANS_STRUCT ss=pZipInfo->mapArchiveDetects.value(RECORD_NAME_APKTOOLPLUS);
12373
12374 pZipInfo->mapResultTools.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12375 }
12376 }
12377 }
12378 }
12379
Zip_handle_IPA(QIODevice * pDevice,bool bIsImage,SpecAbstract::ZIPINFO_STRUCT * pZipInfo)12380 void SpecAbstract::Zip_handle_IPA(QIODevice *pDevice, bool bIsImage, SpecAbstract::ZIPINFO_STRUCT *pZipInfo)
12381 {
12382 Q_UNUSED(bIsImage)
12383
12384 XZip xzip(pDevice);
12385
12386 if(xzip.isValid())
12387 {
12388 if(pZipInfo->bIsIPA)
12389 {
12390 _SCANS_STRUCT ssFormat=getScansStruct(0,XBinary::FT_ARCHIVE,RECORD_TYPE_FORMAT,RECORD_NAME_IPA,"","",0);
12391
12392 ssFormat.sVersion=xzip.getVersion();
12393 ssFormat.sInfo=QString("%1 records").arg(xzip.getNumberOfRecords());
12394
12395 pZipInfo->basic_info.listDetects.append(scansToScan(&(pZipInfo->basic_info),&ssFormat));
12396 }
12397 }
12398 }
12399
Zip_handle_Recursive(QIODevice * pDevice,bool bIsImage,SpecAbstract::ZIPINFO_STRUCT * pZipInfo,SpecAbstract::SCAN_OPTIONS * pOptions,bool * pbIsStop)12400 void SpecAbstract::Zip_handle_Recursive(QIODevice *pDevice, bool bIsImage, SpecAbstract::ZIPINFO_STRUCT *pZipInfo, SpecAbstract::SCAN_OPTIONS *pOptions, bool *pbIsStop)
12401 {
12402 Q_UNUSED(bIsImage)
12403
12404 XZip xzip(pDevice);
12405
12406 if(xzip.isValid())
12407 {
12408 if(((pZipInfo->bIsAPK)||(pZipInfo->bIsIPA))&&(pOptions->bRecursiveScan))
12409 {
12410 if(pOptions->bDeepScan)
12411 {
12412 int nNumberOfRecords=pZipInfo->listArchiveRecords.count();
12413
12414 for(int i=0;(i<nNumberOfRecords)&&(!(*pbIsStop));i++)
12415 {
12416 if(pZipInfo->basic_info.bIsTest)
12417 {
12418 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_UNKNOWN,"","",0);
12419
12420 if( pZipInfo->listArchiveRecords.at(i).sFileName.contains("libdiresu.so")||
12421 pZipInfo->listArchiveRecords.at(i).sFileName.contains("assets/agconfig")||
12422 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libkonyjsvm.so")||
12423 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libapproov.so")||
12424 pZipInfo->listArchiveRecords.at(i).sFileName.contains("apkPackerConfiguration")||
12425 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libAppSuit.so")||
12426 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libUnpacker.so")||
12427 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libcovault.so")||
12428 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libcovault-appsec.so")||
12429 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libsecenh.so")||
12430 pZipInfo->listArchiveRecords.at(i).sFileName.contains("guardit4j.fin")||
12431 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libmedl.so")||
12432 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libCodeGuard.so")||
12433 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libshield.so")||
12434 pZipInfo->listArchiveRecords.at(i).sFileName.contains("libvosWrapperEx.so"))
12435 {
12436 ss.sVersion=pZipInfo->listArchiveRecords.at(i).sFileName;
12437 pZipInfo->mapResultAPKProtectors.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12438 }
12439 }
12440
12441 QByteArray baRecordData=xzip.decompress(&(pZipInfo->listArchiveRecords.at(i)),true);
12442
12443 QSet<XBinary::FT> stFileTypes=XBinary::getFileTypes(&baRecordData,true);
12444
12445 if( stFileTypes.contains(XBinary::FT_DEX)||
12446 stFileTypes.contains(XBinary::FT_ELF32)||
12447 stFileTypes.contains(XBinary::FT_ELF64)||
12448 stFileTypes.contains(XBinary::FT_MACHOFAT)||
12449 stFileTypes.contains(XBinary::FT_MACHO32)||
12450 stFileTypes.contains(XBinary::FT_MACHO64))
12451 {
12452 SpecAbstract::SCAN_RESULT scanResult={0};
12453
12454 SpecAbstract::ID _parentId=pZipInfo->basic_info.id;
12455 _parentId.filePart=SpecAbstract::RECORD_FILEPART_ARCHIVERECORD;
12456 _parentId.sInfo=pZipInfo->listArchiveRecords.at(i).sFileName;
12457 _parentId.bVirtual=true; // TODO Check
12458
12459 if(pZipInfo->listArchiveRecords.at(i).nUncompressedSize>baRecordData.size())
12460 {
12461 QTemporaryFile fileTemp;
12462
12463 if(fileTemp.open())
12464 {
12465 QString sTempFileName=fileTemp.fileName();
12466
12467 if(xzip.decompressToFile(&(pZipInfo->listArchiveRecords.at(i)),sTempFileName))
12468 {
12469 QFile file;
12470
12471 file.setFileName(sTempFileName);
12472
12473 if(file.open(QIODevice::ReadOnly))
12474 {
12475 scan(&file,&scanResult,0,file.size(),_parentId,pOptions,false,pbIsStop);
12476
12477 file.close();
12478 }
12479 }
12480 }
12481 }
12482 else
12483 {
12484 QBuffer buffer(&baRecordData);
12485
12486 if(buffer.open(QIODevice::ReadOnly))
12487 {
12488 scan(&buffer,&scanResult,0,buffer.size(),_parentId,pOptions,false,pbIsStop);
12489
12490 buffer.close();
12491 }
12492 }
12493
12494 if(stFileTypes.contains(XBinary::FT_DEX))
12495 {
12496 // TODO get language(Java/Kotlin) from DEX
12497 // bIsKotlin
12498 // bIsJava
12499 }
12500
12501 // if( stFileTypes.contains(XBinary::FT_ELF32)||
12502 // stFileTypes.contains(XBinary::FT_ELF64))
12503 // {
12504 // filterResult(&scanResult.listRecords,QSet<RECORD_TYPE>()<<RECORD_TYPE_PACKER<<RECORD_TYPE_PROTECTOR);
12505 // }
12506
12507 pZipInfo->listRecursiveDetects.append(scanResult.listRecords);
12508 }
12509 }
12510 }
12511 }
12512 }
12513 }
12514
Zip_handle_FixDetects(QIODevice * pDevice,bool bIsImage,SpecAbstract::ZIPINFO_STRUCT * pZipInfo)12515 void SpecAbstract::Zip_handle_FixDetects(QIODevice *pDevice, bool bIsImage, SpecAbstract::ZIPINFO_STRUCT *pZipInfo)
12516 {
12517 Q_UNUSED(bIsImage)
12518
12519 XZip xzip(pDevice);
12520
12521 if(xzip.isValid())
12522 {
12523 if( pZipInfo->basic_info.id.fileType==XBinary::FT_ZIP)
12524 {
12525 pZipInfo->basic_info.id.fileType=XBinary::FT_ARCHIVE;
12526 // TODO deep scan
12527 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_ARCHIVE,RECORD_TYPE_FORMAT,RECORD_NAME_ZIP,"","",0);
12528
12529 ss.sVersion=xzip.getVersion();
12530 ss.sInfo=QString("%1 records").arg(xzip.getNumberOfRecords());
12531
12532 if(xzip.isEncrypted())
12533 {
12534 ss.sInfo=append(ss.sInfo,"Encrypted");
12535 }
12536
12537 // TODO files
12538 pZipInfo->mapResultArchives.insert(ss.name,scansToScan(&(pZipInfo->basic_info),&ss));
12539 }
12540
12541 if(pZipInfo->basic_info.bIsTest)
12542 {
12543 if(pZipInfo->mapMetainfosDetects.count()==0)
12544 {
12545 QString sDataManifest=xzip.decompress("META-INF/MANIFEST.MF").data();
12546
12547 QString sProtectedBy=XBinary::regExp("Protected-By: (.*?)\n",sDataManifest,1).remove("\r");
12548 QString sCreatedBy=XBinary::regExp("Created-By: (.*?)\n",sDataManifest,1).remove("\r");
12549 QString sBuiltBy=XBinary::regExp("Built-By: (.*?)\n",sDataManifest,1).remove("\r");
12550
12551 if(sProtectedBy!="")
12552 {
12553 _SCANS_STRUCT recordSS={};
12554
12555 recordSS.type=RECORD_TYPE_PROTECTOR;
12556 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN0);
12557 recordSS.sVersion="Protected: "+sProtectedBy;
12558
12559 pZipInfo->mapResultAPKProtectors.insert(recordSS.name,scansToScan(&(pZipInfo->basic_info),&recordSS));
12560 }
12561
12562 if((sCreatedBy!="")&&(sCreatedBy!="1.0 (Android)"))
12563 {
12564 _SCANS_STRUCT recordSS={};
12565
12566 recordSS.type=RECORD_TYPE_PROTECTOR;
12567 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN1);
12568 recordSS.sVersion="Created: "+sCreatedBy;
12569
12570 pZipInfo->mapResultAPKProtectors.insert(recordSS.name,scansToScan(&(pZipInfo->basic_info),&recordSS));
12571 }
12572
12573 if(sBuiltBy!="")
12574 {
12575 _SCANS_STRUCT recordSS={};
12576
12577 recordSS.type=RECORD_TYPE_PROTECTOR;
12578 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN2);
12579 recordSS.sVersion="Built: "+sBuiltBy;
12580
12581 pZipInfo->mapResultAPKProtectors.insert(recordSS.name,scansToScan(&(pZipInfo->basic_info),&recordSS));
12582 }
12583 }
12584 }
12585 }
12586 }
12587
Zip_handleLanguages(QIODevice * pDevice,bool bIsImage,ZIPINFO_STRUCT * pZipInfo)12588 void SpecAbstract::Zip_handleLanguages(QIODevice *pDevice, bool bIsImage, ZIPINFO_STRUCT *pZipInfo)
12589 {
12590 Q_UNUSED(pDevice)
12591 Q_UNUSED(bIsImage)
12592
12593 getLanguage(&(pZipInfo->mapResultLibraries),&(pZipInfo->mapResultLanguages));
12594 getLanguage(&(pZipInfo->mapResultTools),&(pZipInfo->mapResultLanguages));
12595
12596 fixLanguage(&(pZipInfo->mapResultLanguages));
12597 }
12598
Zip_scan_DEX(QIODevice * pDevice,bool bIsImage,SpecAbstract::ZIPINFO_STRUCT * pZipInfo,SCAN_OPTIONS * pOptions,bool * pbIsStop,QString sFileName)12599 SpecAbstract::DEXINFO_STRUCT SpecAbstract::Zip_scan_DEX(QIODevice *pDevice, bool bIsImage, SpecAbstract::ZIPINFO_STRUCT *pZipInfo, SCAN_OPTIONS *pOptions, bool *pbIsStop, QString sFileName)
12600 {
12601 Q_UNUSED(bIsImage)
12602
12603 DEXINFO_STRUCT result={};
12604
12605 XZip xzip(pDevice);
12606
12607 if(xzip.isValid())
12608 {
12609 QByteArray baRecordData=xzip.decompress(&(pZipInfo->listArchiveRecords),sFileName);
12610
12611 QBuffer buffer(&baRecordData);
12612
12613 if(buffer.open(QIODevice::ReadOnly))
12614 {
12615 result=getDEXInfo(&buffer,pZipInfo->basic_info.id,pOptions,0,pbIsStop);
12616
12617 buffer.close();
12618 }
12619 }
12620
12621 return result;
12622 }
12623
Binary_handle_FixDetects(QIODevice * pDevice,bool bIsImage,SpecAbstract::BINARYINFO_STRUCT * pBinaryInfo)12624 void SpecAbstract::Binary_handle_FixDetects(QIODevice *pDevice, bool bIsImage, SpecAbstract::BINARYINFO_STRUCT *pBinaryInfo)
12625 {
12626 Q_UNUSED(pDevice)
12627 Q_UNUSED(bIsImage)
12628
12629 if(pBinaryInfo->mapResultFormats.contains(RECORD_NAME_PDF))
12630 {
12631 pBinaryInfo->mapResultTexts.clear();
12632
12633 pBinaryInfo->mapResultFormats[RECORD_NAME_PDF].id.fileType=XBinary::FT_BINARY;
12634 pBinaryInfo->basic_info.id.fileType=XBinary::FT_BINARY;
12635 }
12636 }
12637
Binary_handleLanguages(QIODevice * pDevice,bool bIsImage,BINARYINFO_STRUCT * pBinaryInfo)12638 void SpecAbstract::Binary_handleLanguages(QIODevice *pDevice, bool bIsImage, BINARYINFO_STRUCT *pBinaryInfo)
12639 {
12640 Q_UNUSED(pDevice)
12641 Q_UNUSED(bIsImage)
12642
12643 // getLanguage(&(pBinaryInfo->mapResultCOMPackers),&(pBinaryInfo->mapResultLanguages));
12644 // getLanguage(&(pBinaryInfo->mapResultCOMProtectors),&(pBinaryInfo->mapResultLanguages));
12645 // TODO fixes
12646 }
12647
MSDOS_handle_OperationSystems(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)12648 void SpecAbstract::MSDOS_handle_OperationSystems(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
12649 {
12650 Q_UNUSED(pDevice)
12651 Q_UNUSED(bIsImage)
12652
12653 _SCANS_STRUCT ssOperationSystem=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_MSDOS,"","",0);
12654
12655 pMSDOSInfo->mapResultOperationSystems.insert(ssOperationSystem.name,scansToScan(&(pMSDOSInfo->basic_info),&ssOperationSystem));
12656 }
12657
MSDOS_handle_Tools(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)12658 void SpecAbstract::MSDOS_handle_Tools(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
12659 {
12660 XMSDOS msdos(pDevice,bIsImage);
12661
12662 if(msdos.isValid())
12663 {
12664 // IBM PC Pascal
12665 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_IBMPCPASCAL))
12666 {
12667 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_IBMPCPASCAL);
12668 pMSDOSInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12669 }
12670
12671 // WATCOM C
12672 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_WATCOMCCPP))
12673 {
12674 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_WATCOMCCPP);
12675 pMSDOSInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12676 }
12677
12678 // BAT2EXEC
12679 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_BAT2EXEC))
12680 {
12681 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_BAT2EXEC);
12682 pMSDOSInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12683 }
12684
12685 }
12686 }
12687
MSDOS_handle_Borland(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)12688 void SpecAbstract::MSDOS_handle_Borland(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
12689 {
12690 XMSDOS msdos(pDevice,bIsImage);
12691
12692 if(msdos.isValid())
12693 {
12694 _SCANS_STRUCT ssLinker={};
12695 _SCANS_STRUCT ssCompiler={};
12696
12697 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TURBOLINKER))
12698 {
12699 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TURBOLINKER);
12700
12701 VI_STRUCT vi=get_TurboLinker_vi(pDevice,bIsImage);
12702
12703 if(vi.bIsValid)
12704 {
12705 ss.sVersion=vi.sVersion;
12706 }
12707
12708 ssLinker=ss;
12709 }
12710
12711 if(pMSDOSInfo->basic_info.bIsDeepScan)
12712 {
12713 qint64 _nOffset=0;
12714 qint64 _nSize=pMSDOSInfo->basic_info.nSize;
12715
12716 if(pMSDOSInfo->nOverlayOffset!=-1)
12717 {
12718 _nSize=pMSDOSInfo->nOverlayOffset;
12719 }
12720
12721 qint64 nOffsetTurboC=-1;
12722 qint64 nOffsetTurboCPP=-1;
12723 qint64 nOffsetBorlandCPP=-1;
12724
12725 nOffsetTurboC=msdos.find_ansiString(_nOffset,_nSize,"Turbo-C - ");
12726
12727 if(nOffsetTurboC!=-1)
12728 {
12729 QString sBorlandString=msdos.read_ansiString(nOffsetTurboC);
12730 // TODO version
12731 _SCANS_STRUCT ssCompiler=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_COMPILER,RECORD_NAME_TURBOC,"","",0);
12732
12733 if(sBorlandString=="Turbo-C - Copyright (c) 1987 Borland Intl.")
12734 {
12735 ssCompiler.sVersion="1987";
12736 }
12737 else if(sBorlandString=="Turbo-C - Copyright (c) 1988 Borland Intl.")
12738 {
12739 ssCompiler.sVersion="1988";
12740 }
12741
12742 pMSDOSInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pMSDOSInfo->basic_info),&ssCompiler));
12743 }
12744
12745 if(nOffsetTurboC==-1)
12746 {
12747 nOffsetTurboCPP=msdos.find_ansiString(_nOffset,_nSize,"Turbo C++ - ");
12748 }
12749
12750 if(nOffsetTurboCPP!=-1)
12751 {
12752 QString sBorlandString=msdos.read_ansiString(nOffsetTurboCPP);
12753 // TODO version
12754 _SCANS_STRUCT ssCompiler=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_COMPILER,RECORD_NAME_TURBOCPP,"","",0);
12755
12756 if(sBorlandString=="Turbo C++ - Copyright 1990 Borland Intl.")
12757 {
12758 ssCompiler.sVersion="1990";
12759 }
12760
12761 pMSDOSInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pMSDOSInfo->basic_info),&ssCompiler));
12762 }
12763
12764 if((nOffsetTurboC==-1)&&(nOffsetTurboCPP==-1))
12765 {
12766 nOffsetBorlandCPP=msdos.find_ansiString(_nOffset,_nSize,"Borland C++");
12767 }
12768
12769 if(nOffsetBorlandCPP!=-1)
12770 {
12771 QString sBorlandString=msdos.read_ansiString(nOffsetBorlandCPP);
12772 // TODO version
12773 _SCANS_STRUCT ssCompiler=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_COMPILER,RECORD_NAME_BORLANDCPP,"","",0);
12774
12775 if(sBorlandString=="Borland C++ - Copyright 1991 Borland Intl.")
12776 {
12777 ssCompiler.sVersion="1991";
12778 }
12779 else if(sBorlandString=="Borland C++ - Copyright 1993 Borland Intl.")
12780 {
12781 ssCompiler.sVersion="1993";
12782 }
12783 else if(sBorlandString=="Borland C++ - Copyright 1994 Borland Intl.")
12784 {
12785 ssCompiler.sVersion="1994";
12786 }
12787 else if(sBorlandString=="Borland C++ - Copyright 1995 Borland Intl.")
12788 {
12789 ssCompiler.sVersion="1995";
12790 }
12791
12792 pMSDOSInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pMSDOSInfo->basic_info),&ssCompiler));
12793 }
12794 }
12795
12796 if(ssCompiler.type==RECORD_TYPE_UNKNOWN)
12797 {
12798 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_TURBOCPP))
12799 {
12800 ssCompiler=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_TURBOCPP);
12801 }
12802 }
12803
12804 if(ssLinker.type==RECORD_TYPE_UNKNOWN)
12805 {
12806 if( (ssCompiler.name==RECORD_NAME_TURBOC)||
12807 (ssCompiler.name==RECORD_NAME_TURBOCPP)||
12808 (ssCompiler.name==RECORD_NAME_BORLANDCPP))
12809 {
12810 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_LINKER,RECORD_NAME_TURBOLINKER,"","",0);
12811
12812 // TODO Version
12813 // Turbo-C 1987 1.0
12814 // Turbo-C 1988 2.0
12815 // Borland C++ 1991 3.0-7.00?
12816
12817 ssLinker=ss;
12818 }
12819 }
12820
12821 if(ssLinker.type!=RECORD_TYPE_UNKNOWN)
12822 {
12823 pMSDOSInfo->mapResultLinkers.insert(ssLinker.name,scansToScan(&(pMSDOSInfo->basic_info),&ssLinker));
12824 }
12825
12826 if(ssCompiler.type!=RECORD_TYPE_UNKNOWN)
12827 {
12828 pMSDOSInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pMSDOSInfo->basic_info),&ssCompiler));
12829 }
12830 }
12831 }
12832
MSDOS_handle_Protection(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)12833 void SpecAbstract::MSDOS_handle_Protection(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
12834 {
12835 XMSDOS msdos(pDevice,bIsImage);
12836
12837 if(msdos.isValid())
12838 {
12839 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_CRYEXE))
12840 {
12841 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_CRYEXE);
12842 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12843 }
12844
12845 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LSCRYPRT))
12846 {
12847 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LSCRYPRT);
12848 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12849 }
12850
12851 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PACKWIN)||pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_PACKWIN))
12852 {
12853 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_PACKWIN);
12854
12855 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PACKWIN))
12856 {
12857 pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PACKWIN);
12858 }
12859
12860 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12861 }
12862
12863 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_PKLITE))
12864 {
12865 // TODO more options
12866 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_PKLITE);
12867 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12868 }
12869
12870 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_WWPACK))
12871 {
12872 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_WWPACK);
12873 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12874 }
12875
12876 if( pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LZEXE)||
12877 pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_LZEXE))
12878 {
12879 bool bHeader=pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LZEXE);
12880 bool bEP=pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_LZEXE);
12881
12882 _SCANS_STRUCT ss={};
12883
12884 if(bHeader&&bEP)
12885 {
12886 ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LZEXE);
12887 }
12888 else if(bEP)
12889 {
12890 ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_LZEXE);
12891 ss.sInfo=append(ss.sInfo,"modified header");
12892 }
12893 else if(bHeader)
12894 {
12895 ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LZEXE);
12896 ss.sInfo=append(ss.sInfo,"modified entrypoint");
12897 }
12898
12899 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12900 }
12901
12902 if( pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_RJCRUSH)||
12903 pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_RJCRUSH))
12904 {
12905 bool bHeader=pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_RJCRUSH);
12906 bool bEP=pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_RJCRUSH);
12907
12908 _SCANS_STRUCT ss={};
12909
12910 if(bHeader&&bEP)
12911 {
12912 ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_RJCRUSH);
12913 }
12914 else if(bEP)
12915 {
12916 ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_RJCRUSH);
12917 ss.sInfo=append(ss.sInfo,"modified header");
12918 }
12919 else if(bHeader)
12920 {
12921 ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_RJCRUSH);
12922 ss.sInfo=append(ss.sInfo,"modified entrypoint");
12923 }
12924
12925 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12926 }
12927
12928 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_AINEXE))
12929 {
12930 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_AINEXE);
12931 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12932 }
12933
12934 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_PGMPAK))
12935 {
12936 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_PGMPAK);
12937 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12938 }
12939
12940 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_JAM))
12941 {
12942 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_JAM);
12943 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12944 }
12945
12946 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_LOCKTITE))
12947 {
12948 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_LOCKTITE);
12949 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12950 }
12951
12952 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_PCOM))
12953 {
12954 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_PCOM);
12955 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12956 }
12957
12958 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_AVPACK))
12959 {
12960 // TODO Check
12961 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_AVPACK);
12962 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12963 }
12964
12965 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_LGLZ))
12966 {
12967 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_LGLZ);
12968 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12969 }
12970
12971 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_PROPACK))
12972 {
12973 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_PROPACK);
12974 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12975 }
12976
12977 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_RELPACK))
12978 {
12979 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_RELPACK);
12980 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12981 }
12982
12983 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_SCRNCH))
12984 {
12985 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_SCRNCH);
12986 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12987 }
12988
12989 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_TINYPROG))
12990 {
12991 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_TINYPROG);
12992 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12993 }
12994
12995 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_UCEXE))
12996 {
12997 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_UCEXE);
12998 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
12999 }
13000
13001 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_APACK))
13002 {
13003 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_APACK);
13004 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13005 }
13006
13007 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_CCBYVORONTSOV))
13008 {
13009 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_CCBYVORONTSOV);
13010 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13011 }
13012
13013 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_CRYPTCOM))
13014 {
13015 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_CRYPTCOM);
13016 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13017 }
13018
13019 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_CRYPTORBYDISMEMBER))
13020 {
13021 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_CRYPTORBYDISMEMBER);
13022 pMSDOSInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13023 }
13024
13025 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_UPX))
13026 {
13027 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_UPX);
13028
13029 VI_STRUCT viUPX=get_UPX_vi(pDevice,bIsImage,0,pMSDOSInfo->basic_info.nSize,XBinary::FT_MSDOS);
13030
13031 if(viUPX.bIsValid)
13032 {
13033 if(viUPX.sVersion!="")
13034 {
13035 ss.sVersion=viUPX.sVersion;
13036 }
13037
13038 ss.sInfo=viUPX.sInfo;
13039 }
13040
13041 pMSDOSInfo->mapResultPackers.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13042 }
13043 }
13044 }
13045
MSDOS_handle_SFX(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)13046 void SpecAbstract::MSDOS_handle_SFX(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
13047 {
13048 XMSDOS msdos(pDevice,bIsImage);
13049
13050 if(msdos.isValid())
13051 {
13052 if(pMSDOSInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_LHASSFX))
13053 {
13054 _SCANS_STRUCT ss=pMSDOSInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_LHASSFX);
13055 pMSDOSInfo->mapResultSFX.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13056 }
13057 else if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_ICE))
13058 {
13059 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_ICE);
13060 pMSDOSInfo->mapResultSFX.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13061 }
13062 else if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_PKZIPMINISFX))
13063 {
13064 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_PKZIPMINISFX);
13065 pMSDOSInfo->mapResultSFX.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13066 }
13067 }
13068 }
13069
MSDOS_handle_DosExtenders(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo)13070 void SpecAbstract::MSDOS_handle_DosExtenders(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo)
13071 {
13072 XMSDOS msdos(pDevice,bIsImage);
13073
13074 if(msdos.isValid())
13075 {
13076 if(pMSDOSInfo->mapEntryPointDetects.contains(RECORD_NAME_CAUSEWAY))
13077 {
13078 _SCANS_STRUCT ss=pMSDOSInfo->mapEntryPointDetects.value(RECORD_NAME_CAUSEWAY);
13079
13080 if(pMSDOSInfo->basic_info.bIsDeepScan)
13081 {
13082 qint64 nVersionOffset=msdos.find_ansiString(0,pMSDOSInfo->basic_info.nSize,"CauseWay DOS Extender v");
13083
13084 if(nVersionOffset!=-1)
13085 {
13086 QString sVersion=msdos.read_ansiString(nVersionOffset+23);
13087 sVersion=sVersion.section(" ",0,0);
13088
13089 if(sVersion!="")
13090 {
13091 ss.sVersion=sVersion;
13092 }
13093 }
13094 }
13095
13096 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13097 }
13098
13099 // CWSDPMI
13100 if(pMSDOSInfo->basic_info.bIsDeepScan)
13101 {
13102 qint64 nVersionOffset=msdos.find_ansiString(0,0x100,"CWSDPMI");
13103
13104 if(nVersionOffset!=-1)
13105 {
13106 QString sCWSDPMI=msdos.read_ansiString(nVersionOffset);
13107
13108 if(sCWSDPMI.section(" ",0,0)=="CWSDPMI")
13109 {
13110 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_DOSEXTENDER,RECORD_NAME_CWSDPMI,"","",0);
13111
13112 ss.sVersion=sCWSDPMI.section(" ",1,1);
13113
13114 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13115 }
13116 }
13117 }
13118 // PMODE/W
13119 QString sPMODEW=msdos.read_ansiString(0x55);
13120 QString sPMODE_W=sPMODEW.section(" ",0,0);
13121 if((sPMODE_W=="PMODE/W")||(sPMODE_W=="PMODE\\W"))
13122 {
13123 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_DOSEXTENDER,RECORD_NAME_PMODEW,"","",0);
13124
13125 ss.sVersion=sPMODEW.section(" ",1,1).remove("v");
13126
13127 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13128 }
13129
13130 QString sWDOSX=msdos.read_ansiString(0x34);
13131
13132 if(sWDOSX.section(" ",0,0)=="WDOSX")
13133 {
13134 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_DOSEXTENDER,RECORD_NAME_WDOSX,"","",0);
13135
13136 ss.sVersion=sWDOSX.section(" ",1,1);
13137
13138 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13139 }
13140
13141 // DOS/16M
13142 if(pMSDOSInfo->basic_info.bIsDeepScan)
13143 {
13144 qint64 nVersionOffset=msdos.find_ansiString(0,qMin(pMSDOSInfo->basic_info.nSize,(qint64)0x1000),"DOS/16M Copyright (C) Tenberry Software Inc");
13145
13146 if(nVersionOffset!=-1)
13147 {
13148 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_DOSEXTENDER,RECORD_NAME_DOS16M,"","",0);
13149 // TODO Version
13150 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13151 }
13152 }
13153
13154 // DOS/4G
13155 if(pMSDOSInfo->basic_info.bIsDeepScan)
13156 {
13157 // TODO vi
13158 qint64 nVersionOffset=msdos.find_ansiString(0,qMin(pMSDOSInfo->basic_info.nSize,(qint64)0x1000),"DOS/4G");
13159
13160 if(nVersionOffset!=-1)
13161 {
13162 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_MSDOS,RECORD_TYPE_DOSEXTENDER,RECORD_NAME_DOS4G,"","",0);
13163 // TODO Version
13164 pMSDOSInfo->mapResultDosExtenders.insert(ss.name,scansToScan(&(pMSDOSInfo->basic_info),&ss));
13165 }
13166 }
13167 }
13168 }
13169
MSDOS_handleLanguages(QIODevice * pDevice,bool bIsImage,MSDOSINFO_STRUCT * pMSDOSInfo)13170 void SpecAbstract::MSDOS_handleLanguages(QIODevice *pDevice, bool bIsImage, MSDOSINFO_STRUCT *pMSDOSInfo)
13171 {
13172 Q_UNUSED(pDevice)
13173 Q_UNUSED(bIsImage)
13174
13175 getLanguage(&(pMSDOSInfo->mapResultLinkers),&(pMSDOSInfo->mapResultLanguages));
13176 getLanguage(&(pMSDOSInfo->mapResultCompilers),&(pMSDOSInfo->mapResultLanguages));
13177 getLanguage(&(pMSDOSInfo->mapResultLibraries),&(pMSDOSInfo->mapResultLanguages));
13178 getLanguage(&(pMSDOSInfo->mapResultTools),&(pMSDOSInfo->mapResultLanguages));
13179
13180 fixLanguage(&(pMSDOSInfo->mapResultLanguages));
13181 }
13182
MSDOS_handle_Recursive(QIODevice * pDevice,bool bIsImage,SpecAbstract::MSDOSINFO_STRUCT * pMSDOSInfo,SpecAbstract::SCAN_OPTIONS * pOptions,bool * pbIsStop)13183 void SpecAbstract::MSDOS_handle_Recursive(QIODevice *pDevice, bool bIsImage, SpecAbstract::MSDOSINFO_STRUCT *pMSDOSInfo,SpecAbstract::SCAN_OPTIONS *pOptions,bool *pbIsStop)
13184 {
13185 if(pOptions->bRecursiveScan)
13186 {
13187 XMSDOS msdos(pDevice,bIsImage);
13188
13189 if(msdos.isValid())
13190 {
13191 if(pMSDOSInfo->nOverlaySize)
13192 {
13193 SpecAbstract::SCAN_RESULT scanResult={0};
13194
13195 SpecAbstract::ID _parentId=pMSDOSInfo->basic_info.id;
13196 _parentId.filePart=SpecAbstract::RECORD_FILEPART_OVERLAY;
13197 scan(pDevice,&scanResult,pMSDOSInfo->nOverlayOffset,pMSDOSInfo->nOverlaySize,_parentId,pOptions,false,pbIsStop);
13198
13199 pMSDOSInfo->listRecursiveDetects.append(scanResult.listRecords);
13200 }
13201 }
13202 }
13203 }
13204
ELF_handle_OperationSystems(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)13205 void SpecAbstract::ELF_handle_OperationSystems(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
13206 {
13207 XELF elf(pDevice,bIsImage);
13208
13209 if(elf.isValid())
13210 {
13211 _SCANS_STRUCT ssOperationSystem=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_UNIX,"","",0);
13212
13213 quint8 osabi=elf.getIdent_osabi();
13214
13215 if (osabi==XELF_DEF::ELFOSABI_HPUX) ssOperationSystem.name=RECORD_NAME_HPUX;
13216 else if (osabi==XELF_DEF::ELFOSABI_NETBSD) ssOperationSystem.name=RECORD_NAME_NETBSD;
13217 else if (osabi==XELF_DEF::ELFOSABI_LINUX) ssOperationSystem.name=RECORD_NAME_LINUX;
13218 else if (osabi==XELF_DEF::ELFOSABI_SOLARIS) ssOperationSystem.name=RECORD_NAME_SOLARIS;
13219 else if (osabi==XELF_DEF::ELFOSABI_AIX) ssOperationSystem.name=RECORD_NAME_AIX;
13220 else if (osabi==XELF_DEF::ELFOSABI_IRIX) ssOperationSystem.name=RECORD_NAME_IRIX;
13221 else if (osabi==XELF_DEF::ELFOSABI_FREEBSD) ssOperationSystem.name=RECORD_NAME_FREEBSD;
13222 else if (osabi==XELF_DEF::ELFOSABI_TRU64) ssOperationSystem.name=RECORD_NAME_TRU64;
13223 else if (osabi==XELF_DEF::ELFOSABI_MODESTO) ssOperationSystem.name=RECORD_NAME_MODESTO;
13224 else if (osabi==XELF_DEF::ELFOSABI_OPENBSD) ssOperationSystem.name=RECORD_NAME_OPENBSD;
13225 else if (osabi==XELF_DEF::ELFOSABI_OPENVMS) ssOperationSystem.name=RECORD_NAME_OPENVMS;
13226 else if (osabi==XELF_DEF::ELFOSABI_NSK) ssOperationSystem.name=RECORD_NAME_NSK;
13227 else if (osabi==XELF_DEF::ELFOSABI_AROS) ssOperationSystem.name=RECORD_NAME_AROS;
13228 else if (osabi==XELF_DEF::ELFOSABI_FENIXOS) ssOperationSystem.name=RECORD_NAME_FENIXOS;
13229
13230 if(ssOperationSystem.name==RECORD_NAME_UNIX)
13231 {
13232 if(XELF::isNotePresent(&(pELFInfo->listNotes),"Android"))
13233 {
13234 ssOperationSystem.name=RECORD_NAME_ANDROID;
13235
13236 XELF::NOTE note=XELF::getNote(&(pELFInfo->listNotes),"Android");
13237
13238 _SCANS_STRUCT ssAndroidSDK=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDSDK,"","",0);
13239 _SCANS_STRUCT ssAndroidNDK=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDNDK,"","",0);
13240
13241 if(note.nSize>=4)
13242 {
13243 quint32 nSDKVersion=elf.read_uint32(note.nDataOffset);
13244 ssAndroidSDK.sVersion=QString("API %1").arg(nSDKVersion);
13245
13246 ssOperationSystem.sVersion=getAndroidVersionFromApi(nSDKVersion);
13247 }
13248
13249 if(note.nSize>=4+64*2)
13250 {
13251 QString sNdkVersion=elf.read_ansiString(note.nDataOffset+4);
13252 QString sNdkBuild=elf.read_ansiString(note.nDataOffset+4+64);
13253
13254 ssAndroidNDK.sVersion=QString("%1(%2)").arg(sNdkVersion).arg(sNdkBuild);
13255 }
13256
13257 pELFInfo->mapResultTools.insert(ssAndroidSDK.name,scansToScan(&(pELFInfo->basic_info),&ssAndroidSDK));
13258 pELFInfo->mapResultTools.insert(ssAndroidNDK.name,scansToScan(&(pELFInfo->basic_info),&ssAndroidNDK));
13259 }
13260 }
13261
13262 if(ssOperationSystem.name==RECORD_NAME_UNIX)
13263 {
13264 if(XELF::isSectionNamePresent(".note.android.ident",&(pELFInfo->listSectionRecords)))
13265 {
13266 ssOperationSystem.name=RECORD_NAME_ANDROID;
13267 }
13268 }
13269
13270 if((ssOperationSystem.name==RECORD_NAME_UNIX)||(ssOperationSystem.name==RECORD_NAME_LINUX))
13271 {
13272 qint32 nNumberOfComments=pELFInfo->listComments.count();
13273
13274 for(int i=0; i<nNumberOfComments; i++)
13275 {
13276 bool bFound=false;
13277
13278 QString sComment=pELFInfo->listComments.at(i);
13279
13280 if(sComment.contains("Ubuntu")||sComment.contains("ubuntu"))
13281 {
13282 ssOperationSystem.name=RECORD_NAME_UBUNTULINUX;
13283
13284 if(sComment.contains("ubuntu1~"))
13285 {
13286 ssOperationSystem.sVersion=sComment.section("ubuntu1~",1,-1).section(")",0,0);
13287 }
13288
13289 bFound=true;
13290 }
13291 else if(sComment.contains("Debian")||sComment.contains("debian"))
13292 {
13293 ssOperationSystem.name=RECORD_NAME_DEBIANLINUX;
13294
13295 bFound=true;
13296 }
13297 else if(sComment.contains("StartOS"))
13298 {
13299 ssOperationSystem.name=RECORD_NAME_STARTOSLINUX;
13300
13301 bFound=true;
13302 }
13303 else if(sComment.contains("Gentoo"))
13304 {
13305 ssOperationSystem.name=RECORD_NAME_GENTOOLINUX;
13306
13307 bFound=true;
13308 }
13309 else if(sComment.contains("Alpine"))
13310 {
13311 ssOperationSystem.name=RECORD_NAME_ALPINELINUX;
13312
13313 bFound=true;
13314 }
13315 else if(sComment.contains("Wind River Linux"))
13316 {
13317 ssOperationSystem.name=RECORD_NAME_WINDRIVERLINUX;
13318
13319 bFound=true;
13320 }
13321 else if(sComment.contains("SuSE")||sComment.contains("SUSE Linux"))
13322 {
13323 ssOperationSystem.name=RECORD_NAME_SUSELINUX;
13324
13325 bFound=true;
13326 }
13327 else if(sComment.contains("Mandrakelinux")||sComment.contains("Linux-Mandrake")||sComment.contains("Mandrake Linux"))
13328 {
13329 ssOperationSystem.name=RECORD_NAME_MANDRAKELINUX;
13330
13331 bFound=true;
13332 }
13333 else if(sComment.contains("ASPLinux"))
13334 {
13335 ssOperationSystem.name=RECORD_NAME_ASPLINUX;
13336
13337 bFound=true;
13338 }
13339 else if(sComment.contains("Red Hat"))
13340 {
13341 ssOperationSystem.name=RECORD_NAME_REDHATLINUX;
13342
13343 bFound=true;
13344 }
13345 else if(sComment.contains("Hancom Linux"))
13346 {
13347 ssOperationSystem.name=RECORD_NAME_HANCOMLINUX;
13348
13349 bFound=true;
13350 }
13351 else if(sComment.contains("TurboLinux"))
13352 {
13353 ssOperationSystem.name=RECORD_NAME_TURBOLINUX;
13354
13355 bFound=true;
13356 }
13357 else if(sComment.contains("Vine Linux"))
13358 {
13359 ssOperationSystem.name=RECORD_NAME_VINELINUX;
13360
13361 bFound=true;
13362 }
13363
13364 if(ssOperationSystem.name!=RECORD_NAME_LINUX)
13365 {
13366 if(sComment.contains("SunOS"))
13367 {
13368 ssOperationSystem.name=RECORD_NAME_SUNOS;
13369
13370 if(sComment.contains("@(#)SunOS "))
13371 {
13372 ssOperationSystem.sVersion=sComment.section("@(#)SunOS ",1,-1);
13373 }
13374
13375 bFound=true;
13376 }
13377 }
13378
13379 if(bFound)
13380 {
13381 break;
13382 }
13383 }
13384 }
13385
13386 if(ssOperationSystem.name==RECORD_NAME_UNIX)
13387 {
13388 ssOperationSystem.sVersion=QString("%1").arg(osabi);
13389 }
13390
13391 ssOperationSystem.sInfo=QString("%1, %2, %3").arg(elf.getArch(),(pELFInfo->bIs64)?("64-bit"):("32-bit"),elf.getTypeAsString());
13392
13393 pELFInfo->mapResultOperationSystems.insert(ssOperationSystem.name,scansToScan(&(pELFInfo->basic_info),&ssOperationSystem));
13394 }
13395 }
13396
ELF_handle_CommentSection(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)13397 void SpecAbstract::ELF_handle_CommentSection(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
13398 {
13399 Q_UNUSED(pDevice)
13400 Q_UNUSED(bIsImage)
13401
13402 int nNumberOfComments=pELFInfo->listComments.count();
13403
13404 for(int i=0;i<nNumberOfComments;i++)
13405 {
13406 QString sComment=pELFInfo->listComments.at(i);
13407
13408 VI_STRUCT vi={};
13409 _SCANS_STRUCT ss={};
13410
13411 // Apple LLVM / clang
13412 if(!vi.bIsValid)
13413 {
13414 vi=_get_ByteGuard_string(sComment);
13415
13416 if(vi.bIsValid)
13417 {
13418 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_BYTEGUARD,vi.sVersion,vi.sInfo,0);
13419
13420 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13421 }
13422 }
13423
13424 if(!vi.bIsValid)
13425 {
13426 vi=_get_GCC_string(sComment); // TODO Max version
13427
13428 if(vi.bIsValid)
13429 {
13430 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_GCC,vi.sVersion,vi.sInfo,0);
13431
13432 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13433 }
13434 }
13435
13436 if(!vi.bIsValid)
13437 {
13438 vi=_get_AppleLLVM_string(sComment);
13439
13440 if(vi.bIsValid)
13441 {
13442 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_APPLELLVM,vi.sVersion,vi.sInfo,0);
13443
13444 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13445 }
13446 }
13447
13448 if(!vi.bIsValid)
13449 {
13450 vi=_get_AndroidClang_string(sComment);
13451
13452 if(vi.bIsValid)
13453 {
13454 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ANDROIDCLANG,vi.sVersion,vi.sInfo,0);
13455
13456 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13457 }
13458 }
13459
13460 if(!vi.bIsValid)
13461 {
13462 vi=_get_PlexClang_string(sComment);
13463
13464 if(vi.bIsValid)
13465 {
13466 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_PLEXCLANG,vi.sVersion,vi.sInfo,0);
13467
13468 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13469 }
13470 }
13471
13472 if(!vi.bIsValid)
13473 {
13474 vi=_get_UbuntuClang_string(sComment);
13475
13476 if(vi.bIsValid)
13477 {
13478 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_UBUNTUCLANG,vi.sVersion,vi.sInfo,0);
13479
13480 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13481 }
13482 }
13483
13484 if(!vi.bIsValid)
13485 {
13486 vi=_get_ApportableClang_string(sComment);
13487
13488 if(vi.bIsValid)
13489 {
13490 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_APPORTABLECLANG,vi.sVersion,vi.sInfo,0);
13491
13492 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13493 }
13494 }
13495
13496 if(!vi.bIsValid)
13497 {
13498 vi=_get_ARMAssembler_string(sComment);
13499
13500 if(vi.bIsValid)
13501 {
13502 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMASSEMBLER,vi.sVersion,vi.sInfo,0);
13503
13504 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13505 }
13506 }
13507
13508 if(!vi.bIsValid)
13509 {
13510 vi=_get_ARMLinker_string(sComment);
13511
13512 if(vi.bIsValid)
13513 {
13514 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_LINKER,RECORD_NAME_ARMLINKER,vi.sVersion,vi.sInfo,0);
13515
13516 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13517 }
13518 }
13519
13520 if(!vi.bIsValid)
13521 {
13522 vi=_get_ARMC_string(sComment);
13523
13524 if(vi.bIsValid)
13525 {
13526 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMC,vi.sVersion,vi.sInfo,0);
13527
13528 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13529 }
13530 }
13531
13532 if(!vi.bIsValid)
13533 {
13534 vi=_get_ARMCCPP_string(sComment);
13535
13536 if(vi.bIsValid)
13537 {
13538 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMCCPP,vi.sVersion,vi.sInfo,0);
13539
13540 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13541 }
13542 }
13543
13544 if(!vi.bIsValid)
13545 {
13546 vi=_get_ARMNEONCCPP_string(sComment);
13547
13548 if(vi.bIsValid)
13549 {
13550 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMNEONCCPP,vi.sVersion,vi.sInfo,0);
13551
13552 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13553 }
13554 }
13555
13556 if(!vi.bIsValid)
13557 {
13558 vi=_get_ARMThumbCCPP_string(sComment);
13559
13560 if(vi.bIsValid)
13561 {
13562 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMTHUMBCCPP,vi.sVersion,vi.sInfo,0);
13563
13564 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13565 }
13566 }
13567
13568 if(!vi.bIsValid)
13569 {
13570 vi=_get_ARMThumbMacroAssembler_string(sComment);
13571
13572 if(vi.bIsValid)
13573 {
13574 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_ARMTHUMBMACROASSEMBLER,vi.sVersion,vi.sInfo,0);
13575
13576 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13577 }
13578 }
13579
13580 if(!vi.bIsValid)
13581 {
13582 vi=_get_ThumbC_string(sComment);
13583
13584 if(vi.bIsValid)
13585 {
13586 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_THUMBC,vi.sVersion,vi.sInfo,0);
13587
13588 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13589 }
13590 }
13591
13592 if(!vi.bIsValid)
13593 {
13594 vi=_get_clang_string(sComment);
13595
13596 if(vi.bIsValid)
13597 {
13598 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_CLANG,vi.sVersion,vi.sInfo,0);
13599
13600 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13601 }
13602 }
13603
13604 if(!vi.bIsValid)
13605 {
13606 vi=_get_DynASM_string(sComment);
13607
13608 if(vi.bIsValid)
13609 {
13610 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_DYNASM,vi.sVersion,vi.sInfo,0);
13611
13612 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13613 }
13614 }
13615
13616 if(!vi.bIsValid)
13617 {
13618 vi=_get_Delphi_string(sComment);
13619
13620 if(vi.bIsValid)
13621 {
13622 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_EMBARCADEROOBJECTPASCAL,vi.sVersion,vi.sInfo,0);
13623
13624 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13625 }
13626 }
13627
13628 if(!vi.bIsValid)
13629 {
13630 vi=_get_LLD_string(sComment);
13631
13632 if(vi.bIsValid)
13633 {
13634 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_LINKER,RECORD_NAME_LLD,vi.sVersion,vi.sInfo,0);
13635
13636 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13637 }
13638 }
13639
13640 if(!vi.bIsValid)
13641 {
13642 vi=_get_OracleSolarisLinkEditors_string(sComment);
13643
13644 if(vi.bIsValid)
13645 {
13646 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_LINKER,RECORD_NAME_ORACLESOLARISLINKEDITORS,vi.sVersion,vi.sInfo,0);
13647
13648 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13649 }
13650 }
13651
13652 if(!vi.bIsValid)
13653 {
13654 vi=_get_SunWorkShop_string(sComment);
13655
13656 if(vi.bIsValid)
13657 {
13658 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_LINKER,RECORD_NAME_SUNWORKSHOP,vi.sVersion,vi.sInfo,0);
13659
13660 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13661 }
13662 }
13663
13664 if(!vi.bIsValid)
13665 {
13666 vi=_get_SnapdragonLLVMARM_string(sComment);
13667
13668 if(vi.bIsValid)
13669 {
13670 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_SNAPDRAGONLLVMARM,vi.sVersion,vi.sInfo,0);
13671
13672 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13673 }
13674 }
13675
13676 if(!vi.bIsValid)
13677 {
13678 vi=_get_NASM_string(sComment);
13679
13680 if(vi.bIsValid)
13681 {
13682 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_COMPILER,RECORD_NAME_NASM,vi.sVersion,vi.sInfo,0);
13683
13684 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13685 }
13686 }
13687
13688 if(!vi.bIsValid)
13689 {
13690 vi=_get_TencentLegu_string(sComment);
13691
13692 if(vi.bIsValid)
13693 {
13694 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_TENCENTLEGU,vi.sVersion,vi.sInfo,0);
13695
13696 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13697 }
13698 }
13699
13700 if(!vi.bIsValid)
13701 {
13702 vi=_get_AlipayObfuscator_string(sComment);
13703
13704 if(vi.bIsValid)
13705 {
13706 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_ALIPAYOBFUSCATOR,vi.sVersion,vi.sInfo,0);
13707
13708 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13709 }
13710 }
13711
13712 if(!vi.bIsValid)
13713 {
13714 vi=_get_wangzehuaLLVM_string(sComment);
13715
13716 if(vi.bIsValid)
13717 {
13718 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_WANGZEHUALLVM,vi.sVersion,vi.sInfo,0);
13719
13720 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13721 }
13722 }
13723
13724 if(!vi.bIsValid)
13725 {
13726 vi=_get_ObfuscatorLLVM_string(sComment);
13727
13728 if(vi.bIsValid)
13729 {
13730 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_OBFUSCATORLLVM,vi.sVersion,vi.sInfo,0);
13731
13732 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13733 }
13734 }
13735
13736 if(!vi.bIsValid)
13737 {
13738 vi=_get_NagainLLVM_string(sComment);
13739
13740 if(vi.bIsValid)
13741 {
13742 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_NAGAINLLVM,vi.sVersion,vi.sInfo,0);
13743
13744 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13745 }
13746 }
13747
13748 if(!vi.bIsValid)
13749 {
13750 vi=_get_iJiami_string(sComment);
13751
13752 if(vi.bIsValid)
13753 {
13754 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_IJIAMILLVM,vi.sVersion,vi.sInfo,0);
13755
13756 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13757 }
13758 }
13759
13760 if(!vi.bIsValid)
13761 {
13762 vi=_get_SafeengineLLVM_string(sComment);
13763
13764 if(vi.bIsValid)
13765 {
13766 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_SAFEENGINELLVM,vi.sVersion,vi.sInfo,0);
13767
13768 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13769 }
13770 }
13771
13772 if(!vi.bIsValid)
13773 {
13774 vi=_get_TencentObfuscation_string(sComment);
13775
13776 if(vi.bIsValid)
13777 {
13778 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_TENCENTPROTECTION,vi.sVersion,vi.sInfo,0);
13779
13780 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13781 }
13782 }
13783
13784 if(!vi.bIsValid)
13785 {
13786 vi=_get_AppImage_string(sComment);
13787
13788 if(vi.bIsValid)
13789 {
13790 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_APPIMAGE,vi.sVersion,vi.sInfo,0);
13791
13792 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13793 }
13794 }
13795
13796 {
13797 vi=_get_HikariObfuscator_string(sComment);
13798
13799 if(vi.bIsValid)
13800 {
13801 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_HIKARIOBFUSCATOR,vi.sVersion,vi.sInfo,0);
13802
13803 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13804 }
13805 }
13806
13807 {
13808 vi=_get_SnapProtect_string(sComment);
13809
13810 if(vi.bIsValid)
13811 {
13812 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_SNAPPROTECT,vi.sVersion,vi.sInfo,0);
13813
13814 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13815 }
13816 }
13817
13818 {
13819 vi=_get_ByteDanceSecCompiler_string(sComment);
13820
13821 if(vi.bIsValid)
13822 {
13823 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_BYTEDANCESECCOMPILER,vi.sVersion,vi.sInfo,0);
13824
13825 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13826 }
13827 }
13828
13829 {
13830 vi=_get_DingbaozengNativeObfuscator_string(sComment);
13831
13832 if(vi.bIsValid)
13833 {
13834 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_DINGBAOZENGNATIVEOBFUSCATOR,vi.sVersion,vi.sInfo,0);
13835
13836 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13837 }
13838 }
13839
13840 {
13841 vi=_get_OllvmTll_string(sComment);
13842
13843 if(vi.bIsValid)
13844 {
13845 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_OLLVMTLL,vi.sVersion,vi.sInfo,0);
13846
13847 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13848 }
13849 }
13850
13851 {
13852 vi=_get_SourceryCodeBench_string(sComment);
13853
13854 if(vi.bIsValid)
13855 {
13856 if(vi.sInfo=="lite")
13857 {
13858 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_SOURCERYCODEBENCHLITE,vi.sVersion,"",0);
13859 }
13860 else
13861 {
13862 ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_SOURCERYCODEBENCH,vi.sVersion,"",0);
13863 }
13864
13865 pELFInfo->mapCommentSectionDetects.insert(ss.name,ss);
13866 }
13867 }
13868
13869 if(pELFInfo->basic_info.bIsTest)
13870 {
13871 if(ss.name==RECORD_NAME_UNKNOWN)
13872 {
13873 if( (!vi.bIsValid)&&
13874 (!XBinary::isRegExpPresent(".o$",sComment))&&
13875 (!XBinary::isRegExpPresent(".c$",sComment))&&
13876 (!XBinary::isRegExpPresent(".S22$",sComment))&&
13877 (!XBinary::isRegExpPresent(".s$",sComment))&&
13878 (!XBinary::isRegExpPresent(".S$",sComment)))
13879 {
13880 _SCANS_STRUCT recordSS={};
13881
13882 recordSS.type=RECORD_TYPE_PROTECTOR;
13883 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN9+(RECORD_NAME)(i+1));
13884 recordSS.sVersion="COMMENT:"+sComment;
13885
13886 pELFInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
13887 }
13888 }
13889 }
13890 }
13891 }
13892
ELF_handle_Tools(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)13893 void SpecAbstract::ELF_handle_Tools(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
13894 {
13895 XELF elf(pDevice,bIsImage);
13896
13897 if(elf.isValid())
13898 {
13899 // Qt
13900 if(XELF::isSectionNamePresent(".qtversion",&(pELFInfo->listSectionRecords)))
13901 {
13902 _SCANS_STRUCT recordSS={};
13903
13904 recordSS.type=SpecAbstract::RECORD_TYPE_LIBRARY;
13905 recordSS.name=SpecAbstract::RECORD_NAME_QT;
13906
13907 XELF::SECTION_RECORD record=XELF::getSectionRecord(".qtversion",&(pELFInfo->listSectionRecords));
13908
13909 quint64 nVersion=0;
13910
13911 if(pELFInfo->bIs64)
13912 {
13913 if(record.nSize==16)
13914 {
13915 nVersion=elf.read_uint64(record.nOffset+8,pELFInfo->bIsBigEndian);
13916 }
13917 }
13918 else
13919 {
13920 if(record.nSize==8)
13921 {
13922 nVersion=elf.read_uint32(record.nOffset+4,pELFInfo->bIsBigEndian);
13923 }
13924 }
13925
13926 if(nVersion)
13927 {
13928 recordSS.sVersion=XBinary::get_uint32_version(nVersion);
13929 }
13930
13931 pELFInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
13932 }
13933 else if(XELF::isSectionNamePresent(".qtplugin",&(pELFInfo->listSectionRecords)))
13934 {
13935 XELF::SECTION_RECORD record=XELF::getSectionRecord(".qtplugin",&(pELFInfo->listSectionRecords));
13936
13937 _SCANS_STRUCT recordSS={};
13938
13939 recordSS.type=SpecAbstract::RECORD_TYPE_LIBRARY;
13940 recordSS.name=SpecAbstract::RECORD_NAME_QT;
13941
13942 QString sVersionString=elf.read_ansiString(record.nOffset);
13943 recordSS.sVersion=XBinary::regExp("version=(.*?)\\\n",sVersionString,1);
13944
13945 pELFInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
13946 }
13947
13948 // gold
13949 if(XELF::isSectionNamePresent(".note.gnu.gold-version",&(pELFInfo->listSectionRecords)))
13950 {
13951 _SCANS_STRUCT recordSS={};
13952
13953 recordSS.type=SpecAbstract::RECORD_TYPE_LINKER;
13954 recordSS.name=SpecAbstract::RECORD_NAME_GOLD;
13955
13956 XELF::SECTION_RECORD record=XELF::getSectionRecord(".note.gnu.gold-version",&(pELFInfo->listSectionRecords));
13957
13958 SpecAbstract::VI_STRUCT vi=get_gold_vi(pDevice,bIsImage,record.nOffset,record.nSize);
13959
13960 if(vi.bIsValid)
13961 {
13962 recordSS.sVersion=vi.sVersion;
13963 }
13964
13965 pELFInfo->mapResultLinkers.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
13966 }
13967
13968 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SOURCERYCODEBENCH))
13969 {
13970 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SOURCERYCODEBENCH);
13971
13972 pELFInfo->mapResultTools.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
13973 }
13974 else if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SOURCERYCODEBENCHLITE))
13975 {
13976 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SOURCERYCODEBENCHLITE);
13977
13978 pELFInfo->mapResultTools.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
13979 }
13980
13981 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_APPLELLVM))
13982 {
13983 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_APPLELLVM);
13984
13985 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
13986 }
13987
13988 // Android clang
13989 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ANDROIDCLANG))
13990 {
13991 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ANDROIDCLANG);
13992
13993 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
13994 }
13995
13996 // Plex clang
13997 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_PLEXCLANG))
13998 {
13999 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_PLEXCLANG);
14000
14001 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14002 }
14003
14004 // Ubuntu clang
14005 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_UBUNTUCLANG))
14006 {
14007 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_UBUNTUCLANG);
14008
14009 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14010 }
14011
14012 // Apportable clang
14013 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_APPORTABLECLANG))
14014 {
14015 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_APPORTABLECLANG);
14016
14017 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14018 }
14019
14020 // ARM Assembler
14021 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMASSEMBLER))
14022 {
14023 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMASSEMBLER);
14024
14025 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14026 }
14027
14028 // ARM C
14029 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMC))
14030 {
14031 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMC);
14032
14033 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14034 }
14035
14036 // ARM C/C++
14037 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMCCPP))
14038 {
14039 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMCCPP);
14040
14041 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14042 }
14043
14044 // ARM NEON C/C++
14045 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMNEONCCPP))
14046 {
14047 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMNEONCCPP);
14048
14049 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14050 }
14051
14052 // ARM/Thumb C/C++
14053 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMTHUMBCCPP))
14054 {
14055 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMTHUMBCCPP);
14056
14057 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14058 }
14059
14060 // Thumb C
14061 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_THUMBC))
14062 {
14063 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_THUMBC);
14064
14065 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14066 }
14067
14068 // ARM/Thumb Macro Assembler
14069 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMTHUMBMACROASSEMBLER))
14070 {
14071 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMTHUMBMACROASSEMBLER);
14072
14073 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14074 }
14075
14076 // ARM Linker
14077 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ARMLINKER))
14078 {
14079 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ARMLINKER);
14080
14081 pELFInfo->mapResultLinkers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14082 }
14083
14084 // clang
14085 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_CLANG))
14086 {
14087 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_CLANG);
14088
14089 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14090 }
14091
14092 // DynASM
14093 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_DYNASM))
14094 {
14095 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_DYNASM);
14096
14097 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14098 }
14099
14100 // Delphi
14101 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_EMBARCADEROOBJECTPASCAL))
14102 {
14103 _SCANS_STRUCT ssCompiler=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_EMBARCADEROOBJECTPASCAL);
14104
14105 pELFInfo->mapResultCompilers.insert(ssCompiler.name,scansToScan(&(pELFInfo->basic_info),&ssCompiler));
14106
14107 _SCANS_STRUCT ssTool=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_TOOL,RECORD_NAME_EMBARCADERODELPHI,_get_DelphiVersionFromCompiler(ssCompiler.sVersion).sVersion,"",0);
14108
14109 pELFInfo->mapResultTools.insert(ssTool.name,scansToScan(&(pELFInfo->basic_info),&ssTool));
14110 }
14111
14112 // LLD
14113 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_LLD))
14114 {
14115 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_LLD);
14116
14117 pELFInfo->mapResultLinkers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14118 }
14119
14120 // Oracle Solaris Link Editors
14121 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ORACLESOLARISLINKEDITORS))
14122 {
14123 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ORACLESOLARISLINKEDITORS);
14124
14125 pELFInfo->mapResultLinkers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14126 }
14127
14128 // Sun WorkShop
14129 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SUNWORKSHOP))
14130 {
14131 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SUNWORKSHOP);
14132
14133 pELFInfo->mapResultTools.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14134 }
14135
14136 // Snapdragon LLVM ARM
14137 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SNAPDRAGONLLVMARM))
14138 {
14139 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SNAPDRAGONLLVMARM);
14140
14141 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14142 }
14143
14144 // NASM
14145 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_NASM))
14146 {
14147 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_NASM);
14148
14149 pELFInfo->mapResultCompilers.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14150 }
14151 }
14152 }
14153
ELF_handle_GCC(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)14154 void SpecAbstract::ELF_handle_GCC(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
14155 {
14156 XELF elf(pDevice,bIsImage);
14157
14158 if(elf.isValid())
14159 {
14160 _SCANS_STRUCT recordCompiler={};
14161 // GCC
14162 if(XELF::isSectionNamePresent(".gcc_except_table",&(pELFInfo->listSectionRecords))) // TODO
14163 {
14164 recordCompiler.type=SpecAbstract::RECORD_TYPE_COMPILER;
14165 recordCompiler.name=SpecAbstract::RECORD_NAME_GCC;
14166 }
14167
14168 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_GCC))
14169 {
14170 recordCompiler=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_GCC);
14171 }
14172
14173 if(recordCompiler.type!=SpecAbstract::RECORD_TYPE_UNKNOWN)
14174 {
14175 pELFInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pELFInfo->basic_info),&recordCompiler));
14176 }
14177 }
14178 }
14179
ELF_handle_Protection(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)14180 void SpecAbstract::ELF_handle_Protection(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
14181 {
14182 Q_UNUSED(pELFInfo)
14183
14184 XELF elf(pDevice,bIsImage);
14185
14186 if(elf.isValid())
14187 {
14188 // UPX
14189 VI_STRUCT viUPXEnd=_get_UPX_vi(pDevice,bIsImage,pELFInfo->basic_info.nSize-0x24,0x24,XBinary::FT_ELF);
14190 VI_STRUCT viUPX=get_UPX_vi(pDevice,bIsImage,0,pELFInfo->basic_info.nSize,XBinary::FT_ELF);
14191
14192 if((viUPXEnd.bIsValid)||(viUPX.bIsValid))
14193 {
14194 _SCANS_STRUCT recordSS={};
14195
14196 recordSS.type=RECORD_TYPE_PACKER;
14197 recordSS.name=RECORD_NAME_UPX;
14198
14199 if(viUPXEnd.sVersion!="") recordSS.sVersion=viUPXEnd.sVersion;
14200 if(viUPX.sVersion!="") recordSS.sVersion=viUPX.sVersion;
14201
14202 if(viUPXEnd.sInfo!="") recordSS.sInfo=viUPXEnd.sInfo;
14203 if(viUPX.sInfo!="") recordSS.sInfo=viUPX.sInfo;
14204
14205 pELFInfo->mapResultPackers.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
14206 }
14207
14208 if(viUPXEnd.nValue==0x21434553) // SEC!
14209 {
14210 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_SECNEO,"Old","UPX",0);
14211 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14212 }
14213 else if(viUPXEnd.nValue==0x00010203)
14214 {
14215 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_SECNEO,"","UPX",0);
14216 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14217 }
14218 else if(viUPXEnd.nValue==0x214d4a41) // "AJM!"
14219 {
14220 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_ELF,RECORD_TYPE_PROTECTOR,RECORD_NAME_IJIAMI,"","UPX",0);
14221 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14222 }
14223
14224 // Obfuscator-LLVM
14225 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_OBFUSCATORLLVM))
14226 {
14227 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_OBFUSCATORLLVM);
14228 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14229 }
14230
14231 // wangzehua LLVM
14232 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_WANGZEHUALLVM))
14233 {
14234 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_WANGZEHUALLVM);
14235 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14236 }
14237
14238 // Byteguard
14239 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_BYTEGUARD))
14240 {
14241 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_BYTEGUARD);
14242 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14243 }
14244
14245 // Alipay Obfuscator
14246 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_ALIPAYOBFUSCATOR))
14247 {
14248 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_ALIPAYOBFUSCATOR);
14249 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14250 }
14251
14252 // Tencent Legu
14253 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_TENCENTLEGU))
14254 {
14255 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_TENCENTLEGU);
14256 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14257 }
14258
14259 // Safeengine LLVM
14260 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SAFEENGINELLVM))
14261 {
14262 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SAFEENGINELLVM);
14263 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14264 }
14265
14266 // Tencent-Obfuscation
14267 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_TENCENTPROTECTION))
14268 {
14269 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_TENCENTPROTECTION);
14270 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14271 }
14272
14273 // AppImage
14274 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_APPIMAGE)) // Check overlay
14275 {
14276 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_APPIMAGE);
14277 pELFInfo->mapResultTools.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14278 }
14279
14280 // HikariObfuscator
14281 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_HIKARIOBFUSCATOR))
14282 {
14283 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_HIKARIOBFUSCATOR);
14284 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14285 }
14286
14287 // SnapProtect
14288 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_SNAPPROTECT))
14289 {
14290 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_SNAPPROTECT);
14291 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14292 }
14293
14294 // ByteDance-SecCompiler
14295 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_BYTEDANCESECCOMPILER))
14296 {
14297 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_BYTEDANCESECCOMPILER);
14298 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14299 }
14300
14301 // Dingbaozeng native obfuscator
14302 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_DINGBAOZENGNATIVEOBFUSCATOR))
14303 {
14304 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_DINGBAOZENGNATIVEOBFUSCATOR);
14305
14306 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14307 }
14308
14309 // Nagain LLVM
14310 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_NAGAINLLVM))
14311 {
14312 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_NAGAINLLVM);
14313
14314 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14315 }
14316
14317 // iJiami LLVM
14318 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_IJIAMILLVM))
14319 {
14320 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_IJIAMILLVM);
14321
14322 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14323 }
14324
14325 // LLVM 6.0 + Ollvm + Armariris
14326 if(pELFInfo->mapCommentSectionDetects.contains(RECORD_NAME_OLLVMTLL))
14327 {
14328 _SCANS_STRUCT ss=pELFInfo->mapCommentSectionDetects.value(RECORD_NAME_OLLVMTLL);
14329
14330 pELFInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pELFInfo->basic_info),&ss));
14331 }
14332 }
14333 }
14334
ELF_handle_UnknownProtection(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)14335 void SpecAbstract::ELF_handle_UnknownProtection(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
14336 {
14337 Q_UNUSED(pELFInfo)
14338
14339 XELF elf(pDevice,bIsImage);
14340
14341 if(elf.isValid())
14342 {
14343 if(pELFInfo->basic_info.bIsTest)
14344 {
14345 // TODO names of note sections
14346
14347 QList<QString> list=pELFInfo->listComments;
14348
14349 QSet<QString> stRecords;
14350
14351 for(int i=0;i<list.count();i++)
14352 {
14353 if(!stRecords.contains(list.at(i)))
14354 {
14355 _SCANS_STRUCT recordSS={};
14356
14357 recordSS.type=RECORD_TYPE_LIBRARY;
14358 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN9+i+1);
14359 recordSS.sVersion=list.at(i);
14360
14361 pELFInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pELFInfo->basic_info),&recordSS));
14362
14363 stRecords.insert(list.at(i));
14364 }
14365 }
14366 }
14367 }
14368 }
14369
ELF_handle_FixDetects(QIODevice * pDevice,bool bIsImage,SpecAbstract::ELFINFO_STRUCT * pELFInfo)14370 void SpecAbstract::ELF_handle_FixDetects(QIODevice *pDevice, bool bIsImage, SpecAbstract::ELFINFO_STRUCT *pELFInfo)
14371 {
14372 Q_UNUSED(pDevice)
14373 Q_UNUSED(bIsImage)
14374
14375 if( pELFInfo->mapResultCompilers.contains(RECORD_NAME_GCC)||
14376 pELFInfo->mapResultCompilers.contains(RECORD_NAME_APPORTABLECLANG))
14377 {
14378 if(pELFInfo->mapResultCompilers.value(RECORD_NAME_GCC).sVersion=="")
14379 {
14380 pELFInfo->mapResultCompilers.remove(RECORD_NAME_GCC);
14381 }
14382 }
14383 }
14384
ELF_handleLanguages(QIODevice * pDevice,bool bIsImage,ELFINFO_STRUCT * pELFInfo)14385 void SpecAbstract::ELF_handleLanguages(QIODevice *pDevice, bool bIsImage, ELFINFO_STRUCT *pELFInfo)
14386 {
14387 Q_UNUSED(pDevice)
14388 Q_UNUSED(bIsImage)
14389
14390 getLanguage(&(pELFInfo->mapResultLinkers),&(pELFInfo->mapResultLanguages));
14391 getLanguage(&(pELFInfo->mapResultCompilers),&(pELFInfo->mapResultLanguages));
14392 getLanguage(&(pELFInfo->mapResultLibraries),&(pELFInfo->mapResultLanguages));
14393 getLanguage(&(pELFInfo->mapResultTools),&(pELFInfo->mapResultLanguages));
14394
14395 fixLanguage(&(pELFInfo->mapResultLanguages));
14396 }
14397
MACHO_handle_Tools(QIODevice * pDevice,bool bIsImage,SpecAbstract::MACHOINFO_STRUCT * pMACHInfo)14398 void SpecAbstract::MACHO_handle_Tools(QIODevice *pDevice, bool bIsImage, SpecAbstract::MACHOINFO_STRUCT *pMACHInfo)
14399 {
14400 XMACH mach(pDevice,bIsImage);
14401
14402 if(mach.isValid())
14403 {
14404 _SCANS_STRUCT recordOS={};
14405 recordOS.type=SpecAbstract::RECORD_TYPE_OPERATIONSYSTEM;
14406 recordOS.name=RECORD_NAME_MACOS;
14407 recordOS.sInfo=QString("%1, %2, %3").arg(mach.getArch(),(pMACHInfo->bIs64)?("64-bit"):("32-bit"),mach.getTypeAsString());
14408
14409 // XCODE
14410 qint64 nVersionMinOffset=-1;
14411
14412 RECORD_NAME osName=RECORD_NAME_UNKNOWN;
14413
14414 if(mach.isCommandPresent(XMACH_DEF::S_LC_VERSION_MIN_IPHONEOS,&(pMACHInfo->listCommandRecords)))
14415 {
14416 nVersionMinOffset=mach.getCommandRecordOffset(XMACH_DEF::S_LC_VERSION_MIN_IPHONEOS,0,&(pMACHInfo->listCommandRecords));
14417 osName=RECORD_NAME_IOS;
14418 }
14419 else if(mach.isCommandPresent(XMACH_DEF::S_LC_VERSION_MIN_MACOSX,&(pMACHInfo->listCommandRecords)))
14420 {
14421 nVersionMinOffset=mach.getCommandRecordOffset(XMACH_DEF::S_LC_VERSION_MIN_MACOSX,0,&(pMACHInfo->listCommandRecords));
14422 osName=RECORD_NAME_MACOS;
14423 }
14424 else if(mach.isCommandPresent(XMACH_DEF::S_LC_VERSION_MIN_TVOS,&(pMACHInfo->listCommandRecords)))
14425 {
14426 nVersionMinOffset=mach.getCommandRecordOffset(XMACH_DEF::S_LC_VERSION_MIN_TVOS,0,&(pMACHInfo->listCommandRecords));
14427 osName=RECORD_NAME_TVOS;
14428 }
14429 else if(mach.isCommandPresent(XMACH_DEF::S_LC_VERSION_MIN_WATCHOS,&(pMACHInfo->listCommandRecords)))
14430 {
14431 nVersionMinOffset=mach.getCommandRecordOffset(XMACH_DEF::S_LC_VERSION_MIN_WATCHOS,0,&(pMACHInfo->listCommandRecords));
14432 osName=RECORD_NAME_WATCHOS;
14433 }
14434
14435 if(nVersionMinOffset!=-1)
14436 {
14437 XMACH_DEF::version_min_command version_min=mach._read_version_min_command(nVersionMinOffset);
14438
14439 _SCANS_STRUCT recordXcode={};
14440
14441 recordXcode.type=SpecAbstract::RECORD_TYPE_TOOL;
14442 recordXcode.name=SpecAbstract::RECORD_NAME_XCODE;
14443
14444 if(version_min.sdk)
14445 {
14446 recordXcode.sVersion=XBinary::get_uint32_version(version_min.sdk);
14447 }
14448
14449 pMACHInfo->mapResultTools.insert(recordXcode.name,scansToScan(&(pMACHInfo->basic_info),&recordXcode));
14450
14451 recordOS.name=osName;
14452 recordOS.sVersion=XBinary::get_uint32_version(version_min.version);
14453 }
14454
14455 pMACHInfo->mapResultOperationSystems.insert(recordOS.name,scansToScan(&(pMACHInfo->basic_info),&recordOS));
14456
14457 // GCC
14458 if( XMACH::isSectionNamePresent("__gcc_except_tab",&(pMACHInfo->listSectionRecords))||
14459 XMACH::isLibraryRecordNamePresent("libgcc_s.1.dylib",&(pMACHInfo->listLibraryRecords)))
14460 {
14461 _SCANS_STRUCT recordSS={};
14462
14463 recordSS.type=SpecAbstract::RECORD_TYPE_COMPILER;
14464 recordSS.name=SpecAbstract::RECORD_NAME_GCC;
14465
14466 pMACHInfo->mapResultCompilers.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14467 }
14468
14469 // Swift
14470 if( XMACH::isSectionNamePresent("__swift2_proto",&(pMACHInfo->listSectionRecords))||
14471 XMACH::isLibraryRecordNamePresent("libswiftCore.dylib",&(pMACHInfo->listLibraryRecords))) // TODO
14472 {
14473 _SCANS_STRUCT recordSS={};
14474
14475 recordSS.type=SpecAbstract::RECORD_TYPE_LANGUAGE;
14476 recordSS.name=SpecAbstract::RECORD_NAME_SWIFT;
14477
14478 pMACHInfo->mapResultLanguages.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14479 }
14480 else if(XMACH::isSectionNamePresent("__objc_selrefs",&(pMACHInfo->listSectionRecords))||
14481 XMACH::isSegmentNamePresent("__OBJC",&(pMACHInfo->listSegmentRecords))||
14482 XMACH::isLibraryRecordNamePresent("libobjc.A.dylib",&(pMACHInfo->listLibraryRecords)))
14483 {
14484 _SCANS_STRUCT recordSS={};
14485
14486 recordSS.type=SpecAbstract::RECORD_TYPE_LANGUAGE;
14487 recordSS.name=SpecAbstract::RECORD_NAME_OBJECTIVEC;
14488
14489 pMACHInfo->mapResultLanguages.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14490 }
14491
14492 // Qt
14493 if(XMACH::isLibraryRecordNamePresent("QtCore",&(pMACHInfo->listLibraryRecords)))
14494 {
14495 XMACH::LIBRARY_RECORD lr=XMACH::getLibraryRecordByName("QtCore",&(pMACHInfo->listLibraryRecords));
14496
14497 _SCANS_STRUCT recordSS={};
14498
14499 recordSS.type=SpecAbstract::RECORD_TYPE_LIBRARY;
14500 recordSS.name=SpecAbstract::RECORD_NAME_QT;
14501 recordSS.sVersion=XBinary::get_uint32_version(lr.current_version);
14502
14503 pMACHInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14504 }
14505 // Carbon
14506 if(XMACH::isLibraryRecordNamePresent("Carbon",&(pMACHInfo->listLibraryRecords)))
14507 {
14508 // XMACH::LIBRARY_RECORD lr=XMACH::getLibraryRecordByName(&(pMACHInfo->listLibraryRecords),"Carbon");
14509
14510 _SCANS_STRUCT recordSS={};
14511
14512 recordSS.type=SpecAbstract::RECORD_TYPE_LIBRARY;
14513 recordSS.name=SpecAbstract::RECORD_NAME_CARBON;
14514
14515 pMACHInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14516 }
14517 // Cocoa
14518 if(XMACH::isLibraryRecordNamePresent("Cocoa",&(pMACHInfo->listLibraryRecords)))
14519 {
14520 // XMACH::LIBRARY_RECORD lr=XMACH::getLibraryRecordByName(&(pMACHInfo->listLibraryRecords),"Cocoa");
14521
14522 _SCANS_STRUCT recordSS={};
14523
14524 recordSS.type=SpecAbstract::RECORD_TYPE_LIBRARY;
14525 recordSS.name=SpecAbstract::RECORD_NAME_COCOA;
14526
14527 pMACHInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14528 }
14529 }
14530 }
14531
MACHO_handle_Protection(QIODevice * pDevice,bool bIsImage,SpecAbstract::MACHOINFO_STRUCT * pMACHInfo)14532 void SpecAbstract::MACHO_handle_Protection(QIODevice *pDevice, bool bIsImage, SpecAbstract::MACHOINFO_STRUCT *pMACHInfo)
14533 {
14534 XMACH mach(pDevice,bIsImage);
14535
14536 if(mach.isValid())
14537 {
14538 // VMProtect
14539 if(XMACH::isLibraryRecordNamePresent("libVMProtectSDK.dylib",&(pMACHInfo->listLibraryRecords)))
14540 {
14541 // XMACH::LIBRARY_RECORD lr=XMACH::getLibraryRecordByName(&(pMACHInfo->listLibraryRecords),"libVMProtectSDK.dylib");
14542
14543 _SCANS_STRUCT recordSS={};
14544
14545 recordSS.type=SpecAbstract::RECORD_TYPE_PROTECTOR;
14546 recordSS.name=SpecAbstract::RECORD_NAME_VMPROTECT;
14547
14548 pMACHInfo->mapResultProtectors.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14549 }
14550 }
14551 }
14552
MACHO_handle_FixDetects(QIODevice * pDevice,bool bIsImage,SpecAbstract::MACHOINFO_STRUCT * pMACHInfo)14553 void SpecAbstract::MACHO_handle_FixDetects(QIODevice *pDevice, bool bIsImage, SpecAbstract::MACHOINFO_STRUCT *pMACHInfo)
14554 {
14555 XMACH mach(pDevice,bIsImage);
14556
14557 if(mach.isValid())
14558 {
14559 if(pMACHInfo->basic_info.bIsTest)
14560 {
14561 QMap<quint64,QString> mapCommands=XMACH::getLoadCommandTypesS();
14562
14563 QList<XMACH::COMMAND_RECORD> list=mach.getCommandRecords();
14564
14565 QSet<quint32> stRecords;
14566
14567 for(int i=0;i<list.count();i++)
14568 {
14569 if(!stRecords.contains(list.at(i).nType))
14570 {
14571 _SCANS_STRUCT recordSS={};
14572
14573 recordSS.type=RECORD_TYPE_LIBRARY;
14574 recordSS.name=(RECORD_NAME)(RECORD_NAME_UNKNOWN9+i+1);
14575 recordSS.sVersion=mapCommands.value(list.at(i).nType);
14576
14577 pMACHInfo->mapResultLibraries.insert(recordSS.name,scansToScan(&(pMACHInfo->basic_info),&recordSS));
14578
14579 stRecords.insert(list.at(i).nType);
14580 }
14581 }
14582 }
14583 }
14584 }
14585
MACHO_handleLanguages(QIODevice * pDevice,bool bIsImage,MACHOINFO_STRUCT * pMACHInfo)14586 void SpecAbstract::MACHO_handleLanguages(QIODevice *pDevice, bool bIsImage, MACHOINFO_STRUCT *pMACHInfo)
14587 {
14588 Q_UNUSED(pDevice)
14589 Q_UNUSED(bIsImage)
14590
14591 getLanguage(&(pMACHInfo->mapResultLinkers),&(pMACHInfo->mapResultLanguages));
14592 getLanguage(&(pMACHInfo->mapResultCompilers),&(pMACHInfo->mapResultLanguages));
14593 getLanguage(&(pMACHInfo->mapResultLibraries),&(pMACHInfo->mapResultLanguages));
14594 getLanguage(&(pMACHInfo->mapResultTools),&(pMACHInfo->mapResultLanguages));
14595
14596 fixLanguage(&(pMACHInfo->mapResultLanguages));
14597 }
14598
LE_handle_Microsoft(QIODevice * pDevice,bool bIsImage,LEINFO_STRUCT * pLEInfo,bool * pbIsStop)14599 void SpecAbstract::LE_handle_Microsoft(QIODevice *pDevice, bool bIsImage, LEINFO_STRUCT *pLEInfo, bool *pbIsStop)
14600 {
14601 XLE le(pDevice,bIsImage);
14602
14603 if(le.isValid())
14604 {
14605 _SCANS_STRUCT recordLinker={};
14606 _SCANS_STRUCT recordCompiler={};
14607
14608 if((pLEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTLINKER))&&(!pLEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER)))
14609 {
14610 recordLinker.type=RECORD_TYPE_LINKER;
14611 recordLinker.name=RECORD_NAME_MICROSOFTLINKER;
14612 }
14613
14614 // Rich
14615 int nRichSignaturesCount=pLEInfo->listRichSignatures.count();
14616
14617 if(nRichSignaturesCount)
14618 {
14619 recordLinker.name=RECORD_NAME_MICROSOFTLINKER;
14620 recordLinker.type=SpecAbstract::RECORD_TYPE_LINKER;
14621 }
14622
14623 QList<_SCANS_STRUCT> listRichDescriptions;
14624
14625 for(int i=0;i<nRichSignaturesCount;i++)
14626 {
14627 listRichDescriptions.append(MSDOS_richScan(pLEInfo->listRichSignatures.at(i).nId,pLEInfo->listRichSignatures.at(i).nVersion,_MS_rich_records,sizeof(_MS_rich_records),pLEInfo->basic_info.id.fileType,XBinary::FT_MSDOS,&(pLEInfo->basic_info),DETECTTYPE_RICH,pbIsStop));
14628 }
14629
14630 int nRichDescriptionsCount=listRichDescriptions.count();
14631
14632 for(int i=nRichDescriptionsCount-1;i>=0;i--)
14633 {
14634 if(listRichDescriptions.at(i).type==SpecAbstract::RECORD_TYPE_LINKER)
14635 {
14636 recordLinker.name=listRichDescriptions.at(i).name;
14637 recordLinker.sVersion=listRichDescriptions.at(i).sVersion;
14638 recordLinker.sInfo=listRichDescriptions.at(i).sInfo;
14639 recordLinker.type=listRichDescriptions.at(i).type;
14640 }
14641
14642 if(listRichDescriptions.at(i).type==SpecAbstract::RECORD_TYPE_COMPILER)
14643 {
14644 if(listRichDescriptions.at(i).name==RECORD_NAME_UNIVERSALTUPLECOMPILER)
14645 {
14646 recordCompiler.name=RECORD_NAME_VISUALCCPP;
14647 recordCompiler.sVersion=listRichDescriptions.at(i).sVersion;
14648 recordCompiler.sInfo=listRichDescriptions.at(i).sInfo;
14649 recordCompiler.type=listRichDescriptions.at(i).type;
14650 }
14651 else
14652 {
14653 recordCompiler.name=listRichDescriptions.at(i).name;
14654 recordCompiler.sVersion=listRichDescriptions.at(i).sVersion;
14655 recordCompiler.sInfo=listRichDescriptions.at(i).sInfo;
14656 recordCompiler.type=listRichDescriptions.at(i).type;
14657 }
14658 }
14659 }
14660
14661 if(recordLinker.type!=RECORD_TYPE_UNKNOWN)
14662 {
14663 pLEInfo->mapResultLinkers.insert(recordLinker.name,scansToScan(&(pLEInfo->basic_info),&recordLinker));
14664 }
14665
14666 if(recordCompiler.type!=RECORD_TYPE_UNKNOWN)
14667 {
14668 pLEInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pLEInfo->basic_info),&recordCompiler));
14669 }
14670 }
14671 }
14672
LE_handle_Borland(QIODevice * pDevice,bool bIsImage,SpecAbstract::LEINFO_STRUCT * pLEInfo)14673 void SpecAbstract::LE_handle_Borland(QIODevice *pDevice, bool bIsImage, SpecAbstract::LEINFO_STRUCT *pLEInfo)
14674 {
14675 XLE le(pDevice,bIsImage);
14676
14677 if(le.isValid())
14678 {
14679 _SCANS_STRUCT recordLinker={};
14680
14681 if(pLEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TURBOLINKER))
14682 {
14683 _SCANS_STRUCT ss=pLEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TURBOLINKER);
14684
14685 VI_STRUCT vi=get_TurboLinker_vi(pDevice,bIsImage);
14686
14687 if(vi.bIsValid)
14688 {
14689 ss.sVersion=vi.sVersion;
14690 }
14691
14692 recordLinker=ss;
14693 }
14694
14695 if(recordLinker.type!=RECORD_TYPE_UNKNOWN)
14696 {
14697 pLEInfo->mapResultLinkers.insert(recordLinker.name,scansToScan(&(pLEInfo->basic_info),&recordLinker));
14698 }
14699 }
14700 }
14701
LE_handleLanguages(QIODevice * pDevice,bool bIsImage,LEINFO_STRUCT * pLEInfo)14702 void SpecAbstract::LE_handleLanguages(QIODevice *pDevice, bool bIsImage, LEINFO_STRUCT *pLEInfo)
14703 {
14704 Q_UNUSED(pDevice)
14705 Q_UNUSED(bIsImage)
14706
14707 getLanguage(&(pLEInfo->mapResultLinkers),&(pLEInfo->mapResultLanguages));
14708 getLanguage(&(pLEInfo->mapResultCompilers),&(pLEInfo->mapResultLanguages));
14709 getLanguage(&(pLEInfo->mapResultLibraries),&(pLEInfo->mapResultLanguages));
14710 getLanguage(&(pLEInfo->mapResultTools),&(pLEInfo->mapResultLanguages));
14711
14712 fixLanguage(&(pLEInfo->mapResultLanguages));
14713 }
14714
NE_handle_Borland(QIODevice * pDevice,bool bIsImage,SpecAbstract::NEINFO_STRUCT * pNEInfo)14715 void SpecAbstract::NE_handle_Borland(QIODevice *pDevice, bool bIsImage, SpecAbstract::NEINFO_STRUCT *pNEInfo)
14716 {
14717 XNE ne(pDevice,bIsImage);
14718
14719 if(ne.isValid())
14720 {
14721 _SCANS_STRUCT recordLinker={};
14722
14723 if(pNEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_TURBOLINKER))
14724 {
14725 _SCANS_STRUCT ss=pNEInfo->basic_info.mapHeaderDetects.value(RECORD_NAME_TURBOLINKER);
14726
14727 VI_STRUCT vi=get_TurboLinker_vi(pDevice,bIsImage);
14728
14729 if(vi.bIsValid)
14730 {
14731 ss.sVersion=vi.sVersion;
14732 }
14733
14734 recordLinker=ss;
14735 }
14736
14737 if(recordLinker.type!=RECORD_TYPE_UNKNOWN)
14738 {
14739 pNEInfo->mapResultLinkers.insert(recordLinker.name,scansToScan(&(pNEInfo->basic_info),&recordLinker));
14740 }
14741 }
14742 }
14743
NE_handleLanguages(QIODevice * pDevice,bool bIsImage,NEINFO_STRUCT * pNEInfo)14744 void SpecAbstract::NE_handleLanguages(QIODevice *pDevice, bool bIsImage, NEINFO_STRUCT *pNEInfo)
14745 {
14746 Q_UNUSED(pDevice)
14747 Q_UNUSED(bIsImage)
14748
14749 getLanguage(&(pNEInfo->mapResultLinkers),&(pNEInfo->mapResultLanguages));
14750 getLanguage(&(pNEInfo->mapResultCompilers),&(pNEInfo->mapResultLanguages));
14751 getLanguage(&(pNEInfo->mapResultLibraries),&(pNEInfo->mapResultLanguages));
14752 getLanguage(&(pNEInfo->mapResultTools),&(pNEInfo->mapResultLanguages));
14753
14754 fixLanguage(&(pNEInfo->mapResultLanguages));
14755 }
14756
DEX_handle_Tools(QIODevice * pDevice,SpecAbstract::DEXINFO_STRUCT * pDEXInfo,bool * pbIsStop)14757 void SpecAbstract::DEX_handle_Tools(QIODevice *pDevice, SpecAbstract::DEXINFO_STRUCT *pDEXInfo, bool *pbIsStop)
14758 {
14759 Q_UNUSED(pbIsStop)
14760
14761 XDEX dex(pDevice);
14762
14763 if(dex.isValid())
14764 {
14765 _SCANS_STRUCT recordAndroidSDK=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_TOOL,RECORD_NAME_ANDROIDSDK,"","",0);
14766 _SCANS_STRUCT recordAndroid=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_OPERATIONSYSTEM,RECORD_NAME_ANDROID,"","",0);
14767
14768 QString sDDEXVersion=dex.getVersion();
14769
14770 // https://source.android.com/devices/tech/dalvik/dex-format
14771 if(sDDEXVersion=="035")
14772 {
14773 recordAndroidSDK.sVersion="API 14";
14774 recordAndroid.sVersion=getAndroidVersionFromApi(14);
14775 }
14776 // else if (sDDEXVersion=="036")
14777 // {
14778 // // Due to a Dalvik bug present in older versions of Android, Dex version 036 has been skipped.
14779 // // Dex version 036 is not valid for any version of Android and never will be.
14780 // }
14781 else if(sDDEXVersion=="037")
14782 {
14783 recordAndroidSDK.sVersion="API 24";
14784 recordAndroid.sVersion=getAndroidVersionFromApi(24);
14785 }
14786 else if(sDDEXVersion=="038")
14787 {
14788 recordAndroidSDK.sVersion="API 26";
14789 recordAndroid.sVersion=getAndroidVersionFromApi(26);
14790 }
14791 else if(sDDEXVersion=="039")
14792 {
14793 recordAndroidSDK.sVersion="API 28";
14794 recordAndroid.sVersion=getAndroidVersionFromApi(28);
14795 }
14796 else
14797 {
14798 recordAndroidSDK.sVersion=sDDEXVersion;
14799 }
14800
14801 pDEXInfo->mapResultTools.insert(recordAndroidSDK.name,scansToScan(&(pDEXInfo->basic_info),&recordAndroidSDK));
14802
14803 if(recordAndroid.sVersion!="")
14804 {
14805 pDEXInfo->mapResultOperationSystems.insert(recordAndroid.name,scansToScan(&(pDEXInfo->basic_info),&recordAndroid));
14806 }
14807
14808 QList<XDEX_DEF::MAP_ITEM> listMaps=dex.getMapItems();
14809
14810 // int nNumberOfMapItems=listMaps.count();
14811
14812 // dx
14813 // https://github.com/aosp-mirror/platform_dalvik/blob/master/dx/src/com/android/dx/dex/file/DexFile.java#L122
14814 // QList<quint16> listDx;
14815 // listDx.append(XDEX_DEF::TYPE_HEADER_ITEM);
14816 // listDx.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14817 // listDx.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14818 // listDx.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14819 // listDx.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14820 // listDx.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14821 // listDx.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14822 // listDx.append(XDEX_DEF::TYPE_CALL_SITE_ID_ITEM); // Optional API 26+
14823 // listDx.append(XDEX_DEF::TYPE_METHOD_HANDLE_ITEM); // Optional API 26+
14824 // listDx.append(XDEX_DEF::TYPE_CODE_ITEM);
14825 // listDx.append(XDEX_DEF::TYPE_TYPE_LIST);
14826 // listDx.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14827 // listDx.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14828 // listDx.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14829 // listDx.append(XDEX_DEF::TYPE_MAP_LIST);
14830 QList<quint16> listDx;
14831 listDx.append(XDEX_DEF::TYPE_HEADER_ITEM);
14832 listDx.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14833 listDx.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14834 listDx.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14835 listDx.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14836 listDx.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14837 listDx.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14838 listDx.append(XDEX_DEF::TYPE_CALL_SITE_ID_ITEM); // Optional API 26+
14839 listDx.append(XDEX_DEF::TYPE_METHOD_HANDLE_ITEM); // Optional API 26+
14840 listDx.append(XDEX_DEF::TYPE_ANNOTATION_SET_REF_LIST);
14841 listDx.append(XDEX_DEF::TYPE_ANNOTATION_SET_ITEM);
14842 listDx.append(XDEX_DEF::TYPE_CODE_ITEM);
14843 listDx.append(XDEX_DEF::TYPE_ANNOTATIONS_DIRECTORY_ITEM);
14844 listDx.append(XDEX_DEF::TYPE_TYPE_LIST);
14845 listDx.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14846 listDx.append(XDEX_DEF::TYPE_DEBUG_INFO_ITEM);
14847 listDx.append(XDEX_DEF::TYPE_ANNOTATION_ITEM);
14848 listDx.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14849 listDx.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14850 listDx.append(XDEX_DEF::TYPE_MAP_LIST);
14851
14852 // DexLib
14853 // https://android.googlesource.com/platform/external/smali/+/9a12fbef9912a824a4824e392f0d2fdd5319f580/dexlib/src/main/java/org/jf/dexlib/DexFile.java?autodive=0%2F#210
14854 QList<quint16> listDexLib;
14855 listDexLib.append(XDEX_DEF::TYPE_HEADER_ITEM);
14856 listDexLib.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14857 listDexLib.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14858 listDexLib.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14859 listDexLib.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14860 listDexLib.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14861 listDexLib.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14862 listDexLib.append(XDEX_DEF::TYPE_ANNOTATION_SET_REF_LIST);
14863 listDexLib.append(XDEX_DEF::TYPE_ANNOTATION_SET_ITEM);
14864 listDexLib.append(XDEX_DEF::TYPE_CODE_ITEM);
14865 listDexLib.append(XDEX_DEF::TYPE_ANNOTATIONS_DIRECTORY_ITEM);
14866 listDexLib.append(XDEX_DEF::TYPE_TYPE_LIST);
14867 listDexLib.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14868 listDexLib.append(XDEX_DEF::TYPE_ANNOTATION_ITEM);
14869 listDexLib.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14870 listDexLib.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14871 listDexLib.append(XDEX_DEF::TYPE_DEBUG_INFO_ITEM);
14872 listDexLib.append(XDEX_DEF::TYPE_MAP_LIST);
14873
14874 // dexlib2
14875 // https://github.com/JesusFreke/smali/blob/master/dexlib2/src/main/java/org/jf/dexlib2/writer/DexWriter.java#L1465
14876 QList<quint16> listDexLib2;
14877 listDexLib2.append(XDEX_DEF::TYPE_HEADER_ITEM);
14878 listDexLib2.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14879 listDexLib2.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14880 listDexLib2.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14881 listDexLib2.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14882 listDexLib2.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14883 listDexLib2.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14884 listDexLib2.append(XDEX_DEF::TYPE_CALL_SITE_ID_ITEM);
14885 listDexLib2.append(XDEX_DEF::TYPE_METHOD_HANDLE_ITEM);
14886 listDexLib2.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14887 listDexLib2.append(XDEX_DEF::TYPE_TYPE_LIST);
14888 listDexLib2.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14889 listDexLib2.append(XDEX_DEF::TYPE_ANNOTATION_ITEM);
14890 listDexLib2.append(XDEX_DEF::TYPE_ANNOTATION_SET_ITEM);
14891 listDexLib2.append(XDEX_DEF::TYPE_ANNOTATION_SET_REF_LIST);
14892 listDexLib2.append(XDEX_DEF::TYPE_ANNOTATIONS_DIRECTORY_ITEM);
14893 listDexLib2.append(XDEX_DEF::TYPE_DEBUG_INFO_ITEM);
14894 listDexLib2.append(XDEX_DEF::TYPE_CODE_ITEM);
14895 listDexLib2.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14896 listDexLib2.append(XDEX_DEF::TYPE_HIDDENAPI_CLASS_DATA_ITEM); // Optional
14897 listDexLib2.append(XDEX_DEF::TYPE_MAP_LIST);
14898
14899 QList<quint16> listDexLib2heur;
14900 listDexLib2heur.append(XDEX_DEF::TYPE_HEADER_ITEM);
14901 listDexLib2heur.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14902 listDexLib2heur.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14903 listDexLib2heur.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14904 listDexLib2heur.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14905 listDexLib2heur.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14906 listDexLib2heur.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14907 listDexLib2heur.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14908
14909 // r8
14910 // https://r8.googlesource.com/r8/+/refs/heads/master/src/main/java/com/android/tools/r8/dex/FileWriter.java#752
14911 QList<quint16> listR8;
14912 listR8.append(XDEX_DEF::TYPE_HEADER_ITEM);
14913 listR8.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14914 listR8.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14915 listR8.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14916 listR8.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14917 listR8.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14918 listR8.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14919 listR8.append(XDEX_DEF::TYPE_CALL_SITE_ID_ITEM); // Optional
14920 listR8.append(XDEX_DEF::TYPE_METHOD_HANDLE_ITEM); // Optional
14921 listR8.append(XDEX_DEF::TYPE_CODE_ITEM);
14922 listR8.append(XDEX_DEF::TYPE_DEBUG_INFO_ITEM);
14923 listR8.append(XDEX_DEF::TYPE_TYPE_LIST);
14924 listR8.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14925 listR8.append(XDEX_DEF::TYPE_ANNOTATION_ITEM);
14926 listR8.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14927 listR8.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14928 listR8.append(XDEX_DEF::TYPE_ANNOTATION_SET_ITEM);
14929 listR8.append(XDEX_DEF::TYPE_ANNOTATION_SET_REF_LIST); // Check
14930 listR8.append(XDEX_DEF::TYPE_ANNOTATIONS_DIRECTORY_ITEM);
14931 listR8.append(XDEX_DEF::TYPE_MAP_LIST);
14932
14933 // DexMerge
14934 // https://github.com/aosp-mirror/platform_dalvik/blob/master/dx/src/com/android/dx/merge/DexMerger.java#L95
14935 QList<quint16> listDexMerge;
14936 listDexMerge.append(XDEX_DEF::TYPE_HEADER_ITEM);
14937 listDexMerge.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14938 listDexMerge.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14939 listDexMerge.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14940 listDexMerge.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14941 listDexMerge.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14942 listDexMerge.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14943 listDexMerge.append(XDEX_DEF::TYPE_MAP_LIST);
14944 listDexMerge.append(XDEX_DEF::TYPE_TYPE_LIST);
14945 listDexMerge.append(XDEX_DEF::TYPE_ANNOTATION_SET_REF_LIST);
14946 listDexMerge.append(XDEX_DEF::TYPE_ANNOTATION_SET_ITEM);
14947 listDexMerge.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14948 listDexMerge.append(XDEX_DEF::TYPE_CODE_ITEM);
14949 listDexMerge.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14950 listDexMerge.append(XDEX_DEF::TYPE_DEBUG_INFO_ITEM);
14951 listDexMerge.append(XDEX_DEF::TYPE_ANNOTATION_ITEM);
14952 listDexMerge.append(XDEX_DEF::TYPE_ENCODED_ARRAY_ITEM);
14953 listDexMerge.append(XDEX_DEF::TYPE_ANNOTATIONS_DIRECTORY_ITEM);
14954
14955 // fast-proxy
14956 // https://github.com/int02h/fast-proxy/blob/master/fastproxy/src/main/java/com/dpforge/fastproxy/dex/writer/DexWriter.java#L57
14957 // TODO more researches
14958 QList<quint16> listFastProxy;
14959 listFastProxy.append(XDEX_DEF::TYPE_HEADER_ITEM);
14960 listFastProxy.append(XDEX_DEF::TYPE_STRING_ID_ITEM);
14961 listFastProxy.append(XDEX_DEF::TYPE_TYPE_ID_ITEM);
14962 listFastProxy.append(XDEX_DEF::TYPE_PROTO_ID_ITEM);
14963 listFastProxy.append(XDEX_DEF::TYPE_FIELD_ID_ITEM);
14964 listFastProxy.append(XDEX_DEF::TYPE_METHOD_ID_ITEM);
14965 listFastProxy.append(XDEX_DEF::TYPE_CLASS_DEF_ITEM);
14966 listFastProxy.append(XDEX_DEF::TYPE_STRING_DATA_ITEM);
14967 listFastProxy.append(XDEX_DEF::TYPE_TYPE_LIST);
14968 listFastProxy.append(XDEX_DEF::TYPE_CODE_ITEM);
14969 listFastProxy.append(XDEX_DEF::TYPE_CLASS_DATA_ITEM);
14970 listFastProxy.append(XDEX_DEF::TYPE_MAP_LIST);
14971
14972 // TODO Check https://github.com/facebookexperimental/r8
14973 // TODO https://github.com/davidbrazdil/dexter-backup/blob/e09c9397aa727f6180799254fb08e15955c1a89e/src/org/jf/dexlib/DexFromMemory.java
14974 // TODO https://github.com/rchiossi/dexterity/blob/ce66ca62a6df4c6d913bdde1d7d91f5fa90ff916/dx/dxlib.py#L505
14975 // TODO https://github.com/rchiossi/dexterity/blob/ce66ca62a6df4c6d913bdde1d7d91f5fa90ff916/lib/dex_builder.c#L404
14976 // TODO redex https://github.com/lzoghbi/thesis
14977 // TODO https://github.com/zyq8709/DexHunter/tree/master/dalvik/dx
14978
14979 // https://r8.googlesource.com/r8/+/refs/heads/master/src/main/java/com/android/tools/r8/dex/Marker.java
14980 // Example: X~~D8{"compilation-mode":"release","has-checksums":false,"min-api":14,"version":"2.0.88"}
14981
14982 VI_STRUCT viR8=get_R8_marker_vi(pDevice,false,0,pDEXInfo->basic_info.nSize);
14983 bool bR8_map=XDEX::compareMapItems(&listMaps,&listR8);
14984 bool bDX_map=XDEX::compareMapItems(&listMaps,&listDx);
14985 // bool bDexLib_map=XDEX::compareMapItems(&listMaps,&listDexLib);
14986 bool bDexLib2_map=XDEX::compareMapItems(&listMaps,&listDexLib2);
14987 bool bDexLib2heur_map=XDEX::compareMapItems(&listMaps,&listDexLib2heur);
14988 bool bDexMerge_map=XDEX::compareMapItems(&listMaps,&listDexMerge);
14989 bool bFastProxy_map=XDEX::compareMapItems(&listMaps,&listFastProxy);
14990
14991 if(viR8.bIsValid)
14992 {
14993 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_R8,"","",0);
14994 recordCompiler.sVersion=viR8.sVersion;
14995 recordCompiler.sInfo=viR8.sInfo;
14996 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
14997 }
14998 else if(!(pDEXInfo->bIsStringPoolSorted))
14999 {
15000 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_DEXLIB,"","",0);
15001 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15002 }
15003 else if(bDX_map)
15004 {
15005 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_DX,"","",0);
15006 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15007 }
15008 else if(bDexLib2_map)
15009 {
15010 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_DEXLIB2,"","",0);
15011 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15012 }
15013 else if(bR8_map)
15014 {
15015 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_R8,"","",0);
15016 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15017 }
15018 else if(bDexLib2heur_map)
15019 {
15020 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_DEXLIB2,"","",0);
15021 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15022 }
15023 else if(bFastProxy_map)
15024 {
15025 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_FASTPROXY,"","",0);
15026 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15027 }
15028
15029 if(bDexMerge_map)
15030 {
15031 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_DEXMERGE,"","",0);
15032 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15033 }
15034
15035 if(viR8.bIsValid&&(!bR8_map))
15036 {
15037 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_R8,"","",0);
15038 recordCompiler.sVersion=viR8.sVersion;
15039 recordCompiler.sInfo=append(recordCompiler.sInfo,"CHECK !!!");
15040 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15041 }
15042
15043 if(pDEXInfo->basic_info.bIsDeepScan)
15044 {
15045 qint32 nJackIndex=dex.getStringNumberFromListExp(&(pDEXInfo->listStrings),"^emitter: jack");
15046
15047 if(nJackIndex!=-1)
15048 {
15049 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_JACK,"","",0);
15050 recordCompiler.sVersion=pDEXInfo->listStrings.at(nJackIndex).section("-",1,-1);
15051 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15052 }
15053 }
15054
15055 if(pDEXInfo->mapResultCompilers.size()==0)
15056 {
15057 _SCANS_STRUCT recordCompiler=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_COMPILER,RECORD_NAME_UNKNOWN,QString("%1").arg(dex.getMapItemsHash()),"",0);
15058 pDEXInfo->mapResultCompilers.insert(recordCompiler.name,scansToScan(&(pDEXInfo->basic_info),&recordCompiler));
15059 }
15060
15061 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_APKTOOLPLUS))
15062 {
15063 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_APKTOOLPLUS);
15064 pDEXInfo->mapResultTools.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15065 }
15066
15067 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_UNICOMSDK))
15068 {
15069 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_UNICOMSDK);
15070 pDEXInfo->mapResultLibraries.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15071 }
15072
15073 if(pDEXInfo->basic_info.bIsDeepScan)
15074 {
15075 bool bIsFieldNamesUnicode=dex.isFieldNamesUnicode(&(pDEXInfo->listFieldIDs),&(pDEXInfo->listStrings));
15076 bool bIsMethodNamesUnicode=dex.isMethodNamesUnicode(&(pDEXInfo->listMethodIDs),&(pDEXInfo->listStrings));
15077
15078 bool bInvalidHeaderSize=(pDEXInfo->header.header_size!=0x70);
15079 bool bLink=(pDEXInfo->header.link_off||pDEXInfo->header.link_size);
15080
15081 QString sOverlay;
15082
15083 if(pDEXInfo->basic_info.bIsTest)
15084 {
15085 sOverlay=QString("Maps %1").arg(dex.getMapItemsHash());
15086
15087 if(pDEXInfo->bIsOverlayPresent)
15088 {
15089 sOverlay=append(sOverlay,"Overlay");
15090 }
15091
15092 if(bInvalidHeaderSize)
15093 {
15094 sOverlay=append(sOverlay,"Invalid header size");
15095 }
15096
15097 if(bLink)
15098 {
15099 sOverlay=append(sOverlay,QString("Invalid Link(%1,%2)").arg(pDEXInfo->header.link_size).arg(pDEXInfo->header.link_off));
15100 }
15101
15102 if(bIsFieldNamesUnicode)
15103 {
15104 sOverlay=append(sOverlay,"bIsFieldNamesUnicode");
15105 }
15106
15107 if(bIsMethodNamesUnicode)
15108 {
15109 sOverlay=append(sOverlay,"bIsMethodNamesUnicode");
15110 }
15111
15112 if(viR8.bIsValid)
15113 {
15114 if(bDX_map)
15115 {
15116 sOverlay=append(sOverlay,"DX");
15117 }
15118
15119 if(bDexLib2_map)
15120 {
15121 sOverlay=append(sOverlay,"DexLib2");
15122 }
15123
15124 if(!(pDEXInfo->bIsStringPoolSorted))
15125 {
15126 sOverlay=append(sOverlay,"DexLib");
15127 }
15128
15129 if(bDexMerge_map)
15130 {
15131 sOverlay=append(sOverlay,"DexMerge");
15132 }
15133 }
15134 }
15135
15136 int nNumberOfRecords=pDEXInfo->listStrings.count();
15137
15138 for(int i=0;(i<nNumberOfRecords);i++)
15139 {
15140 if(pDEXInfo->basic_info.bIsTest)
15141 {
15142 // TODO find!
15143 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_APK,RECORD_TYPE_PROTECTOR,RECORD_NAME_UNKNOWN,"","",0);
15144
15145 if( pDEXInfo->listStrings.at(i).contains("agconfig")||
15146 pDEXInfo->listStrings.at(i).contains("AntiSkid")||
15147 pDEXInfo->listStrings.at(i).contains("ALLATORI")||
15148 pDEXInfo->listStrings.at(i).contains("AppSuit")||
15149 pDEXInfo->listStrings.at(i).contains("appsuit")||
15150 pDEXInfo->listStrings.at(i).contains("gemalto")||
15151 pDEXInfo->listStrings.at(i).contains("WapperApplication")||
15152 pDEXInfo->listStrings.at(i).contains("AppSealing")||
15153 pDEXInfo->listStrings.at(i).contains("whitecryption")||
15154 pDEXInfo->listStrings.at(i).contains("ModGuard")||
15155 pDEXInfo->listStrings.at(i).contains("InjectedActivity"))
15156 {
15157 ss.sVersion=pDEXInfo->listStrings.at(i);
15158 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15159 ss.sInfo=append(ss.sInfo,sOverlay);
15160
15161 break;
15162 }
15163 }
15164 }
15165 }
15166 // Check Ljava/lang/ClassLoader;
15167 }
15168 }
15169
DEX_handle_Dexguard(QIODevice * pDevice,SpecAbstract::DEXINFO_STRUCT * pDEXInfo,bool * pbIsStop)15170 void SpecAbstract::DEX_handle_Dexguard(QIODevice *pDevice, SpecAbstract::DEXINFO_STRUCT *pDEXInfo, bool *pbIsStop)
15171 {
15172 XDEX dex(pDevice);
15173
15174 if(dex.isValid())
15175 {
15176 if(pDEXInfo->basic_info.bIsDeepScan)
15177 {
15178 if(XBinary::isStringInListPresentExp(&(pDEXInfo->listTypeItemStrings),"dexguard\\/",pbIsStop))
15179 {
15180 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXGUARD,"","",0);
15181 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15182 }
15183
15184 if(!pDEXInfo->mapTypeDetects.contains(RECORD_NAME_DEXGUARD))
15185 {
15186 int nNumberOfTypes=pDEXInfo->listTypeItemStrings.count();
15187
15188 for(int i=0;(i<nNumberOfTypes)&&(!(*pbIsStop));i++)
15189 {
15190 QString sType=pDEXInfo->listTypeItemStrings.at(i);
15191
15192 // TODO Check!
15193 if(sType.size()<=7)
15194 {
15195 if(XBinary::isRegExpPresent("^Lo/",sType))
15196 {
15197 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXGUARD,"","",0);
15198 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15199
15200 break;
15201 }
15202 }
15203 }
15204 }
15205 }
15206 }
15207 }
15208
DEX_handle_Protection(QIODevice * pDevice,SpecAbstract::DEXINFO_STRUCT * pDEXInfo,bool * pbIsStop)15209 void SpecAbstract::DEX_handle_Protection(QIODevice *pDevice, SpecAbstract::DEXINFO_STRUCT *pDEXInfo, bool *pbIsStop)
15210 {
15211 XDEX dex(pDevice);
15212
15213 if(dex.isValid())
15214 {
15215 // DexProtect
15216 // 070002000000020083dc63003e000000120113000e0048000500e0000010011239022a001232d563ff0048030503d533ff00e1040608d544ff0048040504d544ff00e0040408b643e1040610d544ff0048040504d544ff00e0040410b643e1040618d544ff0048000504e0000018b6300f000d023901feff1221dd02067f48000502e100000828f50d0328cb0d000000
15217 if(pDEXInfo->bIsOverlayPresent)
15218 {
15219 if(dex.getOverlaySize()==0x60)
15220 {
15221 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXPROTECTOR,"","",0);
15222 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15223 }
15224 }
15225 else
15226 {
15227 if(pDEXInfo->basic_info.bIsDeepScan)
15228 {
15229 if(XBinary::isStringInListPresentExp(&(pDEXInfo->listTypeItemStrings),"\\/dexprotector\\/",pbIsStop))
15230 {
15231 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_DEXPROTECTOR,"","",0);
15232 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15233 }
15234 }
15235 }
15236
15237 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_EASYPROTECTOR))
15238 {
15239 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_EASYPROTECTOR);
15240 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15241 }
15242
15243 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_QDBH))
15244 {
15245 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_QDBH);
15246 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15247 }
15248
15249 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_JIAGU))
15250 {
15251 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_JIAGU);
15252 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15253 }
15254
15255 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_BANGCLEPROTECTION))
15256 {
15257 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_BANGCLEPROTECTION);
15258 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15259 }
15260
15261 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_ALLATORIOBFUSCATOR))
15262 {
15263 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_ALLATORIOBFUSCATOR);
15264 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15265 }
15266
15267 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_PANGXIE))
15268 {
15269 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_PANGXIE);
15270 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15271 }
15272
15273 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_NAGAPTPROTECTION))
15274 {
15275 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_NAGAPTPROTECTION);
15276 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15277 }
15278
15279 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_MODGUARD))
15280 {
15281 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_MODGUARD);
15282 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15283 }
15284
15285 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_KIWIVERSIONOBFUSCATOR))
15286 {
15287 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_KIWIVERSIONOBFUSCATOR);
15288 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15289 }
15290
15291 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_APKPROTECT))
15292 {
15293 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_APKPROTECT);
15294 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15295 }
15296 else
15297 {
15298 if(pDEXInfo->basic_info.bIsDeepScan)
15299 {
15300 if(XBinary::isStringInListPresentExp(&(pDEXInfo->listStrings),"http://www.apkprotect.net/",pbIsStop))
15301 {
15302 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_APKPROTECT,"","",0);
15303 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15304 }
15305 }
15306 }
15307
15308 if(pDEXInfo->basic_info.bIsHeuristicScan)
15309 {
15310 if(pDEXInfo->mapStringDetects.contains(RECORD_NAME_AESOBFUSCATOR))
15311 {
15312 _SCANS_STRUCT ss=pDEXInfo->mapStringDetects.value(RECORD_NAME_AESOBFUSCATOR);
15313 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15314 }
15315 else
15316 {
15317 if(pDEXInfo->basic_info.bIsDeepScan)
15318 {
15319 if(XBinary::isStringInListPresentExp(&(pDEXInfo->listStrings),"licensing/AESObfuscator;",pbIsStop))
15320 {
15321 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_AESOBFUSCATOR,"","",0);
15322 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15323 }
15324 }
15325 }
15326 }
15327
15328 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_BTWORKSCODEGUARD))
15329 {
15330 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_BTWORKSCODEGUARD);
15331 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15332 }
15333
15334 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_QIHOO360PROTECTION)) // Check overlay
15335 {
15336 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_QIHOO360PROTECTION);
15337 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15338 }
15339
15340 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_ALIBABAPROTECTION)) // Check overlay
15341 {
15342 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_ALIBABAPROTECTION);
15343 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15344 }
15345
15346 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_BAIDUPROTECTION)) // Check overlay
15347 {
15348 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_BAIDUPROTECTION);
15349 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15350 }
15351
15352 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_TENCENTPROTECTION)) // Check overlay
15353 {
15354 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_TENCENTPROTECTION);
15355 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15356 }
15357
15358 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_SECNEO))
15359 {
15360 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_SECNEO);
15361 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15362 }
15363
15364 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_LIAPP))
15365 {
15366 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_LIAPP);
15367 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15368 }
15369
15370 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_VDOG))
15371 {
15372 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_VDOG);
15373 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15374 }
15375
15376 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_APPSOLID))
15377 {
15378 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_APPSOLID);
15379 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15380 }
15381
15382 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_MEDUSAH))
15383 {
15384 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_MEDUSAH);
15385 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15386 }
15387
15388 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_NQSHIELD))
15389 {
15390 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_NQSHIELD);
15391 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15392 }
15393
15394 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_YIDUN))
15395 {
15396 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_YIDUN);
15397 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15398 }
15399
15400 if(pDEXInfo->mapTypeDetects.contains(RECORD_NAME_APKENCRYPTOR))
15401 {
15402 _SCANS_STRUCT ss=pDEXInfo->mapTypeDetects.value(RECORD_NAME_APKENCRYPTOR);
15403 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15404 }
15405
15406 if(pDEXInfo->basic_info.bIsDeepScan)
15407 {
15408 if(XBinary::isStringInListPresentExp(&(pDEXInfo->listTypeItemStrings),"\\/proguard\\/",pbIsStop))
15409 {
15410 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_PROTECTOR,RECORD_NAME_PROGUARD,"","",0);
15411 pDEXInfo->mapResultProtectors.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15412 }
15413 }
15414 }
15415 }
15416
DEX_handleLanguages(QIODevice * pDevice,DEXINFO_STRUCT * pDEXInfo)15417 void SpecAbstract::DEX_handleLanguages(QIODevice *pDevice, DEXINFO_STRUCT *pDEXInfo)
15418 {
15419 Q_UNUSED(pDevice)
15420
15421 _SCANS_STRUCT ss=getScansStruct(0,XBinary::FT_DEX,RECORD_TYPE_LANGUAGE,RECORD_NAME_DALVIK,"","",0);
15422 pDEXInfo->mapResultLanguages.insert(ss.name,scansToScan(&(pDEXInfo->basic_info),&ss));
15423
15424 getLanguage(&(pDEXInfo->mapResultLinkers),&(pDEXInfo->mapResultLanguages));
15425 getLanguage(&(pDEXInfo->mapResultCompilers),&(pDEXInfo->mapResultLanguages));
15426 getLanguage(&(pDEXInfo->mapResultLibraries),&(pDEXInfo->mapResultLanguages));
15427 getLanguage(&(pDEXInfo->mapResultTools),&(pDEXInfo->mapResultLanguages));
15428
15429 fixLanguage(&(pDEXInfo->mapResultLanguages));
15430 }
15431
15432 //void SpecAbstract::fixDetects(SpecAbstract::PEINFO_STRUCT *pPEInfo)
15433 //{
15434 // if(pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_MICROSOFTLINKER)&&pPEInfo->basic_info.mapHeaderDetects.contains(RECORD_NAME_GENERICLINKER))
15435 // {
15436 // pPEInfo->basic_info.mapHeaderDetects.remove(RECORD_NAME_MICROSOFTLINKER);
15437 // }
15438
15439 // if(pPEInfo->_mapImportDetects.contains(RECORD_NAME_C)&&pPEInfo->_mapImportDetects.contains(RECORD_NAME_VISUALCPP))
15440 // {
15441 // pPEInfo->_mapImportDetects.remove(RECORD_NAME_VISUALCPP);
15442 // }
15443
15444 // if(pPEInfo->mapSpecialDetects.contains(RECORD_NAME_ENIGMA))
15445 // {
15446 // pPEInfo->mapEntryPointDetects.remove(RECORD_NAME_BORLANDCPP);
15447 // }
15448 //}
15449
updateVersion(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::SCAN_STRUCT> * pMap,SpecAbstract::RECORD_NAME name,QString sVersion)15450 void SpecAbstract::updateVersion(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::SCAN_STRUCT> *pMap, SpecAbstract::RECORD_NAME name, QString sVersion)
15451 {
15452 if(pMap->contains(name))
15453 {
15454 SpecAbstract::SCAN_STRUCT record=pMap->value(name);
15455 record.sVersion=sVersion;
15456 pMap->insert(name,record);
15457 }
15458 }
15459
updateInfo(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::SCAN_STRUCT> * pMap,SpecAbstract::RECORD_NAME name,QString sInfo)15460 void SpecAbstract::updateInfo(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::SCAN_STRUCT> *pMap, SpecAbstract::RECORD_NAME name, QString sInfo)
15461 {
15462 if(pMap->contains(name))
15463 {
15464 SpecAbstract::SCAN_STRUCT record=pMap->value(name);
15465 record.sInfo=sInfo;
15466 pMap->insert(name,record);
15467 }
15468 }
15469
updateVersionAndInfo(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::SCAN_STRUCT> * pMap,SpecAbstract::RECORD_NAME name,QString sVersion,QString sInfo)15470 void SpecAbstract::updateVersionAndInfo(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::SCAN_STRUCT> *pMap, SpecAbstract::RECORD_NAME name, QString sVersion, QString sInfo)
15471 {
15472 if(pMap->contains(name))
15473 {
15474 SpecAbstract::SCAN_STRUCT record=pMap->value(name);
15475 record.sVersion=sVersion;
15476 record.sInfo=sInfo;
15477 pMap->insert(name,record);
15478 }
15479 }
15480
isScanStructPresent(QList<SpecAbstract::SCAN_STRUCT> * pListScanStructs,XBinary::FT fileType,SpecAbstract::RECORD_TYPE type,SpecAbstract::RECORD_NAME name,QString sVersion,QString sInfo)15481 bool SpecAbstract::isScanStructPresent(QList<SpecAbstract::SCAN_STRUCT> *pListScanStructs, XBinary::FT fileType, SpecAbstract::RECORD_TYPE type, SpecAbstract::RECORD_NAME name, QString sVersion, QString sInfo)
15482 {
15483 bool bResult=false;
15484
15485 int nNumberOfRecords=pListScanStructs->count();
15486
15487 for(int i=0; i<nNumberOfRecords; i++)
15488 {
15489 if( ((pListScanStructs->at(i).id.fileType==fileType)||(fileType==XBinary::FT_UNKNOWN))
15490 && ((pListScanStructs->at(i).type==type)||(type==SpecAbstract::RECORD_TYPE_UNKNOWN))
15491 && ((pListScanStructs->at(i).name==name)||(name==SpecAbstract::RECORD_NAME_UNKNOWN))
15492 && ((pListScanStructs->at(i).sVersion==sVersion)||(sVersion==""))
15493 && ((pListScanStructs->at(i).sInfo==sInfo)||(sInfo=="")))
15494 {
15495 bResult=true;
15496 break;
15497 }
15498 }
15499
15500 return bResult;
15501 }
15502
checkVersionString(QString sVersion)15503 bool SpecAbstract::checkVersionString(QString sVersion)
15504 {
15505 bool bResult=false;
15506
15507 if(sVersion.trimmed()!="")
15508 {
15509 bResult=true;
15510
15511 int nStringSize=sVersion.size();
15512
15513 // TODO
15514 for(int i=0; i<nStringSize; i++)
15515 {
15516 QChar _char=sVersion.at(i);
15517
15518 if((_char>=QChar('0'))&&(_char<=QChar('9')))
15519 {
15520
15521 }
15522 else if(_char==QChar('.'))
15523 {
15524
15525 }
15526 else
15527 {
15528 bResult=false;
15529 break;
15530 }
15531 }
15532 }
15533
15534
15535
15536 return bResult;
15537 }
15538
get_UPX_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize,XBinary::FT fileType)15539 SpecAbstract::VI_STRUCT SpecAbstract::get_UPX_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize,XBinary::FT fileType)
15540 {
15541 // TODO unknown version
15542 VI_STRUCT result={};
15543
15544 XBinary binary(pDevice,bIsImage);
15545
15546 // TODO make both
15547 qint64 nStringOffset1=binary.find_ansiString(nOffset,nSize,"$Id: UPX");
15548 qint64 nStringOffset2=binary.find_ansiString(nOffset,nSize,"UPX!");
15549
15550 if(nStringOffset1!=-1)
15551 {
15552 result.bIsValid=true;
15553
15554 result.sVersion=binary.read_ansiString(nStringOffset1+9,10);
15555 result.sVersion=result.sVersion.section(" ",0,0);
15556
15557 if(!checkVersionString(result.sVersion))
15558 {
15559 result.sVersion="";
15560 }
15561
15562 // NRV
15563 qint64 nNRVStringOffset1=binary.find_array(nOffset,nSize,"\x24\x49\x64\x3a\x20\x4e\x52\x56\x20",9);
15564
15565 if(nNRVStringOffset1!=-1)
15566 {
15567 QString sNRVVersion=binary.read_ansiString(nNRVStringOffset1+9,10);
15568 sNRVVersion=sNRVVersion.section(" ",0,0);
15569
15570 if(checkVersionString(sNRVVersion))
15571 {
15572 result.sInfo=QString("NRV %1").arg(sNRVVersion);
15573 }
15574 }
15575 }
15576
15577 if(nStringOffset2!=-1)
15578 {
15579 VI_STRUCT viUPX=_get_UPX_vi(pDevice,bIsImage,nStringOffset2,0x24,fileType);
15580
15581 if(viUPX.bIsValid)
15582 {
15583 result.sInfo=append(result.sInfo,viUPX.sInfo);
15584
15585 if(result.sVersion=="")
15586 {
15587 result.sVersion=viUPX.sVersion;
15588 }
15589 }
15590
15591 result.bIsValid=true; // TODO Check
15592 // TODO 1 function
15593
15594 if(result.sVersion=="")
15595 {
15596 result.sVersion=binary.read_ansiString(nStringOffset2-5,4);
15597 }
15598 }
15599
15600 if(!checkVersionString(result.sVersion))
15601 {
15602 result.sVersion="";
15603 }
15604
15605 return result;
15606 }
15607
_get_UPX_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize,XBinary::FT fileType)15608 SpecAbstract::VI_STRUCT SpecAbstract::_get_UPX_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize, XBinary::FT fileType)
15609 {
15610 VI_STRUCT result={};
15611
15612 XBinary binary(pDevice,bIsImage);
15613
15614 if(binary.isOffsetAndSizeValid(nOffset,nSize))
15615 {
15616 if(nSize>=22)
15617 {
15618 result.bIsValid=true;
15619
15620 quint8 nVersion=binary.read_uint8(nOffset+4);
15621 quint8 nFormat=binary.read_uint8(nOffset+5);
15622 quint8 nMethod=binary.read_uint8(nOffset+6);
15623 quint8 nLevel=binary.read_uint8(nOffset+7);
15624
15625 quint32 nULen=0;
15626 quint32 nCLen=0;
15627 quint32 nUAdler=0;
15628 quint32 nCAdler=0;
15629 quint32 nFileSize=0;
15630 quint8 nFilter=0;
15631 quint8 nFilterCTO=0;
15632 quint8 nMRU=0;
15633 quint8 nHeaderChecksum=0;
15634
15635 if(nFormat<128)
15636 {
15637 if((nFormat==1)||(nFormat==2)) // UPX_F_DOS_COM, UPX_F_DOS_SYS
15638 {
15639 if(nSize>=22)
15640 {
15641 nULen=binary.read_uint16(nOffset+16);
15642 nCLen=binary.read_uint16(nOffset+18);
15643 nFilter=binary.read_uint8(nOffset+20);
15644 nHeaderChecksum=binary.read_uint8(nOffset+21);
15645 }
15646 else
15647 {
15648 result.bIsValid=false;
15649 }
15650 }
15651 else if(nFormat==3) // UPX_F_DOS_EXE
15652 {
15653 if(nSize>=27)
15654 {
15655 nULen=binary.read_uint24(nOffset+16);
15656 nCLen=binary.read_uint24(nOffset+19);
15657 nFileSize=binary.read_uint24(nOffset+22);
15658 nFilter=binary.read_uint8(nOffset+25);
15659 nHeaderChecksum=binary.read_uint8(nOffset+26);
15660 }
15661 else
15662 {
15663 result.bIsValid=false;
15664 }
15665 }
15666 else
15667 {
15668 if(nSize>=32)
15669 {
15670 nULen=binary.read_uint32(nOffset+16);
15671 nCLen=binary.read_uint32(nOffset+20);
15672 nFileSize=binary.read_uint32(nOffset+24);
15673 nFilter=binary.read_uint8(nOffset+28);
15674 nFilterCTO=binary.read_uint8(nOffset+29);
15675 nMRU=binary.read_uint8(nOffset+30);
15676 nHeaderChecksum=binary.read_uint8(nOffset+31);
15677 }
15678 else
15679 {
15680 result.bIsValid=false;
15681 }
15682 }
15683
15684 if(result.bIsValid)
15685 {
15686 nUAdler=binary.read_uint32(nOffset+8);
15687 nCAdler=binary.read_uint32(nOffset+12);
15688 }
15689 }
15690 else
15691 {
15692 if(nSize>=32)
15693 {
15694 nULen=binary.read_uint32(nOffset+8,true);
15695 nCLen=binary.read_uint32(nOffset+12,true);
15696 nUAdler=binary.read_uint32(nOffset+16,true);
15697 nCAdler=binary.read_uint32(nOffset+20,true);
15698 nFileSize=binary.read_uint32(nOffset+24,true);
15699 nFilter=binary.read_uint8(nOffset+28);
15700 nFilterCTO=binary.read_uint8(nOffset+29);
15701 nMRU=binary.read_uint8(nOffset+30);
15702 nHeaderChecksum=binary.read_uint8(nOffset+31);
15703 }
15704 else
15705 {
15706 result.bIsValid=false;
15707 }
15708 }
15709
15710 Q_UNUSED(nUAdler)
15711 Q_UNUSED(nCAdler)
15712 Q_UNUSED(nFileSize)
15713 Q_UNUSED(nFilter)
15714 Q_UNUSED(nFilterCTO)
15715 Q_UNUSED(nMRU)
15716 Q_UNUSED(nHeaderChecksum)
15717
15718 if(result.bIsValid)
15719 {
15720 // Check Executable formats
15721 if(nFormat==0) result.bIsValid=false;
15722 if((nFormat>42)&&(nFormat<129)) result.bIsValid=false;
15723 if(nFormat>142) result.bIsValid=false;
15724 if(nFormat==7) result.bIsValid=false; // UPX_F_DOS_EXEH OBSOLETE
15725 if(nFormat==6) result.bIsValid=false; // UPX_F_VXD_LE NOT IMPLEMENTED
15726 if(nFormat==11) result.bIsValid=false; // UPX_F_WIN16_NE NOT IMPLEMENTED
15727 if(nFormat==13) result.bIsValid=false; // UPX_F_LINUX_SEP_i386 NOT IMPLEMENTED
15728 if(nFormat==17) result.bIsValid=false; // UPX_F_ELKS_8086 NOT IMPLEMENTED
15729 if(nFormat==130) result.bIsValid=false; // UPX_F_SOLARIS_SPARC NOT IMPLEMENTED
15730
15731 if(fileType==XBinary::FT_COM)
15732 {
15733 if( (nFormat!=1)&& // UPX_F_DOS_COM
15734 (nFormat!=2)) // UPX_F_DOS_SYS
15735 {
15736 result.bIsValid=false;
15737 }
15738 }
15739 else if(fileType==XBinary::FT_MSDOS)
15740 {
15741 if( (nFormat!=3)) // UPX_F_DOS_EXE
15742 {
15743 result.bIsValid=false;
15744 }
15745 }
15746 else if((fileType==XBinary::FT_LE)||(fileType==XBinary::FT_LX))
15747 {
15748 if( (nFormat!=5)) // UPX_F_WATCOM_LE
15749 {
15750 result.bIsValid=false;
15751 }
15752 }
15753 else if(fileType==XBinary::FT_PE)
15754 {
15755 if( (nFormat!=9)&& // UPX_F_WIN32_PE
15756 (nFormat!=21)&& // UPX_F_WINCE_ARM_PE
15757 (nFormat!=36)) // UPX_F_WIN64_PEP
15758 {
15759 result.bIsValid=false;
15760 }
15761 }
15762 else if(fileType==XBinary::FT_MACHO)
15763 {
15764 if( (nFormat!=29)&& // UPX_F_MACH_i386
15765 (nFormat!=32)&& // UPX_F_MACH_ARMEL
15766 (nFormat!=33)&& // UPX_F_DYLIB_i386
15767 (nFormat!=34)&& // UPX_F_MACH_AMD64
15768 (nFormat!=35)&& // UPX_F_DYLIB_AMD64
15769 (nFormat!=37)&& // UPX_F_MACH_ARM64EL
15770 (nFormat!=38)&& // UPX_F_MACH_PPC64LE
15771 (nFormat!=41)&& // UPX_F_DYLIB_PPC64LE
15772 (nFormat!=131)&& // UPX_F_MACH_PPC32
15773 (nFormat!=134)&& // UPX_F_MACH_FAT
15774 (nFormat!=138)&& // UPX_F_DYLIB_PPC32
15775 (nFormat!=139)&& // UPX_F_MACH_PPC64
15776 (nFormat!=142)) // UPX_F_DYLIB_PPC64
15777 {
15778 result.bIsValid=false;
15779 }
15780 }
15781 else if(fileType==XBinary::FT_ELF)
15782 {
15783 if( (nFormat!=10)&& // UPX_F_LINUX_i386
15784 (nFormat!=12)&& // UPX_F_LINUX_ELF_i386
15785 (nFormat!=14)&& // UPX_F_LINUX_SH_i386
15786 (nFormat!=15)&& // UPX_F_VMLINUZ_i386
15787 (nFormat!=16)&& // UPX_F_BVMLINUZ_i386
15788 (nFormat!=19)&& // UPX_F_VMLINUX_i386
15789 (nFormat!=20)&& // UPX_F_LINUX_ELFI_i386
15790 (nFormat!=22)&& // UPX_F_LINUX_ELF64_AMD
15791 (nFormat!=23)&& // UPX_F_LINUX_ELF32_ARMEL
15792 (nFormat!=24)&& // UPX_F_BSD_i386
15793 (nFormat!=25)&& // UPX_F_BSD_ELF_i386
15794 (nFormat!=26)&& // UPX_F_BSD_SH_i386
15795 (nFormat!=27)&& // UPX_F_VMLINUX_AMD64
15796 (nFormat!=28)&& // UPX_F_VMLINUX_ARMEL
15797 (nFormat!=30)&& // UPX_F_LINUX_ELF32_MIPSEL
15798 (nFormat!=31)&& // UPX_F_VMLINUZ_ARMEL
15799 (nFormat!=39)&& // UPX_F_LINUX_ELFPPC64LE
15800 (nFormat!=40)&& // UPX_F_VMLINUX_PPC64LE
15801 (nFormat!=42)&& // UPX_F_LINUX_ELF64_ARM
15802 (nFormat!=132)&& // UPX_F_LINUX_ELFPPC32
15803 (nFormat!=133)&& // UPX_F_LINUX_ELF32_ARMEB
15804 (nFormat!=135)&& // UPX_F_VMLINUX_ARMEB
15805 (nFormat!=136)&& // UPX_F_VMLINUX_PPC32
15806 (nFormat!=137)&& // UPX_F_LINUX_ELF32_MIPSEB
15807 (nFormat!=140)&& // UPX_F_LINUX_ELFPPC64
15808 (nFormat!=141)) // UPX_F_VMLINUX_PPC64
15809 {
15810 result.bIsValid=false;
15811 }
15812 }
15813
15814 // Check Version
15815 if(nVersion>14)
15816 {
15817 result.bIsValid=false;
15818 }
15819
15820 // Check Methods
15821 if((nMethod<2)||(nMethod>15))
15822 {
15823 result.bIsValid=false;
15824 }
15825
15826 // Check Level
15827 // https://github.com/upx/upx/blob/d7ba31cab8ce8d95d2c10e88d2ec787ac52005ef/src/compress_lzma.cpp#L137
15828 if(nLevel>10)
15829 {
15830 result.bIsValid=false;
15831 }
15832
15833 // Check size
15834 if(nCLen>nULen)
15835 {
15836 result.bIsValid=false;
15837 }
15838 }
15839
15840 if(result.bIsValid)
15841 {
15842 // TODO
15843 // switch(nVersion)
15844 // {
15845 // case 11: result.sVersion="1.10-"; break;
15846 // case 12: result.sVersion="1.10-"; break;
15847 // case 13: result.sVersion="1.90+"; break;
15848 // }
15849
15850 switch(nMethod) // From https://github.com/upx/upx/blob/master/src/conf.h
15851 {
15852
15853 //#define M_CL1B_LE32 11
15854 //#define M_CL1B_8 12
15855 //#define M_CL1B_LE16 13
15856 case 2: result.sInfo=append(result.sInfo,"NRV2B_LE32"); break;
15857 case 3: result.sInfo=append(result.sInfo,"NRV2B_8"); break;
15858 case 4: result.sInfo=append(result.sInfo,"NRV2B_LE16"); break;
15859 case 5: result.sInfo=append(result.sInfo,"NRV2D_LE32"); break;
15860 case 6: result.sInfo=append(result.sInfo,"NRV2D_8"); break;
15861 case 7: result.sInfo=append(result.sInfo,"NRV2D_LE16"); break;
15862 case 8: result.sInfo=append(result.sInfo,"NRV2E_LE32"); break;
15863 case 9: result.sInfo=append(result.sInfo,"NRV2E_8"); break;
15864 case 10: result.sInfo=append(result.sInfo,"NRV2E_LE16"); break;
15865 case 14: result.sInfo=append(result.sInfo,"LZMA"); break;
15866 case 15: result.sInfo=append(result.sInfo,"zlib"); break;
15867 }
15868
15869 if(result.sInfo!="")
15870 {
15871 if(nLevel==8)
15872 {
15873 result.sInfo=append(result.sInfo,"best");
15874 }
15875 else
15876 {
15877 result.sInfo=append(result.sInfo,"brute");
15878 }
15879 }
15880
15881 result.nValue=binary.read_uint32(nOffset);
15882
15883 if(result.nValue!=0x21585055) // UPX!
15884 {
15885 result.sInfo=append(result.sInfo,QString("Modified(%1)").arg(XBinary::valueToHex((quint32)result.nValue)));
15886 }
15887 }
15888 }
15889 }
15890
15891 return result;
15892 }
15893
get_GCC_vi1(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)15894 SpecAbstract::VI_STRUCT SpecAbstract::get_GCC_vi1(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
15895 {
15896 VI_STRUCT result={};
15897
15898 XBinary binary(pDevice,bIsImage);
15899
15900 // TODO get max version
15901 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"GCC:");
15902
15903 if(nOffset_Version!=-1)
15904 {
15905 QString sVersionString=binary.read_ansiString(nOffset_Version);
15906
15907 result=_get_GCC_string(sVersionString);
15908 }
15909
15910 return result;
15911 }
15912
get_GCC_vi2(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)15913 SpecAbstract::VI_STRUCT SpecAbstract::get_GCC_vi2(QIODevice *pDevice,bool bIsImage, qint64 nOffset, qint64 nSize)
15914 {
15915 VI_STRUCT result={};
15916
15917 XBinary binary(pDevice,bIsImage);
15918
15919 // TODO get max version
15920 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"gcc-");
15921
15922 if(nOffset_Version!=-1)
15923 {
15924 result.bIsValid=true;
15925 QString sVersionString=binary.read_ansiString(nOffset_Version);
15926 result.sVersion=sVersionString.section("-",1,1).section("/",0,0);
15927 }
15928
15929 return result;
15930 }
15931
get_Nim_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)15932 SpecAbstract::VI_STRUCT SpecAbstract::get_Nim_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
15933 {
15934 VI_STRUCT result={};
15935
15936 XBinary binary(pDevice,bIsImage);
15937
15938 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"\\lib\\system\\io.nim");
15939
15940 if(nOffset_Version!=-1)
15941 {
15942 result.bIsValid=true;
15943 // TODO Version
15944 }
15945
15946 return result;
15947 }
15948
get_Zig_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)15949 SpecAbstract::VI_STRUCT SpecAbstract::get_Zig_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
15950 {
15951 VI_STRUCT result={};
15952
15953 XBinary binary(pDevice,bIsImage);
15954
15955 qint64 nOffset_Version=binary.find_unicodeString(nOffset,nSize,"ZIG_DEBUG_COLOR");
15956
15957 if(nOffset_Version!=-1)
15958 {
15959 result.bIsValid=true;
15960 // TODO Version
15961 }
15962
15963 return result;
15964 }
15965
get_PyInstaller_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)15966 SpecAbstract::VI_STRUCT SpecAbstract::get_PyInstaller_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
15967 {
15968 VI_STRUCT result={};
15969
15970 XBinary binary(pDevice,bIsImage);
15971
15972 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"PyInstaller: FormatMessageW failed.");
15973
15974 if(nOffset_Version!=-1)
15975 {
15976 result.bIsValid=true;
15977 // TODO Version
15978 }
15979
15980 return result;
15981 }
15982
_get_GCC_string(QString sString)15983 SpecAbstract::VI_STRUCT SpecAbstract::_get_GCC_string(QString sString)
15984 {
15985 VI_STRUCT result={};
15986
15987 if(sString.contains("GCC:"))
15988 {
15989 result.bIsValid=true;
15990
15991 // TODO MinGW-w64
15992 if(sString.contains("MinGW"))
15993 {
15994 result.sInfo="MinGW";
15995 }
15996 else if(sString.contains("MSYS2"))
15997 {
15998 result.sInfo="MSYS2";
15999 }
16000 else if(sString.contains("Cygwin"))
16001 {
16002 result.sInfo="Cygwin";
16003 }
16004
16005 if( (sString.contains("(experimental)"))||
16006 (sString.contains("(prerelease)")))
16007 {
16008 result.sVersion=sString.section(" ",-3,-1); // TODO Check
16009 }
16010 else if(sString.contains("(GNU) c "))
16011 {
16012 result.sVersion=sString.section("(GNU) c ",1,-1);
16013 }
16014 else if(sString.contains("GNU"))
16015 {
16016 result.sVersion=sString.section(" ",2,-1);
16017 }
16018 else if(sString.contains("Rev1, Built by MSYS2 project"))
16019 {
16020 result.sVersion=sString.section(" ",-2,-1);
16021 }
16022 else if(sString.contains("(Ubuntu "))
16023 {
16024 result.sVersion=sString.section(") ",1,1).section(" ",0,0);
16025 }
16026 else if(sString.contains("StartOS)"))
16027 {
16028 result.sVersion=sString.section(")",1,1).section(" ",0,0);
16029 }
16030 else if(sString.contains("GCC: (c) "))
16031 {
16032 result.sVersion=sString.section("GCC: (c) ",1,1);
16033 }
16034 else
16035 {
16036 result.sVersion=sString.section(" ",-1,-1);
16037 }
16038 }
16039
16040 return result;
16041 }
16042
get_WindowsInstaller_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)16043 SpecAbstract::VI_STRUCT SpecAbstract::get_WindowsInstaller_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
16044 {
16045 VI_STRUCT result={};
16046
16047 XBinary binary(pDevice,bIsImage);
16048
16049 qint64 nStringOffset=binary.find_ansiString(nOffset,nSize,"Windows Installer");
16050
16051 if(nStringOffset!=-1)
16052 {
16053 result.bIsValid=true;
16054
16055 QString _sString=binary.read_ansiString(nStringOffset);
16056
16057 if(_sString.contains("xml",Qt::CaseInsensitive))
16058 {
16059 result.sInfo="XML";
16060 }
16061
16062 QString sVersion=XBinary::regExp("\\((.*?)\\)",_sString,1);
16063
16064 if(sVersion!="")
16065 {
16066 result.sVersion=sVersion;
16067 }
16068 }
16069
16070 return result;
16071 }
16072
get_gold_vi(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize)16073 SpecAbstract::VI_STRUCT SpecAbstract::get_gold_vi(QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize)
16074 {
16075 VI_STRUCT result={};
16076
16077 XBinary binary(pDevice,bIsImage);
16078
16079 // TODO get max version
16080 qint64 nOffset_Version=binary.find_ansiString(nOffset,nSize,"gold ");
16081
16082 if(nOffset_Version!=-1)
16083 {
16084 result.bIsValid=true;
16085 QString sVersionString=binary.read_ansiString(nOffset_Version,nSize-(nOffset_Version-nOffset));
16086 result.sVersion=sVersionString.section(" ",1,1);
16087 }
16088
16089 return result;
16090 }
16091
get_TurboLinker_vi(QIODevice * pDevice,bool bIsImage)16092 SpecAbstract::VI_STRUCT SpecAbstract::get_TurboLinker_vi(QIODevice *pDevice, bool bIsImage)
16093 {
16094 VI_STRUCT result={};
16095
16096 XBinary binary(pDevice,bIsImage);
16097
16098 if(binary.read_uint8(0x1E)==0xFB)
16099 {
16100 result.bIsValid=true;
16101
16102 result.sVersion=QString::number((double)binary.read_uint8(0x1F)/16,'f',1);
16103 }
16104
16105 return result;
16106 }
16107
PE_isValid_UPX(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)16108 bool SpecAbstract::PE_isValid_UPX(QIODevice *pDevice,bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
16109 {
16110 Q_UNUSED(pDevice)
16111 Q_UNUSED(bIsImage)
16112
16113 bool bResult=false;
16114
16115 if(pPEInfo->listSectionHeaders.count()>=3)
16116 {
16117 // pPEInfo->listSections.at(0).SizeOfRawData!=0 dump file
16118 if((pPEInfo->listSectionHeaders.at(0).SizeOfRawData==0)&&((pPEInfo->nResourceSection==-1)||(pPEInfo->nResourceSection==2)))
16119 {
16120 bResult=true;
16121 }
16122 }
16123
16124 return bResult;
16125 }
16126
PE_x86Emul(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)16127 void SpecAbstract::PE_x86Emul(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
16128 {
16129 XBinary binary(pDevice,bIsImage);
16130
16131 qint64 nAddress=pPEInfo->nImageBaseAddress+pPEInfo->nEntryPointAddress;
16132
16133 QString sSignature;
16134
16135 bool bSuccess=true;
16136 bool bVMProtect=true;
16137
16138 int nCount=10;
16139
16140 for(int i=0;i<nCount;i++)
16141 {
16142 qint64 nOffset=XBinary::addressToOffset(&(pPEInfo->basic_info.memoryMap),nAddress);
16143
16144 if(nOffset==-1)
16145 {
16146 bSuccess=false;
16147 break;
16148 }
16149
16150 quint8 nByte=binary.read_uint8(nOffset);
16151 nAddress++;
16152 nOffset++;
16153
16154 if(nByte==0x9c) // pushf
16155 {
16156 sSignature+="9C";
16157 }
16158 else if(nByte==0x60) // pusha
16159 {
16160 sSignature+="60";
16161 }
16162 else if(nByte==0xe9) // jmp ..
16163 {
16164 sSignature+="E9$$$$$$$$";
16165 nAddress+=(4+binary.read_int32(nOffset));
16166 }
16167 else if(nByte==0xe8) // call ..
16168 {
16169 sSignature+="E8$$$$$$$$";
16170 nAddress+=(4+binary.read_int32(nOffset));
16171 }
16172 else if(nByte==0x68) // push ..
16173 {
16174 sSignature+="68........";
16175 nAddress+=4;
16176 }
16177 else if(nByte==0x53) // push ebx
16178 {
16179 sSignature+="53";
16180 }
16181 else if(nByte==0xC7) // mov DWORD PTR [reg+],imm
16182 {
16183 sSignature+="C7";
16184 quint8 nMODRM=binary.read_uint8(nOffset);
16185
16186 nAddress++;
16187 nOffset++;
16188
16189 if((nMODRM==0x04)||(nMODRM==0x44))
16190 {
16191 sSignature+=XBinary::valueToHex(nMODRM).toUpper();
16192 quint8 nSIB=binary.read_uint8(nOffset);
16193
16194 nAddress++;
16195 nOffset++;
16196
16197 if(nSIB==0x24) // ESP+
16198 {
16199 sSignature+="24";
16200
16201 if(nMODRM==0x44)
16202 {
16203 // quint8 nDISP=binary.read_uint8(nOffset);
16204
16205 sSignature+="..";
16206
16207 nAddress++;
16208 nOffset++;
16209 }
16210
16211 sSignature+="........";
16212
16213 nAddress+=4;
16214 nOffset+=4;
16215 }
16216 else
16217 {
16218 bVMProtect=false;
16219 }
16220 }
16221 else
16222 {
16223 bVMProtect=false;
16224 }
16225 }
16226 else if(nByte==0x8D) // lea esp,dword ptr[esp+]
16227 {
16228 sSignature+="8D";
16229 quint8 nMODRM=binary.read_uint8(nOffset);
16230
16231 nAddress++;
16232 nOffset++;
16233
16234 if(nMODRM==0x64)
16235 {
16236 sSignature+=XBinary::valueToHex(nMODRM).toUpper();
16237 quint8 nSIB=binary.read_uint8(nOffset);
16238
16239 nAddress++;
16240 nOffset++;
16241
16242 if(nSIB==0x24) // ESP+
16243 {
16244 sSignature+="24";
16245
16246 if(nMODRM==0x64)
16247 {
16248 // quint8 nDISP=binary.read_uint8(nOffset);
16249
16250 sSignature+="..";
16251
16252 nAddress++;
16253 nOffset++;
16254 }
16255 }
16256 else
16257 {
16258 bVMProtect=false;
16259 }
16260 }
16261 else
16262 {
16263 bVMProtect=false;
16264 }
16265 }
16266 else
16267 {
16268 bVMProtect=false;
16269 }
16270
16271 if(!bVMProtect)
16272 {
16273 break;
16274 }
16275 }
16276
16277 if(!bSuccess)
16278 {
16279 bVMProtect=false;
16280 }
16281 }
16282
PE_get_PECompact_vi(QIODevice * pDevice,bool bIsImage,SpecAbstract::PEINFO_STRUCT * pPEInfo)16283 SpecAbstract::VI_STRUCT SpecAbstract::PE_get_PECompact_vi(QIODevice *pDevice, bool bIsImage, SpecAbstract::PEINFO_STRUCT *pPEInfo)
16284 {
16285 Q_UNUSED(pDevice)
16286 Q_UNUSED(bIsImage)
16287
16288 VI_STRUCT result={};
16289
16290 if(pPEInfo->listSectionHeaders.count()>=2)
16291 {
16292 if(pPEInfo->listSectionHeaders.at(0).PointerToRelocations==0x32434550)
16293 {
16294 result.bIsValid=true;
16295
16296 quint32 nBuildNumber=pPEInfo->listSectionHeaders.at(0).PointerToLinenumbers;
16297
16298 // TODO !!! more build versions
16299 switch(nBuildNumber)
16300 {
16301 case 20206: result.sVersion="2.70"; break;
16302 case 20240: result.sVersion="2.78a"; break;
16303 case 20243: result.sVersion="2.79b1"; break;
16304 case 20245: result.sVersion="2.79bB"; break;
16305 case 20247: result.sVersion="2.79bD"; break;
16306 case 20252: result.sVersion="2.80b1"; break;
16307 case 20256: result.sVersion="2.80b5"; break;
16308 case 20261: result.sVersion="2.82"; break;
16309 case 20285: result.sVersion="2.92.0"; break;
16310 case 20288: result.sVersion="2.93b3"; break;
16311 case 20294: result.sVersion="2.96.2"; break;
16312 case 20295: result.sVersion="2.97b1"; break;
16313 case 20296: result.sVersion="2.98"; break;
16314 case 20300: result.sVersion="2.98.04"; break;
16315 case 20301: result.sVersion="2.98.05"; break;
16316 case 20302: result.sVersion="2.98.06"; break;
16317 case 20303: result.sVersion="2.99b"; break;
16318 case 20308: result.sVersion="3.00.2"; break;
16319 case 20312: result.sVersion="3.01.3"; break;
16320 case 20317: result.sVersion="3.02.1"; break;
16321 case 20318: result.sVersion="3.02.2"; break;
16322 case 20323: result.sVersion="3.03.5b"; break;
16323 case 20327: result.sVersion="3.03.9b"; break;
16324 case 20329: result.sVersion="3.03.10b"; break;
16325 case 20334: result.sVersion="3.03.12b"; break;
16326 case 20342: result.sVersion="3.03.18b"; break;
16327 case 20343: result.sVersion="3.03.19b"; break;
16328 case 20344: result.sVersion="3.03.20b"; break;
16329 case 20345: result.sVersion="3.03.21b"; break;
16330 case 20348: result.sVersion="3.03.23b"; break;
16331 default:
16332 {
16333 if(nBuildNumber>20308)
16334 {
16335 result.sVersion=QString("3.X(build %1)").arg(nBuildNumber);
16336 }
16337 else if(nBuildNumber==0)
16338 {
16339 result.sVersion="2.20-2.68";
16340 }
16341 else
16342 {
16343 result.sVersion=QString("2.X(build %1)").arg(nBuildNumber);
16344 }
16345 }
16346 }
16347
16348 // qDebug("nVersion: %d",nVersion);
16349 }
16350 }
16351
16352 return result;
16353 }
16354
scansToScan(SpecAbstract::BASIC_INFO * pBasicInfo,SpecAbstract::_SCANS_STRUCT * pScansStruct)16355 SpecAbstract::SCAN_STRUCT SpecAbstract::scansToScan(SpecAbstract::BASIC_INFO *pBasicInfo, SpecAbstract::_SCANS_STRUCT *pScansStruct)
16356 {
16357 SCAN_STRUCT result={};
16358
16359 result.id=pBasicInfo->id;
16360 result.nSize=pBasicInfo->nSize;
16361 result.nOffset=pBasicInfo->nOffset;
16362 result.parentId=pBasicInfo->parentId;
16363 result.type=pScansStruct->type;
16364 result.name=pScansStruct->name;
16365 result.sVersion=pScansStruct->sVersion;
16366 result.sInfo=pScansStruct->sInfo;
16367 result.bIsHeuristic=pScansStruct->bIsHeuristic;
16368 result.sArch=pBasicInfo->memoryMap.sArch;
16369
16370 return result;
16371 }
16372
_BasicPEInfoToArray(SpecAbstract::BASIC_PE_INFO * pInfo)16373 QByteArray SpecAbstract::_BasicPEInfoToArray(SpecAbstract::BASIC_PE_INFO *pInfo)
16374 {
16375 QByteArray baResult;
16376 QDataStream ds(&baResult,QIODevice::ReadWrite);
16377
16378 ds<<pInfo->nEntryPoint;
16379
16380 return baResult;
16381 }
16382
_ArrayToBasicPEInfo(const QByteArray * pbaArray)16383 SpecAbstract::BASIC_PE_INFO SpecAbstract::_ArrayToBasicPEInfo(const QByteArray *pbaArray)
16384 {
16385 BASIC_PE_INFO result={};
16386
16387 QDataStream ds((QByteArray *)pbaArray,QIODevice::ReadOnly);
16388
16389 ds>>result.nEntryPoint;
16390
16391 return result;
16392 }
16393
memoryScan(QMap<RECORD_NAME,_SCANS_STRUCT> * pMmREcords,QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize,SIGNATURE_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16394 void SpecAbstract::memoryScan(QMap<RECORD_NAME, _SCANS_STRUCT> *pMmREcords, QIODevice *pDevice, bool bIsImage, qint64 nOffset, qint64 nSize, SIGNATURE_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16395 {
16396 if(nSize)
16397 {
16398 XBinary binary(pDevice,bIsImage);
16399
16400 int nSignaturesCount=nRecordsSize/sizeof(SIGNATURE_RECORD);
16401
16402 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16403 {
16404 if((pRecords[i].basicInfo.fileType==fileType1)||(pRecords[i].basicInfo.fileType==fileType2))
16405 {
16406 if((!pMmREcords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16407 {
16408 qint64 _nOffset=binary.find_signature(&(pBasicInfo->memoryMap),nOffset,nSize,(char *)pRecords[i].pszSignature);
16409
16410 if(_nOffset!=-1)
16411 {
16412 if(!pMmREcords->contains(pRecords[i].basicInfo.name))
16413 {
16414 _SCANS_STRUCT record={};
16415 record.nVariant=pRecords[i].basicInfo.nVariant;
16416 record.fileType=pRecords[i].basicInfo.fileType;
16417 record.type=pRecords[i].basicInfo.type;
16418 record.name=pRecords[i].basicInfo.name;
16419 record.sVersion=pRecords[i].basicInfo.pszVersion;
16420 record.sInfo=pRecords[i].basicInfo.pszInfo;
16421 record.nOffset=_nOffset;
16422
16423 pMmREcords->insert(record.name,record);
16424 }
16425
16426 if(pBasicInfo->bShowDetects)
16427 {
16428 DETECT_RECORD heurRecord={};
16429
16430 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16431 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16432 heurRecord.type=pRecords[i].basicInfo.type;
16433 heurRecord.name=pRecords[i].basicInfo.name;
16434 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16435 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16436 heurRecord.nOffset=_nOffset;
16437 heurRecord.filepart=pBasicInfo->id.filePart;
16438 heurRecord.detectType=detectType;
16439 heurRecord.sValue=pRecords[i].pszSignature;
16440
16441 pBasicInfo->listHeurs.append(heurRecord);
16442 }
16443 }
16444 }
16445 }
16446 }
16447 }
16448 }
16449
signatureScan(QMap<RECORD_NAME,_SCANS_STRUCT> * pMapRecords,QString sSignature,SpecAbstract::SIGNATURE_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16450 void SpecAbstract::signatureScan(QMap<RECORD_NAME, _SCANS_STRUCT> *pMapRecords, QString sSignature, SpecAbstract::SIGNATURE_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16451 {
16452 int nSignaturesCount=nRecordsSize/(int)sizeof(SIGNATURE_RECORD);
16453
16454 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16455 {
16456 if((pRecords[i].basicInfo.fileType==fileType1)||(pRecords[i].basicInfo.fileType==fileType2))
16457 {
16458 if((!pMapRecords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16459 {
16460 if(XBinary::compareSignatureStrings(sSignature,pRecords[i].pszSignature))
16461 {
16462 if(!pMapRecords->contains(pRecords[i].basicInfo.name))
16463 {
16464 _SCANS_STRUCT record={};
16465 record.nVariant=pRecords[i].basicInfo.nVariant;
16466 record.fileType=pRecords[i].basicInfo.fileType;
16467 record.type=pRecords[i].basicInfo.type;
16468 record.name=pRecords[i].basicInfo.name;
16469 record.sVersion=pRecords[i].basicInfo.pszVersion;
16470 record.sInfo=pRecords[i].basicInfo.pszInfo;
16471
16472 record.nOffset=0;
16473
16474 pMapRecords->insert(record.name,record);
16475
16476 #ifdef QT_DEBUG
16477 qDebug("SIGNATURE SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16478 #endif
16479 }
16480
16481 if(pBasicInfo->bShowDetects)
16482 {
16483 DETECT_RECORD heurRecord={};
16484
16485 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16486 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16487 heurRecord.type=pRecords[i].basicInfo.type;
16488 heurRecord.name=pRecords[i].basicInfo.name;
16489 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16490 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16491 heurRecord.nOffset=0;
16492 heurRecord.filepart=pBasicInfo->id.filePart;
16493 heurRecord.detectType=detectType;
16494 heurRecord.sValue=pRecords[i].pszSignature;
16495
16496 pBasicInfo->listHeurs.append(heurRecord);
16497 }
16498 }
16499 }
16500 }
16501 }
16502 }
16503
PE_resourcesScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,QList<XPE::RESOURCE_RECORD> * pListResources,PE_RESOURCES_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16504 void SpecAbstract::PE_resourcesScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, QList<XPE::RESOURCE_RECORD> *pListResources, PE_RESOURCES_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16505 {
16506 int nSignaturesCount=nRecordsSize/sizeof(PE_RESOURCES_RECORD);
16507
16508 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16509 {
16510 if((pRecords[i].basicInfo.fileType==fileType1)||(pRecords[i].basicInfo.fileType==fileType2))
16511 {
16512 if((!pMapRecords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16513 {
16514 bool bSuccess=false;
16515
16516 QString sValue;
16517
16518 if(pRecords[i].bIsString1)
16519 {
16520 if(pRecords[i].bIsString2)
16521 {
16522 bSuccess=XPE::isResourcePresent(pRecords[i].pszName1,pRecords[i].pszName2,pListResources);
16523
16524 sValue=QString("%1 %2").arg(pRecords[i].pszName1).arg(pRecords[i].pszName2);
16525 }
16526 else
16527 {
16528 bSuccess=XPE::isResourcePresent(pRecords[i].pszName1,pRecords[i].nID2,pListResources);
16529
16530 sValue=QString("%1 %2").arg(pRecords[i].pszName1).arg(pRecords[i].nID2);
16531 }
16532 }
16533 else
16534 {
16535 if(pRecords[i].bIsString2)
16536 {
16537 bSuccess=XPE::isResourcePresent(pRecords[i].nID1,pRecords[i].pszName2,pListResources);
16538
16539 sValue=QString("%1 %2").arg(pRecords[i].nID1).arg(pRecords[i].pszName2);
16540 }
16541 else
16542 {
16543 bSuccess=XPE::isResourcePresent(pRecords[i].nID1,pRecords[i].nID2,pListResources);
16544
16545 sValue=QString("%1 %2").arg(pRecords[i].nID1).arg(pRecords[i].nID2);
16546 }
16547 }
16548
16549 if(bSuccess)
16550 {
16551 if(!pMapRecords->contains(pRecords[i].basicInfo.name))
16552 {
16553 _SCANS_STRUCT record={};
16554 record.nVariant=pRecords[i].basicInfo.nVariant;
16555 record.fileType=pRecords[i].basicInfo.fileType;
16556 record.type=pRecords[i].basicInfo.type;
16557 record.name=pRecords[i].basicInfo.name;
16558 record.sVersion=pRecords[i].basicInfo.pszVersion;
16559 record.sInfo=pRecords[i].basicInfo.pszInfo;
16560 record.nOffset=0;
16561
16562 pMapRecords->insert(record.name,record);
16563
16564 #ifdef QT_DEBUG
16565 qDebug("RESOURCES SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16566 #endif
16567 }
16568
16569 if(pBasicInfo->bShowDetects)
16570 {
16571 DETECT_RECORD heurRecord={};
16572
16573 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16574 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16575 heurRecord.type=pRecords[i].basicInfo.type;
16576 heurRecord.name=pRecords[i].basicInfo.name;
16577 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16578 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16579 heurRecord.nOffset=0;
16580 heurRecord.filepart=pBasicInfo->id.filePart;
16581 heurRecord.detectType=detectType;
16582 heurRecord.sValue=sValue;
16583
16584 pBasicInfo->listHeurs.append(heurRecord);
16585 }
16586 }
16587 }
16588 }
16589 }
16590 }
16591
stringScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,QList<QString> * pListStrings,SpecAbstract::STRING_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16592 void SpecAbstract::stringScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, QList<QString> *pListStrings, SpecAbstract::STRING_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16593 {
16594 QList<quint32> listStringCRC;
16595 QList<quint32> listSignatureCRC;
16596
16597 int nNumberOfStrings=pListStrings->count();
16598 int nNumberOfSignatures=nRecordsSize/sizeof(STRING_RECORD);
16599
16600 for(int i=0; i<nNumberOfStrings; i++)
16601 {
16602 quint32 nCRC=XBinary::getStringCustomCRC32(pListStrings->at(i));
16603 listStringCRC.append(nCRC);
16604 }
16605
16606 for(int i=0; i<nNumberOfSignatures; i++)
16607 {
16608 quint32 nCRC=XBinary::getStringCustomCRC32(pRecords[i].pszString);
16609 listSignatureCRC.append(nCRC);
16610 }
16611
16612 for(int i=0; (i<nNumberOfStrings)&&(!(*pbIsStop)); i++)
16613 {
16614 for(int j=0; j<nNumberOfSignatures; j++)
16615 {
16616 if((pRecords[j].basicInfo.fileType==fileType1)||(pRecords[j].basicInfo.fileType==fileType2))
16617 {
16618 if((!pMapRecords->contains(pRecords[j].basicInfo.name))||(pBasicInfo->bShowDetects))
16619 {
16620 quint32 nCRC1=listStringCRC[i];
16621 quint32 nCRC2=listSignatureCRC[j];
16622
16623 if(nCRC1==nCRC2)
16624 {
16625 if(!pMapRecords->contains(pRecords[j].basicInfo.name))
16626 {
16627 _SCANS_STRUCT record={};
16628 record.nVariant=pRecords[j].basicInfo.nVariant;
16629 record.fileType=pRecords[j].basicInfo.fileType;
16630 record.type=pRecords[j].basicInfo.type;
16631 record.name=pRecords[j].basicInfo.name;
16632 record.sVersion=pRecords[j].basicInfo.pszVersion;
16633 record.sInfo=pRecords[j].basicInfo.pszInfo;
16634
16635 record.nOffset=0;
16636
16637 pMapRecords->insert(record.name,record);
16638
16639 #ifdef QT_DEBUG
16640 qDebug("STRING SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16641 #endif
16642 }
16643
16644 if(pBasicInfo->bShowDetects)
16645 {
16646 DETECT_RECORD heurRecord={};
16647
16648 heurRecord.nVariant=pRecords[j].basicInfo.nVariant;
16649 heurRecord.fileType=pRecords[j].basicInfo.fileType;
16650 heurRecord.type=pRecords[j].basicInfo.type;
16651 heurRecord.name=pRecords[j].basicInfo.name;
16652 heurRecord.sVersion=pRecords[j].basicInfo.pszVersion;
16653 heurRecord.sInfo=pRecords[j].basicInfo.pszInfo;
16654 heurRecord.nOffset=0;
16655 heurRecord.filepart=pBasicInfo->id.filePart;
16656 heurRecord.detectType=detectType;
16657 heurRecord.sValue=pRecords[j].pszString;
16658
16659 pBasicInfo->listHeurs.append(heurRecord);
16660 }
16661 }
16662 }
16663 }
16664 }
16665 }
16666 }
16667
constScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,quint64 nCost1,quint64 nCost2,SpecAbstract::CONST_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16668 void SpecAbstract::constScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, quint64 nCost1, quint64 nCost2, SpecAbstract::CONST_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16669 {
16670 int nSignaturesCount=nRecordsSize/(int)sizeof(CONST_RECORD);
16671
16672 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16673 {
16674 if((pRecords[i].basicInfo.fileType==fileType1)||(pRecords[i].basicInfo.fileType==fileType2))
16675 {
16676 if((!pMapRecords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16677 {
16678 bool bSuccess=false;
16679
16680 bSuccess= ((pRecords[i].nConst1==nCost1)||(pRecords[i].nConst1==0xFFFFFFFF))&&
16681 ((pRecords[i].nConst2==nCost2)||(pRecords[i].nConst2==0xFFFFFFFF));
16682
16683 if(bSuccess)
16684 {
16685 if(!pMapRecords->contains(pRecords[i].basicInfo.name))
16686 {
16687 _SCANS_STRUCT record={};
16688 record.nVariant=pRecords[i].basicInfo.nVariant;
16689 record.fileType=pRecords[i].basicInfo.fileType;
16690 record.type=pRecords[i].basicInfo.type;
16691 record.name=pRecords[i].basicInfo.name;
16692 record.sVersion=pRecords[i].basicInfo.pszVersion;
16693 record.sInfo=pRecords[i].basicInfo.pszInfo;
16694
16695 record.nOffset=0;
16696
16697 pMapRecords->insert(record.name,record);
16698
16699 #ifdef QT_DEBUG
16700 qDebug("CONST SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16701 #endif
16702 }
16703
16704 if(pBasicInfo->bShowDetects)
16705 {
16706 DETECT_RECORD heurRecord={};
16707
16708 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16709 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16710 heurRecord.type=pRecords[i].basicInfo.type;
16711 heurRecord.name=pRecords[i].basicInfo.name;
16712 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16713 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16714 heurRecord.nOffset=0;
16715 heurRecord.filepart=pBasicInfo->id.filePart;
16716 heurRecord.detectType=detectType;
16717 heurRecord.sValue=QString("%1 %2").arg(XBinary::valueToHex(pRecords[i].nConst1)).arg(XBinary::valueToHex(pRecords[i].nConst2));
16718
16719 pBasicInfo->listHeurs.append(heurRecord);
16720 }
16721 }
16722 }
16723 }
16724 }
16725 }
16726
MSDOS_richScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,quint16 nID,quint32 nBuild,SpecAbstract::MSRICH_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16727 void SpecAbstract::MSDOS_richScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, quint16 nID, quint32 nBuild, SpecAbstract::MSRICH_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16728 {
16729 int nSignaturesCount=nRecordsSize/(int)sizeof(MSRICH_RECORD);
16730
16731 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16732 {
16733 if((!pMapRecords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16734 {
16735 _SCANS_STRUCT record={};
16736
16737 if(PE_compareRichRecord(&record,&(pRecords[i]),nID,nBuild,fileType1,fileType2))
16738 {
16739 if(!pMapRecords->contains(pRecords[i].basicInfo.name))
16740 {
16741 pMapRecords->insert(record.name,record);
16742 }
16743
16744 if(pBasicInfo->bShowDetects)
16745 {
16746 DETECT_RECORD heurRecord={};
16747
16748 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16749 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16750 heurRecord.type=pRecords[i].basicInfo.type;
16751 heurRecord.name=pRecords[i].basicInfo.name;
16752 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16753 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16754 heurRecord.nOffset=0;
16755 heurRecord.filepart=pBasicInfo->id.filePart;
16756 heurRecord.detectType=detectType;
16757 heurRecord.sValue=QString("%1 %2").arg(XBinary::valueToHex(pRecords[i].nID)).arg(XBinary::valueToHex(pRecords[i].nBuild));
16758
16759 pBasicInfo->listHeurs.append(heurRecord);
16760 }
16761 }
16762 }
16763 }
16764 }
16765
archiveScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,QList<XArchive::RECORD> * pListArchiveRecords,SpecAbstract::STRING_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,SpecAbstract::BASIC_INFO * pBasicInfo,SpecAbstract::DETECTTYPE detectType,bool * pbIsStop)16766 void SpecAbstract::archiveScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, QList<XArchive::RECORD> *pListArchiveRecords, SpecAbstract::STRING_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, SpecAbstract::BASIC_INFO *pBasicInfo, SpecAbstract::DETECTTYPE detectType,bool *pbIsStop)
16767 {
16768 QList<quint32> listStringCRC;
16769 QList<quint32> listSignatureCRC;
16770
16771 int nNumberOfArchives=pListArchiveRecords->count();
16772 int nNumberOfSignatures=nRecordsSize/sizeof(STRING_RECORD);
16773
16774 for(int i=0; i<nNumberOfArchives; i++)
16775 {
16776 // qDebug("%s", pListArchiveRecords->at(i).sFileName.toLatin1().data());
16777 quint32 nCRC=XBinary::getStringCustomCRC32(pListArchiveRecords->at(i).sFileName);
16778 listStringCRC.append(nCRC);
16779 }
16780
16781 for(int i=0; i<nNumberOfSignatures; i++)
16782 {
16783 // qDebug("%s", pRecords[i].pszString);
16784 quint32 nCRC=XBinary::getStringCustomCRC32(pRecords[i].pszString);
16785 listSignatureCRC.append(nCRC);
16786 }
16787
16788 for(int i=0; (i<nNumberOfArchives)&&(!(*pbIsStop)); i++)
16789 {
16790 for(int j=0; (j<nNumberOfSignatures)&&(!(*pbIsStop)); j++)
16791 {
16792 if((pRecords[j].basicInfo.fileType==fileType1)||(pRecords[j].basicInfo.fileType==fileType2))
16793 {
16794 if((!pMapRecords->contains(pRecords[j].basicInfo.name))||(pBasicInfo->bShowDetects))
16795 {
16796 quint32 nCRC1=listStringCRC[i];
16797 quint32 nCRC2=listSignatureCRC[j];
16798
16799 if(nCRC1==nCRC2)
16800 {
16801 if(!pMapRecords->contains(pRecords[j].basicInfo.name))
16802 {
16803 _SCANS_STRUCT record={};
16804 record.nVariant=pRecords[j].basicInfo.nVariant;
16805 record.fileType=pRecords[j].basicInfo.fileType;
16806 record.type=pRecords[j].basicInfo.type;
16807 record.name=pRecords[j].basicInfo.name;
16808 record.sVersion=pRecords[j].basicInfo.pszVersion;
16809 record.sInfo=pRecords[j].basicInfo.pszInfo;
16810
16811 record.nOffset=0;
16812
16813 pMapRecords->insert(record.name,record);
16814
16815 #ifdef QT_DEBUG
16816 qDebug("ARCHIVE SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16817 #endif
16818 }
16819
16820 if(pBasicInfo->bShowDetects)
16821 {
16822 DETECT_RECORD heurRecord={};
16823
16824 heurRecord.nVariant=pRecords[j].basicInfo.nVariant;
16825 heurRecord.fileType=pRecords[j].basicInfo.fileType;
16826 heurRecord.type=pRecords[j].basicInfo.type;
16827 heurRecord.name=pRecords[j].basicInfo.name;
16828 heurRecord.sVersion=pRecords[j].basicInfo.pszVersion;
16829 heurRecord.sInfo=pRecords[j].basicInfo.pszInfo;
16830 heurRecord.nOffset=0;
16831 heurRecord.filepart=pBasicInfo->id.filePart;
16832 heurRecord.detectType=detectType;
16833 heurRecord.sValue=pRecords[j].pszString;
16834
16835 pBasicInfo->listHeurs.append(heurRecord);
16836 }
16837 }
16838 }
16839 }
16840 }
16841 }
16842 }
16843
archiveExpScan(QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,QList<XArchive::RECORD> * pListArchiveRecords,SpecAbstract::STRING_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,SpecAbstract::BASIC_INFO * pBasicInfo,SpecAbstract::DETECTTYPE detectType,bool * pbIsStop)16844 void SpecAbstract::archiveExpScan(QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, QList<XArchive::RECORD> *pListArchiveRecords, SpecAbstract::STRING_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, SpecAbstract::BASIC_INFO *pBasicInfo, SpecAbstract::DETECTTYPE detectType, bool *pbIsStop)
16845 {
16846 int nNumberOfArchives=pListArchiveRecords->count();
16847 int nNumberOfSignatures=nRecordsSize/sizeof(STRING_RECORD);
16848
16849 for(int i=0; (i<nNumberOfArchives)&&(!(*pbIsStop)); i++)
16850 {
16851 for(int j=0; (j<nNumberOfSignatures)&&(!(*pbIsStop)); j++)
16852 {
16853 if((pRecords[j].basicInfo.fileType==fileType1)||(pRecords[j].basicInfo.fileType==fileType2))
16854 {
16855 if((!pMapRecords->contains(pRecords[j].basicInfo.name))||(pBasicInfo->bShowDetects))
16856 {
16857 if(XBinary::isRegExpPresent(pRecords[j].pszString,pListArchiveRecords->at(i).sFileName))
16858 {
16859 if(!pMapRecords->contains(pRecords[j].basicInfo.name))
16860 {
16861 _SCANS_STRUCT record={};
16862 record.nVariant=pRecords[j].basicInfo.nVariant;
16863 record.fileType=pRecords[j].basicInfo.fileType;
16864 record.type=pRecords[j].basicInfo.type;
16865 record.name=pRecords[j].basicInfo.name;
16866 record.sVersion=pRecords[j].basicInfo.pszVersion;
16867 record.sInfo=pRecords[j].basicInfo.pszInfo;
16868
16869 record.nOffset=0;
16870
16871 pMapRecords->insert(record.name,record);
16872
16873 #ifdef QT_DEBUG
16874 qDebug("ARCHIVE SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16875 #endif
16876 }
16877
16878 if(pBasicInfo->bShowDetects)
16879 {
16880 DETECT_RECORD heurRecord={};
16881
16882 heurRecord.nVariant=pRecords[j].basicInfo.nVariant;
16883 heurRecord.fileType=pRecords[j].basicInfo.fileType;
16884 heurRecord.type=pRecords[j].basicInfo.type;
16885 heurRecord.name=pRecords[j].basicInfo.name;
16886 heurRecord.sVersion=pRecords[j].basicInfo.pszVersion;
16887 heurRecord.sInfo=pRecords[j].basicInfo.pszInfo;
16888 heurRecord.nOffset=0;
16889 heurRecord.filepart=pBasicInfo->id.filePart;
16890 heurRecord.detectType=detectType;
16891 heurRecord.sValue=pRecords[j].pszString;
16892
16893 pBasicInfo->listHeurs.append(heurRecord);
16894 }
16895 }
16896 }
16897 }
16898 }
16899 }
16900 }
16901
signatureExpScan(XBinary * pXBinary,XBinary::_MEMORY_MAP * pMemoryMap,QMap<SpecAbstract::RECORD_NAME,SpecAbstract::_SCANS_STRUCT> * pMapRecords,qint64 nOffset,SpecAbstract::SIGNATURE_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16902 void SpecAbstract::signatureExpScan(XBinary *pXBinary, XBinary::_MEMORY_MAP *pMemoryMap, QMap<SpecAbstract::RECORD_NAME, SpecAbstract::_SCANS_STRUCT> *pMapRecords, qint64 nOffset, SpecAbstract::SIGNATURE_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16903 {
16904 int nSignaturesCount=nRecordsSize/(int)sizeof(SIGNATURE_RECORD);
16905
16906 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16907 {
16908 if((pRecords[i].basicInfo.fileType==fileType1)||(pRecords[i].basicInfo.fileType==fileType2))
16909 {
16910 if((!pMapRecords->contains(pRecords[i].basicInfo.name))||(pBasicInfo->bShowDetects))
16911 {
16912 if(pXBinary->compareSignature(pMemoryMap,pRecords[i].pszSignature,nOffset))
16913 {
16914 if(!pMapRecords->contains(pRecords[i].basicInfo.name))
16915 {
16916 _SCANS_STRUCT record={};
16917 record.nVariant=pRecords[i].basicInfo.nVariant;
16918 record.fileType=pRecords[i].basicInfo.fileType;
16919 record.type=pRecords[i].basicInfo.type;
16920 record.name=pRecords[i].basicInfo.name;
16921 record.sVersion=pRecords[i].basicInfo.pszVersion;
16922 record.sInfo=pRecords[i].basicInfo.pszInfo;
16923
16924 record.nOffset=0;
16925
16926 pMapRecords->insert(record.name,record);
16927
16928 #ifdef QT_DEBUG
16929 qDebug("SIGNATURE EXP SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
16930 #endif
16931 }
16932
16933 if(pBasicInfo->bShowDetects)
16934 {
16935 DETECT_RECORD heurRecord={};
16936
16937 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16938 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16939 heurRecord.type=pRecords[i].basicInfo.type;
16940 heurRecord.name=pRecords[i].basicInfo.name;
16941 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16942 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16943 heurRecord.nOffset=0;
16944 heurRecord.filepart=pBasicInfo->id.filePart;
16945 heurRecord.detectType=detectType;
16946 heurRecord.sValue=pRecords[i].pszSignature;
16947
16948 pBasicInfo->listHeurs.append(heurRecord);
16949 }
16950 }
16951 }
16952 }
16953 }
16954 }
16955
MSDOS_richScan(quint16 nID,quint32 nBuild,SpecAbstract::MSRICH_RECORD * pRecords,int nRecordsSize,XBinary::FT fileType1,XBinary::FT fileType2,BASIC_INFO * pBasicInfo,DETECTTYPE detectType,bool * pbIsStop)16956 QList<SpecAbstract::_SCANS_STRUCT> SpecAbstract::MSDOS_richScan(quint16 nID, quint32 nBuild, SpecAbstract::MSRICH_RECORD *pRecords, int nRecordsSize, XBinary::FT fileType1, XBinary::FT fileType2, BASIC_INFO *pBasicInfo, DETECTTYPE detectType, bool *pbIsStop)
16957 {
16958 QList<_SCANS_STRUCT> listResult;
16959
16960 int nSignaturesCount=nRecordsSize/(int)sizeof(MSRICH_RECORD);
16961
16962 for(int i=0; (i<nSignaturesCount)&&(!(*pbIsStop)); i++)
16963 {
16964 _SCANS_STRUCT record={};
16965
16966 if(PE_compareRichRecord(&record,&(pRecords[i]),nID,nBuild,fileType1,fileType2))
16967 {
16968 listResult.append(record);
16969
16970 if(pBasicInfo->bShowDetects)
16971 {
16972 DETECT_RECORD heurRecord={};
16973
16974 heurRecord.nVariant=pRecords[i].basicInfo.nVariant;
16975 heurRecord.fileType=pRecords[i].basicInfo.fileType;
16976 heurRecord.type=pRecords[i].basicInfo.type;
16977 heurRecord.name=pRecords[i].basicInfo.name;
16978 heurRecord.sVersion=pRecords[i].basicInfo.pszVersion;
16979 heurRecord.sInfo=pRecords[i].basicInfo.pszInfo;
16980 heurRecord.nOffset=0;
16981 heurRecord.filepart=pBasicInfo->id.filePart;
16982 heurRecord.detectType=detectType;
16983 heurRecord.sValue=QString("%1 %2").arg(XBinary::valueToHex(pRecords[i].nID)).arg(XBinary::valueToHex(pRecords[i].nBuild));
16984
16985 pBasicInfo->listHeurs.append(heurRecord);
16986 }
16987 }
16988 }
16989
16990 return listResult;
16991 }
16992
serializeScanStruct(SCAN_STRUCT scanStruct,bool bIsHeader)16993 QByteArray SpecAbstract::serializeScanStruct(SCAN_STRUCT scanStruct, bool bIsHeader)
16994 {
16995 QByteArray baResult;
16996
16997 QDataStream ds(baResult);
16998
16999 ds << scanStruct.nSize;
17000 ds << scanStruct.nOffset;
17001 ds << scanStruct.id.sUuid;
17002 ds << (quint32)scanStruct.id.fileType;
17003 ds << (quint32)scanStruct.id.filePart;
17004 ds << scanStruct.parentId.sUuid;
17005 ds << (quint32)scanStruct.parentId.fileType;
17006 ds << (quint32)scanStruct.parentId.filePart;
17007 ds << (quint32)scanStruct.type;
17008 ds << (quint32)scanStruct.name;
17009 ds << scanStruct.sVersion;
17010 ds << scanStruct.sInfo;
17011 ds << bIsHeader;
17012
17013 return baResult;
17014 }
17015
deserializeScanStruct(QByteArray baData,bool * pbIsHeader)17016 SpecAbstract::SCAN_STRUCT SpecAbstract::deserializeScanStruct(QByteArray baData, bool *pbIsHeader)
17017 {
17018 SCAN_STRUCT ssResult={};
17019
17020 QDataStream ds(baData);
17021
17022 quint32 nTemp=0;
17023
17024 ds >> ssResult.nSize;
17025 ds >> ssResult.nOffset;
17026 ds >> ssResult.id.sUuid;
17027 ds >> nTemp;
17028 ssResult.id.fileType=(XBinary::FT)nTemp;
17029 ds >> nTemp;
17030 ssResult.id.filePart=(RECORD_FILEPART)nTemp;
17031 ds >> ssResult.parentId.sUuid;
17032 ds >> nTemp;
17033 ssResult.parentId.fileType=(XBinary::FT)nTemp;
17034 ds >> nTemp;
17035 ssResult.parentId.filePart=(RECORD_FILEPART)nTemp;
17036 ds >> nTemp;
17037 ssResult.type=(RECORD_TYPE)nTemp;
17038 ds >> nTemp;
17039 ssResult.name=(RECORD_NAME)nTemp;
17040 ds >> ssResult.sVersion;
17041 ds >> ssResult.sInfo;
17042 ds >> *pbIsHeader;
17043
17044 return ssResult;
17045 }
17046
getAndroidVersionFromApi(quint32 nAPI)17047 QString SpecAbstract::getAndroidVersionFromApi(quint32 nAPI)
17048 {
17049 QString sResult="Unknown";
17050
17051 if(nAPI==3) sResult="1.5";
17052 if(nAPI==4) sResult="1.6";
17053 if(nAPI==5) sResult="2.0";
17054 if(nAPI==6) sResult="2.0.1";
17055 if(nAPI==7) sResult="2.1";
17056 if(nAPI==8) sResult="2.2.X";
17057 if(nAPI==9) sResult="2.3-2.3.2";
17058 if(nAPI==10) sResult="2.3.3-2.3.7";
17059 if(nAPI==11) sResult="3.0";
17060 if(nAPI==12) sResult="3.1";
17061 if(nAPI==13) sResult="3.2.X";
17062 if(nAPI==14) sResult="4.0.1-4.0.2";
17063 if(nAPI==15) sResult="4.0.3-4.0.4";
17064 if(nAPI==16) sResult="4.1.X";
17065 if(nAPI==17) sResult="4.2.X";
17066 if(nAPI==18) sResult="4.3.X";
17067 if(nAPI==19) sResult="4.4-4.4.4";
17068 if(nAPI==20) sResult="4.4W";
17069 if(nAPI==21) sResult="5.0";
17070 if(nAPI==22) sResult="5.1";
17071 if(nAPI==23) sResult="6.0";
17072 if(nAPI==24) sResult="7.0";
17073 if(nAPI==25) sResult="7.1";
17074 if(nAPI==26) sResult="8.0";
17075 if(nAPI==27) sResult="8.1";
17076 if(nAPI==28) sResult="9.0";
17077 if(nAPI==29) sResult="10.0";
17078 if(nAPI==30) sResult="11.0";
17079
17080 return sResult;
17081 }
17082
getLanguage(QMap<RECORD_NAME,SCAN_STRUCT> * pMapDetects,QMap<RECORD_NAME,SCAN_STRUCT> * pMapLanguages)17083 void SpecAbstract::getLanguage(QMap<RECORD_NAME, SCAN_STRUCT> *pMapDetects, QMap<RECORD_NAME, SCAN_STRUCT> *pMapLanguages)
17084 {
17085 QMapIterator<RECORD_NAME,SCAN_STRUCT> i(*pMapDetects);
17086 while (i.hasNext())
17087 {
17088 i.next();
17089
17090 SCAN_STRUCT ssDetect=i.value();
17091 _SCANS_STRUCT ssLanguage=getScansStruct(0,ssDetect.id.fileType,RECORD_TYPE_LANGUAGE,RECORD_NAME_UNKNOWN,"","",0);
17092
17093 switch(ssDetect.name)
17094 {
17095 case RECORD_NAME_C:
17096 case RECORD_NAME_ARMC:
17097 case RECORD_NAME_LCCLNK:
17098 case RECORD_NAME_LCCWIN:
17099 case RECORD_NAME_MICROSOFTC:
17100 case RECORD_NAME_THUMBC:
17101 case RECORD_NAME_TINYC:
17102 case RECORD_NAME_TURBOC:
17103 case RECORD_NAME_WATCOMC:
17104 ssLanguage.name=RECORD_NAME_C;
17105 break;
17106 case RECORD_NAME_CCPP:
17107 case RECORD_NAME_ARMCCPP:
17108 case RECORD_NAME_ARMNEONCCPP:
17109 case RECORD_NAME_ARMTHUMBCCPP:
17110 case RECORD_NAME_BORLANDCCPP:
17111 case RECORD_NAME_CLANG:
17112 case RECORD_NAME_GCC:
17113 case RECORD_NAME_MINGW:
17114 case RECORD_NAME_MSYS:
17115 case RECORD_NAME_MSYS2:
17116 case RECORD_NAME_VISUALCCPP:
17117 case RECORD_NAME_WATCOMCCPP:
17118 ssLanguage.name=RECORD_NAME_CCPP;
17119 break;
17120 case RECORD_NAME_CPP:
17121 case RECORD_NAME_BORLANDCPP:
17122 case RECORD_NAME_BORLANDCPPBUILDER:
17123 case RECORD_NAME_CODEGEARCPP:
17124 case RECORD_NAME_CODEGEARCPPBUILDER:
17125 case RECORD_NAME_EMBARCADEROCPP:
17126 case RECORD_NAME_EMBARCADEROCPPBUILDER:
17127 case RECORD_NAME_MICROSOFTCPP:
17128 case RECORD_NAME_TURBOCPP:
17129 ssLanguage.name=RECORD_NAME_CPP;
17130 break;
17131 case RECORD_NAME_ASSEMBLER:
17132 case RECORD_NAME_ARMTHUMBMACROASSEMBLER:
17133 case RECORD_NAME_FASM:
17134 case RECORD_NAME_GNUASSEMBLER:
17135 case RECORD_NAME_GOASM:
17136 case RECORD_NAME_MASM:
17137 case RECORD_NAME_MASM32:
17138 case RECORD_NAME_NASM:
17139 ssLanguage.name=RECORD_NAME_ASSEMBLER;
17140 break;
17141 case RECORD_NAME_AUTOIT:
17142 ssLanguage.name=RECORD_NAME_AUTOIT;
17143 break;
17144 case RECORD_NAME_OBJECTPASCAL:
17145 case RECORD_NAME_BORLANDDELPHI:
17146 case RECORD_NAME_BORLANDDELPHIDOTNET:
17147 case RECORD_NAME_BORLANDOBJECTPASCAL:
17148 case RECORD_NAME_CODEGEARDELPHI:
17149 case RECORD_NAME_CODEGEAROBJECTPASCAL:
17150 case RECORD_NAME_EMBARCADERODELPHI:
17151 case RECORD_NAME_EMBARCADERODELPHIDOTNET:
17152 case RECORD_NAME_EMBARCADEROOBJECTPASCAL:
17153 case RECORD_NAME_LAZARUS:
17154 case RECORD_NAME_FPC:
17155 case RECORD_NAME_VIRTUALPASCAL:
17156 case RECORD_NAME_IBMPCPASCAL:
17157 ssLanguage.name=RECORD_NAME_OBJECTPASCAL;
17158 break;
17159 case RECORD_NAME_D:
17160 case RECORD_NAME_DMD32D:
17161 ssLanguage.name=RECORD_NAME_D;
17162 break;
17163 case RECORD_NAME_CSHARP:
17164 case RECORD_NAME_DOTNET:
17165 ssLanguage.name=RECORD_NAME_CSHARP;
17166 break;
17167 case RECORD_NAME_GO:
17168 ssLanguage.name=RECORD_NAME_GO;
17169 break;
17170 case RECORD_NAME_JAVA:
17171 case RECORD_NAME_JVM:
17172 case RECORD_NAME_JDK:
17173 case RECORD_NAME_OPENJDK:
17174 case RECORD_NAME_IBMJDK:
17175 case RECORD_NAME_APPLEJDK:
17176 ssLanguage.name=RECORD_NAME_JAVA;
17177 break;
17178 case RECORD_NAME_KOTLIN:
17179 ssLanguage.name=RECORD_NAME_KOTLIN;
17180 break;
17181 case RECORD_NAME_FORTRAN:
17182 case RECORD_NAME_LAYHEYFORTRAN90:
17183 ssLanguage.name=RECORD_NAME_FORTRAN;
17184 break;
17185 case RECORD_NAME_NIM:
17186 ssLanguage.name=RECORD_NAME_NIM;
17187 break;
17188 case RECORD_NAME_OBJECTIVEC:
17189 ssLanguage.name=RECORD_NAME_OBJECTIVEC;
17190 break;
17191 case RECORD_NAME_BASIC:
17192 case RECORD_NAME_BASIC4ANDROID:
17193 case RECORD_NAME_POWERBASIC:
17194 case RECORD_NAME_PUREBASIC:
17195 case RECORD_NAME_TURBOBASIC:
17196 case RECORD_NAME_VBNET:
17197 case RECORD_NAME_VISUALBASIC:
17198 ssLanguage.name=RECORD_NAME_BASIC;
17199 break;
17200 case RECORD_NAME_RUST:
17201 ssLanguage.name=RECORD_NAME_RUST;
17202 break;
17203 case RECORD_NAME_RUBY:
17204 ssLanguage.name=RECORD_NAME_RUBY;
17205 break;
17206 case RECORD_NAME_PYTHON:
17207 case RECORD_NAME_PYINSTALLER:
17208 ssLanguage.name=RECORD_NAME_PYTHON;
17209 break;
17210 case RECORD_NAME_SWIFT:
17211 ssLanguage.name=RECORD_NAME_SWIFT;
17212 break;
17213 }
17214
17215 if(ssLanguage.name!=RECORD_NAME_UNKNOWN)
17216 {
17217 SCAN_STRUCT ss=ssDetect;
17218 ss.type=ssLanguage.type;
17219 ss.name=ssLanguage.name;
17220 ss.sInfo="";
17221 ss.sVersion="";
17222
17223 pMapLanguages->insert(ss.name,ss);
17224 }
17225 }
17226 }
17227
fixLanguage(QMap<RECORD_NAME,SCAN_STRUCT> * pMapLanguages)17228 void SpecAbstract::fixLanguage(QMap<RECORD_NAME, SCAN_STRUCT> *pMapLanguages)
17229 {
17230 if(pMapLanguages->contains(RECORD_NAME_C)&&pMapLanguages->contains(RECORD_NAME_CPP))
17231 {
17232 SCAN_STRUCT ss=pMapLanguages->value(RECORD_NAME_C);
17233 ss.name=RECORD_NAME_CCPP;
17234 pMapLanguages->insert(ss.name,ss);
17235 }
17236
17237 if(pMapLanguages->contains(RECORD_NAME_C)&&pMapLanguages->contains(RECORD_NAME_CCPP))
17238 {
17239 pMapLanguages->remove(RECORD_NAME_C);
17240 }
17241
17242 if(pMapLanguages->contains(RECORD_NAME_CPP)&&pMapLanguages->contains(RECORD_NAME_CCPP))
17243 {
17244 pMapLanguages->remove(RECORD_NAME_CPP);
17245 }
17246
17247 // if(pMapLanguages->contains(RECORD_NAME_OBJECTIVEC)&&pMapLanguages->contains(RECORD_NAME_CCPP))
17248 // {
17249 // pMapLanguages->remove(RECORD_NAME_CCPP);
17250 // }
17251 }
17252
PE_compareRichRecord(_SCANS_STRUCT * pResult,SpecAbstract::MSRICH_RECORD * pRecord,quint16 nID,quint32 nBuild,XBinary::FT fileType1,XBinary::FT fileType2)17253 bool SpecAbstract::PE_compareRichRecord(_SCANS_STRUCT *pResult,SpecAbstract::MSRICH_RECORD *pRecord, quint16 nID, quint32 nBuild, XBinary::FT fileType1, XBinary::FT fileType2)
17254 {
17255 bool bResult=false;
17256
17257 if((pRecord->basicInfo.fileType==fileType1)||(pRecord->basicInfo.fileType==fileType2))
17258 {
17259 bool bCheck=false;
17260
17261 bCheck= ((pRecord->nID==nID)||(pRecord->nID==(quint16)-1))&&
17262 ((pRecord->nBuild==nBuild)||(pRecord->nBuild==(quint32)-1));
17263
17264 if(bCheck)
17265 {
17266 _SCANS_STRUCT record={};
17267 record.nVariant=pRecord->basicInfo.nVariant;
17268 record.fileType=pRecord->basicInfo.fileType;
17269 record.type=pRecord->basicInfo.type;
17270 record.name=pRecord->basicInfo.name;
17271 record.sVersion=pRecord->basicInfo.pszVersion;
17272 record.sInfo=pRecord->basicInfo.pszInfo;
17273
17274 if(pRecord->nBuild==(quint32)-1)
17275 {
17276 record.sVersion+=QString(".%1").arg(nBuild);
17277 }
17278
17279 record.nOffset=0;
17280
17281 #ifdef QT_DEBUG
17282 qDebug("RICH SCAN: %s",_SCANS_STRUCT_toString(&record).toLatin1().data());
17283 #endif
17284 *pResult=record;
17285
17286 bResult=true;
17287 }
17288 }
17289
17290 return bResult;
17291 }
17292
filterResult(QList<SpecAbstract::SCAN_STRUCT> * pListRecords,QSet<SpecAbstract::RECORD_TYPE> stRecordTypes)17293 void SpecAbstract::filterResult(QList<SpecAbstract::SCAN_STRUCT> *pListRecords, QSet<SpecAbstract::RECORD_TYPE> stRecordTypes)
17294 {
17295 QList<SpecAbstract::SCAN_STRUCT> listRecords;
17296 int nNumberOfRecords=pListRecords->count();
17297
17298 for(int i=0;i<nNumberOfRecords;i++)
17299 {
17300 if(stRecordTypes.contains(pListRecords->at(i).type))
17301 {
17302 listRecords.append(pListRecords->at(i));
17303 }
17304 }
17305
17306 *pListRecords=listRecords;
17307 }
17308
PE_getVCLstruct(QIODevice * pDevice,bool bIsImage,qint64 nOffset,qint64 nSize,bool bIs64)17309 QList<SpecAbstract::VCL_STRUCT> SpecAbstract::PE_getVCLstruct(QIODevice *pDevice,bool bIsImage,qint64 nOffset,qint64 nSize,bool bIs64)
17310 {
17311 QList<VCL_STRUCT> listResult;
17312
17313 XPE pe(pDevice,bIsImage);
17314
17315 qint64 _nOffset=nOffset;
17316 qint64 _nSize=nSize;
17317
17318 int nAddressSize=bIs64?8:4;
17319
17320 while(_nSize>0)
17321 {
17322 qint64 nClassOffset=pe.find_array(_nOffset,_nSize,"\x07\x08\x54\x43\x6f\x6e\x74\x72\x6f\x6c",10); // 0708'TControl'
17323
17324 if(nClassOffset==-1)
17325 {
17326 break;
17327 }
17328
17329 quint32 nDword=pe.read_uint32(nClassOffset+10);
17330 qint64 nClassOffset2=pe.addressToOffset(nDword);
17331
17332 if(nClassOffset2!=-1)
17333 {
17334 for(int i=0; i<20; i++)
17335 {
17336 quint32 nValue=pe.read_uint32(nClassOffset2-nAddressSize*(i+1));
17337
17338 if(nValue<=0xFFFF)
17339 {
17340 VCL_STRUCT record={};
17341
17342 record.nValue=nValue;
17343 record.nOffset=nAddressSize*(i+1);
17344 record.bIs64=bIs64;
17345
17346 listResult.append(record);
17347
17348 break;
17349 }
17350 }
17351 }
17352
17353 qint64 nDelta=(nClassOffset-_nOffset)+1;
17354
17355 _nOffset+=nDelta;
17356 _nSize-=nDelta;
17357 }
17358
17359 return listResult;
17360 }
17361
PE_getVCLPackageInfo(QIODevice * pDevice,bool bIsImage,QList<XPE::RESOURCE_RECORD> * pListResources)17362 SpecAbstract::VCL_PACKAGEINFO SpecAbstract::PE_getVCLPackageInfo(QIODevice *pDevice,bool bIsImage, QList<XPE::RESOURCE_RECORD> *pListResources)
17363 {
17364 VCL_PACKAGEINFO result={};
17365
17366 XPE pe(pDevice,bIsImage);
17367
17368 if(pe.isValid())
17369 {
17370 XPE::RESOURCE_RECORD rh=pe.getResourceRecord(10,"PACKAGEINFO",pListResources);
17371
17372 if((rh.nOffset!=-1)&&(rh.nSize))
17373 {
17374 qint64 nOffset=rh.nOffset;
17375 quint32 nFlags=pe.read_uint32(nOffset);
17376
17377 quint32 _nFlags=nFlags&0xFF00;
17378
17379 if(_nFlags==0)
17380 {
17381 result.nFlags=nFlags;
17382 nOffset+=4;
17383 result.nUnknown=pe.read_uint32(nOffset);
17384
17385 if(result.nUnknown==0)
17386 {
17387 nOffset+=4;
17388 result.nRequiresCount=pe.read_uint32(nOffset);
17389 nOffset+=4;
17390 }
17391 else
17392 {
17393 nOffset+=3;
17394 }
17395
17396 int nCount=result.nRequiresCount?result.nRequiresCount:1000;
17397
17398 for(int i=0; i<nCount; i++)
17399 {
17400 if(nOffset-rh.nOffset>rh.nSize)
17401 {
17402 break;
17403 }
17404
17405 VCL_PACKAGEINFO_MODULE vpm=VCL_PACKAGEINFO_MODULE();
17406 vpm.nFlags=pe.read_uint8(nOffset);
17407 nOffset++;
17408 vpm.nHashCode=pe.read_uint8(nOffset);
17409 nOffset++;
17410 vpm.sName=pe.read_ansiString(nOffset);
17411 nOffset+=vpm.sName.length()+1;
17412
17413 result.listModules.append(vpm);
17414 }
17415 }
17416 }
17417 }
17418
17419 return result;
17420 }
17421
PE_getRichSignatureDescription(QIODevice * pDevice,bool bIsImage,PEINFO_STRUCT * pPEInfo,quint32 nRichID)17422 SpecAbstract::_SCANS_STRUCT SpecAbstract::PE_getRichSignatureDescription(QIODevice *pDevice,bool bIsImage,PEINFO_STRUCT *pPEInfo,quint32 nRichID)
17423 {
17424 _SCANS_STRUCT result={};
17425
17426 XPE pe(pDevice,bIsImage);
17427
17428 if(pe.isValid())
17429 {
17430 if(nRichID)
17431 {
17432 quint32 nMajor=nRichID>>16;
17433 quint32 nMinor=nRichID&0xFFFF;
17434
17435 switch(nMajor)
17436 {
17437 case 0x00D:
17438 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17439 result.name=SpecAbstract::RECORD_NAME_VISUALBASIC;
17440 break;
17441
17442 case 0x006:
17443 case 0x045:
17444 case 0x05e:
17445 case 0x07c:
17446 case 0x094:
17447 case 0x09a:
17448 case 0x0c9:
17449 case 0x0db:
17450 case 0x0ff:
17451 result.type=SpecAbstract::RECORD_TYPE_CONVERTER;
17452 result.name=SpecAbstract::RECORD_NAME_RESOURCE;
17453 break;
17454
17455 case 0x03f:
17456 case 0x05c:
17457 case 0x07a:
17458 case 0x092:
17459 case 0x09b:
17460 case 0x0ca:
17461 case 0x0dc:
17462 case 0x100:
17463 result.type=SpecAbstract::RECORD_TYPE_LIBRARY;
17464 result.name=SpecAbstract::RECORD_NAME_EXPORT;
17465 break;
17466
17467 // case 0x001: Total Import
17468 case 0x002:
17469 case 0x019:
17470 case 0x09c:
17471 case 0x05d:
17472 case 0x07b:
17473 case 0x093:
17474 case 0x0cb:
17475 case 0x0dd:
17476 case 0x101:
17477 result.type=SpecAbstract::RECORD_TYPE_LIBRARY;
17478 result.name=SpecAbstract::RECORD_NAME_IMPORT;
17479 break;
17480
17481 case 0x004:
17482 case 0x013:
17483 case 0x03d:
17484 case 0x05a:
17485 case 0x078:
17486 case 0x091:
17487 case 0x09d:
17488 case 0x0cc:
17489 case 0x0de:
17490 case 0x102:
17491 result.type=SpecAbstract::RECORD_TYPE_LINKER;
17492 result.name=SpecAbstract::RECORD_NAME_MICROSOFTLINKER;
17493 break;
17494
17495 case 0x00f:
17496 case 0x012:
17497 case 0x040:
17498 case 0x07d:
17499 case 0x095:
17500 case 0x09e:
17501 case 0x0cd:
17502 case 0x0df:
17503 case 0x103:
17504 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17505 result.name=SpecAbstract::RECORD_NAME_MASM;
17506 break;
17507
17508 case 0x00a:
17509 case 0x015:
17510 case 0x01c:
17511 case 0x05f:
17512 case 0x06d:
17513 case 0x083:
17514 case 0x0aa:
17515 case 0x0ce:
17516 case 0x0e0:
17517 case 0x104:
17518 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17519 // result.name=SpecAbstract::RECORD_NAME_MICROSOFTC;
17520 result.name=SpecAbstract::RECORD_NAME_VISUALCCPP; // TODO Visual C++
17521 result.sInfo="C";
17522 break;
17523
17524 case 0x00b:
17525 case 0x016:
17526 case 0x01d:
17527 case 0x060:
17528 case 0x06e:
17529 case 0x084:
17530 case 0x0ab:
17531 case 0x0cf:
17532 case 0x0e1:
17533 case 0x105:
17534 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17535 result.name=SpecAbstract::RECORD_NAME_VISUALCCPP;
17536 result.sInfo="C++";
17537 break;
17538
17539 case 0x089:
17540 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17541 result.name=SpecAbstract::RECORD_NAME_VISUALCCPP;
17542 result.sInfo="C/LTCG";
17543 break;
17544
17545 case 0x08a:
17546 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17547 result.name=SpecAbstract::RECORD_NAME_VISUALCCPP;
17548 result.sInfo="C++/LTCG";
17549 break;
17550
17551 //
17552 case 0x085: // auto
17553 case 0x086: // auto
17554 case 0x087: // auto
17555 case 0x088: // auto
17556
17557 //
17558 case 0x0d0: // auto
17559 case 0x0d1: // auto
17560 case 0x0d2: // auto
17561 case 0x0d3: // auto
17562 case 0x0d4: // auto
17563 case 0x0d5: // auto
17564 case 0x0d6: // auto
17565
17566 //
17567 case 0x0e2: // auto
17568 case 0x0e3: // auto
17569 case 0x0e4: // auto
17570 case 0x0e5: // auto
17571 case 0x0e6: // auto
17572 case 0x0e7: // auto
17573 case 0x0e8: // auto
17574
17575 //
17576 case 0x0ac:
17577 case 0x0ad:
17578 case 0x0ae:
17579 case 0x0af:
17580 case 0x0b0:
17581 case 0x0b1:
17582 case 0x0b2:
17583
17584 //
17585 case 0x106:
17586 case 0x107:
17587 case 0x108:
17588 case 0x109:
17589 case 0x10a:
17590 case 0x10b:
17591 case 0x10c:
17592 result.type=SpecAbstract::RECORD_TYPE_COMPILER;
17593 result.name=SpecAbstract::RECORD_NAME_VISUALCCPP;
17594 break;
17595 }
17596
17597 switch(nMajor)
17598 {
17599 case 0x006:
17600 result.sVersion="5.00";
17601 break;
17602
17603 case 0x002:
17604 result.sVersion="5.10";
17605 break;
17606
17607 case 0x013:
17608 result.sVersion="5.12";
17609 break;
17610
17611 case 0x004:
17612 case 0x00d:
17613 result.sVersion="6.00";
17614 break;
17615
17616 case 0x00a:
17617 case 0x00b:
17618 case 0x015:
17619 case 0x016:
17620 result.sVersion="12.00";
17621 break;
17622
17623 case 0x012:
17624 result.sVersion="6.14";
17625 break;
17626
17627 case 0x040:
17628 case 0x03d:
17629 case 0x045:
17630 case 0x03f:
17631 case 0x019:
17632 result.sVersion="7.00";
17633 break;
17634
17635 case 0x01c:
17636 case 0x01d:
17637 result.sVersion="13.00";
17638 break;
17639
17640 case 0x00f:
17641 case 0x05e:
17642 case 0x05c:
17643 case 0x05d:
17644 case 0x05a:
17645 result.sVersion="7.10";
17646 break;
17647
17648 case 0x05f:
17649 case 0x060:
17650 result.sVersion="13.10";
17651 break;
17652
17653 case 0x078:
17654 case 0x07a:
17655 case 0x07b:
17656 case 0x07c:
17657 case 0x07d:
17658 result.sVersion="8.00";
17659 break;
17660
17661 case 0x06d:
17662 case 0x06e:
17663 result.sVersion="14.00";
17664 break;
17665
17666 case 0x091:
17667 case 0x092:
17668 case 0x093:
17669 case 0x094:
17670 case 0x095:
17671 result.sVersion="9.00";
17672 break;
17673
17674 case 0x083:
17675 case 0x084:
17676 case 0x085: // auto
17677 case 0x086: // auto
17678 case 0x087: // auto
17679 case 0x088: // auto
17680 case 0x089:
17681 case 0x08a:
17682 result.sVersion="15.00";
17683 break;
17684
17685 case 0x09a:
17686 case 0x09b:
17687 case 0x09c:
17688 case 0x09d:
17689 case 0x09e:
17690 result.sVersion="10.00";
17691 break;
17692
17693 case 0x0aa:
17694 case 0x0ab:
17695 case 0x0ac:
17696 case 0x0ad:
17697 case 0x0ae:
17698 case 0x0af:
17699 case 0x0b0:
17700 case 0x0b1:
17701 case 0x0b2:
17702 result.sVersion="16.00";
17703 break;
17704
17705 case 0x0c9:
17706 case 0x0ca:
17707 case 0x0cb:
17708 case 0x0cc:
17709 case 0x0cd:
17710 result.sVersion="11.00";
17711 break;
17712
17713 case 0x0ce:
17714 case 0x0cf:
17715 case 0x0d0: // auto
17716 case 0x0d1: // auto
17717 case 0x0d2: // auto
17718 case 0x0d3: // auto
17719 case 0x0d4: // auto
17720 case 0x0d5: // auto
17721 case 0x0d6: // auto
17722 result.sVersion="17.00";
17723 break;
17724
17725 case 0x0db:
17726 case 0x0dc:
17727 case 0x0dd:
17728 case 0x0de:
17729 case 0x0df:
17730 result.sVersion="12.00";
17731 break;
17732
17733 case 0x0e0:
17734 case 0x0e1:
17735 case 0x0e2: // auto
17736 case 0x0e3: // auto
17737 case 0x0e4: // auto
17738 case 0x0e5: // auto
17739 case 0x0e6: // auto
17740 case 0x0e7: // auto
17741 case 0x0e8: // auto
17742 result.sVersion="18.00";
17743 break;
17744
17745 case 0x0ff:
17746 case 0x100:
17747 case 0x101:
17748 case 0x102:
17749 case 0x103:
17750 result.sVersion="14.00";
17751 break;
17752
17753 case 0x104:
17754 case 0x105:
17755 case 0x106:
17756 case 0x107:
17757 case 0x108:
17758 case 0x109:
17759 case 0x10a:
17760 case 0x10b:
17761 case 0x10c:
17762 result.sVersion="19.00";
17763 break;
17764 }
17765
17766 if(nMinor>=25008)
17767 {
17768 if(result.sVersion=="14.00")
17769 {
17770 result.sVersion=QString("14.%1").arg(pPEInfo->nMinorLinkerVersion,2,10,QChar('0'));
17771 }
17772 else if(result.sVersion=="19.00")
17773 {
17774 result.sVersion=QString("19.%1").arg(pPEInfo->nMinorLinkerVersion,2,10,QChar('0'));
17775 }
17776 }
17777
17778 if(result.type!=SpecAbstract::RECORD_TYPE_UNKNOWN)
17779 {
17780 result.sVersion+=QString(".%1").arg(nMinor,2,10,QChar('0'));
17781 }
17782 }
17783 }
17784
17785 return result;
17786 }
17787
_errorMessage(QString sErrorMessage)17788 void SpecAbstract::_errorMessage(QString sErrorMessage)
17789 {
17790 #ifdef QT_DEBUG
17791 qDebug("Error: %s",sErrorMessage.toLatin1().data());
17792 #endif
17793 emit errorMessage(sErrorMessage);
17794 }
17795
_infoMessage(QString sInfoMessage)17796 void SpecAbstract::_infoMessage(QString sInfoMessage)
17797 {
17798 #ifdef QT_DEBUG
17799 qDebug("Info: %s",sInfoMessage.toLatin1().data());
17800 #endif
17801 emit infoMessage(sInfoMessage);
17802 }
17803