
Add PackerScan #355

Open
wants to merge 1 commit into
base: master
Conversation

@dhondta dhondta commented Jan 26, 2025

Added a third reference application beside ProtectionScan and ExtractionTool called PackerScan that provides a CLI tool to scan for packers from BinaryObjectScanner.Packer.

Summary of changes

  • New PackerScan folder with a program based on ProtectionScan and adapted with the BinaryObjectScanner.Packer API
  • publish-nix.sh and publish-win.ps1 scripts adapted to also build PackerScan and create packages
  • README.md adapted to include the third application in the first paragraph.

mnadareski (Collaborator) commented:

What is the purpose of this tool? It appears to only be a subset of what ProtectionScan already does.

dhondta (Author) commented Jan 26, 2025

@mnadareski I tried ProtectionScan actually; it did not output any packer. Because this is the functionality I need, I made a third application dedicated to packer scanning. BTW, this is just another example application made with BinaryObjectScanner.

mnadareski (Collaborator) commented:

This tells me that either the detections for the packers you care about are lacking (which is likely) or there's a problem in the automatic enumeration of scans to use internally. All game engines, packers, and protections are scanned by default using ProtectionScan.exe.

dhondta (Author) commented Jan 26, 2025

I see nowhere in Scanner.cs or ProtectionScan's Program.cs the use of CheckExecutable like in ExtractionTool.
Is it possible that Scanner.cs does not make use of Packers?
NB: My knowledge of C# is poor, hence I may have made a mistake, but when I tried ProtectionScan, I didn't find any result for packers on UPX-packed samples, while with the PackerScan I propose to you, it did.

mnadareski (Collaborator) commented:

To answer where it's invoked:
Look at FileType.Executable.RunExecutableChecks for where all of the various check classes are run for an executable.

StaticChecks.PortableExecutableCheckClasses should pick up anything that constitutes an Executable check. If, for some reason, this isn't the case, then it's a regression. I haven't observed such a regression from local testing, however.

dhondta (Author) commented Feb 12, 2025

The point is that I tested the other tools (ExtractionTool and ProtectionScan) on multiple UPX-packed samples and never saw any input containing "UPX", hence I created a separate program, PackerScan. I may not have explored all the options, however. Yet I don't see any reference in the code of either tool to a check function being called for whatever supported option.
Is it so bad that we just add the program PackerScan beside the two others in the root of your repo?

mnadareski (Collaborator) commented:

I would prefer not to have additional executables that need maintenance in the future if the better solution is to fix the existing tools instead. In this case, if UPX isn't being picked up, then something needs to change because that represents ProtectionScan not working as intended.
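As an added illustration of the two points in this thread (the automatic enumeration of executable check classes that mnadareski describes, and the UPX case dhondta tested), here is a self-contained Python sketch that is not BinaryObjectScanner's code. The names `ExecutableCheck`, `executable_check_classes` and `scan_executable` are stand-ins for the project's `IExecutableCheck` plumbing, `StaticChecks.PortableExecutableCheckClasses` and `FileType.Executable.RunExecutableChecks`, and the PE image is a constructed header-only sample.

```python
import struct

# --- minimal PE header parsing (added example; not BinaryObjectScanner code) ---
def section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking DOS -> COFF -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + opt_size          # first IMAGE_SECTION_HEADER
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(num_sections)]

# --- check classes, enumerated automatically the way the discussion describes ---
class ExecutableCheck:
    """Stand-in for the project's executable-check interface (hypothetical name)."""
    name = "base"
    def check_executable(self, data: bytes) -> bool:
        raise NotImplementedError

class UPX(ExecutableCheck):
    name = "UPX"
    def check_executable(self, data: bytes) -> bool:
        # Stock UPX names its sections UPX0/UPX1; a stub with renamed sections evades
        # this heuristic, which is why real scanners combine several indicators.
        return any(n.startswith("UPX") for n in section_names(data))

def executable_check_classes() -> list:
    """Stand-in for StaticChecks.PortableExecutableCheckClasses: every subclass is a check."""
    return [cls() for cls in ExecutableCheck.__subclasses__()]

def scan_executable(data: bytes) -> list:
    """Stand-in for FileType.Executable.RunExecutableChecks: run every check, collect hits."""
    return [c.name for c in executable_check_classes() if c.check_executable(data)]

def build_sample_pe(names) -> bytes:
    """Constructed header-only PE (not a real binary) with the given section names."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + optional + sections

if __name__ == "__main__":
    print(scan_executable(build_sample_pe([".text", ".data", ".rsrc"])))  # []
    print(scan_executable(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))    # ['UPX']
```

If a scanner built this way reports nothing on a known UPX sample, the place to look is first whether the check class was actually enumerated and then whether its heuristic matches the sample, which is the same split mnadareski draws between missing detections and a broken enumeration.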
