/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe64File(file);
if (!f.Parse())
{
this.Log("Can't parse as PE64", LogMessageType.Warning);
return(false);
}
if (!f.IsFile64Bit())
{
this.Log("Is not 64bit", LogMessageType.Warning);
return(false);
}
if (!f.HasSection(".bind"))
{
this.Log("Missing bind section", LogMessageType.Warning);
return(false);
}
// Check for the known 3.0 header sizes..
var headerSize = this.GetHeaderSize(f);
return(headerSize == 0xB0 || headerSize == 0xD0);
}
catch (Exception e)
{
this.Log(e.ToString(), LogMessageType.Warning);
return(false);
}
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe64File(file);
if (!f.Parse() || !f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe64Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 41 50");
if (varient == 0)
{
return(false);
}
// Attempt to determine the varient version..
var offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 48"); // 3.0
if (offset == 0)
{
offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 41"); // 3.1
}
if (offset == 0)
{
offset = Pe64Helpers.FindPattern(bind, "48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48"); // 3.1.2
if (offset > 0)
{
offset += 5;
}
}
// Ensure a pattern was found..
if (offset == 0)
{
return(false);
}
// Read the header size.. (The header size is only 32bit!)
var headerSize = Math.Abs(BitConverter.ToInt32(bind, (int)offset + 3));
// Check for the known 3.1 header size..
return(headerSize == 0xF0);
}
catch
{
return(false);
}
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe64File(file);
if (!f.Parse() || !f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Check for the known 3.0 header sizes..
var headerSize = this.GetHeaderSize(f);
return(headerSize == 0xB0 || headerSize == 0xD0);
}
catch
{
return(false);
}
}