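/// <summary>
/// Matches the bytes at the executable's entry point against the
/// entry-point signature tree (<c>ep_tree</c>).
/// </summary>
/// <param name="stream">
/// Seekable stream holding the executable image. It is rewound to offset 0
/// before the headers are parsed and is left positioned after the bytes read
/// at the entry point.
/// </param>
/// <returns>
/// One <see cref="ScanResult"/> per matching signature (an empty array when
/// nothing matches), or <c>null</c> when fewer than <c>min_sig_length</c>
/// bytes could be read at the entry point.
/// </returns>
private ScanResult[] ScanAllNormal(Stream stream)
{
    stream.Seek(0, SeekOrigin.Begin);

    long ep_offset = 0;

    // The stream is used again after the reader is disposed, so the second
    // argument presumably tells ExeReader not to close it (confirm against ExeReader).
    using (ExeReader reader = ExeReader.FromStream(stream, false))
    {
        uint ep_address = reader.NTHeaders.OptionalHeader.AddressOfEntryPoint;

        // NOTE(review): every header field here comes from the scanned file and is
        // attacker-controlled. If RVAToSection can return null (entry point outside
        // every section, as in some malformed or packed files), the dereference below
        // throws. Confirm its contract and guard accordingly.
        Section section = reader.Sections.RVAToSection(ep_address);

        uint delta = ep_address - section.TableEntry.VirtualAddress;

        // Widen to long before adding so the file offset cannot wrap in 32-bit arithmetic.
        long section_offset = section.TableEntry.PointerToRawData;

        // NOTE(review): delta is not compared with SizeOfRawData, so an entry point in
        // the section's virtual-only tail maps to file bytes that belong to something
        // else. The original read SizeOfRawData into an unused local, which suggests a
        // bounds check was intended here.
        ep_offset = section_offset + delta;
    }

    stream.Seek(ep_offset, SeekOrigin.Begin);

    // Stream.Read may return fewer bytes than requested before end of stream.
    // Keep reading until the buffer is full or the stream is exhausted, so a
    // short read is not mistaken for a truncated file.
    byte[] buffer = new byte[max_sig_length];
    int num_read = 0;
    while (num_read < buffer.Length)
    {
        int chunk = stream.Read(buffer, num_read, buffer.Length - num_read);
        if (chunk <= 0)
        {
            break;
        }
        num_read += chunk;
    }

    if (num_read < min_sig_length)
    {
        return null;
    }

    List<ScanResult> results = new List<ScanResult>();
    List<Signature> signatures = new List<Signature>();

    Match(buffer, num_read, 0, ep_tree, signatures);

    foreach (Signature signature in signatures)
    {
        // Snapshot the matched bytes. Assumes Pattern.Length never exceeds
        // max_sig_length (Array.Copy throws otherwise); bytes past num_read are
        // the buffer's zero fill.
        byte[] data = new byte[signature.Pattern.Length];
        Array.Copy(buffer, 0, data, 0, data.Length);

        ScanResult result = new ScanResult()
        {
            Offset = ep_offset,
            Data = data,
            Signature = signature
        };

        results.Add(result);
    }

    return results.ToArray();
}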
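/// <summary>
/// Brute-force scan: tests the non-entry-point signature tree
/// (<c>non_ep_tree</c>) at every candidate offset in the stream, without
/// parsing any executable headers.
/// </summary>
/// <param name="stream">Seekable stream to scan; its position is changed.</param>
/// <returns>
/// One <see cref="ScanResult"/> per (offset, signature) match, or <c>null</c>
/// when a window shorter than <c>min_sig_length</c> is encountered.
/// </returns>
private ScanResult[] ScanAllHardcore(Stream stream)
{
    List<ScanResult> results = new List<ScanResult>();

    // Candidate start offsets. Whether the upper bound is inclusive depends on
    // Utils.IRange (confirm against its definition).
    var positions = Utils.IRange(0, stream.Length - min_sig_length);

    foreach (long position in positions)
    {
        stream.Seek(position, SeekOrigin.Begin);

        // Stream.Read may return fewer bytes than requested before end of stream.
        // Keep reading until the window is full or the stream is exhausted, so a
        // short read does not abort the scan and discard matches.
        byte[] buffer = new byte[max_sig_length];
        int num_read = 0;
        while (num_read < buffer.Length)
        {
            int chunk = stream.Read(buffer, num_read, buffer.Length - num_read);
            if (chunk <= 0)
            {
                break;
            }
            num_read += chunk;
        }

        // Preserved contract: a genuinely short window ends the scan with null and
        // drops everything collected so far.
        // NOTE(review): confirm callers do not expect the partial results instead.
        if (num_read < min_sig_length)
        {
            return null;
        }

        List<Signature> signatures = new List<Signature>();
        Match(buffer, num_read, 0, non_ep_tree, signatures);

        foreach (Signature signature in signatures)
        {
            // Snapshot the matched bytes. Assumes Pattern.Length never exceeds
            // max_sig_length (Array.Copy throws otherwise); bytes past num_read
            // are the buffer's zero fill.
            byte[] data = new byte[signature.Pattern.Length];
            Array.Copy(buffer, 0, data, 0, data.Length);

            ScanResult result = new ScanResult()
            {
                Offset = position,
                Data = data,
                Signature = signature
            };

            results.Add(result);
        }
    }

    return results.ToArray();
}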