
Conversation


@dhondta dhondta commented Jan 26, 2025

Added a third reference application beside ProtectionScan and ExtractionTool called PackerScan that provides a CLI tool to scan for packers from BinaryObjectScanner.Packer.

Summary of changes

  • New PackerScan folder with a program based on ProtectionScan and adapted with the BinaryObjectScanner.Packer API
  • publish-nix.sh and publish-win.ps1 scripts adapted to also build PackerScan and create packages
  • README.md adapted to include the third application in the first paragraph.

@mnadareski
Collaborator

What is the purpose of this tool? It appears to only be a subset of what ProtectionScan already does.

@dhondta
Author

dhondta commented Jan 26, 2025

@mnadareski I tried ProtectionScan actually; it did not output any packer. Because this is the functionality I need, I made a third application dedicated to packer scanning. BTW this is just another example application made with BinaryObjectScanner.

@mnadareski
Collaborator

This tells me that either the detections for the packers you care about are lacking (which is likely) or there's a problem in the automatic enumeration of scans to use internally. All game engines, packers, and protections are scanned by default using ProtectionScan.exe.

@dhondta
Author

dhondta commented Jan 26, 2025

I see nowhere in Scanner.cs or ProtectionScan's Program.cs the use of CheckExecutable like in ExtractionTool.
Is it possible that Scanner.cs does not make use of Packers?
NB: My knowledge is poor with C#, hence I may have made a mistake, but when I tried ProtectionScan, I didn't find any result for packers on UPX-packed samples, while with the PackerScan I propose to you, it did.

@mnadareski
Collaborator

To answer where it's invoked:
Look at FileType.Executable.RunExecutableChecks for where all of the various check classes are run for an executable.

StaticChecks.PortableExecutableCheckClasses should pick up anything that constitutes an Executable check. If, for some reason, this isn't the case, then it's a regression. I haven't observed such a regression from local testing, however.
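As an added illustration of what one of those executable check classes does in practice (this is not code from BinaryObjectScanner, ProtectionScan, or this PR, and it does not call the library's API), the following Python parses just enough of a PE header to reach the section table and applies the two classic UPX heuristics: UPX's default section names and its "UPX!" marker. The sample binaries are constructed in memory, not real packed files.

```python
import struct
from typing import Optional

# Two well-known UPX heuristics: its default section names and the "UPX!"
# magic it places in its own packed header. Both are trivially renamed or
# stripped by anyone who wants to, so a real scanner corroborates them with
# further checks; here they only show the shape of a packer check.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"


def pe_section_names(data: bytes) -> Optional[list]:
    """Return the section names of a PE image, or None if it is not a PE.

    Parses only what is needed to reach the section table: e_lfanew in the
    DOS header (offset 0x3C), the PE signature, and two fields of the COFF
    file header (NumberOfSections, SizeOfOptionalHeader).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break  # truncated table: report what is readable
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def scan_for_upx(data: bytes) -> dict:
    """A packer check in the spirit of an Executable check: inspect the
    parsed headers, then the raw bytes, and report which heuristic fired."""
    names = pe_section_names(data)
    if names is None:
        return {"is_pe": False, "upx": False, "evidence": []}
    evidence = []
    hits = sorted(n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES)
    if hits:
        evidence.append("sections:" + ",".join(hits))
    if UPX_MARKER in data:
        evidence.append("marker:UPX!")
    return {"is_pe": True, "upx": bool(evidence), "evidence": evidence}


def build_sample(section_names, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE (not loadable): DOS header, PE signature,
    COFF header with an empty optional header, then the section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer


# Constructed samples: one mimicking UPX's layout, one plain.
UPX_SAMPLE = build_sample([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
CLEAN_SAMPLE = build_sample([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("clean", CLEAN_SAMPLE), ("not-pe", b"hello")):
        print(label, scan_for_upx(blob))
```

Running the script on the constructed samples reports both heuristics for the UPX-like file, nothing for the plain one, and `is_pe: False` for non-PE input. The point of separating `pe_section_names` from `scan_for_upx` mirrors the split the comment above describes: the parsing is shared, and each packer check only looks at the parsed result.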

@dhondta
Author

dhondta commented Feb 12, 2025

The point is that I tested the other tools (ExtractionTool and ProtectionScan) on multiple UPX-packed samples and never saw any input containing "UPX", hence I created a separate program PackerScan. I may not have explored all the options, however. Yet I don't see any reference in the code of both tools to a check function being called for whatever supported option.
Is it so bad that we just add the program PackerScan beside both others in the root of your repo?

@mnadareski
Collaborator

I would prefer not to have additional executables that need maintenance in the future if the better solution is to fix the existing tools instead. In this case, if UPX isn't being picked up, then something needs to change because that represents ProtectionScan not working as intended.

@mnadareski
Collaborator

Since there has been no movement on this PR since I gave my feedback, I'm going to be closing it. If you want to open something similar in the future with my comments in mind, I will appreciate the contributions.

@mnadareski mnadareski closed this May 27, 2025