horsicq / DIE-engine

DIE engine
MIT License

Unable to run static scan on in-memory data #58

Closed skolpadda closed 2 years ago

skolpadda commented 2 years ago

With the following code:

    // Read the whole file into memory and hand the bytes to the static scanner.
    SpecAbstract::SCAN_OPTIONS pScanOptions = {};
    QFile file(sFileName);
    if (!file.open(QIODevice::ReadOnly)) {
        return;
    }
    QByteArray fileContents = file.readAll();
    file.close();

    // Scan the in-memory buffer instead of the file path.
    SpecAbstract::SCAN_RESULT scanResult = StaticScan::processMemory(fileContents.data(), fileContents.size(), &pScanOptions);
    // Print every detection record as "(index) (sInfo) (record name)".
    for (int i = 0; i < scanResult.listRecords.size(); ++i) {
        qDebug("(%d) (%s) (%s)", i,
               scanResult.listRecords[i].sInfo.toLatin1().data(),
               SpecAbstract::recordNameIdToString(scanResult.listRecords[i].name).toLatin1().data());
    }

I get the following output:

QIODevice::seek (QBuffer): The device is not open
QIODevice::seek (QBuffer): The device is not open
QIODevice::seek (QBuffer): The device is not open (repeated many more times)
(0) () (Unknown)

However, with the following:

    // Scan by file path through a StaticScan instance instead of processMemory().
    SpecAbstract::SCAN_OPTIONS pScanOptions = {};
    SpecAbstract::SCAN_RESULT scanResult = {};
    StaticScan staticScan;
    staticScan.setData(sFileName, &pScanOptions, &scanResult);
    staticScan.process();
    staticScan.stop();

    // Same record printout as above: "(index) (sInfo) (record name)".
    for (int i = 0; i < scanResult.listRecords.size(); ++i) {
        qDebug("(%d) (%s) (%s)", i,
               scanResult.listRecords[i].sInfo.toLatin1().data(),
               SpecAbstract::recordNameIdToString(scanResult.listRecords[i].name).toLatin1().data());
    }

I get

Import hash: 6dc0ba9c9 1a6ff5f
KERNEL32.DLL LoadLibraryA
KERNEL32.DLL GetProcAddress
KERNEL32.DLL VirtualProtect
KERNEL32.DLL VirtualAlloc
KERNEL32.DLL VirtualFree
KERNEL32.DLL ExitProcess
advapi32.dll RegCloseKey
comctl32.dll ImageList_Add
gdi32.dll SaveDC
oleaut32.dll VariantCopy
user32.dll GetDC
version.dll VerQueryValueA
=====================================================================
Import hash: 7bc87a20
KERNEL32.DLL LoadLibraryA
KERNEL32.DLL GetProcAddress
KERNEL32.DLL VirtualProtect
KERNEL32.DLL VirtualAlloc
KERNEL32.DLL VirtualFree
KERNEL32.DLL ExitProcess
Import hash: 6e41b036
advapi32.dll RegCloseKey
Import hash: 4024bd8d
comctl32.dll ImageList_Add
Import hash: b6bee3d3
gdi32.dll SaveDC
Import hash: f6fecd5
oleaut32.dll VariantCopy
Import hash: 3ca3511b
user32.dll GetDC
Import hash: 6b623ce5
version.dll VerQueryValueA
SIGNATURE SCAN: Linker: Turbo linker()[]
SIGNATURE SCAN: Packer: UPX(0.81-3.81+)[exe]
SIGNATURE SCAN: Packer: Generic()[]
SIGNATURE SCAN: Certificate: Windows Authenticode(2.0)[PKCS #7]
CONST SCAN: Packer: UPX(2.90-3.XX)[exe]
CONST SCAN: Packer: NsPack()[]
RESOURCES SCAN: Library: Visual Component Library()[]
QSet()
(0) (I386, 32-bit, GUI) (Windows)
(1) () (Turbo linker)
(2) () (Borland Object Pascal(Delphi))
(3) () (Object Pascal(Delphi))
(4) () (Visual Component Library)
(5) () (Borland Delphi)
(6) (PKCS #7) (Windows Authenticode)
(7) (NRV2E_LE32,brute) (UPX)

Now my C++ may not be the sharpest but I would expect the same results for both approaches. Is there something I'm doing wrong?
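As an added example that is not part of this report or of DIE's own code, the Python helper below parses the `(index) (sInfo) (name)` lines both snippets print and checks whether an in-memory scan reproduces the file-based scan's records, treating the lone empty `Unknown` record seen above as the failure signature. The two sample outputs are constructed from the runs quoted in this post; the record format is the one produced by the `qDebug` calls above.

```python
import re
from typing import List, NamedTuple, Tuple

# Matches the lines the snippets above print: "(index) (sInfo) (record name)"
RECORD_RE = re.compile(r"^\((\d+)\) \((.*?)\) \((.*)\)$")

class Record(NamedTuple):
    info: str
    name: str

def parse_records(output: str) -> List[Record]:
    """Pull (sInfo, name) pairs out of qDebug output; other lines are ignored."""
    records = []
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(Record(m.group(2), m.group(3)))
    return records

def is_unknown_only(records: List[Record]) -> bool:
    """The failure signature from this issue: exactly one empty 'Unknown' record."""
    return len(records) == 1 and records[0].name == "Unknown" and records[0].info == ""

def compare_scans(file_output: str, memory_output: str) -> Tuple[bool, List[Record]]:
    """Return (ok, missing): ok when the in-memory scan reproduces every record
    of the file-based scan; missing lists the records it failed to detect."""
    file_recs = set(parse_records(file_output))
    mem_recs = set(parse_records(memory_output))
    if is_unknown_only(list(mem_recs)) and not is_unknown_only(list(file_recs)):
        return False, sorted(file_recs)  # processMemory() produced nothing usable
    missing = sorted(file_recs - mem_recs)
    return not missing, missing

# Constructed from the two outputs quoted in the report above.
FILE_SCAN_OUTPUT = """\
QSet()
(0) (I386, 32-bit, GUI) (Windows)
(1) () (Turbo linker)
(2) () (Borland Object Pascal(Delphi))
(3) () (Object Pascal(Delphi))
(4) () (Visual Component Library)
(5) () (Borland Delphi)
(6) (PKCS #7) (Windows Authenticode)
(7) (NRV2E_LE32,brute) (UPX)
"""

MEMORY_SCAN_OUTPUT = """\
QIODevice::seek (QBuffer): The device is not open
(0) () (Unknown)
"""
```

Running `compare_scans(FILE_SCAN_OUTPUT, MEMORY_SCAN_OUTPUT)` returns `(False, [...])` with all eight file-scan records listed as missing; after the fix both paths should yield `(True, [])`.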

horsicq commented 2 years ago

You are doing all absolutely right! I fixed this bug. https://github.com/horsicq/StaticScan/commit/7ed0baeb1e78e01f998bc8f32f82c14c95c638bc

Now your code should work. Just download the source code of DiE again.

skolpadda commented 2 years ago

Working great now, thanks!