package com.github.katjahahn.tools.anomalies;

import com.github.katjahahn.parser.IOUtil;
import com.github.katjahahn.parser.Location;
import com.github.katjahahn.parser.PhysicalLocation;
import com.github.katjahahn.parser.sections.SectionHeader;
import com.github.katjahahn.parser.sections.SectionLoader;
import com.github.katjahahn.parser.sections.idata.ImportDLL;
import com.github.katjahahn.parser.sections.idata.ImportSection;
import com.google.common.base.Optional;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Tuple2;
import scala.collection.IterableLike;
import scala.collection.JavaConverters$;
import scala.collection.TraversableLike;
import scala.collection.TraversableOnce;
import scala.collection.immutable.$colon;
import scala.collection.immutable.HashMap;
import scala.collection.immutable.HashMap$;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.Buffer;
import scala.collection.mutable.ListBuffer;
import scala.collection.mutable.ListBuffer$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;

/* compiled from: ImportSectionScanning.scala */
@ScalaSignature(bytes = "\u0006\u0001a3qAC\u0006\u0011\u0002\u0007\u0005a\u0003C\u0003\u001c\u0001\u0011\u0005A\u0004\u0003\u0004$\u0001A%\t\u0001\n\u0005\u0007a\u0001\u0001J\u0011A\u0019\t\u000by\u0002A\u0011B \t\u000b-\u0003A\u0011\u0002'\t\u000b9\u0003A\u0011B(\t\u000bE\u0003A\u0011\u0002*\t\u0017Q\u0003\u0001\u0013aA\u0001\u0002\u0013%A%\u0016\u0005\f-\u0002\u0001\n1!A\u0001\n\u0013\ttKA\u000bJ[B|'\u000f^*fGRLwN\\*dC:t\u0017N\\4\u000b\u00051i\u0011!C1o_6\fG.[3t\u0015\tqq\"A\u0003u_>d7O\u0003\u0002\u0011#\u0005I1.\u0019;kC\"\f\u0007N\u001c\u0006\u0003%M\taaZ5uQV\u0014'\"\u0001\u000b\u0002\u0007\r|Wn\u0001\u0001\u0014\u0005\u00019\u0002C\u0001\r\u001a\u001b\u0005Y\u0011B\u0001\u000e\f\u00059\ten\\7bYf\u001c6-\u00198oKJ\fa\u0001J5oSR$C#A\u000f\u0011\u0005y\tS\"A\u0010\u000b\u0003\u0001\nQa]2bY\u0006L!AI\u0010\u0003\tUs\u0017\u000e^\u0001\u000bg\u000e\fgNU3q_J$H#A\u0013\u0011\u0005\u0019jcBA\u0014,!\tAs$D\u0001*\u0015\tQS#\u0001\u0004=e>|GOP\u0005\u0003Y}\ta\u0001\u0015:fI\u00164\u0017B\u0001\u00180\u0005\u0019\u0019FO]5oO*\u0011AfH\u0001\u0005g\u000e\fg\u000eF\u00013!\r\u0019\u0004h\u000f\b\u0003iYr!\u0001K\u001b\n\u0003\u0001J!aN\u0010\u0002\u000fA\f7m[1hK&\u0011\u0011H\u000f\u0002\u0005\u0019&\u001cHO\u0003\u00028?A\u0011\u0001\u0004P\u0005\u0003{-\u0011q!\u00118p[\u0006d\u00170\u0001\u000fdQ\u0016\u001c7\u000e\u0015:pG\u0016\u001c8/\u00138kK\u000e$\u0018n\u001c8J[B|'\u000f^:\u0015\u0005I\u0002\u0005\"B!\u0005\u0001\u0004\u0011\u0015!B5eCR\f\u0007CA\"J\u001b\u0005!%BA!F\u0015\t1u)\u0001\u0005tK\u000e$\u0018n\u001c8t\u0015\tAu\"\u0001\u0004qCJ\u001cXM]\u0005\u0003\u0015\u0012\u0013Q\"S7q_J$8+Z2uS>t\u0017aE2iK\u000e\\g+\u001b:uk\u0006d\u0017*\u001c9peR\u001cHC\u0001\u001aN\u0011\u0015\tU\u00011\u0001C\u0003a\u0019\u0007.Z2l\rJ\f7\r^5p]\u0006$X\rZ%na>\u0014Ho\u001d\u000b\u0003eACQ!\u0011\u0004A\u0002\t\u000bAc\u00195fG.\\UM\u001d8fYN\u0012\u0014*\u001c9peR\u001cHC\u0001\u001aT\u0011\u0015\tu\u00011\u0001C\u0003A\u0019X\u000f]3sIM\u001c\u0017M\u001c*fa>\u0014H/\u0003
\u0002$3\u0005Q1/\u001e9fe\u0012\u001a8-\u00198\n\u0005AJ\u0002")
/* loaded from: input_file:com/github/katjahahn/tools/anomalies/ImportSectionScanning.class */
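/**
 * Import-section checks of the anomaly scanner (decompiled from
 * {@code ImportSectionScanning.scala}). The Scala trait is compiled to an
 * interface with default methods, which is why every check reaches the PE
 * data through {@code ((AnomalyScanner) this).data()} and why the
 * {@code ...$$super$...}, {@code ...$} and {@code $anonfun$...} members exist:
 * they are compiler-generated forwarders and lambda bodies, not public API.
 *
 * <p>{@link #scan()} runs four checks on the import section and appends their
 * {@link ImportAnomaly} results behind whatever the super trait reports:
 * fractionated imports, kernel32 imports by ordinal, virtual imports and
 * imports of API functions typical for process injection.
 */
public interface ImportSectionScanning {
    /* synthetic */ String com$github$katjahahn$tools$anomalies$ImportSectionScanning$$super$scanReport();

    /* synthetic */ List com$github$katjahahn$tools$anomalies$ImportSectionScanning$$super$scan();

    /**
     * Static forwarder to {@link #scanReport()} generated for the Scala trait.
     *
     * @param importSectionScanning the instance to delegate to
     * @return the instance's scan report
     */
    static /* synthetic */ String scanReport$(ImportSectionScanning importSectionScanning) {
        return importSectionScanning.scanReport();
    }

    /**
     * Prepends a marker line to the super trait's report.
     *
     * @return {@code "Applied Import Scanning"}, a line break ({@link IOUtil#NL})
     *         and the super trait's report
     */
    default String scanReport() {
        return new StringBuilder(23).append("Applied Import Scanning").append(IOUtil.NL).append(com$github$katjahahn$tools$anomalies$ImportSectionScanning$$super$scanReport()).toString();
    }

    /**
     * Static forwarder to {@link #scan()} generated for the Scala trait.
     *
     * @param importSectionScanning the instance to delegate to
     * @return the instance's anomaly list
     */
    static /* synthetic */ List scan$(ImportSectionScanning importSectionScanning) {
        return importSectionScanning.scan();
    }

    /**
     * Runs the import-section checks and combines them with the super trait's anomalies.
     *
     * <p>If the PE has no loadable import section only the super trait's anomalies
     * are returned. Otherwise the results of {@code checkFractionatedImports},
     * {@code checkKernel32Imports}, {@code checkVirtualImports} and
     * {@code checkProcessInjectionImports} are collected in that order and placed
     * behind the super trait's list ({@code superAnomalies ::: ownAnomalies}).
     *
     * @return the anomalies of the super trait followed by the import-section anomalies
     */
    /* JADX WARN: Multi-variable type inference failed */
    default List<Anomaly> scan() {
        Optional<ImportSection> maybeLoadImportSection = new SectionLoader(((AnomalyScanner) this).data()).maybeLoadImportSection();
        if (!maybeLoadImportSection.isPresent()) {
            // No import section: Nil ::: super.scan() is just the super trait's list.
            return Nil$.MODULE$.$colon$colon$colon(com$github$katjahahn$tools$anomalies$ImportSectionScanning$$super$scan());
        }
        ImportSection importSection = (ImportSection) maybeLoadImportSection.get();
        ListBuffer apply = ListBuffer$.MODULE$.apply(Nil$.MODULE$);
        apply.$plus$plus$eq(checkFractionatedImports(importSection));
        apply.$plus$plus$eq(checkKernel32Imports(importSection));
        apply.$plus$plus$eq(checkVirtualImports(importSection));
        apply.$plus$plus$eq(checkProcessInjectionImports(importSection));
        // xs.:::(prefix) puts the super trait's anomalies in front of ours.
        return apply.toList().$colon$colon$colon(com$github$katjahahn$tools$anomalies$ImportSectionScanning$$super$scan());
    }

    /**
     * Reports imported functions whose normalized name is typical for process
     * injection techniques.
     *
     * <p>Every name import of every import DLL is normalized by
     * {@code $anonfun$checkProcessInjectionImports$1} (ANSI/Unicode suffix
     * {@code A}/{@code W}, {@code Ex} suffix and {@code Nt}/{@code Zw} prefix
     * removed) and looked up in the table below. The lookup is a case-sensitive
     * {@code HashMap.contains}, so every key has to be spelled exactly like the
     * Win32/Nt export it stands for; {@code CreateToolhelp32Snapshot} and
     * {@code QueueUserAPC} were previously keyed with the wrong case and could
     * never match.
     *
     * <p>One {@link AnomalySubType#PROCESS_INJECTION_IMPORT} anomaly is produced
     * per matching imported function; its message carries the original import
     * name and the table's description.
     *
     * @param importSection the loaded import section
     * @return one anomaly per matching imported function, possibly empty
     */
    private default List<Anomaly> checkProcessInjectionImports(ImportSection importSection) {
        Buffer buffer = (Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(importSection.getImports()).asScala();
        ListBuffer apply = ListBuffer$.MODULE$.apply(Nil$.MODULE$);
        // Normalized export name -> why it matters for injection. Keys are case-sensitive.
        HashMap apply2 = HashMap$.MODULE$.apply(Predef$.MODULE$.wrapRefArray(new Tuple2[]{
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Process32First"), "is used to obtain handle to victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Process32Next"), "is used to obtain handle to victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("CreateToolhelp32Snapshot"), "is used to obtain handle to victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("CreateRemoteThread"), "is used to open and execute a thread in the victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("CreateThread"), "is used to open and execute a thread in the victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("RtlCreateUserThread"), "is used to open and execute a thread in the victim process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("UnmapViewOfSection"), "may be used to carve out a process for process hollowing"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("LoadLibrary"), "maps module into the address space of the calling process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("GlobalAddAtom"), "used for AtomBombing injection"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("GlobalGetAtomName"), "used for AtomBombing injection"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("QueueUserAPC"), "adds APC object to queue"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("QueueApcThread"), "adds APC object to queue"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("CreateProcess"), "creates a process (check if SUSPENDED flag is used)"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("OpenProcess"), "opens a process (check if PROCESS_ALL_ACCESS is set)"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("VirtualAlloc"), "allocates memory"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("AllocateVirtualMemory"), "allocates memory"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("MapViewOfSection"), "allocates memory"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("ProtectVirtualMemory"), "may set PAGE_EXECUTE flag for memory region"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("VirtualProtect"), "may set PAGE_EXECUTE flag for memory region"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("WriteProcessMemory"), "writes to memory"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Thread32First"), "obtains thread ID of target process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Thread32Next"), "obtains thread ID of target process"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("SetWindowsHook"), "injects DLL into process by hooking a Windows message"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("SuspendThread"), "may suspend a thread as preparation to write to memory"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("ResumeThread"), "may resume thread after injection"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("GetThreadContext"), "may be used to extract the EIP of the thread"),
            Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("SetThreadContext"), "may be used to change EIP to continue execution in injected code")}));
        buffer.foreach(importDLL -> {
            $anonfun$checkProcessInjectionImports$1(apply2, apply, importDLL);
            return BoxedUnit.UNIT;
        });
        return apply.toList();
    }

    /**
     * Reports import DLLs that have at least one location lying beyond the
     * physical end of the file ({@code from + size > file length}, see
     * {@code isVirtual$1}).
     *
     * @param importSection the loaded import section
     * @return one {@link AnomalySubType#VIRTUAL_IMPORTS} anomaly per affected DLL,
     *         possibly empty
     */
    /* JADX WARN: Multi-variable type inference failed */
    private default List<Anomaly> checkVirtualImports(ImportSection importSection) {
        long length = ((AnomalyScanner) this).data().getFile().length();
        Buffer buffer = (Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(importSection.getImports()).asScala();
        ListBuffer apply = ListBuffer$.MODULE$.apply(Nil$.MODULE$);
        buffer.foreach(importDLL -> {
            if (!isVirtual$1(importDLL, length)) {
                return BoxedUnit.UNIT;
            }
            return apply.$plus$eq(new ImportAnomaly(new $colon.colon(importDLL, Nil$.MODULE$), new StringBuilder(32).append("Import DLL has virtual imports: ").append(importDLL.getName()).toString(), AnomalySubType.VIRTUAL_IMPORTS, PEStructureKey.IMPORT_SECTION));
        });
        return apply.toList();
    }

    /**
     * Reports import data that is spread outside the section the import
     * section's file offset maps to.
     *
     * <p>The section header is looked up by the import section's offset. If it
     * exists and at least one physical location of the import section is not
     * within that section's aligned raw range (see {@code isWithinIData$1}), a
     * single {@link AnomalySubType#FRACTIONATED_DATADIR} anomaly is reported
     * that names every import DLL owning such a location. Without a matching
     * section header nothing is reported.
     *
     * @param importSection the loaded import section
     * @return zero or one anomaly
     */
    /* JADX WARN: Multi-variable type inference failed */
    private default List<Anomaly> checkFractionatedImports(ImportSection importSection) {
        Buffer buffer = (Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(importSection.getPhysicalLocations()).asScala();
        ListBuffer apply = ListBuffer$.MODULE$.apply(Nil$.MODULE$);
        SectionLoader sectionLoader = new SectionLoader(((AnomalyScanner) this).data());
        Optional<SectionHeader> maybeGetSectionHeaderByOffset = sectionLoader.maybeGetSectionHeaderByOffset(importSection.getOffset());
        if (!maybeGetSectionHeaderByOffset.isPresent()) {
            // Import section offset maps to no section: nothing to compare against.
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        } else if (((TraversableOnce) buffer.filter(physicalLocation -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkFractionatedImports$1(this, maybeGetSectionHeaderByOffset, sectionLoader, physicalLocation));
        })).toList().isEmpty()) {
            // Every physical location lies inside the import data section.
            BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
        } else {
            // Only the DLLs with at least one location outside the section are listed.
            List list = ((TraversableOnce) ((TraversableLike) JavaConverters$.MODULE$.asScalaBufferConverter(importSection.getImports()).asScala()).filter(importDLL -> {
                return BoxesRunTime.boxToBoolean($anonfun$checkFractionatedImports$2(this, maybeGetSectionHeaderByOffset, sectionLoader, importDLL));
            })).toList();
            apply.$plus$eq(new ImportAnomaly(list, new StringBuilder(48).append("Imports are fractionated! Affected import DLLs: ").append(((TraversableOnce) list.map(importDLL2 -> {
                return importDLL2.getName();
            }, List$.MODULE$.canBuildFrom())).mkString(", ")).toString(), AnomalySubType.FRACTIONATED_DATADIR, PEStructureKey.IMPORT_SECTION));
        }
        return apply.toList();
    }

    /**
     * Reports import DLLs named {@code kernel32.dll} (compared case-insensitively)
     * that import at least one function by ordinal rather than by name.
     *
     * @param importSection the loaded import section
     * @return zero or one {@link AnomalySubType#KERNEL32_BY_ORDINAL_IMPORTS} anomaly
     *         covering all such DLLs
     */
    private default List<Anomaly> checkKernel32Imports(ImportSection importSection) {
        List list = ((TraversableOnce) ((TraversableLike) JavaConverters$.MODULE$.asScalaBufferConverter(importSection.getImports()).asScala()).filter(importDLL -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkKernel32Imports$1(importDLL));
        })).toList();
        ListBuffer apply = ListBuffer$.MODULE$.apply(Nil$.MODULE$);
        if (list.isEmpty()) {
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        } else {
            apply.$plus$eq(new ImportAnomaly(list, new StringBuilder(46).append("Imports from Kernel32.dll by ordinal, namely: ").append(list.mkString(", ")).toString(), AnomalySubType.KERNEL32_BY_ORDINAL_IMPORTS, PEStructureKey.IMPORT_DLL));
        }
        return apply.toList();
    }

    /**
     * Lambda body of {@code checkProcessInjectionImports}: matches every name
     * import of one DLL against the injection API table.
     *
     * <p>The normalization is cumulative: the {@code A}/{@code W} suffix is
     * removed first, then an {@code Ex} suffix, then an {@code Nt}/{@code Zw}
     * prefix, each step working on the result of the previous one. Applying
     * every step to the raw name instead (as the original code did) let names
     * such as {@code NtCreateThreadEx}, {@code SetWindowsHookExA} or
     * {@code LoadLibraryExA} escape detection, because only the last matching
     * rule took effect.
     *
     * @param hashMap    normalized export name -> description
     * @param listBuffer receives one {@link ImportAnomaly} per matching import
     * @param importDLL  the DLL whose name imports are examined
     */
    static /* synthetic */ void $anonfun$checkProcessInjectionImports$1(HashMap hashMap, ListBuffer listBuffer, ImportDLL importDLL) {
        ((Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(importDLL.getNameImports()).asScala()).foreach(nameImport -> {
            String name = nameImport.getName();
            String normalized = name;
            // ANSI/Unicode variant suffix first, so "...ExA"/"...ExW" reaches the Ex rule.
            if (normalized.endsWith("A") || normalized.endsWith("W")) {
                normalized = normalized.substring(0, normalized.length() - 1);
            }
            if (normalized.endsWith("Ex")) {
                normalized = normalized.substring(0, normalized.length() - 2);
            }
            // Native API prefixes map onto the Win32 name used as table key.
            if (normalized.startsWith("Nt") || normalized.startsWith("Zw")) {
                normalized = normalized.substring(2);
            }
            if (!hashMap.contains(normalized)) {
                return BoxedUnit.UNIT;
            }
            // The message keeps the import's original name; the description comes from the table.
            return listBuffer.$plus$eq(new ImportAnomaly(new $colon.colon(importDLL, Nil$.MODULE$), new StringBuilder(45).append("Import function typical for code injection: ").append(name).append(" ").append(hashMap.apply(normalized)).toString(), AnomalySubType.PROCESS_INJECTION_IMPORT, PEStructureKey.IMPORT_SECTION));
        });
    }

    /**
     * Lambda body of {@code isVirtual$1}: true if the location ends past the file length.
     *
     * @param j                the file length in bytes
     * @param physicalLocation the location to test
     * @return whether {@code from + size} exceeds {@code j}
     */
    static /* synthetic */ boolean $anonfun$checkVirtualImports$1(long j, PhysicalLocation physicalLocation) {
        return physicalLocation.from() + physicalLocation.size() > j;
    }

    /**
     * Whether any location of the DLL lies beyond the end of the file.
     *
     * @param importDLL the DLL to test
     * @param j         the file length in bytes
     * @return true if at least one location ends past {@code j}
     */
    private static boolean isVirtual$1(ImportDLL importDLL, long j) {
        return ((Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(importDLL.getLocations()).asScala()).exists(physicalLocation -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkVirtualImports$1(j, physicalLocation));
        });
    }

    /**
     * Whether a location is considered part of the import data section.
     *
     * <p>A location counts as inside if it starts at or after the end of the file,
     * has a {@code from} of {@code -1}, or lies entirely within
     * {@code [alignedPointerToRaw, alignedPointerToRaw + readSize)} of the
     * section header. The aligned raw pointer honours the optional header's
     * low-alignment mode.
     *
     * @param location      the location to test
     * @param optional      a present {@code Optional<SectionHeader>}; {@code get()} is called unchecked
     * @param sectionLoader used to obtain the section's read size
     * @return true if the location is inside the section or not a physical one
     */
    /* JADX WARN: Multi-variable type inference failed */
    private default boolean isWithinIData$1(Location location, Optional optional, SectionLoader sectionLoader) {
        long alignedPointerToRaw = ((SectionHeader) optional.get()).getAlignedPointerToRaw(Predef$.MODULE$.boolean2Boolean(((AnomalyScanner) this).data().getOptionalHeader().isLowAlignmentMode()));
        return location.from() >= ((AnomalyScanner) this).data().getFile().length() || location.from() == -1 || (location.from() >= alignedPointerToRaw && location.from() + location.size() <= alignedPointerToRaw + sectionLoader.getReadSize((SectionHeader) optional.get()));
    }

    /**
     * Filter predicate of {@code checkFractionatedImports}: a physical location
     * that is NOT within the import data section.
     */
    static /* synthetic */ boolean $anonfun$checkFractionatedImports$1(ImportSectionScanning importSectionScanning, Optional optional, SectionLoader sectionLoader, PhysicalLocation physicalLocation) {
        return !importSectionScanning.isWithinIData$1(physicalLocation, optional, sectionLoader);
    }

    /**
     * Same predicate as {@code $anonfun$checkFractionatedImports$1}; the compiler
     * emitted a second copy for the per-DLL lambda in
     * {@code $anonfun$checkFractionatedImports$2}.
     */
    static /* synthetic */ boolean $anonfun$checkFractionatedImports$3(ImportSectionScanning importSectionScanning, Optional optional, SectionLoader sectionLoader, PhysicalLocation physicalLocation) {
        return !importSectionScanning.isWithinIData$1(physicalLocation, optional, sectionLoader);
    }

    /**
     * Filter predicate of {@code checkFractionatedImports}: a DLL with at least
     * one location outside the import data section.
     */
    static /* synthetic */ boolean $anonfun$checkFractionatedImports$2(ImportSectionScanning importSectionScanning, Optional optional, SectionLoader sectionLoader, ImportDLL importDLL) {
        return ((IterableLike) JavaConverters$.MODULE$.asScalaBufferConverter(importDLL.getLocations()).asScala()).exists(physicalLocation -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkFractionatedImports$3(importSectionScanning, optional, sectionLoader, physicalLocation));
        });
    }

    /**
     * Filter predicate of {@code checkKernel32Imports}: the DLL is named
     * {@code kernel32.dll} (case-insensitive) and has ordinal imports.
     */
    static /* synthetic */ boolean $anonfun$checkKernel32Imports$1(ImportDLL importDLL) {
        return importDLL.getName().equalsIgnoreCase("kernel32.dll") && importDLL.getOrdinalImports().size() > 0;
    }

    /**
     * Trait initializer generated by the Scala compiler; intentionally empty.
     *
     * @param importSectionScanning the instance being initialized
     */
    static void $init$(ImportSectionScanning importSectionScanning) {
    }
}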
