squash: feat/analyse-qt

pl4nty · pl4nty · commit 7f8f85864ec1 · 2026-01-29T10:11:16.000Z
diff --git a/src/analysis/installers/exe.rs b/src/analysis/installers/exe.rs
@@ -7,12 +7,12 @@ use winget_types::installer::{Architecture, Installer, InstallerSwitches, Instal
 use yara_x::mods::PE;
 
 use super::{
-    super::Installers, AdvancedInstaller, Burn, InstallShield, Nsis, SevenZipSfx, Squirrel,
+    super::Installers, AdvancedInstaller, Burn, InstallShield, Nsis, Qt, SevenZipSfx, Squirrel,
     installshield::InstallShieldError,
 };
 use crate::{
     analysis::installers::{
-        advanced::AdvancedInstallerError, burn::BurnError, nsis::NsisError,
+        advanced::AdvancedInstallerError, burn::BurnError, nsis::NsisError, qt::QtError,
         sevenzip_sfx::SevenZipSfxError, squirrel::SquirrelError,
     },
     traits::FromMachine,
@@ -28,6 +28,7 @@ pub enum Exe {
     Inno(Box<Inno>),
     InstallShield(Box<InstallShield>),
     Nsis(Nsis),
+    Qt(Qt),
     SevenZipSfx(Box<SevenZipSfx>),
     Squirrel(Squirrel),
     Generic(Box<Installer>),
@@ -65,6 +66,12 @@ impl Exe {
             Err(error) => return Err(error.into()),
         }
 
+        match Qt::new(&mut reader, pe) {
+            Ok(qt) => return Ok(Self::Qt(qt)),
+            Err(QtError::NotQtFile) => {}
+            Err(error) => return Err(error.into()),
+        }
+
         match SevenZipSfx::new(&mut reader, pe) {
             Ok(sfx) => return Ok(Self::SevenZipSfx(Box::new(sfx))),
             Err(SevenZipSfxError::NotSevenZipSfx) => {}
@@ -135,6 +142,7 @@ impl Installers for Exe {
             Self::Inno(inno) => inno.installers(),
             Self::InstallShield(installshield) => installshield.installers(),
             Self::Nsis(nsis) => nsis.installers(),
+            Self::Qt(qt) => qt.installers(),
             Self::SevenZipSfx(sfx) => sfx.installers(),
             Self::Squirrel(squirrel) => squirrel.installers(),
             Self::Generic(installer) => vec![*installer.clone()],
diff --git a/src/analysis/installers/mod.rs b/src/analysis/installers/mod.rs
@@ -6,6 +6,7 @@ mod installshield;
 mod msi;
 pub mod msix_family;
 pub mod nsis;
+mod qt;
 mod sevenzip_sfx;
 pub mod squirrel;
 pub mod utils;
@@ -17,6 +18,7 @@ pub use exe::Exe;
 pub use installshield::InstallShield;
 pub use msi::Msi;
 pub use nsis::Nsis;
+pub use qt::Qt;
 pub use sevenzip_sfx::SevenZipSfx;
 pub use squirrel::Squirrel;
 pub use zip::Zip;
diff --git a/src/analysis/installers/qt.rs b/src/analysis/installers/qt.rs
@@ -0,0 +1,151 @@
+use std::{
+    collections::BTreeSet,
+    io::{Read, Seek, SeekFrom},
+};
+
+use byteorder::{BigEndian, ReadBytesExt};
+use serde::Deserialize;
+use thiserror::Error;
+use winget_types::{
+    Version,
+    installer::{
+        AppsAndFeaturesEntries, AppsAndFeaturesEntry, Architecture, ExpectedReturnCodes,
+        InstallModes, Installer, InstallerReturnCode, InstallerSwitches, InstallerType,
+        ReturnResponse,
+    },
+};
+use yara_x::mods::PE;
+
+use crate::{analysis::Installers, traits::FromMachine};
+
+#[derive(Error, Debug)]
+pub enum QtError {
+    #[error("Not a Qt Installer Framework installer")]
+    NotQtFile,
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(rename = "Updates")]
+struct Updates {
+    #[serde(rename = "ApplicationName")]
+    application_name: Option<String>,
+    #[serde(rename = "ApplicationVersion")]
+    application_version: Option<String>,
+    #[serde(rename = "PackageUpdate")]
+    package_updates: Option<Vec<PackageUpdate>>,
+}
+
+#[derive(Debug, Deserialize)]
+struct PackageUpdate {
+    #[serde(rename = "DisplayName")]
+    display_name: Option<String>,
+    #[serde(rename = "Version")]
+    version: Option<String>,
+}
+
+pub struct Qt {
+    architecture: Architecture,
+    updates: Updates,
+}
+
+impl Qt {
+    // Detects Qt Installer Framework (IFW) by parsing Updates.xml from the PE overlay's QT resource (qres)
+    // Installer config.xml has Publisher and DefaultInstallDirectory, but we'd need to traverse the file tree
+    pub fn new<R: Read + Seek>(mut reader: R, pe: &PE) -> Result<Self, QtError> {
+        let overlay_offset = pe.overlay.offset.ok_or(QtError::NotQtFile)?;
+
+        reader.seek(SeekFrom::Start(overlay_offset))?;
+
+        let mut magic = [0u8; 4];
+        reader.read_exact(&mut magic)?;
+        if &magic != b"qres" {
+            return Err(QtError::NotQtFile);
+        }
+
+        reader.seek(SeekFrom::Current(8))?; // Skip version and tree_offset
+        let data_offset = reader.read_u32::<BigEndian>()?;
+
+        reader.seek(SeekFrom::Start(overlay_offset + u64::from(data_offset)))?;
+
+        let size = reader.read_u32::<BigEndian>()? as usize;
+        let mut data = vec![0u8; size];
+        reader.read_exact(&mut data)?;
+
+        let updates: Updates =
+            quick_xml::de::from_str(std::str::from_utf8(&data).map_err(|_| QtError::NotQtFile)?)
+                .map_err(|_| QtError::NotQtFile)?;
+
+        Ok(Self {
+            architecture: Architecture::from_machine(pe.machine()),
+            updates,
+        })
+    }
+}
+
+impl Installers for Qt {
+    fn installers(&self) -> Vec<Installer> {
+        let package = self
+            .updates
+            .package_updates
+            .as_ref()
+            .and_then(|p| p.first());
+
+        let display_name = self
+            .updates
+            .application_name
+            .clone()
+            .or_else(|| package.and_then(|p| p.display_name.clone()));
+
+        let version = self
+            .updates
+            .application_version
+            .clone()
+            .or_else(|| package.and_then(|p| p.version.clone()));
+
+        vec![Installer {
+            architecture: self.architecture,
+            r#type: Some(InstallerType::Exe),
+            install_modes: InstallModes::all(),
+            switches: InstallerSwitches::builder()
+                .silent(
+                    "install --accept-licenses --accept-messages --confirm-command --default-answer"
+                        .parse()
+                        .unwrap(),
+                )
+                .silent_with_progress(
+                    "install --accept-licenses --accept-messages --confirm-command --default-answer"
+                        .parse()
+                        .unwrap(),
+                )
+                .install_location("--root \"<INSTALLPATH>\"".parse().unwrap())
+                .build(),
+            expected_return_codes: expected_return_codes(),
+            apps_and_features_entries: AppsAndFeaturesEntries::from(
+                AppsAndFeaturesEntry::builder()
+                    .maybe_display_name(display_name)
+                    .maybe_display_version(version.and_then(|v| v.parse::<Version>().ok()))
+                    .build(),
+            ),
+            ..Installer::default()
+        }]
+    }
+}
+
+// https://doc.qt.io/qtinstallerframework/qinstaller-packagemanagercore.html#Status-enum
+fn expected_return_codes() -> BTreeSet<ExpectedReturnCodes> {
+    use ReturnResponse::*;
+    [
+        (1, ContactSupport),
+        (2, InstallInProgress),
+        (3, CancelledByUser),
+    ]
+    .into_iter()
+    .map(|(code, response)| ExpectedReturnCodes {
+        installer_return_code: InstallerReturnCode::new(code),
+        return_response: response,
+        return_response_url: None,
+    })
+    .collect()
+}
