Add Create Install 2003 detection, add resource checks (fixes #96)

2026-02-04 05:35:49 +00:00 · 2025-09-07 21:17:37 -04:00
parent 4420021cbe
commit 42dd33c8bd
3 changed files with 38 additions and 6 deletions
--- a/BinaryObjectScanner/Packer/GenteeInstaller.cs
+++ b/BinaryObjectScanner/Packer/GenteeInstaller.cs
@@ -1,4 +1,6 @@
+using System;
 using BinaryObjectScanner.Interfaces;
+using SabreTools.Models.PortableExecutable.ResourceEntries;
 using SabreTools.Serialization.Wrappers;

 namespace BinaryObjectScanner.Packer
@@ -21,9 +23,23 @@ namespace BinaryObjectScanner.Packer
                    return "Gentee Installer";
            }

-            // TODO: Add assembly identity name check as well: "Gentee.Installer.Install"
-            // Requires adding a helper to get the first Assembly Identity whose name is not null
-            // This was found in a "Create Install 2003"-made installer
+            // Get the resource data
+            // TODO: This should be replaced by a helper method on the wrapper
+            var resourceData = exe.ResourceData;
+            if (resourceData != null)
+            {
+                var resourceValue = Array.Find([.. resourceData.Values], rd => rd is AssemblyManifest);
+                if (resourceValue != null && resourceValue is AssemblyManifest manifest)
+                {
+                    var identities = manifest?.AssemblyIdentities ?? [];
+                    var nameIdentity = Array.Find(identities, ai => !string.IsNullOrEmpty(ai?.Name));
+
+                    // <see href="https://www.virustotal.com/gui/file/40e222d35fe8bdd94360462e2f2b870ec7e2c184873e2a481109408db790bfe8/details"/>
+                    // This was found in a "Create Install 2003"-made installer
+                    if (nameIdentity?.Name == "Gentee.Installer.Install")
+                        return "Gentee Installer";
+                }
+            }

            return null;
        }
--- a/BinaryObjectScanner/Packer/SpoonInstaller.cs
+++ b/BinaryObjectScanner/Packer/SpoonInstaller.cs
@@ -1,4 +1,6 @@
+using System;
 using BinaryObjectScanner.Interfaces;
+using SabreTools.Models.PortableExecutable.ResourceEntries;
 using SabreTools.Serialization.Wrappers;

 namespace BinaryObjectScanner.Packer
@@ -16,8 +18,22 @@ namespace BinaryObjectScanner.Packer
            if (name.OptionalEquals("Spoon Installer"))
                return "Spoon Installer";

-            // TODO: Add assembly identity name check as well: "Illustrate.Spoon.Installer"
-            // Requires adding a helper to get the first Assembly Identity whose name is not null
+            // Get the resource data
+            // TODO: This should be replaced by a helper method on the wrapper
+            var resourceData = exe.ResourceData;
+            if (resourceData != null)
+            {
+                var resourceValue = Array.Find([.. resourceData.Values], rd => rd is AssemblyManifest);
+                if (resourceValue != null && resourceValue is AssemblyManifest manifest)
+                {
+                    var identities = manifest?.AssemblyIdentities ?? [];
+                    var nameIdentity = Array.Find(identities, ai => !string.IsNullOrEmpty(ai?.Name));
+
+                    // <see href="https://www.virustotal.com/gui/file/ad876d9aa59a2c51af776ce7c095af69f41f2947c6a46cfe87a724ecf8745084/details"/>
+                    if (nameIdentity?.Name == "Illustrate.Spoon.Installer")
+                        return "Spoon Installer";
+                }
+            }

            return null;
        }
--- a/README.md
+++ b/README.md
@@ -154,7 +154,7 @@ Below is a list of executable packers detected by BinaryObjectScanner. The three
 | dotFuscator | Yes | No | No | |
 | Embedded File | Yes | No | Yes | Not technically a packer |
 | EXE Stealth | Yes | No | No | |
-| Gentee Installer | Yes | No | No | |
+| Gentee Installer | Yes | No | No | Includes "Create Install 2003" |
 | GkWare SFX | Yes | No | No | |
 | GP-Install | Yes | No | No | |
 | HyperTech CrackProof | Yes | No | No | |