From d1398791f54aa03adc9589cd8525ec46220aeb5a Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Mon, 8 Sep 2025 08:27:40 -0400
Subject: [PATCH] Add Ghost Installer detection (fixes #103)

---
 BinaryObjectScanner/Packer/GhostInstaller.cs | 32 ++++++++++++++++++++
 README.md | 1 +
 2 files changed, 33 insertions(+)
 create mode 100644 BinaryObjectScanner/Packer/GhostInstaller.cs

diff --git a/BinaryObjectScanner/Packer/GhostInstaller.cs b/BinaryObjectScanner/Packer/GhostInstaller.cs
new file mode 100644
index 00000000..e665ddbc
--- /dev/null
+++ b/BinaryObjectScanner/Packer/GhostInstaller.cs
@@ -0,0 +1,32 @@
+using System;
+using BinaryObjectScanner.Interfaces;
+using SabreTools.Matching;
+using SabreTools.Serialization.Wrappers;
+
+namespace BinaryObjectScanner.Packer
+{
+ ///
+ /// Ghost Installer
+ ///
+ public class GhostInstaller : IExecutableCheck
+ {
+ ///
+ public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
+ {
+ //
+ var overlayData = exe.OverlayData;
+ if (overlayData != null)
+ {
+ // GIPEND
+ if (overlayData.EndsWith([0x47, 0x49, 0x50, 0x45, 0x4E, 0x44]))
+ return "Ghost Installer";
+ }
+
+ //
+ if (exe.FindDialogBoxByItemTitle("Ghost Installer initializing...").Count > 0)
+ return "Ghost Installer";
+
+ return null;
+ }
+ }
+}
diff --git a/README.md b/README.md
index 37e98823..3b3467e1 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,7 @@ Below is a list of executable packers detected by BinaryObjectScanner. The three
 | Embedded File | Yes | No | Yes | Not technically a packer |
 | EXE Stealth | Yes | No | No | |
 | Gentee Installer | Yes | No | No | Includes "Create Install 2003" |
+| Ghost Installer | Yes | No | No | |
 | GkWare SFX | Yes | No | No | |
 | GP-Install | Yes | No | No | |
 | HyperTech CrackProof | Yes | No | No | |
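Review bot: The `GIPEND` test in `CheckExecutable` only fires when those six bytes are the very last bytes of `exe.OverlayData` (it uses `EndsWith`), so a Ghost Installer file with anything appended after the marker is identified solely by the dialog-title check below it. Whether `OverlayData` includes an appended Authenticode certificate is not visible in this hunk, so this may or may not affect signed installers; it is worth confirming against a signed sample. The comment lines above both checks are empty (`//`) in the text shown, so I would record the assumption there, e.g. `// "GIPEND" end marker, expected as the final 6 bytes of the overlay; files with trailing data rely on the dialog check below`. `using System;` also looks unused in the file as shown and could be dropped if no target framework needs it.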