Initial addition of Rainbow Sentinel (#166)

* Initial addition of Rainbow Sentinel

* Basic detection based off of one sample, no specific research/notes.

* Update README.

* Add additional sample sources for Rainbow Sentinel

* Add additional sample sources for Rainbow Sentinel, with no new functionality.

* Add Rainbow Sentinel text checks

* Add Rainbow Sentinel text checks.

BurnOutSharp/FileType/Textfile.cs

@@ -43,6 +43,14 @@ namespace BurnOutSharp.FileType
             if (magic.StartsWith(new byte?[] { 0x61, 0x4C, 0x75, 0x5A }))
                 return true;
 
+            // Windows Help File
+            if (magic.StartsWith(new byte?[] { 0x3F, 0x5F, 0x03, 0x00 }))
+                return true;
+
+            // Setup information
+            if (string.Equals(extension?.TrimStart('.'), "inf", StringComparison.OrdinalIgnoreCase))
+                return true;
+
             // InstallShield Script
             if (string.Equals(extension?.TrimStart('.'), "ins", StringComparison.OrdinalIgnoreCase))
                 return true;
@@ -118,6 +126,15 @@ namespace BurnOutSharp.FileType
                 if (fileContent.Contains("phenoProtect"))
                     Utilities.AppendToDictionary(protections, file, "phenoProtect");
 
+                // Rainbow Sentinel
+                // Found in "SENTW95.HLP" and "SENTINEL.HLP" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+                if (fileContent.Contains("Rainbow Sentinel Driver Help"))
+                    Utilities.AppendToDictionary(protections, file, "Rainbow Sentinel");
+
+                // Found in "OEMSETUP.INF" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+                if (fileContent.Contains("Sentinel Driver Disk"))
+                    Utilities.AppendToDictionary(protections, file, "Rainbow Sentinel");
+
                 // The full line from a sample is as follows:
                 //
                 // The files securom_v7_01.dat and securom_v7_01.bak have been created during the installation of a SecuROM protected application.

BurnOutSharp/ProtectionType/RainbowSentinel.cs

@@ -0,0 +1,164 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using BurnOutSharp.ExecutableType.Microsoft.PE;
+using BurnOutSharp.Interfaces;
+using BurnOutSharp.Matching;
+
+namespace BurnOutSharp.ProtectionType
+{
+    /// <summary>
+    /// Rainbow Technologies Sentinel (https://www.rainbow.com.my) is a family of DRM products.
+    /// Rainbow Sentinel SuperPro: https://www.rainbow.com.my/superpro.php
+    /// TODO: Investigate other versions/products.
+    /// TODO: See if this is at all related to https://cpl.thalesgroup.com/software-monetization/all-products/sentinel-hl.
+    /// </summary>
+    public class RainbowSentinel : IPathCheck, IPortableExecutableCheck
+    {
+        /// <inheritdoc/>
+        public string CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+        {
+            // Get the sections from the executable, if possible
+            var sections = pex?.SectionTable;
+            if (sections == null)
+                return null;
+
+            // Get the .data section, if it exists
+            if (pex.DataSectionRaw != null)
+            {
+                var matchers = new List<ContentMatchSet>
+                {
+                    // Rainbow SentinelSuperPro
+                    // Found in "ADESKSYS.DLL"/"WINADMIN.EXE"/"WINQUERY.EXE" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\netsetup\SUPPORT\IPX".
+                    new ContentMatchSet(new byte?[]
+                    {
+                        0x52, 0x61, 0x69, 0x6E, 0x62, 0x6F, 0x77, 0x20,
+                        0x53, 0x65, 0x6E, 0x74, 0x69, 0x6E, 0x65, 0x6C,
+                        0x53, 0x75, 0x70, 0x65, 0x72, 0x50, 0x72, 0x6F
+                    }, "Rainbow Sentinel SuperPro"),
+                };
+
+                string match = MatchUtil.GetFirstMatch(file, pex.DataSectionRaw, matchers, includeDebug);
+                if (!string.IsNullOrWhiteSpace(match))
+                    return match;
+            }
+
+            // Get the .text section, if it exists
+            if (pex.TextSectionRaw != null)
+            {
+                var matchers = new List<ContentMatchSet>
+                {
+                    // SENTINEL.VXD
+                    // Found in "ACLT.HWL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\aclt\DRV\W95LOCK".
+                    // Found in "ACAD.HWL" in BA entry "Autodesk AutoCAD r14 (1997)" and IA item "auto-cad-r14-cdrom".
+                    new ContentMatchSet(new byte?[]
+                    {
+                        0x53, 0x45, 0x4E, 0x54, 0x49, 0x4E, 0x45, 0x4C, 0x2E, 0x56, 0x58, 0x44
+                    }, "Rainbow Sentinel"),
+
+                    // Rainbow SentinelSuperPro
+                    // Found in "ADESKSYS.DLL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\netsetup\SUPPORT\IPX".
+                    // TODO: Investigate "Elan License Manager" mentioned here.
+                    new ContentMatchSet(new byte?[]
+                    {
+                        0x52, 0x61, 0x69, 0x6E, 0x62, 0x6F, 0x77, 0x20, 
+                        0x53, 0x65, 0x6E, 0x74, 0x69, 0x6E, 0x65, 0x6C,
+                        0x53, 0x75, 0x70, 0x65, 0x72, 0x50, 0x72, 0x6F
+                    }, "Rainbow Sentinel SuperPro"),
+                };
+
+                string match = MatchUtil.GetFirstMatch(file, pex.TextSectionRaw, matchers, includeDebug);
+                if (!string.IsNullOrWhiteSpace(match))
+                    return match;
+            }
+
+            // TODO: Figure out why resources for "RNBOVTMP.DLL", "SENTTEMP.DLL", and "SNTI386.DLL" aren't getting read properly, causing checks for these files to not work.
+
+            string name = pex.FileDescription;
+
+            // Found in "RNBOVTMP.DLL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+            if (name?.Equals("Rainbow Technologies Virtual Device Driver", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            // Found in "SENTTEMP.DLL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+            if (name?.Equals("Rainbow Technologies Sentinel Driver", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            // Found in "SETUPX86.EXE"/"SENTW95.EXE" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+            if (name?.Equals("Sentinel Driver Setup DLL", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            // Found in "SNTI386.DLL"/"SENTW95.DLL" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+            if (name?.Equals("Install, Setup - Sentinel Driver", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            name = pex.ProductName;
+
+            // Found in multiple files in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", including "RNBOVTMP.DLL", "SENTTEMP.DLL", and "SNTI386.DLL".
+            if (name?.Equals("Rainbow Technologies Sentinel", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            // Found in "SETUPX86.EXE"/"SENTW95.EXE" in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]".
+            if (name?.Equals("Sentinel Driver Setup", StringComparison.OrdinalIgnoreCase) == true)
+                return $"Rainbow Sentinel {pex.ProductVersion}";
+
+            return null;
+        }
+
+        /// <inheritdoc/>
+        public ConcurrentQueue<string> CheckDirectoryPath(string path, IEnumerable<string> files)
+        {
+            var matchers = new List<PathMatchSet>
+            {
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]" and IA item "auto-cad-r14-cdrom".
+                new PathMatchSet(new PathMatch("SENTINEL.VXD", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTSTRT.EXE", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.DLL", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.EXE", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.HLP", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]" and in IA item "auto-cad-r14-cdrom".
+                new PathMatchSet(new PathMatch("SNTI386.DLL", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]" and in IA item "auto-cad-r14-cdrom".
+                new PathMatchSet(new PathMatch("RNBOVTMP.DLL", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTINEL.HLP", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTTEMP.SYS", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entries "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]" and "Autodesk AutoCAD r14 (1997)", and IA item "auto-cad-r14-cdrom".
+                new PathMatchSet(new PathMatch("RAINB95.Z", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("RAINBNT.Z", useEndsWith: true), "Rainbow Sentinel"),
+            };
+
+            return MatchUtil.GetAllMatches(files, matchers, any: true);
+        }
+
+        /// <inheritdoc/>
+        public string CheckFilePath(string path)
+        {
+            var matchers = new List<PathMatchSet>
+            {
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\aclt\DRV\W95LOCK".
+                new PathMatchSet(new PathMatch("SENTINEL.VXD", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTSTRT.EXE", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.DLL", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.EXE", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTW95.HLP", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\aclt\DRV\NTLOCK".
+                new PathMatchSet(new PathMatch("SNTI386.DLL", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\aclt\DRV\NTLOCK\I386".
+                new PathMatchSet(new PathMatch("RNBOVTMP.DLL", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTINEL.HLP", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("SENTTEMP.SYS", useEndsWith: true), "Rainbow Sentinel"),
+
+                // Found in BA entry "Autodesk AutoCAD LT 98 (1998) (CD) [English] [Dutch]", folder "\data".
+                new PathMatchSet(new PathMatch("RAINB95.Z", useEndsWith: true), "Rainbow Sentinel"),
+                new PathMatchSet(new PathMatch("RAINBNT.Z", useEndsWith: true), "Rainbow Sentinel"),
+            };
+
+            return MatchUtil.GetFirstMatch(path, matchers, any: true);
+        }
+    }
+}

README.md

@@ -75,6 +75,7 @@ Below is a list of protections detected by BurnOutSharp. The two columns explain
 | ProtectDISC / VOB ProtectCD/DVD | True | False | |
 | Protect DVD-Video | False | True | Unconfirmed¹ |
 | PlayStation Anti-modchip | True | False | En/Jp, not "Red Hand"; PSX executables only |
+| Rainbow Sentinel | True | True | |
 | Ring PROTECH / ProRing | True | True | Partially unconfirmed² |
 | SafeDisc / SafeCast | True | True | Can't distinguish between some versions of SafeDisc and SafeCast |
 | SafeLock | False | True | |