From e5e3f3e3eff9e154d721d93285066bcb85d63ebd Mon Sep 17 00:00:00 2001
From: TheRogueArchivist <24215969+TheRogueArchivist@users.noreply.github.com>
Date: Wed, 17 Apr 2024 17:30:57 -0600
Subject: [PATCH] Add check for StarForce driver removal tool (#301)
---
 BinaryObjectScanner/Protection/StarForce.cs | 54 +++++++++++----------
 1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/BinaryObjectScanner/Protection/StarForce.cs b/BinaryObjectScanner/Protection/StarForce.cs
index 0086b8c7..e0089ae3 100644
--- a/BinaryObjectScanner/Protection/StarForce.cs
+++ b/BinaryObjectScanner/Protection/StarForce.cs
@@ -27,7 +27,35 @@ namespace BinaryObjectScanner.Protection
 if (sections == null)
 return null;
- var name = pex.LegalCopyright;
+ // TODO: Find what fvinfo field actually maps to this
+ var name = pex.FileDescription;
+
+ // There are some File Description checks that are currently too generic to use.
+ // "Host Library" - Found in "protect.dll" in Redump entry 81756.
+ // "User Interface Application" - Found in "protect.exe" in Redump entry 81756.
+ // "Helper Application" - Found in "protect.x64" and "protect.x86" in Redump entry 81756.
+
+ // Found in "sfdrvrem.exe" in Redump entry 102677.
+ if (name?.Contains("FrontLine Drivers Removal Tool") == true)
+ return $"StarForce FrontLine Driver Removal Tool";
+
+ // Found in "protect.exe" in Redump entry 94805.
+ if (name?.Contains("FrontLine Protection GUI Application") == true)
+ return $"StarForce {pex.GetInternalVersion()}";
+
+ // Found in "protect.dll" in Redump entry 94805.
+ if (name?.Contains("FrontLine Protection Library") == true)
+ return $"StarForce {pex.GetInternalVersion()}";
+
+ // Found in "protect.x64" and "protect.x86" in Redump entry 94805.
+ if (name?.Contains("FrontLine Helper") == true)
+ return $"StarForce {pex.GetInternalVersion()}";
+
+ // TODO: Find a sample of this check.
+ if (name?.Contains("Protected Module") == true)
+ return $"StarForce 5";
+
+ name = pex.LegalCopyright;
 if (name?.StartsWith("(c) Protection Technology") == true) // (c) Protection Technology (StarForce)?
 return $"StarForce {pex.GetInternalVersion()}";
 else if (name?.Contains("Protection Technology") == true) // Protection Technology (StarForce)?
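Review bot: Moving the whole FileDescription block above the LegalCopyright checks also moves the unsampled `"Protected Module"` test (still marked `// TODO: Find a sample of this check.`) ahead of them, so a file matching both now reports the fixed `StarForce 5` instead of the copyright branch's `StarForce {pex.GetInternalVersion()}`. Only the `"FrontLine Drivers Removal Tool"` check appears to need the earlier position, so consider leaving the `"Protected Module"` test after the copyright checks and stating the ordering reason, e.g. `// Checked before LegalCopyright so the removal tool is not reported as a protected executable.` (presumably the intent; the hunk does not say). The returns `$"StarForce FrontLine Driver Removal Tool"` and `$"StarForce 5"` have no placeholders and can drop the `$`, and the label says "Driver" where the matched string says "Drivers". The enclosing method starts and ends outside the hunk, so the checks that sit between the two hunks are not visible here.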
@@ -61,30 +89,6 @@ namespace BinaryObjectScanner.Protection
 return $"StarForce {pex.GetInternalVersion()}";
 }
- // TODO: Find what fvinfo field actually maps to this
- name = pex.FileDescription;
-
- // There are some File Description checks that are currently too generic to use.
- // "Host Library" - Found in "protect.dll" in Redump entry 81756.
- // "User Interface Application" - Found in "protect.exe" in Redump entry 81756.
- // "Helper Application" - Found in "protect.x64" and "protect.x86" in Redump entry 81756.
-
- // Found in "protect.exe" in Redump entry 94805.
- if (name?.Contains("FrontLine Protection GUI Application") == true)
- return $"StarForce {pex.GetInternalVersion()}";
-
- // Found in "protect.dll" in Redump entry 94805.
- if (name?.Contains("FrontLine Protection Library") == true)
- return $"StarForce {pex.GetInternalVersion()}";
-
- // Found in "protect.x64" and "protect.x86" in Redump entry 94805.
- if (name?.Contains("FrontLine Helper") == true)
- return $"StarForce {pex.GetInternalVersion()}";
-
- // TODO: Find a sample of this check.
- if (name?.Contains("Protected Module") == true)
- return $"StarForce 5";
-
 // TODO: Check to see if there are any missing checks
 // https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/StarForce.2.sg