Add Ghost Installer detection (fixes #103)

Author: mnadareski

BinaryObjectScanner/Packer/GhostInstaller.cs

@@ -0,0 +1,32 @@
+using System;
+using BinaryObjectScanner.Interfaces;
+using SabreTools.Matching;
+using SabreTools.Serialization.Wrappers;
+
+namespace BinaryObjectScanner.Packer
+{
+    /// <summary>
+    /// Ghost Installer
+    /// </summary>
+    public class GhostInstaller : IExecutableCheck<PortableExecutable>
+    {
+        /// <inheritdoc/>
+        public string? CheckExecutable(string file, PortableExecutable exe, bool includeDebug)
+        {
+            // <see href="https://www.virustotal.com/gui/file/b2fc4cffe5131195baf419e96c9fa68c3f23208986fb14e3c5b458b1e7d6af89/details"/>
+            var overlayData = exe.OverlayData;
+            if (overlayData != null)
+            {
+                // GIPEND
+                if (overlayData.EndsWith([0x47, 0x49, 0x50, 0x45, 0x4E, 0x44]))
+                    return "Ghost Installer";
+            }
+
+            // <see href="https://www.virustotal.com/gui/file/b2fc4cffe5131195baf419e96c9fa68c3f23208986fb14e3c5b458b1e7d6af89/details"/>
+            if (exe.FindDialogBoxByItemTitle("Ghost Installer initializing...").Count > 0)
+                return "Ghost Installer";
+
+            return null;
+        }
+    }
+}

README.md

@@ -155,6 +155,7 @@ Below is a list of executable packers detected by BinaryObjectScanner. The three
 | Embedded File | Yes | No | Yes | Not technically a packer |
 | EXE Stealth | Yes | No | No | |
 | Gentee Installer | Yes | No | No | Includes "Create Install 2003" |
+| Ghost Installer | Yes | No | No | |
 | GkWare SFX | Yes | No | No | |
 | GP-Install | Yes | No | No | |
 | HyperTech CrackProof | Yes | No | No | |