#1
DNiD 2 (modified by mammon)
https://bitbucket.org/styx2007/mu.dnid
This is not just a simple modification; it is a total re-write of the old project by Rue. It even now has features similar to those PEiD holds. The project will be updated weekly till I feel I'm happy with it, and there will be plugin support in the very near future.

Feel free to check it out. The actual binary-search engine is held back as closed-source in its own external DLL file for now; it may be open-sourced one day too... Hint: it's using multi-CPU when available.

Anyways, enjoy folks. I've tried to create it as simplistic and alike to PEiD as possible, but this tool is primarily for .NET compiled binaries (it will work with other PE files as well, and PEiD's signatures work too).
The Following 8 Users Say Thank You to n00b For This Useful Post:
alekine322 (01-24-2016), an0rma1 (01-16-2016), besoeso (01-15-2016), blue_devil (04-26-2017), nikkapedd (01-18-2016), rasta (03-17-2016), romero (04-09-2016), serseri_1453 (01-16-2016)
#2
Currently planned features for the next update (already in the works!):
* Complete PEiD plugin(s) support...
* Complete x64/x86 Native & .NET plugin(s) support...
* Add simple hex-viewer...
* Add simple disassembly-viewer...

And if no objections or errors are found, I will also add the binary-search algorithm to the actual source on the next update.
#3
I'm using Windows 8.1 x64. When I execute the app DNiD2.exe and press the "..." it doesn't work; when I execute it as admin, it doesn't work either.
I can only use drag and drop... BR, Apuromafo
The Following User Says Thank You to Apuromafo For This Useful Post:
n00b (01-15-2016)
#4
n00b: something is wrong here. I run it and only get a "vshost32.exe stopped working", "Windows can find a solution online..." blablabla...
First I ran the exe in the bin\release folder, but then I thought some DLLs were missing, so I copied the files mu.mulib.dll and reapertheme.dll into the folder, but it still doesn't work. Also running Windows 8.1 x64 here, fully updated.
#5
@n00b: nice project!
Here is my implementation of a parallel signature finder; it should be quite easy to add a few things to support parsing PEiD patterns. My pattern finder also supports nibble wildcards (for the slightly more fine-grained requirements).

https://github.com/mrexodia/PatternFinder

I also checked your implementation. It can be heavily optimised by taking the retrieval of the entry point out of the Parallel.ForEach loop; now it is executed every time. My pattern finder could easily be used for this by simply checking Signature.FoundOffset > File.EntryPoint. Feel free to use it if you want to.
The Following User Says Thank You to mr.exodia For This Useful Post:
n00b (01-17-2016)
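The nibble-wildcard signature matching and the entry-point check discussed in the post above, as an added Python example that is not code from DNiD or PatternFinder. The signature strings and sample bytes are constructed for illustration; the entry point is taken as a value the caller has already read once from the PE header, so it is never re-read inside the per-signature loop.

```python
# Added example, not code from DNiD or PatternFinder: PEiD-style signatures
# with byte ("??") and nibble ("5?", "?B") wildcards, scanned with the entry
# point resolved once by the caller instead of inside the per-signature loop.
import re
from dataclasses import dataclass

_TOKEN = re.compile(r"^[0-9A-Fa-f?]{2}$")   # one signature byte, '?' = wildcard nibble

@dataclass
class Signature:
    name: str
    values: bytes   # expected byte, wildcard nibbles zeroed
    masks: bytes    # 0xFF full byte, 0xF0 / 0x0F one nibble, 0x00 any byte
    ep_only: bool   # PEiD semantics: match only at the entry point

def parse_signature(name: str, pattern: str, ep_only: bool = True) -> Signature:
    """Compile '55 8B EC ?? 6? ?A' into parallel value/mask byte strings."""
    values, masks = bytearray(), bytearray()
    for tok in pattern.split():
        if not _TOKEN.match(tok):
            raise ValueError(f"bad signature token {tok!r}")
        hi, lo = tok[0], tok[1]
        mask = (0xF0 if hi != "?" else 0) | (0x0F if lo != "?" else 0)
        value = ((int(hi, 16) << 4) if hi != "?" else 0) | (int(lo, 16) if lo != "?" else 0)
        values.append(value); masks.append(mask)
    return Signature(name, bytes(values), bytes(masks), ep_only)

def matches_at(data: bytes, sig: Signature, offset: int) -> bool:
    """True if sig matches data at exactly this offset (nibble-masked compare)."""
    if offset < 0 or offset + len(sig.values) > len(data):
        return False
    return all((data[offset + i] & m) == v
               for i, (v, m) in enumerate(zip(sig.values, sig.masks)))

def find_all(data: bytes, sig: Signature) -> list[int]:
    """Every offset where sig matches (the whole-file scan used when ep_only is False)."""
    return [o for o in range(len(data) - len(sig.values) + 1) if matches_at(data, sig, o)]

def scan(data: bytes, entry_point: int, sigs: list[Signature]) -> dict[str, list[int]]:
    """entry_point is read from the PE header once by the caller, not per signature."""
    hits: dict[str, list[int]] = {}
    for sig in sigs:
        if sig.ep_only:
            found = [entry_point] if matches_at(data, sig, entry_point) else []
        else:
            found = find_all(data, sig)
        if found:
            hits[sig.name] = found
    return hits

# Constructed sample: 16 bytes of padding, then a fake entry-point prologue at offset 16.
SAMPLE = bytes(16) + bytes.fromhex("558BEC6A10687CDE0000E8") + bytes(8)
SAMPLE_EP = 16
```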
#6
Quote:
@Apuromafo: Yeah, I noticed; seems I forgot to add the OpenFileDialog function there :P

@an0rma1: I have seriously no idea why you get that error; seems to me that you have some issues with your locally installed .NET Framework or something...

@mr.exodia: Yeah, thanks man. I'm gonna do you a better one: next version I'll add the possibility of choosing which pattern-finder algorithm one wishes to use, so for instance if they wanna use yours, they can, and vice versa... Just to make the possibilities endless.
#7
@n00b: Nah, don't bother with multiple pattern finders; use my code or take the ideas you like and discard it. I just did it for fun and for the benefit of the open source community. You might also wanna look into Yara; it basically does all your scanner does, but with a script language, plus you can load those signature files in x64dbg. Worth checking out I'd say.
The Following User Says Thank You to mr.exodia For This Useful Post:
n00b (01-17-2016)
#8
@n00b: my .NET installations are OK, all programs work perfectly (except yours).

Anyway, does anyone know if anyone has implemented advanced algos for exe/file identification? I mean Aho-Corasick, for example. More info here: http://webglimpse.net/pubs/TR94-17.pdf (also parallelizable with multicores) (look for it in Google). I used some ideas a long time ago for a spellchecker (finally used binary parallel search with k-mismatches; a 32-bit word enabled me to search for 32-letter words), but it seems these are better...

Last edited by an0rma1; 01-17-2016 at 22:58.
#9
@an0rma1: I looked into Horspool and friends, but it didn't want to work very well with nibble wildcards in the minimal time I spent on it. It might be worth looking into, but I doubt anyone is ever going to run into huge performance issues with a tool like this.

Yara uses Aho-Corasick for pattern finding.
The Following User Says Thank You to mr.exodia For This Useful Post:
zeffy (01-16-2020)
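The single-pass multi-signature search that the reply above attributes to Yara (and that the question before it asks about), as an added Python example that is not code from Yara, DNiD or PatternFinder: a minimal Aho-Corasick automaton over fixed-byte signatures, without wildcards. The signature set and sample buffer are constructed for illustration.

```python
# Added example, not code from Yara, DNiD or PatternFinder: a minimal
# Aho-Corasick automaton that matches a whole set of fixed-byte signatures in
# one pass over the data, instead of one scan per signature.
from collections import deque

class ByteAhoCorasick:
    def __init__(self, signatures: dict[str, bytes]):
        self.patterns = dict(signatures)
        self.goto = [{}]      # per state: next byte -> next state (trie edges)
        self.fail = [0]       # per state: longest proper suffix that is also a trie path
        self.out = [[]]       # per state: signature names that end in this state
        for name, pat in self.patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = self._new_state()
                s = self.goto[s][b]
            self.out[s].append(name)
        self._build_failure_links()

    def _new_state(self) -> int:
        self.goto.append({}); self.fail.append(0); self.out.append([])
        return len(self.goto) - 1

    def _build_failure_links(self) -> None:
        # BFS from the root: depth-1 states fail to the root; deeper states follow
        # their parent's failure chain until a state has the same outgoing byte.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit matches of shorter suffixes

    def scan(self, data: bytes) -> list[tuple[int, str]]:
        """(start offset, signature name) for every occurrence, in data order."""
        hits, s = [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for name in self.out[s]:
                hits.append((i - len(self.patterns[name]) + 1, name))
        return hits

# Constructed sample signatures and buffer (illustrative, not real PEiD entries).
SIGNATURES = {"prologue": bytes.fromhex("558BEC"), "push_imm8": bytes.fromhex("558BEC6A"),
              "call_rel": bytes.fromhex("E8"), "nop_prologue": bytes.fromhex("90558B")}
DATA = bytes.fromhex("9090558BEC6A10E800000000558BEC83")
```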
#10
+Added a simple disassembly-view window...
+Added a simple error-report window...
*Fixed occurring errors on re-launching, due to parallelization...
*Changed so all Native DLL methods are located in 1 place...
*Changed compilation mode to x86 - and it still is able to scan x64 binaries...

Woah! Another update for you peeps
The Following User Gave Reputation+1 to n00b For This Useful Post:
mr.exodia (01-27-2016)
The Following User Says Thank You to n00b For This Useful Post:
Daz Hat (09-18-2022)
#11
@n00b thanks for updating!!

(Sorry for the offtopic.) @mrexodia, Yara is great! It reminds me in some way of SQL: very easy syntax, simple, but hugely powerful. When I read about it months ago I wondered why no one had come up with something like that in all these years of virus/malware/etc. research.

Talking about multistring wildcard searching, I guess this is how antivirus always worked? Years ago I read the Clam AntiVirus source, but I can't remember right now. I know they also search for hashes, and obviously the inner workings are much, much more complex, but I never read too much about it. And the old Kaspersky source was leaked years ago...
The Following User Says Thank You to an0rma1 For This Useful Post:
mr.exodia (01-21-2016)
#12
[2016/01/23] - 2.0.4.0: (by mammon)
=======================
+Added a simple hex-view window...
+Added Be.Windows.Forms.HexBox as an included project in the solution...
*Changed disassembler method to use SharpDisasm instead...
*Minor code-cleanup performed...
-Removed BeaEngine fully from the project...
#13
I think initially it was based on Kumar & Spafford's article "A Generic Virus Scanner in C++".
#14
Quote:
NB: The build is failing on AppVeyor because it fails to add the "DllExport" package to the included Sample Plugin automatically...
#15
Quote:
The Following User Gave Reputation+1 to n00b For This Useful Post:
tonyweb (04-03-2016)