Exetools  
#1
01-15-2016, 01:58 - n00b
DNiD 2 (modified by mammon)

https://bitbucket.org/styx2007/mu.dnid

This is not just a simple modification, it is a total rewrite of the old project by Rue.
It now even has features similar to those PEiD holds - the project will be updated weekly until I feel I'm happy with it, and there will be plugin support in the very near future.

Feel free to check it out; the actual binary-search engine is held back as closed source in its own external DLL file for now - it may be open-sourced one day too... Hint: it uses multiple CPUs when available.

Anyway, enjoy folks - I've tried to make it as simple as, and similar to, PEiD, but this tool is primarily for .NET-compiled binaries (it will work with other PE files as well, and PEiD's signatures work too).
#2
01-15-2016, 05:44 - n00b
Currently planned features for the next update: (Already in the works!)
*Complete PEiD plugin(s) support...
*Complete x64/x86 Native & .NET plugin(s) support...
*Add simple hex-viewer...
*Add simple disassembly-viewer...

And if no objections or errors are found, I will also add the binary-search algorithm to the actual source on the next update.
#3
01-15-2016, 11:15 - Apuromafo
I'm using Windows 8.1 x64. When I execute the app DNiD2.exe and press the "..." button it doesn't work; when I execute it as admin, it doesn't work either.
I can only use drag and drop...

BR, Apuromafo
#4
01-16-2016, 20:24 - an0rma1
n00b: something is wrong here, I ran it and only got "vshost32.exe has stopped working", "Windows can check for a solution online..." blah blah...

First I ran the exe in the bin\release folder, but then I thought some DLLs were missing, so I copied the files mu.mulib.dll and reapertheme.dll into the folder, but it still doesn't work.

Also running Windows 8.1 x64 here, fully updated.
#5
01-17-2016, 04:02 - mr.exodia
@n00b: nice project!

Here is my implementation of a parallel signature finder; it should be quite easy to add a few things to support parsing PEiD patterns. My pattern finder also supports nibble wildcards (for slightly more fine-grained requirements).

https://github.com/mrexodia/PatternFinder

I also checked your implementation. It can be heavily optimised by taking the retrieval of the entry point out of the Parallel.ForEach loop; right now it is executed every time. My pattern finder could easily be used for this by simply checking Signature.FoundOffset > File.EntryPoint.

Feel free to use it if you want to.
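Worked example of the scanner logic this post discusses, added here for the thread; it is neither DNiD2's code nor mr.exodia's PatternFinder. It assumes PEiD's userdb layout (hex bytes, `??` for any byte, an ep_only flag) extended with the nibble wildcards mentioned above (`5?` matches 0x50..0x5F), resolves the entry point once before the per-signature loop instead of inside it, and tests ep_only signatures at that file offset. The minimal PE image and the three demo signatures are constructed for the example and are not from any real database.

```python
# Added example for this thread, not DNiD2's or PatternFinder's code.
# Assumptions: PEiD-style signature text with '??' (any byte) and nibble
# wildcards such as '5?' (0x50..0x5F); the PE image and the demo
# signatures below are constructed for the example.
import struct
from concurrent.futures import ThreadPoolExecutor


def parse_signature(text):
    """Turn 'E8 ?? ?? ?? ?? 5?' into (value, mask) byte pairs.

    A '?' in a nibble clears that nibble's mask bits, so '5?' becomes
    (0x50, 0xF0) and '??' becomes (0x00, 0x00)."""
    pattern = []
    for tok in text.split():
        if len(tok) != 2:
            raise ValueError("bad signature token %r" % tok)
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        pattern.append((value, mask))
    return pattern


def match_at(data, pattern, offset):
    """True if every byte of the pattern matches data at offset under its mask."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all((data[offset + i] & m) == v for i, (v, m) in enumerate(pattern))


def find_first(data, pattern):
    """Naive forward scan; returns the first matching offset or -1."""
    for off in range(len(data) - len(pattern) + 1):
        if match_at(data, pattern, off):
            return off
    return -1


def pe_entry_point_offset(data):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table.
    The fields read here sit at the same positions in PE32 and PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                          # optional header start
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    sec = opt + opt_size                         # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return entry_rva - vaddr + rawptr
    raise ValueError("entry point RVA 0x%X is outside every section" % entry_rva)


def scan(data, signatures):
    """Run every signature; ep_only ones are tested at the entry point only.
    The entry point is resolved once, outside the per-signature loop (the
    optimisation suggested above). Threads stand in for Parallel.ForEach."""
    ep = pe_entry_point_offset(data)

    def check(sig):
        name, text, ep_only = sig
        pattern = parse_signature(text)
        if ep_only:
            return name, (ep if match_at(data, pattern, ep) else -1)
        return name, find_first(data, pattern)

    with ThreadPoolExecutor() as pool:
        return {name: off for name, off in pool.map(check, signatures) if off >= 0}


def build_sample_pe(code, code_rva=0x1000, code_offset=0x200):
    """Constructed minimal PE32: DOS header, NT headers, one .text section."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(code), 0, 0, code_rva)  # AddressOfEntryPoint at +16
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), code_rva, len(code), code_offset, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0") + section
    return headers.ljust(code_offset, b"\0") + code


# Constructed sample: an MSVC-looking prologue at the entry point and an
# unrelated pushad / mov esi sequence further into .text.
SAMPLE_CODE = (b"\x55\x8B\xEC\x83\xEC\x10"     # push ebp; mov ebp,esp; sub esp,0x10
               + b"\xE8\x00\x00\x00\x00"       # call rel32 (placeholder target)
               + b"\x90" * 16
               + b"\x60\xBE\x00\x10\x41\x00"   # pushad; mov esi,0x00411000
               + b"\xC3")
SAMPLE_PE = build_sample_pe(SAMPLE_CODE)

# Demo signatures in PEiD's (name, hex, ep_only) shape; not from any real database.
SIGNATURES = [
    ("demo: MSVC-like prologue", "55 8B EC 83 EC ?? E8", True),
    ("demo: pushad + mov esi imm32 (nibble wildcard)", "60 BE ?? ?? 4? 00", False),
    ("demo: pushad at EP only", "60 BE ?? ?? ?? 00", True),
]


def scan_sample():
    return scan(SAMPLE_PE, SIGNATURES)


if __name__ == "__main__":
    print("entry point file offset: 0x%X" % pe_entry_point_offset(SAMPLE_PE))
    for name, off in scan_sample().items():
        print("%-48s @ 0x%X" % (name, off))
```

The third demo signature is present in the file but not at the entry point, so its ep_only flag correctly suppresses the hit; that is the difference between a packer signature and a mere "bytes exist somewhere" match.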
#6
01-17-2016, 21:10 - n00b
Quote:
+Added complete PEiD plugin(s) support... (this is a bit buggy!)
*Fixed "Open File" issue... (thx Apuromafo)
*Changed the binary-search algorithm to now be
part of main-assembly... (less size!)
*Changed a lot of the "foreach" loops to "Parallel" ones instead...
And yeah I know, I should have added support for .NET plugins as well - but fear not, the ability will be added soon.

@Apuromafo: Yeah I noticed, seems I forgot to add the OpenFileDialog function there :P

@an0rma1: I seriously have no idea why you get that error; it seems to me that you have some issues with your locally installed .NET Framework or something...

@mr.exodia: Yeah thanks man, I'm gonna do you one better - in the next version I'll add the possibility of choosing which pattern-finder algorithm one wishes to use - so for instance if they wanna use yours, they can - and vice versa... Just to make the possibilities endless.
#7
01-17-2016, 21:22 - mr.exodia
@n00b: Nah, don't bother with multiple pattern finders; use my code, or take the ideas you like and discard it. I just did it for fun and for the benefit of the open source community. You might also wanna look into Yara: it basically does all your scanner does, but with a scripting language, plus you can load those signature files in x64dbg. Worth checking out, I'd say.
#8
01-17-2016, 22:50 - an0rma1
@n00b: my .NET installations are OK, all programs work perfectly (except yours).

Anyway, does anyone know whether anyone has implemented advanced algorithms for exe/file identification?
I mean Aho-Corasick, for example?

More info here: http://webglimpse.net/pubs/TR94-17.pdf (also parallelizable on multicore) (look for it on Google)
I used some of the ideas a long time ago for a spellchecker (in the end I used a binary parallel search with k mismatches; a 32-bit word let me search for 32-letter words).

But it seems these are better...

#9
01-18-2016, 00:19 - mr.exodia
@an0rma1: I looked into Horspool and friends but it didn't want to work very well with nibble wildcards in the minimal time I spent on it. It might be worth looking into, but I doubt anyone is ever going to run into huge performance issues with a tool like this.

Yara uses Aho-Corasick for pattern finding.
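An added example for the algorithm question raised in post #8 and answered in post #9; it is not Yara's, DNiD2's or PatternFinder's code. It shows the usual way to combine a multi-pattern matcher with `??` and nibble wildcards, which skip-based searches like Horspool handle poorly: a byte-level Aho-Corasick automaton finds each signature's longest run of fixed bytes (its "atom", the same idea Yara's atoms use) in a single pass over the file, and the full wildcarded signature is verified only at those candidate offsets. Signatures are written directly as (value, mask) byte pairs; the demo signatures and the sample bytes are constructed for the example and are not real packer signatures.

```python
# Added example for this thread, not Yara's, DNiD2's or PatternFinder's code.
# Assumptions: signatures are lists of (value, mask) byte pairs ((0, 0) is a
# '??' wildcard, (0xE0, 0xF0) a nibble wildcard); the demo signatures and the
# sample bytes below are constructed for the example.
from collections import deque


class AhoCorasick:
    """Trie plus failure links over bytes; one pass reports every keyword hit."""

    def __init__(self, keywords):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for idx, kw in enumerate(keywords):
            node = 0
            for b in kw:
                nxt = self.goto[node].get(b)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto[node][b] = nxt
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = nxt
            self.out[node].append(idx)
        # Failure links by BFS: depth-1 nodes fall back to the root; deeper
        # nodes follow the parent's failure chain until a goto edge exists.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, nxt in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def search(self, data):
        """Yield (index of the keyword's last byte, keyword index) per occurrence."""
        node = 0
        for pos, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for idx in self.out[node]:
                yield pos, idx


def longest_fixed_run(pattern):
    """Pick the atom: the longest run of fully specified bytes (mask 0xFF).
    Returns (index of the run inside the signature, run as bytes)."""
    best_start, best, start = 0, b"", None
    for i, (_, m) in enumerate(list(pattern) + [(0, 0)]):   # sentinel closes the last run
        if m == 0xFF:
            start = i if start is None else start
        elif start is not None:
            run = bytes(v for v, _ in pattern[start:i])
            if len(run) > len(best):
                best_start, best = start, run
            start = None
    return best_start, best


def scan_with_atoms(data, signatures):
    """signatures: {name: [(value, mask), ...]} -> {name: [match offsets]}."""
    names = list(signatures)
    atoms = []
    for name in names:
        start, atom = longest_fixed_run(signatures[name])
        if not atom:
            raise ValueError("signature %r has no fixed bytes to anchor on" % name)
        atoms.append((start, atom))
    ac = AhoCorasick([atom for _, atom in atoms])
    hits = {name: [] for name in names}
    for end_pos, idx in ac.search(data):
        start, atom = atoms[idx]
        pat = signatures[names[idx]]
        off = end_pos - len(atom) + 1 - start       # where the whole signature would begin
        if 0 <= off <= len(data) - len(pat) and all(
                (data[off + i] & m) == v for i, (v, m) in enumerate(pat)):
            hits[names[idx]].append(off)
    return hits


ANY = (0x00, 0x00)                                   # '??': any byte
SIGNATURES = {
    # pushad ; mov esi, imm32 ; lea edi, [esi+disp32]  (UPX-shaped, constructed)
    "demo: pushad/mov esi/lea edi": [(0x60, 0xFF), (0xBE, 0xFF), ANY, ANY, ANY, ANY,
                                     (0x8D, 0xFF), (0xBE, 0xFF)],
    # push ebp ; mov ebp,esp ; sub esp, imm8  with the modrm byte written as 'E?'
    "demo: prologue with nibble wildcard": [(0x55, 0xFF), (0x8B, 0xFF), (0xEC, 0xFF),
                                            (0x83, 0xFF), (0xE0, 0xF0), ANY],
}
SAMPLE = (b"\x90" * 8
          + b"\x55\x8B\xEC\x83\xEC\x40"                          # prologue at 8
          + b"\x90" * 4
          + b"\x60\xBE\x00\x10\x40\x00\x8D\xBE\x00\x00\x01\x00"  # pushad block at 18
          + b"\x55\x8B\xEC\x83\xEC\x10")                         # prologue at 30


def scan_sample():
    return scan_with_atoms(SAMPLE, SIGNATURES)


if __name__ == "__main__":
    for name, offsets in scan_sample().items():
        print(name, [hex(o) for o in offsets])
```

The automaton's cost is one transition per input byte regardless of how many signatures are loaded, which is why it scales to databases of thousands of entries; the per-candidate verification is what carries the wildcard semantics, so a signature made entirely of wildcards has no atom and is rejected up front.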
#10
01-20-2016, 12:16 - n00b
+Added a simple disassembly-view window...
+Added a simple error-report window...
*Fixed errors occurring on re-launch, due to parallelization...
*Changed so all native DLL methods are located in one place...
*Changed compilation mode to x86 - and it is still able to scan x64 binaries...

Woah! Another update for you peeps
#11
01-21-2016, 17:02 - an0rma1
@n00b thanks for updating!!

(sorry for the off-topic)
@mrexodia, Yara is great! It reminds me in some way of SQL: very easy syntax, simple, but hugely powerful.
When I read about it months ago I wondered why no one had come up with something like that in all these years of virus/malware/etc. research.

Talking about multi-string wildcard searching, I guess this is how antivirus has always worked? Years ago I read the Clam AntiVirus source, but I can't remember right now.
I know they also search for hashes, and obviously the inner workings are much, much more complex, but I never read too much about it.

And the old Kaspersky source was leaked years ago...
#12
01-23-2016, 17:10 - n00b
[2016/01/23] - 2.0.4.0: (by mammon)
=======================
+Added a simple hex-view window...
+Added Be.Windows.Forms.HexBox as an included project in the solution...
*Changed disassembler method to use SharpDisasm instead...
*Minor code-cleanup performed...
-Removed BeaEngine fully from the project...
#13
01-24-2016, 08:24 - alephz
Quote:
Originally Posted by an0rma1
read the Clam AntiVirus source, but I can't remember right now.
I think it was initially based on the Kumar & Spafford article "A Generic Virus Scanner in C++".
#14
01-26-2016, 11:43 - n00b
Quote:
[2016/01/26] - 2.0.5.0: (by mammon)
=======================
+Added sample plugin... (works with both DNiD & PEiD!)
+Added small console-tool to set DNiD2 to Explorer's context menu...
+Added context menu to SecView - you can now directly disassemble or
read any of the sections in hex...
+Added Debug Assertion on debug build on all methods...
*Fixed so project doesn't copy SharpDisasm to bin dir...
*Fixed plugins loader code...
*Changed plugins directory to load from; %dnid2_dir%\plugins\...
Also, pre-compiled download: https://bitbucket.org/styx2007/mu.dn...2016.01.26.rar

NB: The build is failing on AppVeyor because it fails to add the "DllExport" package to the included Sample Plugin automatically...
#15
04-02-2016, 14:34 - n00b
Quote:
[2016/04/02] - 2.0.6.0: (by mammon)
=======================
+Added 4 more signatures to the internal database...
+Added a simple PE Details form...
*Fixed issue where menu didn't close when loading plugin...
*Fixed issue when using context menu to scan binary, not loading plugins...
Pre-compiled download: https://bitbucket.org/styx2007/mu.dnid/downloads/2.0.6.0_2016.04.02.rar
All times are GMT +8.