You may have seen my previous topic on this subject, which can be found here: https://forum.skylords.eu/index.php?/topic/2559-my-project/
I've been working on a project for quite some time now, not full time of course, but as a side hobby of mine, which is learning more about PE structures.
A true motive of mine to keep working on it is to simplify advanced features you might find in other tools, allowing as many people as possible to understand what analysis means and how important it is today.
Let me start introducing the functionalities now~
Since last time, I've pushed a lot of changes and updates, and they go as follows:
-> Updated the GUI as I have seen fit. It was an issue in the previous versions, but I think it will be good for now. (Side functionalities are now also supported, like exporting strings, colored strings for critical ones, closing/reloading the opened file, and so on)
-> A complete recode (it will receive a newer one, but I don't have time for it yet) - the new engine is faster, more efficient, and resource friendly
-> Added the ability to configure nearly everything the tool has to offer, whether it is a notice message or a result.
-> Following on from configuration, I have even started working on a custom scripting engine to allow the user full control over the fired events, results and inputs/outputs. (And no, not CSPluginManager, if you are wondering)
A simple example of what the script may look like (not implemented yet); side note: it will be even simpler than that.
if [Module:<moduleName>] or [Function:<functionName>]
    if ![File.Size > 30(mb)]
        MessageBox("File Size is smaller than 30 megabytes")
    end if
end if
// Explanation:
if [condition..] [options..] [condition..] == true // (either of the conditions is met, unless specified otherwise using the ! operator)
<tab> if [(variable.child) (operator) (integer)]
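To make the sketch concrete, here is a small interpreter for rules written in that shape. It is an added example, not the author's scripting engine (which, as stated above, is not implemented yet); the grammar it accepts (`Module:` and `Function:` conditions, a `File.Size` comparison with a unit in parentheses, a leading `!` for negation, `or`/`and` between conditions, and `MessageBox(...)` as the only action) is my reading of the sketch, and the import tables and file sizes it runs against are constructed inline.

```python
import operator
import re

# Assumed grammar, read from the sketch above (not the tool's real syntax):
#   [Module:name]  [Function:name]  [File.Size <op> N(unit)]   optional leading '!' negates,
#   'or' / 'and' between conditions, MessageBox("...") as the only action, blocks closed by 'end if'.
COND = re.compile(r"(!?)\[(.*?)\]")
SIZE_EXPR = re.compile(r"File\.Size\s*(==|!=|>=|<=|>|<)\s*(\d+)\s*\(?(b|kb|mb|gb)?\)?", re.I)
ACTION = re.compile(r'MessageBox\("(.*)"\)')
SIZE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def eval_condition(text, ctx):
    """Evaluate one bracketed condition against ctx = {"modules": {dll: [funcs]}, "size": bytes}."""
    key, sep, value = text.strip().partition(":")
    if sep and key == "Module":        # DLL names are compared case-insensitively, as the loader does
        return value.strip().lower() in {m.lower() for m in ctx["modules"]}
    if sep and key == "Function":      # function names are case-sensitive, as in the import table
        return any(value.strip() == f for funcs in ctx["modules"].values() for f in funcs)
    m = SIZE_EXPR.fullmatch(text.strip())
    if m:
        op, num, unit = m.groups()
        return OPS[op](ctx["size"], int(num) * SIZE_UNITS[(unit or "b").lower()])
    raise ValueError(f"unknown condition: {text!r}")


def eval_if(line, ctx):
    """'if [a] or ![b] and [c]' -> bool. Conditions combine left to right; the join is
    'or' unless 'and' is written between two conditions, as the sketch's explanation says."""
    rest = line[2:]
    result, pos, join = None, 0, "or"
    for m in COND.finditer(rest):
        neg, cond = m.groups()
        value = eval_condition(cond, ctx) != bool(neg)     # a leading '!' inverts the condition
        between = rest[pos:m.start()].strip().lower()
        if between in ("and", "or"):
            join = between
        elif between:
            raise SyntaxError(f"unexpected text {between!r} in {line!r}")
        if result is None:
            result = value
        else:
            result = (result and value) if join == "and" else (result or value)
        pos = m.end()
    if result is None:
        raise SyntaxError(f"'if' without a condition: {line!r}")
    return result


def run_script(script, ctx):
    """Execute the rule script top to bottom and return the MessageBox texts that fired."""
    fired, stack = [], []      # stack: one bool per open 'if', True when that block is active
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        lowered = line.lower()
        if lowered == "end if":
            if not stack:
                raise SyntaxError("'end if' without a matching 'if'")
            stack.pop()
        elif lowered.startswith("if "):
            active = all(stack)
            stack.append(active and eval_if(line, ctx))    # conditions in a dead block are never evaluated
        elif all(stack):
            m = ACTION.fullmatch(line)
            if not m:
                raise SyntaxError(f"unknown statement: {line!r}")
            fired.append(m.group(1))
    if stack:
        raise SyntaxError("unterminated 'if'")
    return fired


# The sketch from the post, as a script.
SCRIPT = """
if [Module:advapi32.dll] or [Function:RegCloseKey]
    if ![File.Size > 30(mb)]
        MessageBox("File Size is smaller than 30 megabytes")
    end if
end if
"""

# Constructed import tables and sizes standing in for analyzed files (not real programs).
SMALL_REGISTRY_USER = {"modules": {"ADVAPI32.dll": ["RegOpenKeyExA", "RegCloseKey"]}, "size": 5 * 1024 ** 2}
LARGE_REGISTRY_USER = {"modules": {"ADVAPI32.dll": ["RegCloseKey"]}, "size": 40 * 1024 ** 2}
NO_REGISTRY = {"modules": {"kernel32.dll": ["ExitProcess"]}, "size": 1024}

if __name__ == "__main__":
    for name, ctx in [("small", SMALL_REGISTRY_USER), ("large", LARGE_REGISTRY_USER), ("none", NO_REGISTRY)]:
        print(name, run_script(SCRIPT, ctx))
```

Only the `small` case fires the message: it imports advapi32.dll and is under 30 MB. The `large` case matches the outer condition but fails the negated size check, and the `none` case never enters the outer block, so its inner condition is not even evaluated.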
-> Added the ability to browse an archive file and have the program automatically unpack and display all directories and files
-> Improved the heuristic scanning engine, and expanded the signature database (packers, obfuscators, etc.)
And finally, the screenshots. Here I have analyzed a program coded in C# called Fiddler (click to enlarge the pictures):
Quick explanation of the buttons before we start:
C -> Close loaded file, R -> Reload loaded file, ... -> Browse a file
(.NET Analysis tab - basically an overview of the information regarding the file; soon it will allow complete decompilation of the code by just selecting the module)
(PE Strings tab - shows the user all the important strings of a file and highlights the critical ones, as shown below in different colors. Currently I have it set to show just links, emails, registry values, etc. There are various scan types too, in case you want a more specific field of strings)
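As an added illustration of what such a strings tab does (my own code, not the tool's string scanner), the block below pulls printable ASCII and UTF-16LE runs out of a byte buffer and tags the ones that look like links, emails or registry paths; the patterns, the minimum length of 5 and the sample bytes are all this example's own choices.

```python
import re

MIN_LEN = 5   # shortest run worth reporting; a convention of this example, not the tool's setting

# The three categories the post mentions. The regular expressions are this example's own.
CRITICAL = [
    ("url", re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("registry", re.compile(r"(?i)\b(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|CC|U))\\[^\s\"']+")),
]


def extract_strings(data, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] for printable ASCII and UTF-16LE runs, sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is printable bytes interleaved with NULs, which a plain ASCII scan never sees.
    # The lookbehind stops the NUL terminator of a preceding ASCII string from being read as the
    # first code unit of the wide run (that would glue its last letter onto the wide string).
    wide_run = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_run.finditer(data)]
    return sorted(found)


def classify(text):
    """Label a string with the first critical category it matches, or None for ordinary strings."""
    for label, pattern in CRITICAL:
        if pattern.search(text):
            return label
    return None


def scan(data, kinds=None, min_len=MIN_LEN):
    """Critical strings only, as [(offset, encoding, label, text)].
    kinds narrows the result to a set of labels, like a more specific scan type."""
    out = []
    for offset, enc, text in extract_strings(data, min_len):
        label = classify(text)
        if label and (kinds is None or label in kinds):
            out.append((offset, enc, label, text))
    return out


# Constructed sample bytes (not a real binary): a header-like prefix, an ASCII URL,
# a UTF-16LE registry path, an e-mail address and an ordinary DLL name.
SAMPLE = (
    b"MZ\x90\x00junk\x01\x02"
    + b"http://update.example.test/payload.bin\x00"
    + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"admin@example.test\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for offset, enc, label, text in scan(SAMPLE):
        print(f"{offset:#06x} {enc:8} {label:8} {text}")
```

Running it on the sample reports the URL, the registry path (found only by the wide scan) and the e-mail address, while `kernel32.dll` is extracted but not flagged. The wide-run lookbehind has a cost worth knowing: a UTF-16 string that directly follows a printable byte loses its first character.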
(PE Modules tab - in a short explanation, nearly every program imports modules (DLLs) to do specific things. For example, to work with Registry values a program imports a module called advapi32.dll (the one selected below) and calls functions from it such as RegCloseKey.
This part of the tool is the most configurable, since the user decides which modules/functions to show, which module and function relate to each other, and what notes to show. PS -> By selecting a module, it will list all the used functions of that specific module in the explanation box)
(Configuration file of the modules, if you are interested: http://pastebin.com/9sADEBqS - explained too.)
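What a modules tab reads is the import directory of the file. As an added illustration (my own stdlib-only code, not the tool's engine and not its configuration file), here is a parser for that directory, paired with a hypothetical notes table of the same module/function/note shape as the configuration described above. Because a real executable cannot be embedded here, the block also constructs a minimal PE32 image containing nothing but an import table to run the parser against; that builder exists only to produce test data.

```python
import struct


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ image and return {dll name: [function names]}.
    Functions imported by ordinal are reported as 'ordinal#N'."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                             # PE32: directories at +96, 32-bit thunks
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                                           # PE32+: directories at +112, 64-bit thunks
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # data directory entry 1 = import table
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def rva_to_offset(rva):
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    if imp_rva == 0:
        return imports
    desc, thunk_size = rva_to_offset(imp_rva), struct.calcsize(thunk_fmt)
    while True:                                                    # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:
            break                                                  # an all-zero descriptor ends the table
        funcs, thunk = [], rva_to_offset(ilt or iat)               # prefer the lookup table, else the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(cstring(rva_to_offset(entry) + 2))    # skip the 2-byte hint before the name
            thunk += thunk_size
        imports[cstring(rva_to_offset(name_rva))] = funcs
        desc += 20
    return imports


# Hypothetical notes of the module/function/note shape the PE Modules tab uses (not the tool's real config).
NOTES = {
    "advapi32.dll": {"RegSetValueExA": "writes a registry value", "RegCloseKey": "closes a registry key handle"},
    "wininet.dll": {"InternetOpenUrlA": "downloads from a URL"},
}


def annotate(imports):
    """Pair every imported function with its note; imports without a note get an empty string."""
    return [(dll, fn, NOTES.get(dll.lower(), {}).get(fn, "")) for dll, fns in imports.items() for fn in fns]


def build_sample_pe(imports):
    """Construct a minimal PE32 image with only an import table (test data, not a runnable program):
    headers in the first 0x200 bytes, one section at RVA 0x1000 backed by file offset 0x200."""
    sec_rva, sec_off, body = 0x1000, 0x200, bytearray()

    def place(blob, align=1):                   # append blob to the section, return its RVA
        while len(body) % align:
            body.append(0)
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    descriptors = []
    for dll, funcs in imports.items():
        name_rva = place(dll.encode() + b"\0")
        names = [place(b"\0\0" + f.encode() + b"\0", align=2) for f in funcs]    # hint (0) + name
        thunks = place(b"".join(struct.pack("<I", n) for n in names) + b"\0\0\0\0", align=4)
        descriptors.append(struct.pack("<5I", thunks, 0, 0, name_rva, thunks))
    desc_rva = place(b"".join(descriptors) + b"\0" * 20, align=4)
    hdr = bytearray(sec_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)    # COFF: i386, one section
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, desc_rva, 20 * (len(descriptors) + 1))
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", len(body), sec_rva, len(body), sec_off)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe({"ADVAPI32.dll": ["RegSetValueExA", "RegCloseKey"], "WININET.dll": ["InternetOpenUrlA"]})
    for row in annotate(parse_imports(sample)):
        print(row)
```

Two details matter when this is pointed at real files: every RVA is translated through the section table before it is dereferenced (an import directory that points outside any section is a corruption or a packing trick, not something to read blindly), and the lookup table is preferred over the IAT because a bound or already-loaded IAT holds addresses rather than name RVAs.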
That's all; in a few minutes you are able to analyze a file you downloaded and determine whether it is safe or not.
(And here is a quick screenshot of how the archive extraction and display works: double-click a file, trid.exe for example, and the tool will load and analyze it)
For the sake of time and the space of this topic I'll stop here, but if you have any questions I'd happily answer them below or privately! (PS - this will become a public release one day, hopefully)
Let me know your opinions please!
~Thank you