Sykole

My Project v2


You may have seen my previous topic on this subject, which can be found here: https://forum.skylords.eu/index.php?/topic/2559-my-project/

I've been working on a project for quite some time now, not full time of course but as a side hobby of mine, which is learning more about PE structures.

A true motive of mine to keep working on it is to simplify advanced features you might find in other tools, allowing as many people as possible to understand the meaning of analysis and how important it is in our current day.

Let me start introducing the functionalities now~

Since last time, I've pushed a lot of changes and updates, and they go as follows:

-> Updated the GUI as I have seen fit. It was an issue in the previous versions, but I think it will be good for now. (Side functionalities are now also supported like exporting strings, colored strings for critical ones, closing/reloading opened file .. and so on)

-> A complete recode (It will receive a newer one, but I don't have time for it yet) - The new engine is faster, more efficient, and resource friendly 

-> Added the ability to configure nearly everything the tool has to offer, whether it is a notice message or a result.

   -> Following to configuration, I have even started working on a custom scripting engine to allow the user to have full control over the fired events, results and inputs/outputs. (And no, not CSPluginManager if you are wondering) 

A simple example of how the script may look (not implemented yet). Side note: it will be even more simplified than that.

if [Module:<moduleName>] or [Function:<functionName>]
    if ![File.Size > 30(mb)]
        MessageBox("File Size is smaller than 30megabytes")
    end if
end if


// Explanation:
if [condition..] [options..] [condition..] == true  // (either of the conditions is met, unless specified otherwise using an !operator)
    if [(variable.child) (operator) (integer)]

-> Added the ability to browse an archive file and have the program automatically unpack and display all directories and files

-> Improved the heuristic scanning engine, and increased the signatures database (Packers, obfuscators etc)

And at last, the screenshots. Here I have analyzed a C# coded program called Fiddler:

Quick explanation of the buttons before we start;

C -> Close loaded file, R -> Reload loaded file, ... -> Browse a file

(.NET Analysis tab - Basically an overview of the information regarding the file; soon it will allow complete decompilation of the code by just selecting the module)


(PE Strings tab - Shows the user all the important strings of a file, and highlights the ones that are critical, as shown below, in different colors. Currently I have it set to show just links, emails, registry values etc. There are various scan types too in case you want a more specific field of strings)


(PE Modules tab - In a short explanation, every program coded requires a module to do a specific thing. For example, to modify Registry values you need to use a module called advapi32.dll (the one selected below), and a function called RegCloseKey.

This part of the tool is the most configurable, since the user decides what Modules/Functions to show, which module and function relate to each other and what notes to show. PS -> By selecting a module, it will list all the used functions of that specific module in the explanation box)


(Configuration file of the modules if you are interested: http://pastebin.com/9sADEBqS - Explained too.)


That's all; in a few minutes you are able to analyze a file you downloaded and determine whether it is safe or not. :D


(And here is a quick screenshot of how the archive extraction and display works: double click a file, trid.exe for example, and the tool will load and analyze it)


For the sake of time and space of this topic I'll stop here, but if you have any questions I'd happily answer them below or privately! (PS - This will become a public release one day, hopefully)

Let me know your opinions please!

~Thank you
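As an added illustration of what the PE Strings and PE Modules tabs described above do (this is example code, not Sykole's tool), the snippet below pulls printable ASCII and UTF-16LE runs out of a byte buffer and tags the ones a reviewer would want highlighted: URLs, e-mail addresses, registry paths and DLL names. The buffer, the category regexes and the `min_len` threshold are constructed for the demo.

```python
import re

# Constructed sample buffer standing in for the raw bytes of an analysed file
# (not real output of the tool described in the post). The trailing \x00\x00
# before the wide string keeps the ASCII run before it from bleeding into it.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"https://example.invalid/update.bin\x00"
    b"support@example.invalid\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x01\x02ab\x03"                      # too short to count as a string
    b"advapi32.dll\x00RegCloseKey\x00"
    b"just a plain string\x00\x00"
    + "http://wide.example.invalid".encode("utf-16-le")
    + b"\x00\x00"
)

# Category rules, checked in order; the first match wins.
CATEGORIES = [
    ("url",      re.compile(r"^(?:https?|ftp)://\S+$", re.I)),
    ("email",    re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")),
    ("registry", re.compile(r"^(?:HKEY_[A-Z_]+|Software|SYSTEM)\\", re.I)),
    ("module",   re.compile(r"^[\w.-]+\.dll$", re.I)),
]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len chars."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_rx.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_rx.finditer(data)]
    return found


def classify(s: str) -> str:
    """Label a string with the first matching category, or 'plain'."""
    for name, rx in CATEGORIES:
        if rx.search(s):
            return name
    return "plain"


def scan(data: bytes, min_len: int = 4) -> list[tuple[str, str]]:
    """Extract and classify every string in the buffer."""
    return [(classify(s), s) for s in extract_strings(data, min_len)]


def critical(results: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Keep only the strings the UI would colour as critical."""
    return [(c, s) for c, s in results if c != "plain"]


if __name__ == "__main__":
    for category, value in scan(SAMPLE):
        print(("!" if category != "plain" else " "), f"{category:9}", value)
```

Note that `RegCloseKey` comes out as plain here: the function-to-module mapping the PE Modules tab uses lives in its configuration file, not in the string scan itself.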

11 hours ago, Sykole said:

Added the ability to browse an archive file and have the program automatically unpack and display all directories and files

Yay, new version of WinRar :kappa:

It looks amazing, mostly because I don't fully understand it, but yea, I do have some questions for you then, when it comes public. 


Looks like a cool little project. I hope you have success with this; while you're developing you might want to look for investors or some people that could publish it for you. Just my opinion of course.

Although I have no idea what any of the coding means other than some of the basics, I should really get off my lazy ass and start learning to program, shouldn't I?...

4 minutes ago, PlainVenom said:

Looks like a cool little project. I hope you have success with this; while you're developing you might want to look for investors or some people that could publish it for you. Just my opinion of course.

Although I have no idea what any of the coding means other than some of the basics, I should really get off my lazy ass and start learning to program, shouldn't I?...

Yeah, coding is really fun. Gets your mind to think a lot and burns time too :P

On 2/21/2017 at 11:16 AM, Sykole said:

Yeah, coding is really fun. Gets your mind to think a lot and burns time too :P

Oh hell yes, it burns time. It rekts time.

3h real time = 15min programming lmao

Anyways, nice little project, good luck! :)


Update - Had just a bit of time to work on the scripting engine the past two days and this is the start. Created documentation to help mainly me in case I set the project aside and decide to return to it later. (Total hours: ~6h, Total Lines: ~650)

By no means is this the final product; it still has a long way to go. Posting it here to get suggestions and feedback on improvements.

GitHub documentation: https://github.com/Mayion/fileinspect/blob/master/README.md

Simplified the actual scripting a bunch compared to the prototype I had in the main topic, to help keep things from getting complicated.

I'd love to hear back from you; @fiki574 @anonyme0273 @sylvix95 @Eddio and anybody else interested in giving their input on anything related to the project

:D

10 hours ago, Sykole said:

Update - Had just a bit of time to work on the scripting engine the past two days and this is the start. Created documentation to help mainly me in case I set the project aside and decide to return to it later. (Total hours: ~6h, Total Lines: ~650)

By no means is this the final product; it still has a long way to go. Posting it here to get suggestions and feedback on improvements.

GitHub documentation: https://github.com/Mayion/fileinspect/blob/master/README.md

Simplified the actual scripting a bunch compared to the prototype I had in the main topic, to help keep things from getting complicated.

I'd love to hear back from you; @fiki574 @anonyme0273 @sylvix95 @Eddio and anybody else interested in giving their input on anything related to the project

:D

Like it so far (gj on docs as well), though it would be good if you treated strings with " " instead of without. I mean it's okay like that as well, but it looks nicer with "string". Also, have you thought about making your own or using an existing syntax highlighter?

40 minutes ago, fiki574 said:

Like it so far (gj on docs as well), though it would be good if you treated strings with " " instead of without. I mean it's okay like that as well, but it looks nicer with "string". Also, have you thought about making your own or using an existing syntax highlighter?

Yeah, the original example required strings to be surrounded by " " but when I showed it to people who have no prior experience in coding, it caused them confusion which was what led me to simplify it in that way.

My idea is to have it as flexible as possible, meaning whether a string is surrounded with " " or not, it will still parse, or do you think otherwise? Also yeah, thought of making a "script builder" where it highlights the syntax & pre-parses the code (without executing) to show if there are any errors.

21 hours ago, Sykole said:

Yeah, the original example required strings to be surrounded by " " but when I showed it to people who have no prior experience in coding, it caused them confusion which was what led me to simplify it in that way.

My idea is to have it as flexible as possible, meaning whether a string is surrounded with " " or not, it will still parse, or do you think otherwise? Also yeah, thought of making a "script builder" where it highlights the syntax & pre-parses the code (without executing) to show if there are any errors.

If " " were causing confusion, then programming is not for people who are not capable of understanding string principles. And go for a highlighter and compiler for your language, fun stuff to do.
