Review article copied (brazenly) from fiks-ru.net
PEID 0.95
PEID- the most popular analyzer of executable files. The latest version is 0.95 from November 2008. The analysis is performed on the internal and external database of signatures, there are several levels of scanning from fast to deep, you can process entire directories. The functionality is easily extended by external plugins, the signatures are stored in a separate text file, so you can easily add your own there. A special program was written to work with the signature database. PEiDSO. Plugin developers are provided with an SDK with examples in different programming languages and a description of the API. The off-site of the program ordered the campaign to live for a long time, but in any case, it is better to download it here, because otherwise you would have to assemble the necessary set of plug-ins and signatures yourself, but here it is decently equipped.
The PEiD manual can be read
DiE 0.65 Rus
Detect it Easy (DiE), domestic development, I translated the latest version 0.65 into Russian at my leisure (if you don’t like the translation, throw the DiE.RU file out of the directory - it will be Eng). An emulator was added to version 0.65. Similar to PEiD, but the main focus is on its own heuristic analyzers, and only then on signature analysis. The program also provides some useful functions: viewing imports, sections, viewing a file in hex mode, a disassembler, viewing the main characteristics of PE, obtaining an MD5 hash and CRC-32. The functionality is extended with plugins.
Off-site program
DiE (Detect it Easy) 0.70 alpha 12
Update DiE (Detect it Easy) up to version 0.70. The program has been completely rewritten - before it was in Borland Delphi, and now in Microsoft Visual C++. In this connection, I consider its further translation into Russian inexpedient, since you can’t give a dump anymore, and it’s probably not worth it to “torment” hard-coded strings in a HEX editor. The off-site of the program is now located. You can download the new version directly from the off-site (I did not add it to the archive).
P.S. Thanks to a friend from exelab.ru for providing information about the new version.
ExeInfo PE 0.0.3.2
ExeInfo PE also very similar to PEiD, latest version 0.0.3.2 dated September 11, 2012. Built-in signatures (667 pieces). The program has an interesting feature: if the protector is defined, it gives information about which tool can be used to try to unpack it. For beginners, this information will be very useful. Also useful tools include a ripper of archives from SFX modules, search for text strings, registry calls, OEP adjustment, and others. You can download from offsite. You can also download a plug-in adapter for PEiD and DiE from the off-site, which allows you to scan files through ExeInfo PE.
PE Scan 3.31
Pe Scan by snyper, latest version 3.31, offsite has ceased to exist. With a minimum size, the program has great potential. This is a heuristic and signature analyzer of executable files, unpacker of some packers, dynamic OEP search. In addition to the above tools, Pe-Scan has a unique probabilistic analyzer for unfamiliar packers and file encrypters ("adv.scan" button). It shows in percentage terms which of the packers known to him is similar to the investigated unknown. Helps identify common UPX packers treated with various scramblers and modifiers.
Stud PE 2.6.1.0
Stud PE, latest version 2.6.1.0 dated June 2, 2012. A very good program, in addition to analyzing what the file is packed with, shows a lot of other useful information: sections, resources, import and export tables, DOS header. The HEX editor built into Stud_PE highlights the selected fields of the file header, which is very convenient when analyzing its structure. There is also a process manager with a built-in dumper. The functionality is extended with the help of plugins, and plugins from PEiD are suitable. A description of the API and SDK for developers is included in the package.
File Format Identifier 1.4
File Format Identifier- a very successful development of the Chinese antivirus company SUCOP, the latest version is 1.4 from 2008. The analyzer works on external signatures in the PEiD format, but the main value is the built-in static unpacker of simple packers. The unpacker works on the technology of a virtual machine, that is, no code is actually executed, which is especially important when investigating malware. Other useful tools in the program include an import reconstructor, an executable file rebuilder, an offset calculator, and an overlay extractor. If you understand Chinese, you can download it from offsite, but I recommend taking this assembly from the archive at the end of the post. Everything superfluous has been removed in it, the unpacker engine has been replaced with a commercial one with improved functions, and an external signature database has been added. File Format Identifier is recommended to always have at hand.
Protection ID 0.6.4.1
Protection ID, latest version 0.6.4.0 Not a bad program mainly used for analyzing protected CD/DVD discs. In addition, it defines about 350 packers, dongles, installers of executable files. It does not require additional files to work, but it is not possible to add your own signatures. In recent versions, the author has noticed a bad tendency to push a bunch of unnecessary junk into the utility, such as a system load indicator, a process manager, a memory optimizer and other excesses.
RDG Packer Detector v.0.7.0
RDG Packer Detector , latest version 0.7.0 dated December 27, 2012. A good idea, but a monstrous implementation, another example of what developers should NOT turn their programs into. If you understand the ugly interface, then in addition to the analyzer you will get a few more tools like OEP Detector, Cryptographic Analyzer, which didn’t work for me normally. The latest version has been added to the archive.
FastScanner v.3.0
FastScanner by AT4RE cracker team, latest version 3.0 Scanner works with signatures from PEiD, supports plugins. Beautiful interface, but the result of checking files is often erroneous. Of the useful features, there is a good PE editor - files in the form of a plugin.
Bit Detector 2.8.5.6
Bit Detector- a new development, also from the Arab cracker team Under SEH Team, the latest public version is 2.8.5.6 from June 2012. In addition to the function of determining the compiler and packer, it carries several useful and not very useful tools on board.
MiTeC EXE Explorer
MiTeC EXE Explorer- a small free viewer of the structure of executable files. Shows information from the file header, import and export table, TLS, file version, Delphi forms, resource tree with the ability to view pictures and dialogs in a convenient form and save them to disk, and there is also a convenient search function for text strings in the file.
The Ultimate Hellspawn's EXE Analyzer 0.6
The Ultimate Hellspawn's EXE Analyzer- DiE analyzer prototype. It will be more useful for a collection than for practical use, because it is very outdated. Shows the main characteristics of an EXE file, heuristically detects some packers and protectors.
file insPector XL
file insPector XL from ViPER - an old analyzer from 2001, has not been updated since then. Heuristically detects packers and compilers of executable files, shows basic data from PE header, section, import and export table. In addition to the analyzer, it includes several useful tools, for example, adding an empty section to a file or new functions to import, an RVA to Offset calculator, changing the date and time of a file, OEP redirection, a process manager, and others. Supports plugins and multilingual interface. It is useful not only for collection, but also for practical use.
SCANIT 1.85
SCANiT- file analyzer from the cracker team tPORT. The functionality is small, it scans the file using signatures from PE Tools, it supports plug-ins of some incomprehensible format.
PE Pirate 0.51
PE Pirate from kosfiz - a detector of protectors, compilers, packers that can pack PE files. Written in assembler, can scan directories, read file entropy. Often mistaken, despite assurances of 95-99% hit accuracy.
GAPE 1.01
gAPE- analyzer from the cracker team TLG. Supports signatures from PE Tools and plugins from PEiD. Of the tools, there is a working entropy calculator and a curve displacement calculator in the file. Useful for collection.
PeStudio 7.95
I have long wanted to write about the program PeStudio, but all hands did not reach. Off-site of the program has moved ==> HERE<== версии там последнее время идут одна за одной, просто обновлять не успеваю - уже 7.95 натикало. Было немного времени, глянул у проги ресурсы на предмет локализации. В самом исполняемом файле можно разве что менюшку перекинуть, да и то смысла почти нет - на русском всего несколько слов появится (значит кириллицу до сих пор поддерживает), а вот все остальное у ней походу большей частью в файле PeStudioIndicators.xml lies, and when I try to change them to Russian, I generally have all the values, for example, immediately disappeared even without kryakozyabry. Of course, you can still be smarter - like changing the encoding from the notorious utf-8 to hard windows-1251 and resaving the document from unicode to ANSI (you can use an ordinary Windows notepad), but alas, there is no time for experiments, and there will be little sense from them - the versions are now jumping one by one. In short, anyone who is interested can try, but English does not interfere with me in this program either - and so everything seems to be visible.
InspectExe
InspectExe adds additional tabs to the properties window of executable files to view sections, import table, resources, manifest and other data.
DNiD 1.0
DNiD- a program similar to PEiD, but focused on .NET applications. Allows you to define dozens of different versions of compilers, protectors, packers and obfuscators of .NET programs.
A-Ray Scanner 2.0.2.2
A-Ray Scanner, the project has not been updated for a long time, the latest version is 2.0.2.2 from 2005. The program is intended only for scanning CD/DVDs and defines several dozens of disc copy protections. Also defines some packers and protectors for executable files.
ClonyXXL 2.0.1.5
Clony XXL- a utility that determines the type of CD protection. Like the previous program, it has not been updated for a long time, the latest version is 2.0.1.5 from 2003. Defines protections: SafeDisc, SecuROM, Discguard, LaserLok, Psx/Lybcrypt, Cactus Data Shield (Audio CDs), Lock Blocks, CD Check, ProtectetCD-VOB, CD-Extra and protection based on non-standard placement of information on the disk. By default, the interface is in German, but in the settings it switches to English.
Edit system configuration files, after which the system crashes or does not work correctly. It also happens that it is problematic to restore the system with commands, and it is troublesome for users. A reinstall Linux OS takes a lot of time. IN Windows There are programs such as Acronis, but unfortunately these programs are not free. After searching in Internet discovered a wonderful program similar to Acronis, this program is called PING (Party Is Not Ghost).
Download ISO image can be found here:
Program PING designed for duplication and recovery of entire systems over a network or removable media (for example, CD, DVD or other storage devices).
Attention! Found that the program does not work with the file system Ext4 .
so you downloaded ISO image and burn it to disk.
Creating an image
Now let's look at creating a copy of your system step by step.
Install the disk and restart the computer. Naturally, in BIOS you should be primary CD or DVD disk.
Program PING is loading.
Click Enter to get started.
In the next window, we read a warning. The essence of this warning is that if you decide to restore a hard disk from an image, then all data contained on this computer may be lost forever during the recovery process. You can still interrupt this process.
Click Enter to continue our process.
In the next window, you need to select the program action after the end of the image creation process:
Get a shell (root)- shell entry (root);
Reboot the system- reboot the system;
shutdown- switch off.
We choose an item cursor keys and press Enter.
In the next window, you have to choose where you want to save the image or take the image for recovery. Here we consider two options local and network.
In this article, we will consider creating a local image, which means we choose and click Enter.
In the next window that opens, you can see all available sections.
Use the cursor keys to select the partition you want to back up. The selection is made with a space.
Click Enter.
In the next window, select the name of the directory where we chose to save "\" (slash without quotes).
In the next window, in the list of available images for recovery, select the item and click Enter.
In the next window, enter an arbitrary name for the directory. A directory with this name will be created, and the backup files will already be located in it. In this case, we named it copy.
no and click Enter.
In the next window, we choose how to compress or not compress our image, here act arbitrarily at your discretion. In this example, we have chosen to compress gzip . It should be noted that saving without compression, i.e. item selection no compression , will significantly speed up the process of creating an image, but will increase the size, which means it will take up more space on your hard drive or other media. Click Enter.
Here we choose and click Enter.
In the next window, select no and click Enter.
Now you will have to wait a few minutes while the program creates a backup (image) of your partition.
Restoring data from an image
Now let's look at restoring your system from a backup step by step.
Paste CD or DVD disk and restart the computer.
Program PING is loading.
We wait. Click Enter to get started.
Read the warning and click Enter to continue.
