超级巡警病毒分析工具之File Format Identifier v1.4
大成天下-数据安全实验室(DSW LABS) 出品
本工具是一款辅助进行病毒分析的工具,它包括各种文件格式识别功能,使用超级巡警的格式识别引擎,集查壳、虚拟机脱壳、PE文件编辑、PE文件重建、导入表抓取(内置虚拟机解密某些加密导入表)、进程内存查看/DUMP、附加数据处理、文件地址转换、PEID插件支持、MD5计算以及快捷的第三方工具利用等功能,适合病毒分析中对一些病毒木马样本进行系统处理。
本软件产品为免费软件,用户可以非商业性地下载、安装、复制和散发本软件产品。如果需要进行商业性的销售、复制和散发,例如反病毒公司用来批量分析木马,必须获得DSWLAB的授权和许可,商业公司及团队使用本软件必须获得DSWLAB的授权和许可。
V1.4新增功能:
★新增自动获取导入表功能,该功能使用虚拟机虚拟执行技术来进行导入表的获取,具备自动解密功能,可以轻松获取ImportREC无法正确获取的导入表。(详见下面节九)对该功能有更多想法的人欢迎联系我们。
★增加的更多的细节描述,对PE文件进行更细致的解析,对错误文件/无效的PE文件/无法执行的PE文件报告错误原因。感谢Pedro Lopez建议此功能。
★新增皮肤功能,使得界面更漂亮,可在设置中切换自己喜欢的皮肤风格。感谢fly(unpack.cn)建议此功能。
★扩展签名库集成Fly收集的签名库。感谢fly(unpack.cn)授权。
★其他几个BUG修正。
V1.3新增功能:
★增加进程查看、终止功能,支持三种dump方式 ump Full、Dump Partial和Dump Region,支持自动修正模块内存镜像大小。(详见下面节八)
V1.2新增功能:
★全面支持PEID插件功能。使用前需要在设置中指定Load Plugins就可以使用PEid的插件功能,无需重启FFI,插件必须放plugins目录下,设置好后点Plugin>>就可看到相应插件。
★增加支持重建PE的功能,用以修复许多损坏的PE文件,或者脱壳后文件无法重新加壳的情况。
V1.1新增功能:
★增加使用VMUnpacker脱壳引擎进行脱壳的功能,对识别出来的壳可直接点击Unpack按钮脱掉,方便分析加壳木马,本版本脱壳引擎脱壳能力等同于VMUnpacker V1.4 。
★增加对附加数据的处理,可将附加数据直接删除或者保存为文件,方便进一步分析。
★增加PE文件的地址转换功能,可方便的换算RAV<->RAW 。
详细功能说明如下:
一、查壳功能:
支持文件拖拽,目录拖拽,可设置右键对文件和目录的查壳功能,除了FFI自带壳库unpack.avd外,还可以使用扩展壳库(必须命名为userdb.txt,此库格式兼容PEID库格式,可以把自己收集的userdb.txt放入增强壳检测功能)。
注:如果是使用扩展库里特征查出的壳,在壳信息后面会有 * 标志。
二、脱壳功能:
如果在查壳后,Unpack按钮可用,则表示可以对当前处理文件进行脱壳处理,采用虚拟机脱壳技术,您不必担心当前处理文件可能危害系统。
三、PE编辑功能:
本程序主界面可显示被检查的程序的入口点/入口点物理偏移,区段等信息,并且提供强大的编辑功能。
其中PE Section后按钮可以编辑当前文件的节表,点击后出现Sections Editor窗口。
主要功能有:
★显示详细的节段信息
★可查看编辑区段名称、大小、执行属性等相关信息。
★清除选定的区段名称
★对区段进行自动修复
★从磁盘加载区段
★保存区段到磁盘
★增加一个新的区段
★从文件中删除区段
★从PE头中删除区段(区段内容实质还在)
★用指定的数据填充区段
SubSystem后按钮可以显示PE文件的详细信息,支持详细编辑PE文件的Dos头,NT头等信息,支持查看PE文件的导出表、导入表信息,本项目功能太细致具体请参考界面。
四、附加数据检测:
可扫描应用程序是否包含附件数据,并提供了附加数据详细的起始位置和大小,可以用Del Overlay按钮和Save Overlay按钮进行相应的处理。
五、支持PEid插件:
点Options按钮选择Load Plugins就可以使用PEid的插件功能,无需重启FFI,插件必须放plugins目录下,然后点Plugin>>就可看到相应插件信息。
六、ReBuild PE 功能:
本功能主要是用来对脱壳后的PE文件进行修复,一般可用来解决脱壳后无法重新加壳等问题,使用ReguildPE按钮即可完成此功能。
七、第三方工具支持:
在Options按钮中,点Manage Tools按钮,可以用右键菜单添加/删除IDA/OllyDBG等第三方工具,这样就可以直接在FFI里启动OllyDBG、IDA这些工具来打开当前文件进行反汇编。
注:添加第三方工具后,点Plugin>>按钮就可以看到您添加的工具信息了,点击即可用此工具打开当前处理文件。
八、进程DUMP:
点TaskView按钮后,可以进行进程的终止,进程中模块内存的dump,目前支持三种dump方式ump Full、Dump Partial和Dump Region,还支持自动修正主模块内存镜像大小。
九、导入表抓取:
点Get IAT按钮后,选择进程后就可以抓取导入表,在DumpFixer前请填上正确的OEP信息。
如果出现不可识别的函数信息,您可以设置虚拟机解密步数,在导入表信息框中用右键点VM Decode尝试解密这个函数
如果您发现抓取的导入表信息有些不是您想要的,可以在导入表信息框中用右键点Del Thunk或者Cut Thunk让其消失。
如果您要对进程的非主模块抓取导入表,请在Manipulation records窗口中对相应模块信息点右键Load this module,这样抓取的导入表就是这个模块的了。
十、联系我们:
如果您遇到什么问题,或者有什么建议,或者需要我们在添加新功能,可以通过点Email to us发送邮件给我们,如果您认为当前处理文件对我们改进FFI功能或者修正其bug有益,也可以把它当作附件发送给我们。
超级巡警:彻底查杀各种木马,全面保护系统安全。
更多免费工具下载:http://www.sucop.com
专业的桌面与内容安全产品:http://www.unnoo.com
英文说明:)
Sucop virus analysis tool(File Format Identifier) v1.4
unnoo-dswlab products
It is an auxiliary tool for virus analysis, which includes variousfile format recognition engine code, sniffing packers, unpacking byvirtual machine, editing PE file, rebuilding PE file, obtaining theimport table(using virtual machine to decode the encode import table),dumpping memory, processesing the overlay, PE address conversion,supporting PEid plugins, computing MD5 and efficient use of third-partytools, and so on. It is also used for disposing the Trojan virussamples during virus analysis.
This software is free; you can download, install, copy anddistribute it noncommercially; For commercial sale, copy anddistribute, you should get the warranty and permission of DSWLABbefore(for example, if the anti-virus company want to use it toanalyses the Trojan horse in batches, he must get mandate andpermission of DSWLAB before).
v1.4 new features:
★add obtaining the import table function, for some encode importtable, you can decode it by the virutal machine. (See section 9following), welcome the contact us if you have more suggestions
★show more useful descriptions for the invalid pe file, thanks to Pedro Lopez for proposing it
★new skin to make more beautiful, you can switch skin style afterhitting option button, thanks to fly(unpack.cn) for proposing it
★add the external signatures library which collected by fly(unpack.cn), thanks for the authorization
★correct several bugs
v1.3 new features:
★add a task view which supports three functions:
a.terminate the process
b.corrent the image size of the module
c.dump the memory with three mode(Dump Full、Dump Partial and Dump Region)
v1.2 new features:
★support PEid plugins
★add a feature for rebuilding PE
v1.1 new features:
★add VMUnpacker unpack engine for unpacking, the unpacking capacity is equal VMUnpacker v1.4
★add some external signatures from the internet
★add a feature for deleting overlay and saving overlay
★add PE Address Conversion(RAV<->RAW)
First, Sniff Packers
Supporting file drag, directory drag, you can also install shellextensions to recognize file and directory. In order to recognize morepackers, you can use the external signatures library (must nameduserdb.txt, the library format is as same as the PEid's externalsignatures library).
Note: A '*' will appear if this packers was sniffed by the external signatures.
Second, Unpack
You can unpack the packer if the "unpack" button can hit. Thefucntion based on the technology of virtual machine, it could unpackvarious known & unknown packers. It is suitable for unpacking theprotected Trojan horse in virus analyses, and because all codes are rununder the virtual machine, so they will not take any danger to yoursystem.
Third, PE Editor
Hit the button after "PE Section", you can edit the information of the sections.
The mainly functions are:
★Display section information
★Can modify section name, section size, section attributes and other related information
★Remove the selected section name
★Automatic fix of the section
★Load section from the disk
★Save section to disk
★Add a new section
★Delete section from PE file
★Delete section only from PE header
★Fill section with the specified char
Hit the SubSystem button can get the detailed PE information, you can editor them.
Fourth, Delete & Save Overlay
You can hit "Del Overlay" button to delete the overlay if the PEfile has overlay, you also can hit "Save Overlay" button to save theoverlay.
Fifth, Support PEid plugins
Hit Options button to set using PEid plugins, without restart FFI,the PEid plugins must be put the directory named plugins, and then HitPlugin>>> to use PEid plugins.
sixth, ReBuild PE
This function is primarily used for repairing the PE file which was dumped from unpacking.
seventh, Support the third-party tools
Hit Manage Tools button after Hitting Options button, you can add /remove IDA / OllyDBG and other third-party tools to shell extensions,than you can activate the third-party tools in the FFI to open thetarget file directly.
Note: After add the third-party tools, you can hit Pulig>>>button to get their information, click them you can use the third-partyto open the target file.
eighth, Dump the memory of the process
Hit TaskView button,then you can terminate the process and dump thememory with three mode(Dump Full、Dump Partial and Dump Region), and youcan also corrent the image size of the module.
ninth, Get Import table
After hitting the Get IAT button, getting the import table afterchoose the process, input the right OEP information before hittingDumpFixer button.
If any undistinguished API appears, you can set virtual machine decode steps, and decode this item by hitting VM Decode menu.
If there is any information which you do not want, hit Del Thunk menu or Cut Thunk menu to delete it.
If you want to get the import table for the non-main module of theprocess, please use right button in Manipulation records frame, andhitting Load this module menu, that is the module's import tableobtained in this way.
Contact Us:
If you have any problems/suggestions in using or necessary us to addnew functions in it, send us email and we will try to help, if youthink the current file is good at that we modify the bug of FFI, youcan send to us too.
Supercop:Kill various kinds of Trojan horse completely, protect the security of system in an all-round way.
more free tools download:http://www.dswlab.com
Specialized desktop and safe products of content :http://www.unnoo.com
[ 本帖最后由 麦田的怪 于 2008-3-4 13:04 编辑 ] |
发表于 2008-3-3 15:20:20
发表于 2008-3-4 10:24:37
虚拟机脱壳,做好了应该很强大