Sucop virus analysis tool (File Format Identifier) v1.4

A product of Dacheng World Data Security Laboratory (DSW LABS).

This tool is an auxiliary tool for virus analysis. It includes file format identification for many formats, using the Super Patrol (超级巡警) format identification engine, and integrates packer detection, virtual-machine unpacking, PE file editing, PE file rebuilding, import table grabbing (with a built-in virtual machine that decrypts some encrypted import tables), process memory viewing/DUMP, overlay (appended data) handling, file address conversion, PEiD plugin support, MD5 calculation and quick launching of third-party tools. It is suited to the systematic handling of virus and Trojan samples during analysis.

The software is freeware: users may download, install, copy and distribute it for non-commercial purposes. Commercial sale, copying or distribution, for example an anti-virus company using it to analyse Trojans in bulk, requires DSWLAB's authorization and permission, and commercial companies and teams must obtain DSWLAB's authorization and permission before using it.

V1.4 new features:
★ Automatic import table acquisition. The function uses virtual-machine (emulated) execution to obtain the import table and decrypts it automatically, so it can easily recover import tables that ImportREC cannot obtain correctly. (See section 9 below.) Anyone with further ideas for this function is welcome to contact us.
★ More detailed reporting: the PE file is parsed in finer detail, and for a bad file / invalid PE file / non-executable PE file the reason for the error is reported. Thanks to Pedro Lopez for suggesting this feature.
★ Skins, to make the interface nicer; switch to your preferred skin style in the settings. Thanks to fly (unpack.cn) for suggesting this feature.
★ The extended signature database integrates the signatures collected by fly. Thanks to fly (unpack.cn) for authorizing this.
★ Several other bug fixes.
V1.3 new features:
★ Process viewing and termination, with three dump modes: Dump Full, Dump Partial and Dump Region, and automatic correction of a module's in-memory image size. (See section 8 below.)

V1.2 new features:
★ Full PEiD plugin support. Before use, select Load Plugins in the settings; the PEiD plugin functions then work without restarting FFI. Plugins must be placed in the plugins directory; once set, click Plugin>> to see the loaded plugins.
★ PE rebuilding, to repair many damaged PE files, or unpacked files that can no longer be re-packed.

V1.1 new features:
★ Unpacking with the VMUnpacker unpacking engine: a recognized packer can be removed directly by clicking the Unpack button, which makes analysing packed Trojans convenient. The unpacking engine in this version is equivalent to VMUnpacker V1.4.
★ Overlay (appended data) handling: the appended data can be deleted directly or saved to a file for further analysis.
★ PE file address conversion, for convenient RVA <-> RAW (file offset) conversion.

Detailed feature description:

1. Packer detection: supports dragging files and directories, and a right-click (Explorer context menu) packer check for files and directories can be configured. Besides FFI's built-in packer database unpack.avd, an extended database can be used (it must be named userdb.txt; the format is compatible with the PEiD database format, so you can drop in a userdb.txt you have collected to strengthen detection). Note: if a packer is detected by a signature from the extended database, a * mark follows the packer information.

2. Unpacking: if the Unpack button is enabled after the packer check, the current file can be unpacked. Virtual-machine unpacking is used, so you need not worry that the file being processed might harm the system.
3. PE editing: the main window shows the entry point, the physical (file) offset of the entry point, the sections and other information of the file being examined, and provides powerful editing. The button after "PE Section" edits the section table of the current file; clicking it opens the Sections Editor window. Its main functions are:
★ show detailed section information
★ view and edit the section name, size, execute attribute and other related information
★ clear the selected section's name
★ automatically repair sections
★ load a section from disk
★ save a section to disk
★ add a new section
★ delete a section from the file
★ delete a section from the PE header only (the section's contents remain in the file)
★ fill a section with specified data
The button after "SubSystem" shows detailed PE file information; it supports detailed editing of the DOS header, NT headers and so on, and viewing the export table and import table. These features are too fine-grained to list here; please refer to the interface.

4. Overlay detection: scans whether the program carries appended data and reports the overlay's starting offset and size; use the Del Overlay and Save Overlay buttons to handle it.

5. PEiD plugin support: click the Options button and select Load Plugins to use PEiD plugins without restarting FFI. Plugins must be in the plugins directory; then click Plugin>> to see the plugin information.

6. ReBuild PE: mainly used to repair a PE file after unpacking; it usually solves problems such as an unpacked file that cannot be re-packed. Use the ReBuild PE button for this.
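The packer check in section 1 (PEiD-compatible userdb.txt signatures matched at the entry point, with a * on hits from the extended database), the RVA <-> RAW conversion added in V1.1 and the overlay detection in section 4 all rest on the same PE header and section table parsing. The Python below is an added example written for this page; it is not FFI's or DSWLAB's code, and the PE file, the signature entries and their names are constructed here for illustration (they are not real packer signatures). It builds a minimal PE32 file in memory, converts addresses both ways through the section table, reports the overlay past the last section's raw end, and matches userdb.txt-style signatures (with ?? wildcards, honouring ep_only) at the entry point.

```python
import struct

# Constructed sample PE (not a real sample): one .text section at RVA 0x1000 /
# file offset 0x200, entry point at the start of .text, and 0x40 bytes appended
# after the last section so that overlay detection has something to find.
FILE_ALIGN, SECT_ALIGN, ENTRY_RVA = 0x200, 0x1000, 0x1000
# pushad; call $+5; pop ebp; sub ebp, 0x401000; xor ecx, ecx (typical unpacking-stub prologue)
ENTRY_CODE = bytes.fromhex("60e8000000005d81ed0010400031c9")


def build_sample_pe():
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)       # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0x200, 0, 0, ENTRY_RVA,
                      0x1000, 0x2000, 0x400000, SECT_ALIGN, FILE_ALIGN).ljust(0xE0, b"\x00")
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(FILE_ALIGN, b"\x00")
    text = ENTRY_CODE.ljust(0x200, b"\xcc")
    overlay = b"OVERLAY-DATA".ljust(0x40, b"\x00")                       # appended data (the overlay)
    return headers + text + overlay


def parse_pe(data):
    """Return entry point RVA, file alignment and the section table; reject non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("invalid PE: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("invalid PE: missing PE\\0\\0 signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    file_align = struct.unpack_from("<I", data, opt + 36)[0]    # FileAlignment
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rptr, "rsize": rsize})
    return {"entry_rva": entry_rva, "file_align": file_align, "sections": sections}


def rva_to_raw(pe, rva):
    """RVA -> file offset. Header RVAs map 1:1; virtual-only tails have no file backing."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            off = rva - s["va"]
            return s["raw"] + off if off < s["rsize"] else None
    first_va = min((s["va"] for s in pe["sections"]), default=None)
    return rva if first_va is None or rva < first_va else None


def raw_to_rva(pe, raw):
    """File offset -> RVA. Overlay bytes are never mapped, so they get None."""
    for s in pe["sections"]:
        if s["raw"] <= raw < s["raw"] + s["rsize"]:
            return s["va"] + raw - s["raw"]
    first_raw = min((s["raw"] for s in pe["sections"]), default=None)
    return raw if first_raw is None or raw < first_raw else None


def find_overlay(pe, data):
    """(offset, size) of data past the last section's raw end, or None if there is none."""
    end = max((s["raw"] + s["rsize"] for s in pe["sections"]), default=0)
    return (end, len(data) - end) if end < len(data) else None


def parse_userdb(text):
    """Parse PEiD userdb.txt entries: [name] / signature = XX ?? .. / ep_only = true|false."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "sig": [], "ep_only": True}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key.lower() == "signature":
                cur["sig"] = [None if t == "??" else int(t, 16) for t in val.split()]
            elif key.lower() == "ep_only":
                cur["ep_only"] = val.lower() == "true"
    return entries


def sig_matches(sig, data, off):
    if off is None or off + len(sig) > len(data):
        return False
    return all(b is None or b == data[off + i] for i, b in enumerate(sig))


def identify_packer(data, dbs):
    """dbs: list of (userdb_text, is_extended). Extended-database hits get a ' *' suffix, as in FFI."""
    pe = parse_pe(data)
    ep_raw = rva_to_raw(pe, pe["entry_rva"])
    hits = []
    for text, extended in dbs:
        for e in parse_userdb(text):
            if not e["sig"]:
                continue
            if e["ep_only"]:
                ok = sig_matches(e["sig"], data, ep_raw)
            else:   # whole-file scan for non-ep_only entries
                ok = any(sig_matches(e["sig"], data, i) for i in range(len(data) - len(e["sig"]) + 1))
            if ok:
                hits.append(e["name"] + (" *" if extended else ""))
    return hits


# Constructed databases standing in for unpack.avd and an extended userdb.txt.
BUILTIN_DB = "[Example stub B (constructed, not a real packer)]\nsignature = 55 8B EC 83 EC ?? 53 56 57\nep_only = true\n"
EXTENDED_DB = ("[Example stub A (constructed, not a real packer)]\nsignature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??\nep_only = true\n"
               "[Example overlay marker (constructed)]\nsignature = 4F 56 45 52 4C 41 59\nep_only = false\n")

if __name__ == "__main__":
    data = build_sample_pe()
    pe = parse_pe(data)
    print("EP RVA %#x -> RAW %#x" % (pe["entry_rva"], rva_to_raw(pe, pe["entry_rva"])))
    print("overlay (offset, size):", find_overlay(pe, data))
    print("packer:", identify_packer(data, [(BUILTIN_DB, False), (EXTENDED_DB, True)]))
```

Two caveats a practitioner should keep in mind: a section whose VirtualSize exceeds SizeOfRawData has a tail with no file backing (rva_to_raw returns None there rather than a bogus offset), and the overlay end is taken from the section table as written, so a packer that lies in its section headers will also mislead this check, which is the reason FFI's ReBuild PE and section editor exist.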
7. Third-party tool support: under the Options button, click Manage Tools; a right-click menu adds or removes third-party tools such as IDA and OllyDBG, so that OllyDBG, IDA and the like can be launched directly from FFI to open the current file for disassembly. Note: after adding a tool, click the Plugin>> button to see the tools you added; click a tool to open the current file with it.

8. Process DUMP: click the TaskView button to terminate processes and to dump module memory from a process. Three dump modes are currently supported: Dump Full, Dump Partial and Dump Region; the in-memory image size of the main module can also be corrected automatically.

9. Import table grabbing: click the Get IAT button and select a process to grab its import table. Fill in the correct OEP before using DumpFixer. If unrecognizable function entries appear, you can set the number of virtual-machine decryption steps and right-click VM Decode in the import table box to try to decrypt that function. If some grabbed entries are not what you want, right-click Del Thunk or Cut Thunk in the import table box to remove them. To grab the import table of a module other than the process's main module, right-click the module in the Manipulation records window and choose Load this module; the grabbed import table is then that module's.

10. Contact us: if you encounter problems, have suggestions, or need new features, click Email to us to send us mail. If you think the file you are processing would help improve FFI or fix a bug, you may also send it to us as an attachment.
http://u6.dswlab.com/ffi.zip
http://rapidshare.com/files/91523894/ffi.zip
Chinese-language listing: 超级巡警病毒分析 File Format Identifier (自动查壳脱壳) v1.53 汉化中文版 (Super Patrol virus-analysis File Format Identifier, automatic packer detection and unpacking, v1.53 Chinese localized edition); its feature description is the same as above.