v 2.4.0.1 [2 apr 2008]
-fixed a bug with imported function name length;
-added external signature verifier; wrote a note about signatures;
-fixed RVA2RAW for UPACK, which has the EP inside the PE header; imports are now shown fine;
-added basic disassembler from the hex editor right-click menu;
-fixed showing which export is in fact a forwarder to another dll, like HeapAlloc in kernel32.dll;
-added process memory dumper/viewer; right-click on the process you want to inspect; you can
use the disassembler (from the right-click menu inside the hex editor) to see how the code looks at
a certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view
code blocks protected with PAGE_GUARD or NOACCESS flags.
Note about external signatures
——————————
-we have 2 kinds of signatures:
1. relative to the entry point (ep_only=true); a number of bytes searched only at one location;
2. absolute (ep_only=false); a number of bytes searched in the entire file;
-a relative signature can start with an offset (negative or positive) specified by
(offset=x, where x can be e.g. 5 or -7 relative to the entry point); in addition a relative
signature can start with a number of unknown bytes (?? ?? ?? 3E 45 etc.); in this case
the number of those starting bytes is treated as a positive offset; but remember,
this is only for (ep_only=true);
Signature rules:
-sections with different names; a section is e.g. "[Name of the Packer v1.0]";
-sections with different signatures, for not wasting time;
-signature bytes must be hex represented (0-9, A-F);
-each signature's length must be a multiple of 2;
-you can use an empty space as a separator between each byte (2 hex chars)
for readability (like "signature = 00 A2 3F", which is the same as
"signature = 00A23F");
-you can use "??" as a wildcard if the byte can be anything inside a signature;
-only relative signatures (ep_only=true) can start with "??";
-when you fix the external signatures file, you must fix the section names first!! (otherwise you will
get checking mistakes in the next verifications!!), then signature correctness, then overlapping
signatures; the section's name or signature will be on the clipboard when an error is
found; just paste it into the search box in notepad; if you have multiple sections with the same
name and different signatures, just rename them like mepacker_s1, mepacker_s2 etc.;
-avoid adding large signatures; it will be a time killer; be smart!
-add the signature at the end of the file (EOF), then see if your file is detected, to avoid
overlapping signatures;
-the signature verification is done only for those signatures starting at the entry point! for
different offsets (e.g. signatures starting with "?? ?? A2" etc. or offset=x) the code
becomes too complicated, so it is easier to add those signatures at the EOF and see if it works;
-what is overlapping: look at the next 2 signatures, "EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6" and
"EB 02 ?? ?? EB 02"; they cover the same range of bytes; the short one is covered by the longest;
in this case you may miss a packer because of this, depending on which is searched first;
it's recommended to put the longest first.
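As an added example (not code from the tool or its author), here is a small Python parser and matcher for signature files in the format described above: it enforces the hex / even-length / "??" rules, searches at the entry point plus offset (ep_only=true) or the whole file (ep_only=false), reports matches longest first, and flags entries that overlap. The packer names in SAMPLE_DB and the bytes used to exercise it are constructed.

```python
import re
from collections import namedtuple

# Constructed sample database (hypothetical packer names) in the format described above.
SAMPLE_DB = """[MePacker_s1]
signature = EB 02 ?? ?? EB 02
ep_only = true
[MePacker_s2]
signature = EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6
ep_only = true
[MePacker stub string]
signature = 4D65506163
ep_only = false
"""

# name, pattern (one int per byte, None where the entry says ??), ep_only, offset (relative to EP)
Signature = namedtuple("Signature", "name pattern ep_only offset")

def parse_db(text):
    """Split the file into [Name] entries and parse each entry's key = value lines."""
    sigs = []
    for m in re.finditer(r"\[([^\]]+)\]([^\[]*)", text):
        fields = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*(.+)", m.group(2))}
        sigs.append(_build(m.group(1), fields))
    return sigs

def _build(name, b):
    pairs = b["signature"].replace(" ", "").upper()
    pairs = [pairs[i:i + 2] for i in range(0, len(pairs), 2)]   # split into whole bytes
    if not pairs or any(p != "??" and not re.fullmatch(r"[0-9A-F]{2}", p) for p in pairs):
        raise ValueError(f"{name}: signature must be hex bytes (even length) or ??")
    ep_only = b.get("ep_only", "false").lower() == "true"
    if not ep_only and pairs[0] == "??":
        raise ValueError(f"{name}: only ep_only signatures may start with ??")
    pat = [None if p == "??" else int(p, 16) for p in pairs]
    return Signature(name, pat, ep_only, int(b.get("offset", "0")))

def matches_at(pat, data, pos):
    return 0 <= pos <= len(data) - len(pat) and all(
        p is None or p == data[pos + i] for i, p in enumerate(pat))

def scan(data, ep, sigs):
    """Names of matching signatures, longest first (the order the note recommends)."""
    return [s.name for s in sorted(sigs, key=lambda s: -len(s.pattern))
            if any(matches_at(s.pattern, data, i)
                   for i in ([ep + s.offset] if s.ep_only else range(len(data))))]

def overlapping(a, b):
    """Entries searched from the same start overlap when no fixed byte conflicts."""
    return all(x is None or y is None or x == y for x, y in zip(a.pattern, b.pattern))
```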
Created by Daniel Pistelli, a freeware PE identifier. This tool was originally designed to be part of the Explorer Suite II, but it can be downloaded separately as well. The PE Detective can scan single PE files or entire directories (also recursively) and generate complete reports. The PE Detective is deployed along with the Signature Explorer, an advanced signature manager used to check collisions and to handle, update and retrieve signatures.
Scanning a file with the PE Detective tool is very easy: just drag & drop a file onto the interface and press scan. If there are multiple results, all of them are listed in descending priority. The data for each result shows the signature name, the number of matches (meaning how many bytes in the signature match; wildcards aren't counted) and possible comments regarding the signature.
filedeleted….
Hello, I can't download, the link was broken.