Added static binary tools collection (originally in SVN archive)

static/PEiD-0.95-20081103/external.txt

@@ -0,0 +1,13 @@
+;The file userdb.txt is used to store the external signatures.
+;External signatures can be modified by the user as and when he requires.
+;The signatures are in the format
+
+[Name of the Packer v1.0]
+signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
+ep_only = true
+
+;The ?? in the signature represent wildcard bytes (they are skipped while scanning)
+;ep_only can be either true or false. When true, the signature is scanned for at the EntryPoint only.
+;Else it is scanned throughout the file.
+
+;A '*' in the results of PEiD signifies that the external database was used for scanning the file.

static/PEiD-0.95-20081103/plugins/kanal.htm

@@ -0,0 +1,109 @@
+<html>
+<head>
+<title>KANAL - Krypto Analyzer for PEiD</title>
+</head>
+
+<body>
+<h2><i>KANAL</i> - Krypto Analyzer for PEiD</h2>
+<h3>Version 2.92</h3>
+
+<p>
+This plugin searches for known crypto algorithms, functions and libraries inside
+of the specified module.
+</p>
+
+<p>
+<h4>Usage:</h4>
+Load the file into PEiD and select &quot;Krypto ANALyzer&quot; from the
+plugins menu. A new dialog will open and the detected crypto algorithms,
+constants, functions and libraries will be listed. The offset of the signature
+is displayed for every item; if the analyzed file is a PE executable, also
+the virtual address of the signature is displayed.
+So, the results look like
+<pre>Crypto name :: File offset :: Virtual address</pre>
+</p>
+
+<p>
+For PE executable files, <i>KANAL</i> searches for &quot;reasonable&quot; references
+of the detected piece of code or data. If, for example, some kind of crypto
+substitution table is detected, <i>KANAL</i> attempts to find the address
+where the table is referenced from. The references are displayed as subitems
+of the detected crypto item (so, you have to expand the item to see it).
+If no reference of the detected signature is found
+(e.g. because it's not a piece of data, but rather a constant contained inside
+of an assembly instruction), the text &quot;The reference is above&quot;
+is displayed.
+</p>
+
+<p>
+<h4>User interface:</h4>
+<ul>
+<li>Using the <b>Export</b> button, you can save the results to a file,
+or copy them to clipboard. The possible output formats are:
+  <ul>
+  <li><b>List of Items</b> - text file containing the list of detected crypto algorithms
+    with the corresponding addresses (i.e. what you see in the results window,
+    unexpanded items).</li>
+  <li><b>List of Items with References</b> - text file containing the list of detected
+    crypto algorithms with the corresponding addresses and references (i.e. what you see
+    in the results window, expanded items).</li>
+  <li><b>IDC Script - Bookmarks</b> - IDC script for IDA Pro; when executed,
+    it creates a list of bookmarks corresponding to the detected results.</li>
+  <li><b>IDC Script - Comments</b> - IDC script for IDA Pro; when executed,
+    it sets the comments (containing detected crypto algorithms and their description)
+    for the corresponding addresses.</li>
+  <li><b>IDC Script - Bookmarks &amp; Comments</b> - IDC script for IDA Pro;
+    when executed, it sets both the bookmarks of detected results and their comments.</li>
+  </ul>
+<li>When you <b>right click</b> on any line of the results, the corresponding address is
+copied into the clipboard (both for the crypto itself and for the references).</li>
+<li>When you <b>select</b> an item from the list, a simple description, corresponding
+to the crypto item, will be displayed in the bottom part of the window.</li>
+</ul>
+</p>
+
+<p>
+<h4>Limitations:</h4>
+<ul>
+<li>The detection of crypto algorithms is limited to those possible to identify
+by a specific signature (such as fixed s-boxes, permutation tables,
+initialization values, etc). Simple mathematical algorithms, such as RSA,
+cannot be detected in a generic way. Even some of the algorithms that normally
+can be detected by their tables (e.g. AES) can be implemented such that
+the tables are not static, but rather generated dynamically during the runtime
+using special formulas; in such cases they probably won't be recognized
+by <i>KANAL</i>.</li>
+<li>Some functions (even RSA) can be detected according to their implementation
+in specific crypto libraries. This kind of detection, however, depends on the
+compiler used, its optimization settings, etc - so it won't work in all cases.</li>
+<li>A few of the algorithms are detected by a single DWORD - so, they are
+susceptible to occasional false alarms.</li>
+<li>Some crypto algorithms share a common initialization code - so if multiple
+crypto algorithms are present in the file, they may be &quot;mixed up&quot;
+sometimes. The plugin tries to filter the results somehow (to guess which
+algorithm it actually is, using the &quot;shared&quot; code),
+but it may not be 100% accurate, of course.</li>
+</ul>
+</p>
+
+<p>
+<h4>Notes:</h4>
+<ul>
+<li>The processed file is just scanned for known patterns - no part of the file is
+executed. So, it's safe to use <i>KANAL</i> on malicious files.</li>
+</ul>
+</p>
+
+
+<hr>
+
+<p>
+<h4>Credits:</h4>
+<b>igNorAMUS</b> - maintaining the source and all the detections at the moment<br>
+<b>snaker</b> - the original coding and detections<br>
+<b>Maxx</b> - detection of various functions from common crypto libraries<br>
+<b>pusher</b> - testing and bug reports<br>
+</p>
+
+</body>
+</html>

static/PEiD-0.95-20081103/pluginsdk/C++/defs.h

@@ -0,0 +1,9 @@
+//#include <windows.h>
+#ifdef _DLLMACRO
+	#define	 DllExport	__declspec(dllexport)
+#else
+	#define	 DllExport	__declspec(dllimport)
+#endif
+
+DllExport DWORD DoMyJob(HWND hMainDlg, char *szFname, DWORD lpReserved, LPVOID lpParam);
+DllExport LPSTR LoadDll();

static/PEiD-0.95-20081103/pluginsdk/C++/null.c

@@ -0,0 +1,40 @@
+#include <windows.h>
+#include "defs.h"
+
+DWORD DoMyJob(HWND hMainDlg, char *szFname, DWORD lpReserved, LPVOID lpParam)
+{
+	//hMainDlg: HWND of PEiD window
+	//szFname: Filename
+	//lpReserved: PEiD passes 'PEiD' as the value
+	//lpParam: NULL passed, for future use
+ 
+	// Write your main code here
+
+	return 1;
+}
+
+LPSTR LoadDll()
+{
+	return "Name of the plugin";
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch(fdwReason)
+	{
+		case DLL_PROCESS_ATTACH:
+		break;
+
+		case DLL_THREAD_ATTACH:
+		break;
+
+		case DLL_THREAD_DETACH:
+		break;
+		
+		case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
+

static/PEiD-0.95-20081103/pluginsdk/Delphi/Sample.dpr

@@ -0,0 +1,30 @@
+//sample provided by _pusher_
+library Sample;
+
+uses
+  Windows;
+
+type DLL_RET_MSG = record
+szMsgText: PChar;
+szMsgHead: PChar;
+dRetVal: DWORD;
+dRetExVal: DWORD;
+dFlags: DWORD;
+end;
+
+function LoadDll:PChar;cdecl;
+begin
+result:='Name for Plugin';
+end;
+
+function DoMyJob(hMainDlg: HWND; szFname: PChar; lpReserved: DWORD; DRM: DLL_RET_MSG):DWORD; cdecl;
+begin
+Messagebox(hMainDlg,Pchar('hello world'+#13+#10+'FileName: '+szFname),'',MB_OK);
+result:=1; //this is like showing peid all went well.
+end;
+
+exports
+    DoMyJob,
+    LoadDll;
+
+end.

static/PEiD-0.95-20081103/pluginsdk/MASM/compile.bat

@@ -0,0 +1,4 @@
+\masm32\bin\ml /c /coff /Cp masm_plugin.asm
+\masm32\bin\link /dll /DEF:masm_plugin.def /subsystem:windows /libpath:\masm32\lib masm_plugin.obj
+
+pause

static/PEiD-0.95-20081103/pluginsdk/MASM/masm_plugin.asm

@@ -0,0 +1,75 @@
+;******************************************************************************
+;* PEiD Plugin Example by diablo2oo2                                          *
+;******************************************************************************
+.586p
+.mmx			
+.model flat, stdcall
+option casemap :none
+
+
+;******************************************************************************
+;* INCLUDES                                                                   *
+;******************************************************************************
+include				\masm32\include\windows.inc
+include				\masm32\macros\macros.asm
+
+include				\masm32\include\user32.inc
+include				\masm32\include\kernel32.inc
+include				\masm32\include\shell32.inc
+include				\masm32\include\advapi32.inc
+include				\masm32\include\gdi32.inc
+include				\masm32\include\comctl32.inc
+include				\masm32\include\comdlg32.inc
+include				\masm32\include\masm32.inc
+
+includelib			\masm32\lib\user32.lib
+includelib			\masm32\lib\kernel32.lib
+includelib			\masm32\lib\shell32.lib
+includelib			\masm32\lib\advapi32.lib
+includelib			\masm32\lib\gdi32.lib
+includelib			\masm32\lib\comctl32.lib
+includelib			\masm32\lib\comdlg32.lib
+includelib			\masm32\lib\masm32.lib
+
+
+;******************************************************************************
+;* DATA & CONSTANTS                                                           *
+;******************************************************************************
+.const
+
+.data
+
+.data?
+hInstance			dd ?
+
+
+;******************************************************************************
+;* CODE                                                                       *
+;******************************************************************************
+.code
+align 16
+DllEntry proc _hInstance:HINSTANCE, _reason:DWORD, _reserved1:DWORD
+	m2m hInstance,_hInstance
+	mov eax,TRUE
+	ret
+DllEntry endp
+
+align 16
+LoadDll proc
+	;---Name of the plugin---
+	mov eax,chr$("MASM Plugin Example")
+	ret
+LoadDll endp
+
+align 16
+DoMyJob proc _hwnd:dword,_filename:dword,_lpreserved:dword,_lpparam:dword	
+	
+	invoke MessageBox,_hwnd,_filename,chr$("MASM Plugin Example"),MB_OK
+	
+	;---job done!---
+	pop ebp		;stack fix
+	mov eax,1
+	retn		;stack fix
+DoMyJob endp
+	
+end DllEntry

static/PEiD-0.95-20081103/pluginsdk/MASM/masm_plugin.def

@@ -0,0 +1,4 @@
+LIBRARY masm_plugin
+EXPORTS
+LoadDll
+DoMyJob

static/PEiD-0.95-20081103/pluginsdk/PowerBASIC/PEiD_Plugin.bas

@@ -0,0 +1,84 @@
+' =================================================
+'
+' PEiD's Plugin skeleton for PowerBASIC
+' (C) 2004 by Marco Pontello - http://mark0.net
+'
+' This code is to be considered "public domain".
+' Feel free to do what you want with it.
+'
+' -------------------------------------------------
+'
+' PEiD is a file identifier especially tailored for
+' PE (Portable executable) files. It detects most
+' common packers, cryptors and compilers. It also 
+' sports a range of useful tools and plugins.
+' 
+' PEiD's home: http://peid.has.it/
+' 
+' =================================================
+
+#COMPILE DLL
+#DIM ALL
+
+$PROGRAMVER = "1.0"
+$PROGRAMTITLE = "MyPlugin"
+
+#INCLUDE "WIN32API.INC"
+
+' --- Global declarations
+
+GLOBAL ghDLLInstance AS LONG                                   
+GLOBAL ghPEiDDialog AS LONG                                   
+
+' --- Exported functions
+
+DECLARE FUNCTION DoMyJob CDECL ALIAS "DoMyJob" (BYVAL hMainDlg AS DWORD, _
+                         BYREF szfName AS ASCIIZ, BYVAL lpReserved AS DWORD, _
+                         BYVAL lpVoid AS DWORD) AS DWORD
+DECLARE FUNCTION LoadDll CDECL ALIAS "LoadDll" () AS DWORD
+
+' --- Return Plugin Name to PEiD
+'     PEiD call this at startup to build a list with the name of all
+'     available Plugins
+
+FUNCTION LoadDll CDECL ALIAS "LoadDll" () EXPORT AS DWORD
+
+  STATIC szPluginName AS ASCIIZ * 256
+  szPluginName = $PROGRAMTITLE
+  FUNCTION = VARPTR(szPluginName)
+
+END FUNCTION
+
+' --- Main Plugin routine
+'     This is called by PEiD when the Plugin is selected/run
+
+FUNCTION DoMyJob CDECL ALIAS "DoMyJob" (BYVAL hMainDlg AS DWORD, _
+                 BYREF szfName AS ASCIIZ, BYVAL lpReserved AS DWORD, _
+                 BYVAL lpVoid AS DWORD) EXPORT AS DWORD
+  
+  ghPEiDDialog = hMainDlg
+  MsgBox "PEiD's file: " & szfName, %MB_SYSTEMMODAL, $PROGRAMTITLE
+  FUNCTION = 1 
+  EXIT FUNCTION
+
+END FUNCTION
+                                                       
+' --- Main DLL entry
+
+FUNCTION LibMain (BYVAL hInstance AS LONG, BYVAL fwdReason AS LONG, _
+                  BYVAL lpvReserved AS LONG) AS LONG
+
+  SELECT CASE fwdReason
+  CASE %DLL_PROCESS_ATTACH
+     ghDLLInstance = hInstance
+     FUNCTION = 1
+  CASE %DLL_PROCESS_DETACH
+     FUNCTION = 1
+  CASE %DLL_THREAD_ATTACH
+     FUNCTION = 1
+  CASE %DLL_THREAD_DETACH
+     FUNCTION = 1
+  END SELECT     
+  EXIT FUNCTION
+
+END FUNCTION

static/PEiD-0.95-20081103/pluginsdk/readme.txt

@@ -0,0 +1,6 @@
+The Sample sources were provided by
+
+PowerBASIC, Mark0
+C++ , snaker
+Delphi, _pusher_
+MASM, diablo2oo2

static/PEiD-0.95-20081103/readme.txt

@@ -0,0 +1,166 @@
+PE iDentifier v0.95 (2008.11.03) by snaker, Qwerton, Jibz & xineohP
+------------------------------------------------------
+
+PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
+
+PEiD is special in some aspects when compared to other identifiers already out there!
+
+1. It has a superb GUI and the interface is really intuitive and simple.
+2. Detection rates are amongst the best given by any other identifier.
+3. Special scanning modes for *advanced* detections of modified and unknown files.
+4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
+5. Multiple file and directory scanning with recursion.
+6. Task viewer and controller.
+7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
+8. Extra scanning techniques used for even better detections.
+9. Heuristic Scanning options.
+10. New PE details, Imports, Exports and TLS viewers
+11. New built in quick disassembler.
+12. New built in hex viewer.
+13. External signature interface which can be updated by the user.
+
+
+There are 3 different and unique scanning modes in PEiD.
+
+The *Normal Mode* scans the PE files at their Entry Point for all documented signatures. This is what all other identifiers also do.
+
+The *Deep Mode* scans the PE file's Entry Point containing section for all the documented signatures. This ensures detection of around 80% of modified and scrambled files.
+
+The *Hardcore Mode* does a complete scan of the entire PE file for the documented signatures. You should use this mode as a last option as the small signatures often tend to occur a lot in many files and so erroneous outputs may result.
+
+The scanner's inbuilt scanning techniques have error control methods which generally ensure correct outputs even if the last mode is chosen. The first two methods produce almost instantaneous outputs but the last method is a bit slow due to obvious reasons!
+
+
+Command line Options
+--------------------
+
+PEiD now fully supports commandline parameters.
+
+peid -time	// Show statistics before quitting
+peid -r		// Recurse through subdirectories
+peid -nr	// Don't scan subdirectories even if its set
+peid -hard	// Scan files in Hardcore Mode
+peid -deep	// Scan files in Deep Mode
+peid -norm	// Scan files in Normal Mode
+
+peid <file1> <file2> <dir1> <dir2>
+
+You can combine one or more of the parameters.
+
+
+For example.
+
+peid -hard -time -r c:\windows\system32
+peid -time -deep c:\windows\system32\*.dll
+
+
+Task Viewing / Control Module
+-----------------------------
+
+You can scan currently running tasks with PEiD. The files are scanned from memory. Processes can also be terminated. You can also optionally dump a module and scan the dumped image. You can also view all dependant modules of the processes.
+
+
+Multiple File Scan Module
+-------------------------
+
+You can scan multiple files at one go with PEiD. Just drag and drop the files on the PEiD main dialog and the Multiple File Scan Dialog will popup displaying the results. You can keep dragging and dropping files onto this dialog as well. It also offers you to choose from the different scanning modes and optionally load a single file in PEiD. It allows you to skip the non PE files so that the list looks clean. You can also scan the contents of a directory choosing files of custom extension if required. MFS v0.02 now supports recursive directory scanning.
+
+
+Disassembler Module
+-------------------
+
+You can have a quick disassembly of the file loaded in PEiD. Double click to follow JMPs and CALLs and use the Back button to trace back to the original positions. You can copy disassembled output to the clipboard. A new CADT core with custom String Reference Finder has been cooked up.
+CADT is coded by Ms-Rem.
+
+
+Hex Viewer Module
+-------------------
+
+You can have a quick hex view of the file loaded in PEiD. A modified version of 16Edit by y0da is used for this purpose.
+
+
+We intend to update the signatures quite often to keep pace with this ever evolving scene :)
+
+
+Please report bugs, ideas, new signatures or packer info to: 
+pusher	-> sir.pusher(at)gmail(dot)com ( Administration / Coder )
+snaker	-> snaker(at)myrealbox(dot)com
+Jibz	-> peid(at)ibsensoftware(dot)com
+Qwerton -> qwaci(at)gmx(dot)net
+
+ALL SUGGESTIONS, IDEAS, BUG REPORTS AND CRITICS ARE WELCOME.
+
+
+History
+-------
+
+0.7 Beta 	-> 	First public release.
+
+0.8 Public	->	Added support for 40 more packers. OEP finding module. Task viewing/control module.
+			GUI changes. General signature bug fixes. Multiple File and Directory Scanning module.
+
+0.9 Recode	->	Completely recoded from scratch.  New Plugin Interface which lets you use extra features.
+			Added more than 130 new signatures. Fixed many detections and general bugs.
+
+0.91 Reborn	-> 	Recoded everything again. New faster and better scanning engine. New internal signature system.
+ 			MFS v0.02 now supports Recursive Scanning. Commandline Parser now updated and more powerful.
+			Detections fine tuned and newer detections added. Very basic Heuristic scanning.
+
+0.92 Classic	->	Added support for external database, independent of internal signatures. Added PE details lister.
+			Added Import, Export, TLS and Section viewers. Added Disassembler. Added Hex Viewer.
+			Added ability to use plugins from Multiscan window. Added exporting of Multiscan results.
+			Added ability to abort MultiScan without loosing results.
+			Added ability to show process icons in Task Viewer.
+			Added ability to show modules under a process in Task Viewer. Added some more detections.
+
+0.93 Elixir	->	Added sorting of Plugin menu items. Submenus are created based on subfolders in the directory.
+			Added Brizo disassembler core. Added some more detections.
+			Fixed documented and undocumented vulnerability issues.
+			Fixed some general bugs.
+			Removed mismatch mode scanner which needs further improvements.
+
+0.94 Flux	->	Too much is new to remember.
+			MFS, Task Viewer and Disassembler windows maximizable.
+			New smaller and lighter disassembler core CADT.
+			New KANAL 2.90 with much more detections and export features.
+			Added loads of new signatures. Thanks to all the external signature collections online.
+			String References integrated into disassembler.
+			Fixed documented and undocumented crashes.
+			Fixed some general bugs.
+
+0.95 Phoenix	->	Fixed some crashing bugs.
+			Minor Core update.
+			Crash Fix in Securom detection.
+
+
+Greets
+------
+
+Qwerton, Jibz, CHRiST0PH, uno, DAEMON, MackT, VAG, SAC, Gamumba, SnowP and all the rest at uG, Michael Hering, tE!, pusher, {igNo}, Maxx, CoDE, BaND, Snacker, skamer, HypnZ, ParaBytes, Clansman, BuLLeT, Devine9, innuendo, Corby, cokine, AiRW0lF, fxfighter, GodsJiva, Carpathia, _death, artik, r!sc, NoodleSPA, SiR_dReaM, CHoRDLeSS, NeOXQuiCk, un4Giv3n, RZX, 7xS, LibX and all who helped with PEiD :)
+
+snaker, Jibz, cokine, Iczelion, Clansman, Z-Wing, Unknown One/TMG, PeeWee, DnNuke, sinny/BAFH, all the other nice people in CiA, uG and all of you who helped us develope PEiD. Thanks.
+
+snaker, Qwerton, DAEMON, VaG, Parabytes, bse, f0dder, Stone, Michael Hering, Iczelion, Steve Hutchesson, Eugene Suslikov, and everybody in #unpacking and #compression.
+
+
+Qwerton		- Hope you get time someday again, was nice working with you :)
+Jibz		- You rock evil friend. Thanks for all your help. It's a pleasure working with you. Hope things work out!
+Michael Hering	- FILE INFO is still the absolute best. Your suggestions rock :)
+uG2oo6		- Delicious Slumber!
+MackT		- Thanks for all your help and for ImpREC of course ;)
+Unknown One	- Spend more time with us :)
+BaND		- Thanks for all your testing and help.
+pusher		- Thanks for your help and all the testing and the constant encouragment ;)
+Maxx		- Thanks for the encouragment, your code and suggestions should be added next time :)
+Kaparo & Aaron	- Thanks for your sites :)
+BoB		- Thanks for taking over the PEiD project, and the contribution.
+
+
+We would also like to thank the *few* people who sent us their comments and feedback about PEiD. 
+Also greetings to everyone who has supported PEiD till date. Without you this new release would never be possible.
+
+
+You can check out the PEiD homepage at http://www.peid.info and the PEiD Forums at http://www.peid.info/forum
+
+snaker, Qwerton, Jibz & xineohP Productions
+	     -2008-

static/PEiD-0.95-20081103/userdb.txt

@@ -0,0 +1,5 @@
+[Name of the Packer v1.0]
+signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
+ep_only = true
+
+