PEiD is a well-known packer identification tool. It is powerful enough to detect almost every packer, with a database of more than 470 PE packer types and signatures. The 0.95 Chinese-localized portable version adds an automatic unpacker plugin for the WinNT platform that can unpack most software in circulation today (including PEiD's own UPXShit 0.06 packer)! More and more software is being packed nowadays, which makes cracking far less convenient, but this tool can detect 450 kinds of packers, which is very handy!
PEiD can detect almost every packer; its database covers more than 470 PE packer types and signatures. PEiD has built-in error-control techniques, so scan results are generally reliable. It can detect most PE packers, cryptors and compilers, currently recognizing over 600 different signatures, and it can also identify which language an EXE was written in, such as VC++, Delphi or VB. The localized version detects most compilers, viruses and encryption packers, and it performs the identification mainly by searching for characteristic byte strings (signatures). This localized build is the full-plugin edition, the most complete version currently available online; its plugin set is especially comprehensive and gives unpacking enthusiasts a fine tool!
· Adds an automatic unpacker plugin for the WinNT platform that can unpack most software in circulation today (including PEiD's own UPXShit 0.06 packer)!
· More and more software is being packed nowadays, which makes cracking far less convenient, but this tool can detect 450 kinds of packers, which is very handy!
· Adds a virus scanning function; among current packer identification tools it is the most capable.
· Can also identify which language an EXE was written in, such as VC++, Delphi or VB.
· Supports batch scanning of folders;
· Plugins increased to 5: General OEP, Kanal 1.3, FSG v1.33 Unpacker, CRC32 (new), PEiD generic unpacker Forwinnt2kxp (new).
The most commonly used PEiD plugin is the unpacker. The plugin list includes a generic unpacker that can remove most packers, and if the import table is damaged after unpacking it can automatically call ImportREC to repair it. Click "=>" to open the plugin list, as shown:
From the plugin list you can also pick a plugin written for a specific packer, which generally gives better results than the generic unpacker.
Click the ">" after EP to expand the section list:
Right-click on the section table to see the following menu options:
Click "Search for all-zero areas" and it finds the regions within all sections that consist entirely of zeros, so we can place code of our own there, which is very convenient:
Just edit it directly with WinHex.
Normal scan mode: tests all recorded signatures at the PE file's entry point.
Deep scan mode: tests all recorded signatures more deeply; its scanning range is wider and more thorough than the previous mode.
Hardcore scan mode: scans the entire PE file completely, but is comparatively slow.
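As an added illustration of the difference between the normal and hardcore scan modes described above (this code is not part of PEiD; the signatures are constructed, and the `AA BB ?? CC` byte/wildcard syntax is assumed to follow PEiD's userdb.txt convention), the example below builds a minimal PE image, resolves its entry point to a file offset, and matches wildcard signatures either at the entry point only or at every offset:

```python
import struct

# Constructed PEiD-style signatures: "AA BB ?? CC" byte/wildcard syntax as in
# userdb.txt; the patterns themselves are made up for this example.
SIGNATURES = {
    "Constructed packer stub": "60 BE ?? ?? ?? ?? 8D BE",
    "Constructed compiler prologue": "55 8B EC 83 EC",
}

def parse_sig(text):
    """'60 BE ?? 8D' -> [0x60, 0xBE, None, 0x8D]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def match_at(data, off, sig):
    if off < 0 or off + len(sig) > len(data):
        return False
    return all(s is None or data[off + i] == s for i, s in enumerate(sig))

def ep_file_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    sect = e_lfanew + 24 + opt_size                    # first section header
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sect + i * 40 + 12)
        if va <= ep_rva < va + raw_size:
            return raw_ptr + (ep_rva - va)
    return -1                                           # EP outside any section

def scan(pe, mode="normal"):
    """normal: test signatures at the entry point only; hardcore: at every offset."""
    sigs = {n: parse_sig(s) for n, s in SIGNATURES.items()}
    offsets = [ep_file_offset(pe)] if mode == "normal" else range(len(pe))
    return sorted({n for off in offsets for n, s in sigs.items() if match_at(pe, off, s)})

def build_sample_pe():
    """Constructed minimal PE: one section (RVA 0x1000, file 0x200), EP 0x1010."""
    code = bytearray(0x200)
    code[0x10:0x18] = bytes([0x60, 0xBE, 0x00, 0x20, 0x40, 0x00, 0x8D, 0xBE])  # at EP
    code[0x80:0x85] = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC])                    # not at EP
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                       # AddressOfEntryPoint
    sec = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + bytes(0x200 - len(hdr)) + bytes(code)
```

The normal scan reports only the stub sitting at the entry point, while the hardcore scan also surfaces the compiler prologue buried elsewhere in the section, which is why the latter costs a pass over the whole file.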
0.7 Beta -> First public release.
0.8 Public -> Added support for 40 more packers. OEP finding module. Task viewing/control module.
GUI changes. General signature bug fixes. Multiple File and Directory Scanning module.
0.9 Recode -> Completely recoded from scratch. New Plugin Interface which lets you use extra features.
Added more than 130 new signatures. Fixed many detections and general bugs.
0.91 Reborn -> Recoded everything again. New faster and better scanning engine. New internal signature system.
MFS v0.02 now supports Recursive Scanning. Commandline Parser now updated and more powerful.
Detections fine tuned and newer detections added. Very basic Heuristic scanning.
0.92 Classic -> Added support for external database, independent of internal signatures. Added PE details lister.
Added Import, Export, TLS and Section viewers. Added Disassembler. Added Hex Viewer.
Added ability to use plugins from Multiscan window. Added exporting of Multiscan results.
Added ability to abort MultiScan without losing results.
Added ability to show process icons in Task Viewer.
Added ability to show modules under a process in Task Viewer. Added some more detections.
0.93 Elixir -> Added sorting of Plugin menu items. Submenus are created based on subfolders in the directory.
Added Brizo disassembler core. Added some more detections.
Fixed documented and undocumented vulnerability issues.
Fixed some general bugs.
Removed mismatch mode scanner which needs further improvements.
0.94 Flux -> Too much is new to remember.
MFS, Task Viewer and Disassembler windows maximizable.
New smaller and lighter disassembler core CADT.
New KANAL 2.90 with much more detections and export features.
Added loads of new signatures. Thanks to all the external signature collections online.
String References integrated into disassembler.
Fixed documented and undocumented crashes.
Fixed some general bugs.
0.95 Phoenix -> Fixed some crashing bugs.
Minor Core update.
Crash Fix in Securom detection.
