Well, after a long time of development (a couple of months) I've decided to speak publicly about my new tool.
This small IDAPython script scans an IDB file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, hence this little helper. It personally helped me a lot while reversing several pieces of malware that use the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
Just watch the how-to movie for usage.
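The byte-level step such a script has to automate, as an added example that is not the poster's ClassAndInterfaceToNames.py and does not touch the IDA API: a GUID lives in memory as a little-endian DWORD, two little-endian WORDs and eight raw bytes, so a data section is scanned at aligned offsets, each 16-byte window is decoded with that layout, and the result is compared against a name table. The table below is a constructed two-entry stand-in for the poster's interfaces.txt/classes.txt (whose real format is not shown on this page); the two IIDs in it are the well-known IUnknown and IClassFactory values, and the sample data section is constructed.

```python
import struct
import uuid

# Constructed stand-in for interfaces.txt / classes.txt: GUID text -> label to apply.
# Only two entries, both well-known IIDs; a real table has thousands of rows.
KNOWN_GUIDS = {
    "00000000-0000-0000-c000-000000000046": "IID_IUnknown",
    "00000001-0000-0000-c000-000000000046": "IID_IClassFactory",
}


def guid_bytes(text):
    """In-memory form of a GUID: Data1/2/3 little-endian, Data4 as-is (16 bytes)."""
    return uuid.UUID(text).bytes_le


def find_guids(blob, table=KNOWN_GUIDS, step=4):
    """Scan `blob` at every `step`-aligned offset for a known GUID.

    Each 16-byte window is decoded with the little-endian struct layout
    (uuid's bytes_le), so a GUID pasted from a text dump would NOT match here:
    the byte order of Data1..Data3 differs from the printed form.
    Returns [(offset, guid_text, label), ...].
    """
    hits = []
    for off in range(0, len(blob) - 15, step):
        guid_text = str(uuid.UUID(bytes_le=blob[off:off + 16]))
        label = table.get(guid_text)
        if label:
            hits.append((off, guid_text, label))
    return hits


def define_guid_line(label, text):
    """Render a GUID as the DEFINE_GUID() macro form used in the Windows SDK headers."""
    d1, d2, d3, *d4 = struct.unpack("<IHH8B", uuid.UUID(text).bytes_le)
    return "DEFINE_GUID(%s, 0x%08X, 0x%04X, 0x%04X, %s);" % (
        label, d1, d2, d3, ", ".join("0x%02X" % b for b in d4))


# Constructed data section: padding, IUnknown's IID, unrelated bytes, IClassFactory's IID.
SAMPLE_DATA_SECTION = (
    b"\x00" * 8
    + guid_bytes("00000000-0000-0000-c000-000000000046")   # offset 8
    + b"ABCDEFGHIJKL"                                      # 12 bytes, keeps 4-byte alignment
    + guid_bytes("00000001-0000-0000-c000-000000000046")   # offset 36
    + b"\xff" * 4
)

if __name__ == "__main__":
    for off, guid_text, label in find_guids(SAMPLE_DATA_SECTION):
        print("0x%04X  %s  %s" % (off, guid_text, label))
        print("        " + define_guid_line(label, guid_text))
```

Inside IDA the `(offset, label)` pairs are what gets turned into a GUID structure and a name at that address; the decoding itself is identical, and the byte-order trap in the comment is the usual reason a hand-typed search for a GUID finds nothing.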
I'm looking for a tool that might automate the use of Google in malware search. Does anyone have something like this or know where to look for it?
In general I would very much welcome any "professional" advice on this subject.
Here is a Python tool for Windows PE investigators I've just released.
Phydra uses the pefile module from E. Carrera.
I hope it is going to be useful.
I really need an assembler! So if anyone could post a link to any (clean) TASM or MASM, or any disassemblers, it would be very much appreciated!
While analysing a new BZUP variant I came across a situation where IDA in some cases fails to recognize the right MFC42 names, thus just showing something like this:
So I've coded a small IDAPython script which fixes this problem.
Hope it's useful for others as well.
I have constructed an NSRL (http://www.nsrl.nist.gov/) query page at
It is loaded with the current release, 2.15, which may be of some use, especially if you don't happen to have the RDS dataset to hand.
There is also an xml-rpc interface to this, but I think that it would be impractical to use it for querying multiple files in quick succession.
Lastly, the server will not see continuous uptime; it is more of a test / ad-hoc tool.
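What a query against the RDS amounts to, as an added example that is not the poster's query page or its XML-RPC interface: hash the sample, look the SHA-1 up in an index built from NSRLFile.txt, and cross-check the MD5 column. The column layout is that of the RDS NSRLFile.txt; the rows below are constructed from made-up file contents so the example runs without the real dataset, and the product codes are invented.

```python
import csv
import hashlib
import io
import zlib

# Column layout of NSRLFile.txt in the RDS distribution.
RDS_FIELDS = ("SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode")


def rds_hashes(data):
    """SHA-1, MD5 and CRC32 of a file's bytes, upper-case hex as the RDS prints them."""
    return (hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            "%08X" % (zlib.crc32(data) & 0xFFFFFFFF))


# Constructed stand-ins for files present in the reference set (not real binaries).
KNOWN_FILES = {
    "notepad.exe": b"constructed stand-in for a known notepad.exe image",
    "calc.exe": b"constructed stand-in for a known calc.exe image",
}


def build_sample_rds():
    """Constructed NSRLFile.txt with three rows; notepad.exe is listed under two products,
    which is normal in the real data (one row per product that ships the file)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    writer.writerow(RDS_FIELDS)
    for name, product in (("notepad.exe", 2290), ("notepad.exe", 2291), ("calc.exe", 2290)):
        data = KNOWN_FILES[name]
        sha1, md5, crc = rds_hashes(data)
        writer.writerow([sha1, md5, crc, name, len(data), product, "WIN", ""])
    return buf.getvalue()


def load_rds(text):
    """Index RDS rows by SHA-1. One hash maps to a list: the same file recurs across products."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["SHA-1"], []).append(row)
    return index


def lookup_nsrl(data, index):
    """All RDS rows matching these bytes. The MD5 column is cross-checked so that a
    corrupted or mis-parsed dataset fails loudly instead of returning a false match."""
    sha1, md5, _ = rds_hashes(data)
    rows = index.get(sha1, [])
    for row in rows:
        if row["MD5"] != md5:
            raise ValueError("SHA-1 hit with MD5 mismatch for %s" % row["FileName"])
    return rows


if __name__ == "__main__":
    index = load_rds(build_sample_rds())
    for sample in (KNOWN_FILES["notepad.exe"], b"never-before-seen sample"):
        rows = lookup_nsrl(sample, index)
        print("known" if rows else "unknown",
              [(r["FileName"], r["ProductCode"]) for r in rows])
```

A hit means the file is in the reference set of known software, not that it is benign, so the result is useful for discarding known files from a triage pile rather than for clearing a sample. With the full NSRLFile.txt the dictionary built by `load_rds` is large; the poster's remark about not querying many files in quick succession over XML-RPC is the reason to hash everything locally and look the hashes up in one pass.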
IDAAPIHelp is a small IDAPython script that saves time when searching for API information while e.g. analyzing malware with IDA Pro. It looks at the cursor position for a valid API call and, if one is found, tries to show you the relevant API info from the provided help file.
I'm dealing with a large number of files every day (guess which kind of files), and the majority are different kinds of installers (Wise, Inno Setup, NSIS...).
Some of them can be unpacked by using specialized tools. The problem is that none of those tools have been updated recently, or they do not support all the versions of the installer they claim to unpack.
Over time, a collection of installers that I could not unpack was growing on my HDD.
Yesterday I got an idea :)
Someone here may remember the old DOS days. There was a program named Ripper (the latest version I had was 2.91) that could rip multimedia files from games.
Ero Carrera created an excellent portable executable parser for python called PEFile. We've taken his file and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.
Read the full article for all the bugs that have been fixed.
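The class of defect a run over a whole malware collection shakes out of a PE parser is malformed headers: an e_lfanew that points past the end of the file, a section count the image cannot hold, section raw data that extends beyond the file. As an added example that is not pefile and not the poster's patch set, the parser below reads the DOS, COFF and section headers with explicit bounds checks and reports truncation instead of dying with IndexError or struct.error; the sample images are constructed in code and are not real binaries.

```python
import struct

COFF_HEADER_FMT = "<HHIIIHH"         # Machine .. Characteristics, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
MAX_SECTIONS = 96                    # the Windows loader rejects images declaring more


class PEFormatError(ValueError):
    """Raised for unusable input instead of leaking IndexError / struct.error to the caller."""


def parse_pe_headers(data):
    """Parse DOS, COFF and section headers from `data` with every offset bounds-checked.

    Returns a dict; truncation is reported in it ('header_truncated', per-section
    'raw_truncated') so a damaged sample still yields whatever was readable.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing or truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    if coff + 20 > len(data):                     # signature + COFF header must fit
        raise PEFormatError("e_lfanew 0x%X points past end of file" % e_lfanew)
    if data[e_lfanew:coff] != b"PE\0\0":
        raise PEFormatError("bad PE signature at 0x%X" % e_lfanew)
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    if nsec > MAX_SECTIONS:
        raise PEFormatError("%d sections declared, loader limit is %d" % (nsec, MAX_SECTIONS))
    result = {"machine": machine, "characteristics": chars,
              "declared_sections": nsec, "sections": [], "header_truncated": False}
    off = coff + 20 + opt_size
    for _ in range(nsec):
        if off + 40 > len(data):                  # declared sections beyond EOF: stop, keep what we have
            result["header_truncated"] = True
            break
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, sec_chars) = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        result["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_pointer": raw_ptr, "raw_size": raw_size,
            "raw_truncated": raw_ptr + raw_size > len(data),
            "characteristics": sec_chars})
        off += 40
    return result


def build_sample_pe(declared_sections, present_sections, e_lfanew=0x40):
    """Constructed minimal PE32 image (not a real executable).

    `declared_sections` goes into the COFF header, `present_sections` headers are
    actually written; when they differ the image is deliberately truncated.
    """
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, declared_sections, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * declared_sections
    names = (b".text", b".data", b".rsrc", b".reloc", b".junk")
    sections = b""
    for i in range(present_sections):
        sections += struct.pack(SECTION_HEADER_FMT, names[i].ljust(8, b"\0"),
                                0x200, 0x1000 * (i + 1), 0x200, headers_end + 0x200 * i,
                                0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + optional + sections
    if present_sections == declared_sections:         # complete image: append the raw data
        image += b"\xCC" * (0x200 * present_sections)
    return image


if __name__ == "__main__":
    for label, image in (("well-formed", build_sample_pe(2, 2)),
                         ("truncated", build_sample_pe(5, 2))):
        info = parse_pe_headers(image)
        print(label, "declared=%d parsed=%d header_truncated=%s" % (
            info["declared_sections"], len(info["sections"]), info["header_truncated"]))
        for s in info["sections"]:
            print("   %-8s raw@0x%X+0x%X truncated=%s" % (
                s["name"], s["raw_pointer"], s["raw_size"], s["raw_truncated"]))
```

Keeping the partial result instead of raising is a deliberate choice for a triage pipeline: a section table cut off mid-way is itself a useful signal about the sample, and a parser that throws on it tells you nothing about the sections that were readable.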