...he-he,I'd like to add one more,lol...
I find ARiD to be a nice complement to TrID:
http://patkov-site.narod.ru/eng/programs.html(maybe I could also add the "file" utility from *nix systems...)
Ok,a small review regarding some of them...
PEPirate / SCANiT / gAPE -> PEiD Rip-offs,mixed with tons of false entries...
blindly adding whatever questionable semi-working sig someone finds on the net,
can only cause further confusion,by returning false positives...
PE Detective / CFF Explorer-> PE Detective just uses PEiD sigs,converted from plain old good text file to XML.
Once again,signatures are gathered from all over the net...
and in order to avoid confusion/colliding sigs,it has a "Best Match" feature:
exactly the same thing can be done in PEiD,
by using the excellent "Advanced Scan" plugin from
diablo2oo2...
http://diablo2oo2.di.funpic.de/download.htmCFF Explorer is the 2nd generation/incarnation of it...
which is a very nice and useful PE editing suite of tools.
Personally,I prefer it from say using Procdump,I find it more "modern",
but that's just a matter of personal taste...let's not forget...
old school is cool!
Packer detection is obviously the same as PE Detective described above.
RedCurtain-> ...not even gonna comment on this.Honestly.Period.
A-Ray Scanner-> It's meant only for CD protection schemes,and furthermore,it is abandoned:
ProtectionID can do this and also detect quite a few popular packers/cryptors as well,
so I don't really see a reason of preferring it instead...
...I could go on comparing various other tools (and rip-offs) out there,
but there's a variety of reasons I don't wanna do it...
it's the general idea that matters in the final end,and that's what I'm gonna describe.
Point is...well,just check the date stamps in the archives:
all these years,identifiers come and go...and what's left?
Buggy semi-working apps,which are rendered obsolete as time passes by.
The only app which somehow has turned itself to be considered as a standard,
it's the (although somehow limited) Unix
'file' tool.
My guess,because Linux systems slowly but steadily,
get adopted by even more people everyday...
Plurality is one thing...having a generally accepted standard though,is very different.
It's something that is earned through the challenges in time...and on win32 systems,
the only apps that have PROVED they can fulfill the requirements,
are TRiD for general files,and for executables,PEiD obviously...
...there is absolutely no need to waste time re-inventing the wheel here:
if there's one thing that needs to be done,is making the car better...
with that been said...I don't think anyone would visit his/her car sales representative,
complaining that the automobile he/she got doesn't fly...
ppl always say peid is easy to fool...
hehe give me another tool...i'll make it think a .exe is its mother
ROTFLMAO
...felt that I should also add a few words regarding fakers,
from a simple end-user's perspective...if it was that much easy to trick PEiD,
there wouldn't be a whole "trend" of releasing them,even commercial ones...
that's part of the game,a bet between reversers...what would be the fun after all?
What's not funny at all obviously,is when these are used on malware:
not really because they make unpacking that much more difficult,
as most of them just add an extra layer of "security through obscurity",
and not an actual protection...
It's the taxonomy of the samples that actually becomes a pain in the...
A good proof of this is all the fakers out there,
that don't actually make use of advanced techniques,
just simpler hacks/tricks like the section renaming mentioned above...
Even if they might appear to seem successful at a first glance,
meaning they were not flagged directly by original name as...
[Blahblahfaker 0.0.25012 beta -> PEiDFaker Corp. Inc]
Poof...and the 'magic' is gone,simply by right-clicking in Deep Scan option...
Topic: GT2 (Read 10910 times)
