Exetools  

#1
sh3dow, 06-04-2021, 16:23
Quote:
Originally Posted by TempoMat
Unfortunately there was no mention of the name of the plug-in so that it can be
The tool they developed wasn't open source, and this is the problem with academic publishing, so its name wouldn't help you at all. Though they mentioned many tools; you can find them here [https://ieeexplore.ieee.org/document/8866910/references#references]

I used my university email hoping he will send the code to me and I will share it here.

--


In the meantime there:

1- FindCrypt, FindCrypt2 and FindCrypt3

2- FindCrypt-yara (Yara-based)

3- idascope
- https://hex-rays.com/contests_details/contest2012/#idascope
- https://pnx-tf.blogspot.com/2012/07/introducing-idascope.html
- https://danielplohmann.github.io/blog/2012/08/15/crypto_identification.html

4- IDA Signsrch, and its original command-line version
- http://www.macromonkey.com/bb/index.php/topic,22.0.html
- https://hex-rays.com/contests_details/contest2012/#IDA_Signsrch

#2
TempoMat, 06-15-2021, 05:06
Thanks for the links.

Sorry for forgetting to mention earlier that I have already had and tried the FindCrypt and FindCrypt2 plugins.
They were mostly useless in detecting cryptos in most of the apps I have tried them on, so I rarely use them.

FindCrypt3 is for v7.x so I can't test it right now.

I downloaded and tried to use the ida-sigsearch plugin without success.
It turned out it was not compatible with IDA 6.1, which was the version I was using until now.
I managed to get v6.8 (as the author of the plugin had stated that it was tested on v6.5) and was able to invoke it.
However, the result wasn't all that promising.
There was even a false positive for a TEA hit on a modified MD5 init table with the TEA key schedule const 0x9E3779B9.

Running the Idascope.py script gives errors on line 41 in idascope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.
#3
sh3dow, 06-15-2021, 19:33
Quote:
Originally Posted by TempoMat
Thanks for the links.
Running the Idascope.py script gives errors on line 41 in idascope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.

Install the Requests library.

Code:
python -m pip install requests
#4
TempoMat, 07-10-2021, 02:47
Quote:
Originally Posted by sh3dow
Install the Requests library.

Code:
python -m pip install requests
I have tried to install the requests on different WinOS without success.

In the meantime, I’ve spent some time reading different papers on the strength of Yara and decided to try to write some rules for OnGuard, Matrix Decryption and TRegware for the start.
It was during this time that I realized for the first time that x64Dbg, at least up to the snapshot from March 28, 2019, had Yara implemented as a DLL.
So I decided to test my attempts of the yara rules in it.

It worked most of the time in x64Dbg if I don't use the "pe" and "math" options in the rules, which I needed to limit the scanning to MZ header files only.
Also, the version in x64Dbg only scans the file in its current active CPU, even if you select a different directory to scan, and this I presume could be the reason the "pe" option fails.

So in the end I was able to write - thanks to some code snippets from the net - a wrapper in classic VB to execute and capture the result of the console version of the latest compiled yara32.
Tries were made with single files as well as nested folders, with pretty decent results in timing and hits. I have added rules for the signatures of these three modules to the "crypto_signatures.yara" found, for example, at https://github.com/Yara-Rules/rules/tree/master/crypto
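As an added illustration of two points raised in this thread (this is example code written for this page, not code from the thread, from FindCrypt, idascope, Signsrch or the Yara-Rules project): the false-positive TEA hit in post #2, where a lone shared constant such as 0x9E3779B9 matches even though the surrounding MD5 table has been altered, and the need in post #4 to limit scanning to MZ/PE files. The signature table, the Hit class, build_sample and the two sample blobs are assumptions constructed for this example; only the constant values themselves (the standard MD5 and SHA-1 initial values and the TEA delta) come from the algorithms.

```python
import os
import struct
from dataclasses import dataclass

# Constructed signature table (an assumption for this example), modelled on the
# constant sets that FindCrypt-style plugins and Yara crypto rules look for.
# A multi-word entry only counts when it appears as one contiguous table in the
# scanned bytes; a single-word entry is always reported as "weak".
SIGNATURES = {
    "MD5_init":  (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    # SHA-1 shares MD5's first four words, so a SHA-1 table also reports MD5.
    "SHA1_init": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0),
    "TEA_delta": (0x9E3779B9,),
}


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    endian: str     # "LE" or "BE"
    strength: str   # "strong" = full contiguous table, "weak" = single constant


def is_pe(data: bytes) -> bool:
    """Cheap stand-in for Yara's `pe` module: an MZ stub plus a PE\\0\\0
    signature at e_lfanew.  Restricts scanning to executables, as in post #4."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan(data: bytes) -> list:
    """Find every signature table in both byte orders, at any alignment."""
    hits = []
    for name, consts in SIGNATURES.items():
        for endian, fmt in (("LE", "<I"), ("BE", ">I")):
            table = b"".join(struct.pack(fmt, c) for c in consts)
            strength = "strong" if len(consts) > 1 else "weak"
            pos = data.find(table)
            while pos != -1:
                hits.append(Hit(name, pos, endian, strength))
                pos = data.find(table, pos + 1)
    return hits


def summarize(hits) -> dict:
    """Best strength per algorithm name, so weak-only results stand out."""
    rank = {"weak": 0, "strong": 1}
    best = {}
    for h in hits:
        if h.name not in best or rank[h.strength] > rank[best[h.name]]:
            best[h.name] = h.strength
    return best


def scan_files(files: dict) -> dict:
    """Scan only PE images from a {path: bytes} mapping."""
    return {p: summarize(scan(d)) for p, d in files.items() if is_pe(d)}


def scan_directory(root: str) -> dict:
    """Walk a tree (nested folders, as in post #4) and scan every PE in it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as fh:
                files[p] = fh.read()
    return scan_files(files)


def build_sample(words) -> bytes:
    """Constructed minimal MZ/PE stub (not a runnable executable) followed by a
    little-endian table of the given 32-bit words and a lone TEA delta."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    table = b"".join(struct.pack("<I", w) for w in words)
    return bytes(hdr) + table + b"\x00" * 8 + struct.pack("<I", 0x9E3779B9)


# Genuine MD5 init table: MD5 (strong) and the lone TEA delta (weak) both fire.
GENUINE = build_sample(SIGNATURES["MD5_init"])
# Modified MD5 table, like the false positive in post #2: the table no longer
# matches as a whole, so only the weak single-constant TEA signature fires.
MODIFIED = build_sample((0x67452301, 0xEFCDAB89, 0x9E3779B9, 0x10325476))

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("modified", MODIFIED)):
        print(label, summarize(scan(blob)))
```

Running the file prints one summary per sample. The design point is the strength column: a contiguous multi-word table is strong evidence, while a single 32-bit value like the TEA delta is a common constant and, on its own, tells you little, which is exactly the kind of hit a practitioner should treat as a lead to verify in the disassembly rather than as an identification.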