Request: anti-virus scanner working with MultiArc unpackers
Moderators: Hacker, petermad, Stefan2, white
- buzzlightyear
- Junior Member
- Posts: 42
- Joined: 2004-10-01, 10:46 UTC
Request: anti-virus scanner working with MultiArc unpackers
Hello,
it has come to my attention that nearly none of my favourite anti-virus tools can scan inside 7-Zip archives. Besides Kaspersky, most anti-virus scanner engines have serious problems with scanning
- not only ZIP, but also RAR and 7Z archives
- nested archives (e.g. rar inside a zip)
- self extracting archives (SFX)
- installer archives (MSI, CAB)
- packed executables (UPX, ASProtect, ...)
I'm looking for a way to combine the power of the multiarc plugin with a command line virus scanner. For me, it would be sufficient if I mark directories and/or files in TC and then issue a command Scan with <path to command line scanner>. Every archive and packed executable should be automatically unpacked before it is passed to the scanner. Any help is greatly appreciated.
Regards,
Martin
You might want to give Universal Extractor a try.
It combines several archivers and certain TC-WCXs to extract almost any packed file.
- buzzlightyear
- Junior Member
- Posts: 42
- Joined: 2004-10-01, 10:46 UTC
ZoSTeR wrote:
You might want to give Universal Extractor a try.
Thanks. While looking for some Win2K / IE6 slipstreaming stuff, I also came to this site. Universal Extractor basically consists of a set of AutoIt scripts and shell extensions wrapped around Marco Pontello's TrID File Identifier. It sounds like this tool can identify the vast majority of packer, installer and archive formats. As of today, TrID recognizes 2867 file types! For that, at least to me it looks like the ideal companion for TC / Multiarc and any anti-virus tool.
TrID is a command line tool and should thus easily integrate with multiarc (or even replace it). Anyone interested in further digging into this?

Regards,
Martin
Re: Request: anti-virus scanner working with MultiArc unpack
buzzlightyear wrote:
it has come to my attention that nearly none of my favourite anti-virus tools can scan inside 7-Zip archives. Besides Kaspersky, most anti-virus scanner engines have serious problems with scanning
- not only ZIP, but also RAR and 7Z archives
- nested archives (e.g. rar inside a zip)
- self extracting archives (SFX)
- installer archives (MSI, CAB)
- packed executables (UPX, ASProtect, ...)
avast! scans all of those you mentioned, btw.
ZoSTeR wrote:
You might want to give Universal Extractor a try.
It combines several archivers and certain TC-WCXs to extract almost any packed file.
I wouldn't recommend using Universal Extractor to scan "suspicious files". The thing is that Universal Extractor is a collection of 3rd party tools - and you cannot be sure what any of them does. For example, the included ASPackDie tool is not a static unpacker for ASPack-ed files, but rather a dumper - meaning that it executes the file, and tries to dump it at a particular state of execution. This might fail, of course, and the file simply runs and performs whatever it's programmed to (which would be nasty stuff in case of malware).
So, Universal Extractor might be a nice tool for trusted files, but using it as a supplement for an antivirus (expecting that the antivirus doesn't support some of the (un)packers Universal Extractor does and trying to improve the antivirus detection capabilities this way) is not a good idea - you may end up activating the infected file instead of scanning it.
- buzzlightyear
- Junior Member
- Posts: 42
- Joined: 2004-10-01, 10:46 UTC
Re: Request: anti-virus scanner working with MultiArc unpack
gigaman wrote:
I wouldn't recommend using Universal Extractor to scan "suspicious files". The thing is that Universal Extractor is a collection of 3rd party tools - and you cannot be sure what any of them does. For example, the included ASPackDie tool is not a static unpacker for ASPack-ed files, but rather a dumper - meaning that it executes the file, and tries to dump it at a particular state of execution. This might fail, of course, and the file simply runs and performs whatever it's programmed to (which would be nasty stuff in case of malware).
Thank you for pointing this security problem out. As noted in my previous post, the underlying tool TrID File Identifier does not execute any files. It uses a pretty old Unix System V mechanism (/etc/file) to identify binary files, i.e. TrID searches for signatures like AV scanners do.
I also verified that both BitDefender and AVP6 scan all of the named archive types. The BitDefender Free Edition v10 works fine for me (I actually only want an on-demand scanner and don't need an on-access scanner). Nevertheless, it would be fine to have something like a universal unpacker (that does *not* execute). This is not only needed for serious av scanning, but also comes in handy for other purposes like exchanging icons or other resources in packed executables.
Regards,
Martin
- buzzlightyear
- Junior Member
- Posts: 42
- Joined: 2004-10-01, 10:46 UTC
After trying TrID on several EXE executable files, I found that this program is probably not the right tool for the job - it always identifies them as Win32 Executable MS Visual C++ (generic).
It looks like PEiD or in particular the PEiDLL could be the swiss army knife for executable file identification.
The download link from the aforementioned forum thread to the DLL is not working for me, but you can find the latest version here. Non-German readers simply scroll down to the big fat download link. You'll find the DLL in the archive.
More interestingly, there is a userdb.txt with this content:
So I guess this package is the right starting point for anyone interested in writing a generic unpacker plugin for TC. If my programming skills weren't so limited I'd do it myself but I simply can't.
EDIT: The author of PEiD has released his own UserDB.txt here:
http://www.secretashell.com/BobSoft/Downloads/UserDB.zip
This one contains hundreds of signatures and has 5172 lines ...
Regards,
Martin
; Custom sigs
[InstallShield Custom]
signature = 55 8B EC 83 EC 44 56 FF 15 50 21 41 00 8B F0 85 F6 75 08 6A FF FF 15 4C 21 41 00 8A 06 57 8B 3D 80 22 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B
ep_only = true
[ARC-SFX Archive]
signature = 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8
ep_only = true
[GP-Install v5.0.3.32]
signature = 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0
ep_only = false
[Inno Setup Module]
signature = 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
ep_only = false
[Inno Setup Module]
signature = 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43
ep_only = true
[Inno Setup Module v1.09a]
signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0
ep_only = true
[Inno Setup Module v1.2.9]
signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0
ep_only = true
[Inno Setup Module v2.0.18]
signature = 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8
ep_only = false
[Inno Setup Module v3.0.4-beta/v3.0.6/v3.0.7]
signature = 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C
ep_only = false
[Install Stub 32-bit]
signature = 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29
ep_only = true
[InstallAnywhere 6.1 -> Zero G Software Inc]
signature = 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0
ep_only = true
[InstallAnywhere 6.1 ->Zero G Software Inc]
signature = 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07
ep_only = true
[InstallShield 2000]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57
ep_only = true
[Microsoft CAB SFX]
signature = E8 0A 00 00 00 E9 7A FF FF FF CC CC CC CC CC
ep_only = true
[Microsoft CAB SFX module]
signature = 55 8B EC 83 EC 44 56 FF 15 ?? 10 00 01 8B F0 8A 06 3C 22 75 14 8A 46 01 46 84 C0 74 04 3C 22 75 F4 80 3E 22 75 0D ?? EB 0A 3C 20
ep_only = true
[Microsoft Windows Update CAB SFX module]
signature = E9 C5 FA FF FF 55 8B EC 56 8B 75 08 68 04 08 00 00 FF D6 59 33 C9 3B C1 75 0F 51 6A 05 FF 75 28 E8 2E 11 00 00 33 C0 EB 69 8B 55 0C 83 88 88 00 00 00 FF 83 88 84 00 00 00 FF 89 50 04 8B 55 10 89 50 0C 8B 55 14 89 50 10 8B 55 18 89 50 14 8B 55 1C 89 50 18
ep_only = false
[Nullsoft Install System v1.98]
signature = 83 EC 0C 53 56 57 FF 15 2C 81 40
ep_only = true
[Nullsoft Install System v1.xx]
signature = 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74
ep_only = true
[Nullsoft Install System v1.xx]
signature = 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00
ep_only = true
[Nullsoft Install System v2.0]
signature = 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00
ep_only = false
[Nullsoft Install System v2.0 RC2]
signature = 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00
ep_only = false
[Nullsoft Install System v2.0a0]
signature = 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74
ep_only = false
[Nullsoft Install System v2.0b2, v2.0b3]
signature = 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15
ep_only = true
[Nullsoft Install System v2.0b4]
signature = 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00
ep_only = false
[Nullsoft Install System v2.0b4]
signature = 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71
ep_only = false
[Nullsoft PiMP Install System]
signature = 83 EC ?? 53 55 56
ep_only = false
[Nullsoft PIMP Install System v1.3x]
signature = 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD
ep_only = true
[Nullsoft PiMP Install System v1.x]
signature = 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 3A C3 74
ep_only = false
[Nullsoft PIMP Install System v1.x]
signature = 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00
ep_only = true
[RAR-SFX Archive (1)]
signature = 4D 5A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 52 53 46 58
ep_only = false
[VISE Installer]
signature = 55 8B EC 6A FF 68 80 D1 40 00 68 70 91 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 40 00 33 D2 8A D4 89 15 18 F2 40 00 8B C8 81 E1 FF 00 00 00 89 0D
ep_only = false
[WinRAR 32-bit SFX Module]
signature = E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF
ep_only = true
[WinZip (32-bit) 6.x]
signature = FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10
ep_only = true
[WinZip 32-bit SFX v6.x module]
signature = FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15
ep_only = true
[WinZip 32-bit SFX v8.x module]
signature = 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15
ep_only = true
[WinZip Self-Extractor 2.2 personal edition -> WinZip Computing (h)]
signature = 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B
ep_only = true
[Wise Installer Stub]
signature = 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF
ep_only = true
[Wise Installer Stub]
signature = 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20
ep_only = false
[Wise Installer Stub]
signature = 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20
ep_only = true
[Wise Installer Stub v1.10.1029.1]
signature = 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45
ep_only = true
[Inno Installer v5.1.2] ;collides with: Borland Delphi 2.0 [Overlay]
signature = 55 8B EC 83 C4 CC 53 56 57 33 C0 89 45 F0 89 45 DC E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22
ep_only = true
[Inno Installer v4.0.5] ;collides with: Inno Setup Module Heuristic Mode [Inno SFX]
signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22
ep_only = true
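Since the thread is looking for a static identifier (one that never executes the sample) built on these PEiD signatures, here is an added example, not code from the thread or from PEiD, of a parser for the userdb.txt format shown above and a matcher that honours the ep_only flag as PEiD does (true = test only at the entry point, false = anywhere in the file). The two-entry database and the 128-byte buffer are constructed for the demo, and the entry-point file offset is passed in rather than read from the PE header.

```python
import re
from collections import namedtuple

# name, byte pattern (None = ?? wildcard), ep_only (PEiD: True = entry point only, False = anywhere)
Sig = namedtuple("Sig", "name pattern ep_only")

def parse_userdb(text: str) -> list:
    # Parse userdb.txt text; ';' starts a comment (e.g. the ';collides with:' notes above)
    sigs, cur = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"^\[(.*)\]$", line)
        if header:
            cur = {"name": header.group(1).strip(), "ep_only": False}
            sigs.append(cur)
        elif "=" in line and cur:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                cur["pattern"] = [None if t == "??" else int(t, 16) for t in value.split()]
            elif key == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return [Sig(**s) for s in sigs if "pattern" in s]

def match_at(data: bytes, pattern: list, off: int) -> bool:
    # True if the pattern matches at this offset; wildcard entries match any byte
    return 0 <= off and off + len(pattern) <= len(data) and all(
        p is None or data[off + i] == p for i, p in enumerate(pattern))

def find_anywhere(data: bytes, pattern: list):
    # First offset at which the pattern matches, or None
    return next((o for o in range(len(data) - len(pattern) + 1) if match_at(data, pattern, o)), None)

def identify(data: bytes, sigs: list, ep_offset) -> list:
    # ep_offset: file offset of the PE entry point; None = unknown, so ep_only signatures are skipped
    hits = []
    for s in sigs:
        if s.ep_only:
            if ep_offset is not None and match_at(data, s.pattern, ep_offset):
                hits.append(s.name)
        elif find_anywhere(data, s.pattern) is not None:
            hits.append(s.name)
    return hits

# Constructed inputs: two entries copied from the userdb.txt above, plus a fake 128-byte "file"
# carrying the CAB SFX stub at its entry point (0x40) and an NSIS-style prologue at 0x60.
SAMPLE_DB = """; Custom sigs
[Microsoft CAB SFX]
signature = E8 0A 00 00 00 E9 7A FF FF FF CC CC CC CC CC
ep_only = true
[Nullsoft PiMP Install System]
signature = 83 EC ?? 53 55 56
ep_only = false
"""
SAMPLE_EP = 0x40
SAMPLE = (b"MZ" + b"\x00" * 62 + bytes.fromhex("E80A000000E97AFFFFFFCCCCCCCCCC")  # stub at 0x40
          + b"\x00" * 17 + bytes.fromhex("83EC0C535556") + b"\x00" * 26)          # prologue at 0x60
```

Note that a wrong entry-point offset silently turns every ep_only signature into a miss, which is why a real scanner has to resolve AddressOfEntryPoint through the section table rather than guess.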
buzzlightyear wrote:
The author of PEiD has released his own UserDB.txt here:
http://www.secretashell.com/BobSoft/Downloads/UserDB.zip
This one contains hundreds of signatures and has 5172 lines ...
Want a bigger one? Click.