Analytic features in VB Decompiler
We are pleased to present a new VB Decompiler license aimed especially at forensic examiners and antivirus analysts. In the edition with automatic analytics features, VB Decompiler can generate a report containing detailed information about what a decompiled program does on a user's computer. The analyst receives a full report on the areas of the program (procedures and functions) that manipulate files, the registry, windows and processes, as well as those that use Visual Basic service functions to call functions by name (CallByName) or to access memory addresses directly (VarPtr).
This information substantially speeds up the assessment of potentially malicious programs for their functionality, which greatly simplifies the work of antivirus analysts. The same functionality is useful to forensic examiners searching for hidden, undocumented features in the programs they analyze.
How it works
Start VB Decompiler and open the binary file to be analyzed. Make sure that the "Analyze Prototypes" option is enabled in the settings (menu "Tools" -> "Options"). When file analysis finishes, a report on the program's functionality opens automatically.
The report is divided into two parts: a brief report and a report with string references. The first part lists the addresses and functions that perform particular manipulations with files, the registry, and so on.
In the second part, alongside the functions themselves, VB Decompiler provides the string references found in each of these functions (where available). This gives a rough picture of which files or registry keys are manipulated without stepping into each procedure. Naturally, strings are listed only if they are stored in the clear and not encrypted.
The report window lets you quickly jump to the code of each function, view the binary data in the HEX editor, and navigate to the addresses where strings are located. To go to a function's code, double-click its name. To go to the HEX editor, double-click the virtual address shown before the function name or string.
To return to the report, click the "A" button above the object tree. The cursor is placed automatically at the position where you left off before jumping to the function. You move between previously opened functions with the "<" and ">" buttons above the object tree; the "<" button also corresponds to the "Esc" hotkey on the keyboard.
In the report window you can select and copy lines. You can also save the report via the menu "File" -> "Save analytics report".
We hope this functionality will greatly simplify your work on analyzing files!
(C) Sergey Chubchenko, VB Decompiler's main developer