KANAL - Krypto Analyzer for PEiD
Version 2.82
This plugin searches for known crypto algorithms, functions and libraries inside
the specified module.
Usage:
Load the file into PEiD and select "Krypto ANALyzer" from the
plugins menu. A new dialog will open, listing the detected crypto algorithms,
constants, functions and libraries. When you select an item from the list,
a short description of that item is displayed in the bottom part of the
window. The file offset of the signature is displayed for every item; if the
analyzed file is a PE executable, the virtual address of the signature is
displayed as well.
So, the results look like
Crypto name :: File offset :: Virtual address
For PE executable files, KANAL also searches for "reasonable" references
to the detected piece of code or data. If, for example, some kind of crypto
table is detected, KANAL attempts to find the address from which the table
is referenced. The references are displayed as subitems of the detected
crypto item (so you have to expand the item to see them).
If no reference to the detected signature is found
(e.g. because it is not a piece of data but a constant embedded in an
assembly instruction), the text "The reference is above"
is displayed.
When you click on any line of the results, the corresponding address is copied
to the clipboard (both for the crypto item itself and for its references).
Limitations:
- The detection of crypto algorithms is limited to those that can be identified
by a specific signature (such as fixed s-boxes, permutation tables,
initialization values, etc.). Purely mathematical algorithms, such as RSA,
cannot be detected in a generic way.
- Some functions (even RSA) can be detected by matching their implementation
in specific crypto libraries. This kind of detection, however, depends on the
compiler used, its optimization settings, etc., so it won't work in all cases.
- A few of the algorithms are detected by a single DWORD - so, they are
susceptible to occasional false alarms.
- Some crypto algorithms share common initialization code, so if multiple
crypto algorithms are present in the file, they may sometimes be "mixed up".
The plugin tries to filter the results (guessing which algorithm the
"shared" code actually belongs to), but of course this may not be 100%
accurate.
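The following is an added example, not KANAL's own code, showing the kind of
scan described above: a constructed subset of well-known constants (AES S-box,
CRC32 table, MD5/SHA-1 initialization words) is searched for in a file, the
MD5/SHA-1 "shared initialization" case is resolved in favour of the longer
match, and for PE files the file offset is mapped to a virtual address through
the section table. The signature table, the SHADOWED_BY rule and the
build_sample_pe() helper are all assumptions made for the example.

```python
import struct

# Constructed signature table: an illustrative subset of well-known constants,
# not KANAL's own database. Stored as little-endian DWORDs (x86 layout).
SIGNATURES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "CRC32 table": struct.pack("<4I", 0, 0x77073096, 0xEE0E612C, 0x990951BA),
    "SHA-1 init": struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0),
    "MD5 init": struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
}
# MD5 and SHA-1 share their first four init words (the "shared code" limitation
# above): a shorter match at the same offset as the longer one is dropped.
SHADOWED_BY = {"MD5 init": "SHA-1 init"}


def scan(data):
    """Return sorted (name, file_offset) pairs for every signature found in data."""
    hits = set()
    for name, sig in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            hits.add((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(h for h in hits if (SHADOWED_BY.get(h[0]), h[1]) not in hits)


def file_offset_to_va(data, offset):
    """Map a file offset to a virtual address via the PE section table; None if not a PE."""
    if data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, opt_size, _, magic = struct.unpack_from("<H12xHHH", data, pe + 6)
    opt = pe + 24                                            # optional header
    base = (struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B   # PE32+
            else struct.unpack_from("<I", data, opt + 28)[0])             # PE32
    for i in range(nsec):  # VirtualAddress, SizeOfRawData, PointerToRawData
        va, raw_size, raw_ptr = struct.unpack_from("<3I", data, opt + opt_size + i * 40 + 12)
        if raw_ptr <= offset < raw_ptr + raw_size:
            return base + va + (offset - raw_ptr)
    return None


def build_sample_pe(payload, image_base=0x400000):
    """Constructed minimal PE32 file: one section at raw offset 0x200 mapped to RVA 0x1000."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HH3IHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H26xI", opt, 0, 0x10B, image_base)                  # Magic, ImageBase
    sec = b".text".ljust(8, b"\0") + struct.pack("<6I2HI", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + payload
```

Running scan() over a real sample gives the "Crypto name :: File offset" part of KANAL's output, and file_offset_to_va() supplies the virtual address column for PE files.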
Credits:
igNorAMUS - maintaining the source and all the detections at the moment
snaker - the original coding and detections
Maxx - detection of various functions from common crypto libraries
pusher - testing and bug reports