KANAL - Krypto Analyzer for PEiD
This plugin searches for known crypto algorithms, functions and libraries inside
of the specified module.
Load the file into PEiD and select "Krypto ANALyzer" from the
plugins menu. A new dialog will open and the detected crypto algorithms,
constants, functions and libraries will be listed. The offset of the signature
is displayed for every item; if the analyzed file is a PE executable, also
the virtual address of the signature is displayed.
So, the results look like
Crypto name :: File offset :: Virtual address
For PE executable files, KANAL searches for "reasonable" references
of the detected piece of code or data. If, for example, some kind of crypto
substitution table is detected, KANAL attempts to find the address
where the table is referenced from. The references are displayed as subitems
of the detected crypto item (so, you have to expand the item to see it).
If no reference of the detected signature is found
(e.g. because it's not a piece of data, but rather a constant contained inside
of an assembly instruction), the text "The reference is above"
- Using the Export button, you can save the results to a file,
or copy them to clipboard. The possible output formats are:
- List of Items - text file containing the list of detected crypto algorithms
with the corresponding addresses (i.e. what you see in the results window,
- List of Items with References - text file containing the list of detected
crypto algorithms with the corresponding addresses and references (i.e. what you see
in the results window, expanded items).
- IDC Script - Bookmarks - IDC script for IDA Pro; when executed,
it creates a list of bookmarks corresponding to the detected results.
- IDC Script - Comments - IDC script for IDA Pro; when executed,
it sets the comments (containing detected crypto algorithms and their description)
for the corresponding addresses.
- IDC Script - Bookmarks & Comments - IDC script for IDA Pro;
when executed, it sets both the bookmarks of detected results and their comments.
- When you right click on any line of the results, the corresponding address is
copied into the clipboard (both for the crypto itself and for the references).
- When you select an item from the list, a simple description, corresponding
to the crypto item, will be displayed in the bottom part of the window.
- The detection of crypto algorithms is limited to those possible to identify
by a specific signature (such as fixed s-boxes, permutation tables,
initialization values, etc). Simple mathematical algorithms, such as RSA,
cannot be detected in a generic way. Even some of the algorithms that normally
can be detected by their tables (e.g. AES) can be implemented such that
the tables are not static, but rather generated dynamically during the runtime
using special formulas; in such cases they probably won't be recognized
- Some functions (even RSA) can be detected according to their implementation
in specific crypto libraries. This kind of detection, however, depends on the
compiler used, its optimization settings, etc - so it won't work in all cases.
- A few of the algorithms are detected by a single DWORD - so, they are
susceptible to occasional false alarms.
- Some crypto algorithms share a common initialization code - so if multiple
crypto algorithms are present in the file, they may be "mixed up"
sometimes. The plugin tries to filter the results somehow (to guess which
algorithm it actually is, using the "shared" code),
but it may not be 100% accurate, of course.
- The processed file is just scanned for known patterns - no part of the file is
executed. So, it's safe to use KANAL on malicious files.
igNorAMUS - maintaining the source and all the detections at the moment
snaker - the original coding and detections
Maxx - detection of various functions from common crypto libraries
pusher - testing and bug reports