I downloaded the new IDAscope and there were some small errors, just minor ones.
Unpack it into the plugins folder.
It is important that you set up your config.py file properly or it won't run.
It is located at
C:\Users\yourfolder\Downloads\ida\ida\plugins\IDAscope\idascope\config.py
Edit the lines where it says "yourfolder".
Python:
configuration = {
    "config_path_sep": "\\",
    "plugin_only": False,
    "paths": {
        # wrong: this pointed one level too high, at the plugins folder itself
        # "idascope_root_dir": "C:\\Users\\yourfolder\\Downloads\\ida\\ida\\plugins",
        # right: the root is the IDAscope folder, the one that contains idascope\
        "idascope_root_dir": "C:\\Users\\yourfolder\\Downloads\\ida\\ida\\plugins\\IDAscope",
        # the entries without a drive letter are given relative to idascope_root_dir
        "semantics_file": "idascope\\data\\semantics.json",
        "semantics_folder": "idascope\\data\\semantics",
        "winapi_keywords_file": "idascope\\data\\winapi_keywords.json",
        "winapi_rootdir": "C:\\WinAPI\\"
    },
    "winapi": {
        "search_hotkey": "ctrl+y",
        "load_keyword_database": True,
        "online_enabled": True
    },
    "inspection": {
        "default_semantics": "win-ring3"
    },
    "yara": {
        # folders the YaraScanner loads .yar/.yara files from (see the log below)
        "yara_sigs": ["C:\\yara"]
    }
}
You can read a small guide here:
http://pnx-tf.blogspot.no/2014/02/idascope-v11-yara-scanning.html
If you want to use the YARA scanner, make sure to install yara-python first and adjust the paths specified in ./idascope/config.py so that they point at your local collection of signature files. This is the win32 build for Python 2.7, i.e. the Python that IDA's plugin loader uses:
https://googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/yara-python-2.0.0.win32-py2.7.exe
Also get the signatures below and unpack them into C:\yara\ (the scanner picks up both *.yar and *.yara files there, as the log below shows):
https://github.com/cabrel/yarasigs.
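Before starting IDA it is worth checking that every path in config.py resolves and seeing which rule files the scanner will actually pick up: a wrong idascope_root_dir is exactly the kind of small error that stops the plugin from loading, and the log below shows two rule files that fail to load without saying why. The script below is an added example for this post, not IDAscope's own code, and runs under Python 3 outside IDA. It re-implements the path resolution in plain Python (the entries without a drive letter are joined onto idascope_root_dir after swapping config_path_sep for the local separator; that this is how the plugin reads them is an assumption), counts rule declarations per .yar/.yara file with a regex (an approximation: a commented-out rule on its own line is counted too), and, only if yara-python is importable, compiles each file so that the compile error is shown for the ones that fail. The directory tree and the rule files it writes are constructed for the example; the file names are made up.

```python
import os
import re
import tempfile

# Added example, not part of IDAscope: pre-flight for idascope/config.py.
# yara-python is optional; without it only the path checks and the rule
# count run, with it every rule file is also compiled.
try:
    import yara
except ImportError:  # yara-python not installed (yet)
    yara = None

# a rule declaration at the start of a line, optionally private/global
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+[A-Za-z_]\w*", re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+"', re.M)
RULE_EXTS = (".yar", ".yara")  # the two extensions seen in the log above


def check_config(configuration):
    """Return a list of problems found in a config dict; [] means all good."""
    problems = []
    paths = configuration.get("paths", {})
    sep = configuration.get("config_path_sep", os.sep)
    root = paths.get("idascope_root_dir", "")
    if not os.path.isdir(root):
        problems.append("idascope_root_dir does not exist: %r" % root)
        return problems  # nothing below can be resolved without it
    # assumption: entries without a drive letter are relative to the root
    for key in ("semantics_file", "semantics_folder", "winapi_keywords_file"):
        rel = paths.get(key)
        if rel is None:
            problems.append("missing key paths.%s" % key)
            continue
        full = os.path.join(root, rel.replace(sep, os.sep))
        if not os.path.exists(full):
            problems.append("paths.%s not found: %s" % (key, full))
    for sig_dir in configuration.get("yara", {}).get("yara_sigs", []):
        if not os.path.isdir(sig_dir):
            problems.append("yara_sigs directory missing: %s" % sig_dir)
    return problems


def inventory_rules(sig_dir):
    """Map each .yar/.yara file in sig_dir to (rule_count, note_or_None)."""
    result = {}
    for name in sorted(os.listdir(sig_dir)):
        if not name.lower().endswith(RULE_EXTS):
            continue  # anything else is skipped here
        path = os.path.join(sig_dir, name)
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
        count = len(RULE_RE.findall(text))  # approximate, regex based
        note = None
        if count == 0 and INCLUDE_RE.search(text):
            note = "defines no rules itself, only includes other files"
        if yara is not None:
            try:
                yara.compile(filepath=path)
            except yara.Error as exc:  # yara.SyntaxError derives from this
                note = "compile failed: %s" % exc
        result[name] = (count, note)
    return result


def build_sample_layout():
    """Create a throw-away plugin tree plus rule folder (constructed data)."""
    base = tempfile.mkdtemp(prefix="idascope_check_")
    root = os.path.join(base, "plugins", "IDAscope")
    data = os.path.join(root, "idascope", "data")
    os.makedirs(os.path.join(data, "semantics"))
    for fname in ("semantics.json", "winapi_keywords.json"):
        with open(os.path.join(data, fname), "w") as fh:
            fh.write("{}\n")
    sig_dir = os.path.join(base, "yara")
    os.makedirs(sig_dir)
    samples = {  # made-up rule files; names only echo the collection above
        "dbgdetect.yar": (
            'rule IsDebuggerPresent_import { strings: $a = "IsDebuggerPresent" condition: $a }\n'
            "private rule helper { condition: true }\n"
            'rule CheckRemoteDebugger { strings: $b = "CheckRemoteDebuggerPresent" condition: $b }\n'
        ),
        "index.yar": 'include "dbgdetect.yar"\n',
        "broken.yara": "rule broken { condition: }\n",  # deliberate syntax error
        "notes.txt": "rule not_a_rule_file { condition: true }\n",  # wrong extension
    }
    for name, body in samples.items():
        with open(os.path.join(sig_dir, name), "w") as fh:
            fh.write(body)
    configuration = {  # same shape as the config.py above, "yourfolder" replaced
        "config_path_sep": "\\",
        "plugin_only": False,
        "paths": {
            "idascope_root_dir": root,
            "semantics_file": "idascope\\data\\semantics.json",
            "semantics_folder": "idascope\\data\\semantics",
            "winapi_keywords_file": "idascope\\data\\winapi_keywords.json",
            "winapi_rootdir": "C:\\WinAPI\\",
        },
        "yara": {"yara_sigs": [sig_dir]},
    }
    return configuration, sig_dir


if __name__ == "__main__":
    configuration, sig_dir = build_sample_layout()
    for line in check_config(configuration) or ["config OK"]:
        print(line)
    for name, (count, note) in inventory_rules(sig_dir).items():
        print("%s (%d)%s" % (name, count, " - " + note if note else ""))
```

To use it on a real installation, import the real `configuration` dict from config.py instead of calling `build_sample_layout()` and pass `C:\yara` to `inventory_rules`; a file listed with a note is one the plugin will report as "[!] Could not load yara rules" or one whose rules live elsewhere.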
Code:
#############################################
 ___ ____    _
|_ _|  _ \  / \   ___  ___ ___  _ __   ___
 | || | | |/ _ \ / __|/ __/ _ \| '_ \ / _ \
 | || |_| / ___ \\__ \ (_| (_) | |_) |  __/
|___|____/_/   \_\___/\___\___/| .__/ \___|
                               |_|
#############################################
by Daniel Plohmann and Alexander Hanel
#############################################
[+] Loading simpliFiRE.IDAscope
[/] setting up shared modules...
[|] loading DocumentationHelper
[|] loading SemanticIdentifier
[/] SemanticIdentifier: Starting (fast) scan by references of function semantics.
[\] Analysis took 0.10 seconds.
[|] Loading WinApiProvider
[|] loading CryptoIdentifier
[|] loading PatternManager
[|] loading YaraScanner
[\] this took 2.66 seconds.
[/] setting up widgets...
[|] loading FunctionInspectionWidget
[|] loading WinApiWidget
[|] loading CryptoIdentificationWidget
[|] loading YaraScannerWidget
[\] this took 0.20 seconds.
Using FLIRT signature: Microsoft VisualC 2-10/net runtime
loading rules from file: C:\yara\apt.yar (72)
loading rules from file: C:\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\avdetect.yar (1)
[!] Could not load yara rules from file: C:\yara\cve.yar
loading rules from file: C:\yara\dbgdetect.yar (3)
loading rules from file: C:\yara\GeorBotBinary.yara (1)
loading rules from file: C:\yara\GeorBotMemory.yara (1)
loading rules from file: C:\yara\hangover.yar (16)
[!] Could not load yara rules from file: C:\yara\index.yar
loading rules from file: C:\yara\sandboxdetect.yar (1)
loading rules from file: C:\yara\vmdetect.yar (1)
loading rules from file: C:\yara\xplug.yar (2)
[!] Performing YARA scan...
Download:
http://www.filedropper.com/idascope
Thanks to Computer line for the PySide patch.
Update!! Download more YARA sigs and put them in the C:\yara folder:
https://raw.github.com/jaimeblasco/AlienvaultLabs/master/malware_analysis/CommentCrew/apt1.yara