xAnalyzer v2.5.6 released: plugin for the x86/x64 x64dbg debugger
xAnalyzer is a plugin for the x86/x64 x64dbg debugger by @mrexodia. The plugin is based on the APIInfo plugin by @mrfearless, with a number of improvements and additions. xAnalyzer performs several types of static analysis over the code of the debugged application to give the user more information. It runs extensive detection of API function calls and adds function definitions, arguments and data types, as well as other complementary information, close to what the OllyDbg analysis engine provides, so that the code is more comprehensible before the debugging task starts.
Features
Some of the main features and improvements include:
- Extended function call analysis (over 13,000 API definitions from almost 200 DLLs)
- Recognition of defined and generic functions, arguments, data types and additional debugging info
- Automatic loop detection
- User-maintained definition files
Screenshots: before xAnalyzer / after xAnalyzer
Changelog v2.5.6
- Fixed a wrong length calculation when adding comments larger than 512 chars, which caused a buffer overflow (BoF) (closes #53)
- Added two new entries to the ntdll.api definition file
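The first changelog entry describes a buffer overflow when a comment exceeded 512 characters. The routine below is an added illustration of the defensive pattern behind such a fix, written for this article and not taken from the plugin's code: every piece of the comment is appended through one bounded helper that tracks the remaining room, so an oversized argument annotation is truncated instead of written past the buffer. The 512-character limit is taken from the changelog; the buffer layout, function names and sample comments are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Comment buffer size taken from the changelog entry (512 characters); the
 * extra byte holds the terminating NUL. The layout is an assumption made for
 * this example, not a value read from the plugin's code. */
#define COMMENT_MAX 512

/* Append src to the NUL-terminated string in dst without ever writing past
 * dst_cap bytes (dst_cap must be at least 1). Returns how many bytes of src
 * were dropped; 0 means all of it fit. */
static size_t append_bounded(char *dst, size_t dst_cap, const char *src) {
    size_t used = strlen(dst);
    size_t n = strlen(src);
    if (used + 1 >= dst_cap)            /* already full: only the NUL fits */
        return n;
    size_t room = dst_cap - used - 1;   /* bytes available before the NUL */
    size_t copy = n < room ? n : room;
    memcpy(dst + used, src, copy);
    dst[used + copy] = '\0';
    return n - copy;
}

/* Build "Function(arg1, arg2, ...)" from a function name and argument
 * annotations. Every piece goes through append_bounded, so the total length
 * is never assumed up front and cannot exceed the buffer. Returns the total
 * number of bytes dropped by truncation; 0 means the whole comment fit. */
size_t build_comment(char *dst, size_t dst_cap, const char *fn,
                     const char **args, size_t nargs) {
    size_t dropped = 0;
    dst[0] = '\0';
    dropped += append_bounded(dst, dst_cap, fn);
    dropped += append_bounded(dst, dst_cap, "(");
    for (size_t i = 0; i < nargs; i++) {
        if (i > 0) dropped += append_bounded(dst, dst_cap, ", ");
        dropped += append_bounded(dst, dst_cap, args[i]);
    }
    dropped += append_bounded(dst, dst_cap, ")");
    return dropped;
}

/* Constructed sample: a short comment that fits. Returns 1 when the result
 * is exactly the expected string and nothing was dropped. */
int demo_comment_fits(void) {
    char buf[COMMENT_MAX + 1];
    const char *args[] = { "uExitCode = 0" };
    size_t dropped = build_comment(buf, sizeof buf, "ExitProcess", args, 1);
    return dropped == 0 && strcmp(buf, "ExitProcess(uExitCode = 0)") == 0;
}

/* Constructed sample: a 600-character argument annotation, longer than the
 * whole buffer. Returns the number of bytes dropped (101 for this input);
 * the buffer stays NUL-terminated at exactly COMMENT_MAX characters. */
size_t demo_comment_overlong(void) {
    char buf[COMMENT_MAX + 1];
    char huge[601];
    memset(huge, 'A', 600);
    huge[600] = '\0';
    const char *args[] = { huge };
    size_t dropped = build_comment(buf, sizeof buf, "CreateFileA", args, 1);
    return strlen(buf) == COMMENT_MAX ? dropped : 0;
}

int main(void) {
    printf("short comment fits: %d\n", demo_comment_fits());
    printf("bytes dropped from the overlong comment: %zu\n", demo_comment_overlong());
    return 0;
}
```

The point of returning the dropped byte count is that the caller can decide to mark a truncated comment (for instance by appending a marker) rather than silently losing the tail, while the buffer bound is enforced in one place.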
Installation
- Download the latest version of x64dbg
- Copy the xAnalyzer.dp32/xAnalyzer.dp64 files and the apis_def folder to the respective x32/x64 plugins directories of x64dbg
- An “xAnalyzer” entry then appears under the “Plugins” menu of the main x64dbg window and in the context menu of the Disasm window
Configuration
xAnalyzer has several options that let you personalize the experience, so that it runs only when you need it and the way you want it. The plugin options are as follows:
- Automatic Analysis: When this option is ON, the plugin launches a fully automatic analysis of the executable code every time the debugger reaches the entry point while loading. This option gives the closest match to OllyDbg's initial analysis behavior on x64dbg.
- Extended Analysis: This option forces xAnalyzer to perform an extended analysis of the entire code section of the debugged executable. WARNING!!! With this option enabled the analysis may take much more time and resources to complete, and x64dbg may use a large amount of RAM depending on the size of the section and the amount of extra data added to the static disassembly of the debugged executable.
- Analyze Undefined Functions: With this option selected, xAnalyzer applies generic analysis and generic argument types to all API calls/functions that are not defined in the API definition files, and also to indirect calls such as:
  - CALL {REGISTER}
  - CALL {REGISTER + DISPLACEMENT}
  - CALL {DYNAMIC_POINTER}
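The three indirect call forms listed above are the ones whose target cannot be matched against an API definition at analysis time, which is why the option falls back to generic argument types for them. The classifier below is an added example written for this article, not the plugin's own analysis code: it reads an x64dbg-style CALL operand string and sorts it into a direct call (resolvable from the definition files) or one of the three indirect forms. How each operand shape maps onto the three names, the register table and the sample operands are this example's assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* How an example analyzer might sort CALL operands. The three indirect kinds
 * follow the names used in the option description; the exact mapping is this
 * example's assumption, not the plugin's documented logic. */
typedef enum {
    CALL_DIRECT,           /* named symbol or fixed address: look it up in the definition files */
    CALL_REGISTER,         /* CALL {REGISTER}, e.g. call eax */
    CALL_REGISTER_DISP,    /* CALL {REGISTER + DISPLACEMENT}, e.g. call dword ptr [ebp-10] */
    CALL_DYNAMIC_POINTER,  /* CALL {DYNAMIC_POINTER}, e.g. call dword ptr [401000] or [rip+...] */
    CALL_UNKNOWN
} CallKind;

/* General-purpose registers recognised as a base register (assumed table). */
static const char *const REGS[] = {
    "eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
    "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", NULL
};

/* Length of the register name at the start of s, or 0 if there is none.
 * The longest match wins so that "r10" is never read as a shorter name. */
static size_t reg_prefix_len(const char *s) {
    size_t best = 0;
    for (size_t i = 0; REGS[i] != NULL; i++) {
        size_t n = strlen(REGS[i]);
        if (strncmp(s, REGS[i], n) == 0 && n > best) best = n;
    }
    return best;
}

/* Classify the operand text of a CALL instruction (the part after "call ").
 * Accepts x64dbg-style operands such as "dword ptr [ebp-10]", "eax" or
 * "qword ptr ds:[<&GetProcAddress>]". */
CallKind classify_call_operand(const char *operand) {
    const char *s = operand;
    while (isspace((unsigned char)*s)) s++;
    const char *ptr = strstr(s, "ptr ");        /* skip "dword ptr " / "qword ptr " */
    if (ptr != NULL) s = ptr + 4;
    while (isspace((unsigned char)*s)) s++;
    if (strlen(s) > 3 && s[2] == ':') s += 3;   /* drop a segment prefix such as "ds:" */
    size_t len = strlen(s);
    if (len == 0) return CALL_UNKNOWN;

    if (s[0] == '[') {                          /* memory operand: target is read from memory */
        if (s[len - 1] != ']') return CALL_UNKNOWN;
        const char *inner = s + 1;
        size_t rl = reg_prefix_len(inner);
        char next = rl > 0 ? inner[rl] : '\0';
        if (rl > 0 && (next == ']' || next == '+' || next == '-' || next == '*'))
            return CALL_REGISTER_DISP;          /* base register plus optional index/displacement */
        return CALL_DYNAMIC_POINTER;            /* absolute, rip-relative or import-slot pointer */
    }
    size_t rl = reg_prefix_len(s);
    if (rl > 0 && s[rl] == '\0') return CALL_REGISTER;
    return CALL_DIRECT;                         /* symbol or immediate: definition lookup */
}

/* The "Analyze Undefined Functions" option only matters for targets that
 * cannot be resolved to a definition: every kind except a direct call. */
int needs_generic_analysis(CallKind kind) {
    return kind != CALL_DIRECT;
}

int main(void) {
    /* Constructed sample operands, not taken from a real binary. */
    const char *samples[] = {
        "kernel32.CreateFileA", "eax", "dword ptr [ebp-10]",
        "qword ptr [rbx+rax*8+20]", "dword ptr [401000]",
        "qword ptr [rip+2F3E]", "qword ptr ds:[<&GetProcAddress>]"
    };
    static const char *const names[] = {
        "direct", "register", "register+displacement", "dynamic pointer", "unknown"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        CallKind k = classify_call_operand(samples[i]);
        printf("call %-32s -> %-22s generic=%d\n", samples[i], names[k],
               needs_generic_analysis(k));
    }
    return 0;
}
```

Splitting the decision this way keeps the definition lookup (the expensive, table-driven part) reserved for direct calls, while everything that goes through a register or a memory slot is handed to the generic path that the option enables.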
Usage
xAnalyzer offers the following commands and menu options when working with an executable:
Analyze Selection
Select several instructions in the disassembly window of x64dbg and choose this menu entry to run a fast analysis over the selected lines. You can also use the hotkey Ctrl+Shift+X to launch this option.
Analyze Function
If you are in the middle of a function, use this menu entry to analyze that entire function and only that function. Taking your single selected instruction as a reference, xAnalyzer processes all the lines of the block of code it belongs to. You can also use the hotkey Ctrl+X to launch this type of analysis.
Analyze Executable
This command launches a full analysis of the entire executable. It takes the Extended Analysis option into account to decide the depth of analysis to use. You can also use the hotkey Ctrl+Alt+X to execute it.
Remove Analysis Menus
These menu entries do the opposite of the commands above: they remove the extra analysis information from a selection, from a function or from the entire executable, whichever you wish.
Copyright (c) 2016 ThunderCls
Source: https://github.com/ThunderCls