Releases: nmantani/FileInsight-plugins
FileInsight-plugins 2.18
Please see the following instructions for installation and update:
New plugins
Encoding operations
- "Custom base92 encode" plugin and "Custom base92 decode" plugin
These plugins encode and decode selected region with custom base92 table.
Enhancements
Crypto operations
- AES plugins
- "No unpadding" option is added for ECB mode and CBC mode.
- Segment size is selectable for CFB mode.
Compression operations
All plugins show output size.
Encoding operations
- "Binary data to hex text" plugin and "Hex text to binary data" plugin
These plugins are rewritten to use external Python 3 scripts. They can encode or decode much faster.
- "Octal text to binary data" plugin
Negative number is supported.
- "Decimal text to binary data" plugin and "Octal text to binary data" plugin
Delimiters are automatically detected and loose format (multiple lines and using multiple delimiter types) is acceptable.
Misc operations
- "Emulate code" plugin
RISC-V architecture is supported in emulation with Qiling Framework.
Parsing operations
- "Binwalk scan" plugin
- Binwalk is upgraded to version 3 that is rewritten with Rust.
- Detected file types will be shown in bookmarks.
- Disassemble plugin
RISC-V architecture is supported.
- "File type" plugin
File type detection accuracy with python-magic is improved with updated libmagic.
Bug fixes
Compression operations
- "QuickLZ decompress" plugin
Decompression failure for some cases is fixed.
Encoding operations
- "Decimal text to binary data" plugin
Incorrect byte order for negative values is fixed.
Other changes
- Python Windows embeddable package is updated to 3.12.5.
- Python package dependencies are updated accordingly.
Encoding operations
- "Binary data to octal text" plugin
"0" prefix is not prepended for octal values.
- "Protobuf decode" plugin
blackboxprotobuf is switched from the forked version to the original version (https://github.com/nccgroup/blackboxprotobuf).
Misc operations
- "Hash values" plugin
Hash algorithm of exphash is changed from SHA256 to MD5 due to update of pefile.
Parsing operations
- "Binwalk scan" plugin
Binwalk is bundled with FileInsight-plugins-embeddable-python-packages because Windows binary of Binwalk is not distributed.
- "Show metadata" plugin
ExifTool is bundled with FileInsight-plugins-embeddable-python-packages to avoid unavailability on installation, because only the latest production version of ExifTool is available and old production versions are not.
FileInsight-plugins 2.17.1
Critical bug fix
This version fixes a critical bug of show_simple_dialog.py that prevents the following plugins from running:
Basic operations
- Fill plugin
- Bookmark plugin
Search operations
- "Regex extraction" plugin
- "Regex search" plugin
- "XOR hex search" plugin
- "XOR text search" plugin
Other change
Encoding operations
- "Custom base16 decode" plugin
- "Custom base32 decode" plugin
- "Custom base58 decode" plugin
- "Custom base62 decode" plugin
- "Custom base64 decode" plugin
- "Custom base85 decode" plugin
- "Custom base91 decode" plugin
These plugins now automatically remove CR and LF before decode.
FileInsight-plugins 2.17
New plugins
Compression operations
- "lzip compress" plugin and "lzip decompress" plugin
These plugins compress and decompress selected region with lzip format.
Crypto operations
- Camellia plugins
These plugins encrypt and decrypt selected region with Camellia.
- CAST-128 plugins
These plugins encrypt and decrypt selected region with CAST-128.
- RC5 plugins
These plugins encrypt and decrypt selected region with RC5.
- RC6 plugins
These plugins encrypt and decrypt selected region with RC6.
- XXTEA plugins
These plugins encrypt and decrypt selected region with XXTEA.
Encoding operations
- "Custom base91 encode" plugin and "Custom base91 decode" plugin
These plugins encode and decode selected region with custom base91 table.
- "gob decode" plugin
This plugin decodes selected region as gob (serialization format for golang) serialized data into Python notation.
Parsing operations
- "Extract VBA macro" plugin
This plugin extracts Microsoft Office VBA macro from selected region (the whole file if not selected). It also supports p-code decompilation and VBA stomping detection.
- "String type" plugin
This plugin identifies type of strings such as API keys and cryptocurrency wallet addresses in the selected region (the whole file if not selected) with lemmeknow.
Enhancements
Crypto operations
- ChaCha20 plugins
These plugins now support 24 bytes nonce.
- RC4 plugins
These plugins now support key shorter than five bytes.
- TEA plugins and XTEA plugins
These plugins are rewritten with Binary Refinery and they now support five cipher block modes of operation (ECB, CBC, CFB, OFB, and CTR).
Encoding operations
- "Decimal text to binary data" plugin
- This plugin now supports conversion from negative numbers.
- This plugin now automatically removes spaces when you choose a non-space delimiter.
Misc operations
- "Hash values" plugin
This plugin now supports exphash, Rich PE header hash, TLSH, authentihash, icon MD5, icon dhash, gimphash, and telfhash.
Parsing operations
- "Find PE file" plugin
- This plugin now notes file types on bookmark comments.
- This plugin now can find PE file with MSDOS stub if "MZ" signature is missing.
Search operations
- "YARA scan" plugin
This plugin now can show XOR keys for "xor" keyword.
XOR operations
- "Guess multibyte XOR keys" plugin
This plugin now can find XORed PE file with MSDOS stub if "MZ" signature is missing.
Bug fixes
Compression operations
- "PPMd compress" plugin and "PPMd decompress" plugin
Improper check of order value is fixed.
Crypto operations
- RC2 plugins
Improper check of IV for CTR mode is fixed.
Search operations
- "YARA scan" plugin
Crash of FileInsight on bookmarking matched regions is fixed.
Other changes
Parsing operations
- "Parse file structure" plugin
File structure parsers are updated with recent kaitai_struct_formats and kaitai_struct_compiler 0.10.
- "Show metadata" plugin
ExifTool is updated to 12.60.
FileInsight-plugins 2.16
Important changes
- Embeddable Python is used instead of Python virtual environment (venv) to fully isolate Python environment for FileInsight-plugins from existing Python installation.
- Embeddable Python and requisite Python packages are bundled into a single package and installed from the FileInsight-plugins-embeddable-python-packages (https://github.com/nmantani/FileInsight-plugins-embeddable-python-packages/) repository to speed up installation.
- Python version is 3.10.9.
New plugin
Compression operations
- "LZFSE compress" plugin and "LZFSE decompress" plugin
These plugins compress and decompress selected region with LZFSE algorithm.
Encoding operations
- "MessagePack encode" plugin and "MessagePack decode" plugin
These plugins encode JSON of selected region into MessagePack serialized data and vice versa.
XOR operations
- "Simple XOR" plugin
This plugin XORs the selected region with a specified XOR key. You can specify a multibyte XOR key as big-endian hex for this plugin, whereas the built-in XOR function of FileInsight accepts a multibyte XOR key with a "0x" prefix as little-endian hex.
Enhancements
Misc operations
- "Send to" plugin
Detect It Easy (https://github.com/horsicq/Detect-It-Easy) is added to default external GUI programs.
Parsing operations
- "File type" plugin
Detect It Easy is used for file type detection in addition to python-magic.
XOR operations
- "Null-preserving XOR" plugin
Multibyte XOR key is supported.
Bug fixes
XOR operations
- "Incremental XOR" plugin and "Decremental XOR" plugin
Input parameter check is added.
Other changes
Crypto operations
- Rename ARC2 to RC2
- Rename ARC4 to RC4
XOR operations
- "Guess multibyte XOR keys" plugin
Decode instruction is changed to use "Simple XOR" plugin instead of built-in XOR function of FileInsight.
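The key-format difference noted for the "Simple XOR" plugin above (big-endian hex versus the "0x"-prefixed little-endian hex of FileInsight's built-in XOR), which is what the changed decode instruction of "Guess multibyte XOR keys" depends on, shown as an added example that is not code from FileInsight-plugins. It assumes "little endian" means the key bytes are applied in the reverse of the written order; the function names and the sample data are constructed for illustration.

```python
import re

def _hex_digits(text: str) -> str:
    """Drop an optional 0x prefix and left-pad to a whole number of bytes."""
    digits = text.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not a hex XOR key: {text!r}")
    return digits.zfill(len(digits) + len(digits) % 2)

def key_big_endian(text: str) -> bytes:
    """Key bytes in the order written: '11223344' -> 11 22 33 44."""
    return bytes.fromhex(_hex_digits(text))

def key_little_endian(text: str) -> bytes:
    """Assumed little-endian reading: '0x11223344' -> 44 33 22 11."""
    return key_big_endian(text)[::-1]

def little_to_big_hex(text: str) -> str:
    """Rewrite a little-endian '0x...' key as a big-endian hex string."""
    return key_little_endian(text).hex()

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating multibyte key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample: start of a PE header XORed with key bytes 11 22 33 44.
PLAIN = bytes.fromhex("4d5a900003000000")
ENCODED = xor_repeat(PLAIN, key_big_endian("11223344"))

if __name__ == "__main__":
    print("encoded          :", ENCODED.hex())
    # Same digits, two conventions: only the matching byte order restores "MZ".
    print("BE 11223344      :", xor_repeat(ENCODED, key_big_endian("11223344")).hex())
    print("LE 0x11223344    :", xor_repeat(ENCODED, key_little_endian("0x11223344")).hex())
    print("LE 0x44332211    :", xor_repeat(ENCODED, key_little_endian("0x44332211")).hex())
    print("LE -> BE rewrite :", little_to_big_hex("0x44332211"))
```

A key copied between the two conventions without reversing its bytes decodes to garbage rather than failing, so checking for a known header such as "MZ" after decoding is the quickest way to catch the mistake.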
FileInsight-plugins 2.15
Important changes
- Python virtual environment (venv) is used to avoid Python package version conflicts with other analysis tools.
- All Python package dependencies are installed under "%USERPROFILE%\Documents\McAfee FileInsight\plugins\Operations\python3-venv" .
New plugin
Basic operations
- "Switch file tabs" plugin
This plugin switches file tabs with a listbox.
Enhancements
Misc operations
- Emulate code plugin
- Speakeasy (https://github.com/mandiant/speakeasy) emulation framework is supported in addition to Qiling Framework.
- Qiling Framework 1.4.3 is supported.
- Multithread option is added for Qiling Framework.
Other changes
All plugins
An information dialog of the instruction for faster processing is shown when a whole file (> 10MB) is processed without selecting the whole region.
Compression operations
- "PPMd compress" plugin and "PPMd decompress" plugin
- Python module dependency is changed from ppmd-cffi to pyppmd (https://github.com/miurahr/pyppmd). pyppmd is the successor of ppmd-cffi.
install.ps1
- Python version is updated to 3.9.13. python-lzo 1.12 does not work with Python 3.10.x.
- Binwalk version is still fixed to 2.3.2 because 2.3.3 is broken on Windows and it has not been fixed yet.
FileInsight-plugins 2.14
New plugins
Basic operations
- "Change endianness" plugin
This plugin changes endianness of selected region.
Compression operations
- Plugins for the following compression algorithms are added.
- Brotli
- LZF
- LZJB
- LZRW1/KH
- Snappy
Encoding operations
- "Custom base62 decode" plugin and "Custom base62 encode" plugin
These plugins decode / encode selected region with custom base62 table.
XOR operations
- "XOR with another file" plugin
This plugin XORs the selected region (the whole file if not selected) with the content of another file as XOR key.
Enhancements
Encoding operations
- "Binary data to decimal text" plugin and "Decimal text to binary data" plugin
Conversion from / into single integer value larger than 255 is supported.
Misc operations
- "Emulate code" plugin
Qiling Framework 1.4.0 is supported. However, Qiling Framework 1.4.0 can not emulate dynamically linked Linux executable files.
I recommend using Qiling Framework 1.2.3 until this issue is fixed.
All plugins
Index number is appended to the name of newly opened tab.
Plugins that require region selection
Instruction is shown when no file is opened or no region is selected.
Bug fixes
Encoding operations
- "Custom base58 decode" plugin
- "Custom base58 encode" plugin
- "Custom base85 decode" plugin
- "Custom base85 encode" plugin
- "Protobuf decode" plugin
Error handling is fixed.
Plugins that show a messagebox
messagebox becomes modal to prevent it from going behind FileInsight window and being inoperable.
Other changes
install.ps1
- Python version is updated to 3.9.9. Currently some Python modules such as ppmd-cffi and yara-python are not available for Python 3.10.x.
- ExifTool version is updated to 12.36.
- Binwalk version is fixed to 2.3.2 because newer versions do not work on Windows.
- lz4 version is fixed to 3.1.3 because Windows package of lz4 3.1.10 is currently not available.
- Qiling Framework version is fixed to 1.2.3 because Qiling Framework 1.4.0 can not emulate dynamically linked Linux executable files.
FileInsight-plugins 2.13
New plugins
Search operations
- "Regex extraction" plugin
This plugin searches with regular expression in selected region (the whole file if not selected) and extracts matched regions as a single concatenated region.
XOR operations
- "XOR with next byte (reverse)" plugin
This plugin does reverse operation of "XOR with next byte" plugin.
Enhancements
install.ps1
Proxy server setting of Windows is automatically used and specifying a proxy server by editing install.ps1 is no longer needed.
Basic operations
- Bookmark plugin
Offset will be prepended to bookmark comment.
Encoding operations
- "Hex text to binary data" plugin
Hex values of 0x0 ... 0xf are treated as 0x00 ... 0x0f.
- ROT13 plugin
Spinbox for amount of rotation is changed to editable.
Search operations
- "Regex search" plugin and "Replace" plugin
Number of search hits will be shown.
Parsing operations
- Strings plugin
Spinbox for minimum length is changed to editable.
XOR operations
- "Guess multibyte XOR keys" plugin
File type will be noted as bookmark comment.
- "Visual decrypt" plugin and "Visual encrypt" plugin
Variable XOR key length is supported.
Bug fixes
install.ps1
Behavior of pip with a proxy server is fixed.
Parsing operations
- "Parse file structure" plugin
Bug of showing negative offset is fixed.
XOR operations
- "XOR with next byte" plugin
Fix bug that XOR is skipped when value of current position is 0x00.
Other changes
Misc operations
- "Emulate code" plugin
Emulation trace will be shown in a new "Emulation trace" tab instead of the Output pane.
Parsing operations
- "Binwalk scan" plugin
Output will be shown in a new "Binwalk output" tab instead of the Output pane.
- "Show metadata" plugin
Output will be shown in a new "Metadata" tab instead of the Output pane.
Search operations
- All plugins
Output will be shown in a new tab instead of the Output pane.
- "XOR hex search" plugin and "XOR text search" plugin
Elapsed time will be shown after execution of the plugins.
Visualization operations
- "Byte histogram" plugin
Byte frequency will be shown in a new "Byte frequency" tab.
XOR operations
- "Guess multibyte XOR keys" plugin
- Elapsed time will be shown after execution of the plugin.
- Output will be shown in a new "Guessed XOR keys" tab.
FileInsight-plugins 2.12
New plugin
Misc operations
- "Send to (CLI)" plugin
This plugin sends selected region (the whole file if not selected) to other CLI program and shows output in a new tab.
Menu items of this plugin can be customized with send_to_cli.json (this file can be opened with "Customize menu").
This plugin supports multiple command line arguments.
Important changes
Misc operations
- "Send to" plugin
This plugin is renamed to "Send to (GUI)".
Enhancements
Plugin menu
Features of "Check for update" and "Version info" are added.
"Check for update" feature can check whether new version is available and execute install.ps1.
"Check for update" feature requires requests Python module.
Misc operations
- "Send to (GUI)" plugin
Support of multiple command line arguments is added.
Bug fixes
install.ps1
Use HTTP proxy for curl.exe when $PROXY_HOST and $PROXY_PORT are defined.
FileInsight-plugins 2.11
Important changes
Sub-categories are added to the following categories and plugin menu is reorganized accordingly:
Compression operations
Compress and Decompress sub-categories are added.
Crypto operations
Decrypt and Encrypt sub-categories are added.
Encoding operations
Decode and Encode sub-categories are added.
Enhancements
All plugins that will show a setting dialog
Plugins can be executed by hitting Enter key in addition to clicking OK button.
Basic operations
- Bookmark plugin
Selected bookmark color will be saved as colorchooser.json in Operations folder and used as the default next time.
Misc operations
- Emulate code plugin
[brk] memory region can be dumped for Linux code emulation.
Parsing operations
- "Parse file structure" plugin
- Mach-O parser is added.
- Parsed data is sorted by offset.
- Parser modules are improved to bookmark regions that are not bookmarked in previous versions.
Search operations
- "Regex search" plugin and Replace plugin
Search keywords will be added to bookmark comments.
- "YARA scan" plugin
YARA rule names and string identifiers will be added to bookmark comments.
install.ps1
The latest snapshot of FileInsight-plugins can be installed with "-update -snapshot" option.
Bug fixes
Basic operations
- Bookmark plugin
Root window will be set to topmost to prevent color chooser dialog from going behind FileInsight main window and becoming inoperable.
Parsing operations
- "Parse file structure" plugin
- Gzip parser and PE parser
Bug of timezone handling is fixed.
Other changes
Misc operations
- "Send to" plugin
Default paths of IDA Free and CyberChef are updated.
Parsing operations
- "Parse file structure" plugin
- Parser modules are updated with the ones that are compiled from the latest snapshot of kaitai_struct_formats.
- kaitai_struct_python_runtime is updated to the latest snapshot.
install.ps1
- Python is updated to 3.9.5.
- ExifTool is updated to 12.25.
- Repository separation of rootfs files from Qiling Framework is supported.
FileInsight-plugins 2.10
New plugins
Basic operations
- Bookmark plugin
This plugin bookmarks selected region with specified comment and color.
Encoding operations
- "Custom base16 decode" plugin
This plugin decodes selected region with custom base16 table.
- "Custom base16 encode" plugin
This plugin encodes selected region with custom base16 table.
- "Custom base85 decode" plugin
This plugin decodes selected region with custom base85 table.
- "Custom base85 encode" plugin
This plugin encodes selected region with custom base85 table.
Enhancement
Parsing operations
- Strings plugin
- Decoded strings will be shown at the top of plugin output.
- Capability to decode BASE64 strings has been added.
Bug fix
Parsing operations
- Disassemble plugin
Bookmarking incorrect end of disassembly location has been fixed.
Other changes
Misc operations
- "Emulate code" plugin
Qiling Framework 1.2.3 is supported.