FileAlyzer

Know more!

If you want to know more about the inner life of files, FileAlyzer is the tool you urgently need!

FileAlyzer shows basic file content, a standard hex viewer, and a wide range of customized displays for interpreted complex file structures that help you understand the purpose of a file.

It also supports generation of OpenSBI advanced file parameters – with FileAlyzer you can find the right attributes to write your own optimized malware file signatures!

Features

Alternate Data Streams

Files, as you see them, often contain more than the visible content, through so-called alternate data streams.

FileAlyzer makes the additional information in these streams visible through a list of streams associated with the current file, and a basic hex viewer.

Sometimes malware attaches itself as a custom stream to legitimate files, and can be identified here.

Android apps

Android apps are actually zip archives that include the app code and many resources and configuration files. FileAlyzer will display a few app properties, for example the list of permissions the app would like to use.

Anomalies

While loading information on the various views of FileAlyzer, it looks for details that are uncommon or wrong. These details may hint at malware behaviour.

Each anomaly is described with an ID, a short title, and a description that explains why this detail is unusual, and what it might be used for.

Archives

FileAlyzer displays the contents of many common archive types, including .cab, .zip, .chm, NSIS installers, .rar, .tar and .arj.

Authenticode Signatures

Signatures have been a requirement for Windows Logo programs for years, and are a good idea for any kind of published program. Signatures allow users to verify where the program they are using comes from, to avoid running a malware-infected version.

FileAlyzer displays all details about the signature it finds in a file.

Databases

FileAlyzer can display the content of some standard database formats like dBase, SQLite3, Ini, Mozilla Preferences, Mozilla or format, or QIF.

Delphi Code Map

If you analyze a .map file produced by Embarcadero Delphi, you'll see a structured view of its data.

ELF Header

Many Linux files are in the ELF format, just like you would expect Windows files to be in PE format. FileAlyzer displays the header of these files to give you some insight.

ELF Sections

Many Linux files are in the ELF format, just like you would expect Windows files to be in PE format. Just like PE files, ELF files are divided into sections, and this view displays where to find them in the file.

EXIF

For photos and other graphic files, FileAlyzer will display EXIF information embedded into the file.

External Classification Sources

Sometimes you simply want to look up a file on the Internet, and usually you just pick a hash and search for it using your favourite search engine. FileAlyzer lets you do exactly that.

File Bitmaps

Sometimes similarities between files are easier to identify visually. File bitmaps can reveal them even when static hashes or dynamic analysis are not giving obvious results.

General File Properties

The General view of FileAlyzer displays standard file properties as you would see them in Windows Explorer, including short filename paths and UNC paths (hover the mouse over the location field), standard hashes, and access times in UTC.

By right-clicking the attributes field, you can enable editing, after which you can change file attributes as well as click or double-click on the file ages to touch them with a new date.

Next to the attributes, you'll find interpretations of the file content based on the standardized and extendable signs.txt database in the program folder.

Hashes

FileAlyzer calculates a bunch of standard checksums and hashes upon request, including CRC-32, MD5, SHA-1 and later SHA versions, as well as RipeMD, HAVAL, Snefru, Tiger, Panama and more.

Hex Viewer

FileAlyzer includes a hexadecimal viewer that displays file content byte for byte.

If you right-click this view, you can scan for strings, resulting in lists in the right-hand pane that are categorized as GUIDs, filenames, registry entries and URLs where possible.
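The string scan described above can be reproduced with a few lines of Python. The following is an added example, not FileAlyzer's own code: it pulls printable ASCII and UTF-16LE runs out of a byte buffer and sorts them into the same GUID, filename, registry and URL buckets. The minimum string length, the extension list and the classification regexes are assumptions chosen for this example, and the sample buffer is constructed inline.

```python
import re

MIN_LEN = 5  # assumption: shorter runs are mostly noise in a hex view

# Printable ASCII runs, and UTF-16LE runs (every other byte is zero), as a hex
# viewer's string scan would find them in a binary.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Classification heuristics (assumptions for this example, not FileAlyzer's rules).
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$")
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
REGISTRY_RE = re.compile(r"^(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\", re.IGNORECASE)
FILENAME_RE = re.compile(
    r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\|%[A-Za-z_]+%\\)?"   # optional drive, UNC or %VAR% prefix
    r"(?:[^\\/:*?\"<>|]+\\)*"                          # directory components
    r"[^\\/:*?\"<>|]+\.([A-Za-z0-9]{1,4})$"            # name.ext
)
FILE_EXTENSIONS = {"exe", "dll", "sys", "bat", "cmd", "ps1", "vbs", "js",
                   "tmp", "dat", "ini", "txt", "log", "lnk", "zip", "cab"}


def extract_strings(data: bytes) -> list:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def categorize(text: str) -> str:
    """Bucket one string as guid, url, registry, filename or other."""
    if GUID_RE.match(text):
        return "guid"
    if URL_RE.match(text):
        return "url"
    if REGISTRY_RE.match(text):
        return "registry"
    m = FILENAME_RE.match(text)
    if m and m.group(1).lower() in FILE_EXTENSIONS:
        return "filename"
    return "other"


def scan(data: bytes) -> dict:
    """Run the string scan and return the categorized lists."""
    buckets = {"guid": [], "url": [], "registry": [], "filename": [], "other": []}
    for _, _, text in extract_strings(data):
        buckets[categorize(text)].append(text)
    return buckets


# Constructed sample buffer: an MZ stub fragment followed by one string of each kind.
SAMPLE = (
    b"MZ\x90\x00" + bytes(12)
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + b"{0DEADBEE-1234-5678-9ABC-DEF012345678}\x00"          # constructed GUID
    + b"http://example.invalid/update.php\x00\x05"            # constructed URL
    + b"HKCU\\Software\\ConstructedSample\\Settings\x00\x00"  # constructed registry path
    + "C:\\Windows\\Temp\\dropper.tmp".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE path
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {enc:8} {categorize(text):8} {text}")
```

Real binaries contain far more "other" strings than classified ones; the value of the scan lies in the few that land in the URL, registry and filename buckets, which are exactly the ones worth checking against a lookup source.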

A special Analysis tab allows you to interpret and highlight recognized data within the view; these annotations are stored persistently for future sessions.

HTML

If you're analysing an HTML file, FileAlyzer will display the content in this view.

Images

FileAlyzer displays images for standard file formats like JPEG, BMP or PNG.

InCtrl5 Logs

InCtrl5 was a widely used tool by PC Magazine (written by Neil J. Rubenking) to log changes software would make to systems up to Windows XP times. Nowadays it's used rarely, but FileAlyzer is able to display the HTML reports created by InCtrl5 to simplify browsing the results.

INI files

INI files are sometimes used for storing settings. FileAlyzer displays a structured view of them.

iOS Apps

If an iOS app (stored as .ipa on your desktop computer) is analyzed, this view will show details about the app, including detected tracking modules used by the app.

Media Tags

FileAlyzer is able to parse the tags of media files like MP3, Ogg, Flac or Wave and present information from tags stored inside in ID3v1, ID3v2.3, ID3v2.4, VorbisComments, native Flac, RIFF, Ape and more formats.

This can be of interest to malware analysts, since malware sometimes stores URLs within tags in the hope of fooling audio players that automatically display embedded web information.

MZ Header

The MZ Header is the beginning of all executable files on Windows, and dates back to DOS times.

OpenSBI

OpenSBI is an open malware signature language offered by Safer-Networking and used in Spybot.

FileAlyzer is able to generate advanced file parameters in OpenSBI syntax for many of its supported views, which will appear here.

OS Compatibility

The Compatibility View lists which PE function imports of a file are compatible with system libraries made available by various Windows versions.

This can be of interest to malware analysts, for example to quickly see whether a malware sample is not compatible with the test systems.

If the analyzed file imports functions that are common to malware, like code injection functions, this information is shown on this view as well.

PE Disassembler

The Disassembler view allows you to see what a PE executable executes, displayed as assembler code. You won't need this unless you're good at reading assembler, trust us.

PE Exports

PE Exports are the functions that Windows libraries (usually *.dll) are offering to other programs.

FileAlyzer shows an overview (collapsed here) and the exported functions, by name and ordinal, with information about where in the file the associated code can be found.

PE Header

PE headers are found at the beginning of all Windows executable files and libraries, and describe details that help locate the other structures within the file.

PE Imports

Imports are links to functions within system (or third party) libraries that Windows executable files use.

The list of imported functions gives a first idea of the functionality and capability of a PE file.

PE Resources

Executable Windows files and libraries (the essential part of any apps you use) store graphical and text resources in a standardized format within the files.

The Resources View in FileAlyzer displays them, sorted by type, to give you an insight.

PE Sections

Windows executables and libraries are structured into sections with different purposes. Sections for executable code and for PE Resources are the most common ones.

Malware files are sometimes much larger than their regular sections and hide a payload (more malware to copy onto the system) outside of the section table, or within a dedicated section.

Text colors of sections here correspond with the text colors on the Hex View to easily identify content and borders.
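The MZ Header, PE Header and PE Sections views above are all walks through the same chain of structures: the DOS header's e_lfanew field points at the PE signature, the COFF header gives the section count and optional-header size, and the section table follows. The example below, written for this page and not taken from FileAlyzer, follows that chain with Python's struct module and then applies the check the PE Sections paragraph describes: does the file extend beyond the raw data of its last section (an overlay), and are any sections both writable and executable? The section flag constants are the real PE/COFF values; the sample image is constructed inline and is not a runnable program.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

DOS_HEADER_SIZE = 64          # IMAGE_DOS_HEADER; e_lfanew lives at offset 0x3C
COFF_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int

    @property
    def raw_end(self) -> int:
        return self.raw_offset + self.raw_size


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> PE signature -> COFF header -> section table."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    table = coff_off + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, roff, _, _, _, _, sc = struct.unpack_from(SECTION_FMT, data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, roff, sc))
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": stamp,
            "characteristics": chars, "sections": sections}


def overlay_info(data: bytes, pe: dict) -> tuple:
    """Return (file offset where the last section's raw data ends, bytes after it)."""
    end = max((s.raw_end for s in pe["sections"]), default=0)
    end = min(end, len(data))
    return end, len(data) - end


def section_anomalies(data: bytes, pe: dict) -> list:
    """Findings in the spirit of FileAlyzer's Anomalies view (check set is this example's own)."""
    findings = []
    end, overlay = overlay_info(data, pe)
    if overlay:
        findings.append(f"overlay: {overlay} bytes after the last section (file offset {end:#x})")
    for s in pe["sections"]:
        if s.raw_end > len(data):
            findings.append(f"{s.name}: raw data extends past end of file")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: section is both writable and executable")
        if s.raw_size == 0 and s.virtual_size and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: executable section with no data on disk (filled at runtime)")
    return findings


def build_sample(overlay: bytes = b"", rwx_data: bool = False) -> bytes:
    """Constructed minimal PE32+ layout (not a real program): two sections plus optional overlay."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = b"\x0b\x02" + bytes(238)                      # PE32+ magic, remaining fields zeroed
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if rwx_data:
        data_chars |= IMAGE_SCN_MEM_EXECUTE
    table = struct.pack(SECTION_FMT, b".text", 0x1A0, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    table += struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, data_chars)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + bytes(0x200) + overlay


if __name__ == "__main__":
    sample = build_sample(overlay=b"CONSTRUCTED-OVERLAY" * 8, rwx_data=True)
    pe = parse_pe(sample)
    for s in pe["sections"]:
        print(f"{s.name:8} raw {s.raw_offset:#06x}-{s.raw_end:#06x} flags {s.characteristics:#010x}")
    for line in section_anomalies(sample, pe):
        print("anomaly:", line)
```

An overlay is not proof of anything by itself: installers, signed binaries (the Authenticode signature lives past the last section) and self-extracting archives all carry one legitimately. The useful step is to compare the overlay's size and hash against what the file claims to be, which is what the Hashes and Authenticode views give you.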

PEiD (Packers, cryptors and compilers)

PEiD tries to identify packers, cryptors and compilers and determines the file's entropy, and FileAlyzer supports the PEiD plugin to display this information.

Prefetch files

Windows uses Prefetch files to speed up the execution of certain programs. FileAlyzer interprets these files and shows you what's inside!

Scheduled Tasks

FileAlyzer is able to display properties of files that store Windows Scheduled Tasks.

Security

This view shows all security parameters of the inspected file, in a structure interesting to developers, since it uses internal constant names instead of the end consumer texts.

The search field at the top and lines with a different background demonstrate a highlighting feature available on most FileAlyzer views.

Spybot File Scan

Text

FileAlyzer displays text with syntax highlighting for many common formats like C, HTML, Ini, JavaScript, Pascal, PHP, SQL, Basic, VBS or XML.

UPX Details

Executable files compressed with UPX will be shown with compression details.

VirusTotal Lookup

With the VirusTotal view, FileAlyzer is able to display the results of dozens of anti-virus engines for the file you are currently analyzing, either from a previous analysis or by submitting your actual sample.

Download

Standard Installer
Get this to install on a 32- or 64-bit Windows system.
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows XP
Portable Installer
Download this to include FileAlyzer in your PortableApps collection.
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows XP