File Scannner by SMT
Last modified Nov 5, 2017 4:25:32 PM
MD5 checksum f15aa9ad5671f30668711eef2e3bd019
Mime type Zip archive data
Download filescannner.zip
Size 574 kB
- Zip - Windows / Computer tool
23 items in the archive
- filescanner.05052001-smt/
- filescanner.05052001-smt/file_id.diz
- filescanner.05052001-smt/fs.dfs
- filescanner.05052001-smt/fs.exe
- filescanner.05052001-smt/fs.faq
- filescanner.05052001-smt/fs.ini
- filescanner.05052001-smt/fs_eng.doc
- filescanner.06062001-smt/
- filescanner.06062001-smt/fs.dfs
- filescanner.06062001-smt/FS.DOC
- filescanner.06062001-smt/fs.exe
- filescanner.06062001-smt/fs.ini
- filescanner.06062001-smt/fs_eng.doc
- filescanner.06062001-smt/ws.doc
- filescanner.06062001-smt/ws.exe
- filescanner.08012002-smt/
- filescanner.08012002-smt/fs.dfs
- filescanner.08012002-smt/FS.DOC
- filescanner.08012002-smt/fs.exe
- filescanner.08012002-smt/fs.ini
- filescanner.08012002-smt/fs_eng.doc
- filescanner.08012002-smt/ws.doc
- filescanner.08012002-smt/ws.exe
FILE SCANNER by SMT/SMF
File Scanner is a freeware program for identifying different
file formats. It can now do more: unpack
or decrypt DOS executable files, calculate directory sizes,
handle executable headers, play sounds, edit binary files
in hex, ASCII or asm mode, display ANSI, PCB, BMP, PCX, EMF,
WMF and SCR pictures, and display the contents of DBF files.
The list of features is still growing...
The available features differ by file type.
Windows NT specific:
On Windows NT, File Scanner can display the list of local processes
that have a file open, and the user/domain each process belongs to.
This works only for local processes (Windows 2000 terminal service
should work). It can't help if the process was started on another Windows
station and accesses the file through the network (I have no network for such tests).
This is not tested with NET_USE'd and SUBST'ed drives.
If a process uses the file as part of an image (like a DLL), it will be reported.
These checks use a lot of synchronization functions and are a bit slow.
They can be disabled with the command-line switch '-ns' or in fs.ini.
Work with all files:
First of all, FS looks at the filename and tries to determine
the type of the file by its extension (the file may not even exist on
disk, hehe). A file description can also be read from
files.bbs, descript.ion, 00index.txt, and so on...
Then File Scanner analyzes the start of the file and
compares it with all records in the database. It also displays
more: dates of creation, modification and last access (with the -inf switch).
The date of creation is the date when the file was copied to this
storage medium. For example, say you've installed a program from
CD-ROM. Then the time of last modification is the date when
the file was compiled, but the creation time is the date when
you installed the file on the HDD. FS also displays file
attributes (also only with -inf). The database was not started from
scratch; I've partially used the database from a program by Vadim
Tarasov ([email protected]), with his permission, of course;
you can get FileAnalyzer from the author: http://www.world.lv/vnet.
Note that I've done most of the database myself.
Work with directories:
Calculates the size of each sub-directory and its actual
size on disk (files are stored in clusters, so even if a file
is smaller than the cluster size, it occupies an entire
cluster on disk), and displays the directory structure
as a tree. Due to a bug in Windows 95/98, programs can't
determine the cluster size through the Win32 API, so I
use DOS interrupts (VWIN32 device). In Windows NT
there is no such bug, and the cluster size is correctly
calculated using the Win32 API.
Work with DOS/COM executables:
Finds the program that processed this file, or the compiler.
If there is an unpacker for this program, you can use
"fs -u" to restore the file. The exe/com unpacker requires
a Pentium or higher CPU.
Work with DOS/EXE files:
Almost the same as for COM executables, and it also shows
the structure of exe files: size of header, image and
overlay. Available options: fs -rd - remake executable.
It can reduce the size of the EXE header and re-optimize relocations.
Most linkers (TLINK, LINK) align
the header to 512 bytes, so even a small
assembly program has a large header. When remaking
the header, FS decreases its size as much as possible.
FS can also analyze the first 256 bytes of the overlay (with
option fs -o), so it can detect SFX archives.
Use fs -sd to delete the overlay, fs -us to save the image and overlay to files.
Work with LE/NE files:
Shows some parameters from the new-exe header.
Shows the description of the NE file stored in the header.
In Windows LE/NE files, FS looks for versionInfo in
resources. By default it displays only the description
and version number. Use fs -v to display all info.
The -v switch also works with MS compress packed files.
Many NE files contain two different descriptions:
one in the header and one in resources.
FS can display exported resident and non-resident
names (fs -e) and can display used modules (fs -i).
Note that in NE files all imports are performed by
ordinals (function numbers), so FS does not
display names of imported functions. You can use
other utilities (New-view) to see imported ordinals.
Work with Portable Executables (win32 files):
First FS tries to display all info about the DOS part
of the executable (the so-called 'stub'). It can give
info about the compiler, even if the file is packed/altered.
For example, Microsoft compilers are detected as
'DOS stub from MSVC', Borland's as 'Borland tlink32'.
As for NE files, FS displays a lot of info from the PE header.
The most interesting is the link date and time, so it is
possible to find out when the program was really
built, and compare it with the release date. Both
time formats are now supported: Microsoft (absolute time
from 1601) and Borland (usual DOS timedate,
count starts from 1980).
To view detailed info, use the fs -i, fs -id, fs -s and fs -e
switches. Some words about fs -s: there is an additional
section "flags", with values like entry_here, import_here, etc...
They are not stored in the section flags, but calculated
from values in the header. For example, if START_RVA is
within a section's RVA range, then the flag 'entry_here' will be added.
FS also calculates the PE checksum and compares it with the
value in the header. FS must read the entire file, so it may take
some time, especially on big files, and FS doesn't try
to find the checksum if it is not defined in the PE header.
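The checksum check described above, and the fix-up that 'fs -c' performs, as an added Python example (not File Scanner's own code). It uses the commonly documented PE checksum algorithm, a 16-bit end-around-carry sum of the file with the CheckSum field counted as zero, plus the file length; all function names and the 512-byte sample buffer are constructed for illustration.

```python
import struct

def checksum_offset(data):
    """File offset of the CheckSum field in the PE optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # 4-byte signature + 20-byte COFF header; CheckSum sits 0x40 bytes into
    # the optional header for both PE32 and PE32+.
    return e_lfanew + 4 + 20 + 0x40

def compute_checksum(data):
    """16-bit end-around-carry sum of the whole file, plus the file length."""
    buf = bytearray(data)
    off = checksum_offset(buf)
    buf[off:off + 4] = bytes(4)        # the field itself counts as zero
    if len(buf) % 2:
        buf.append(0)                  # pad an odd-sized file for the sum
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def check_checksum(data):
    """'not set' when the header holds 0, else 'ok' or 'mismatch'."""
    (stored,) = struct.unpack_from("<I", data, checksum_offset(data))
    if stored == 0:
        return "not set"               # nothing to compare against
    return "ok" if stored == compute_checksum(data) else "mismatch"

def set_checksum(buf):
    """Write the computed value into the header (buf must be a bytearray)."""
    value = compute_checksum(buf)
    struct.pack_into("<I", buf, checksum_offset(buf), value)
    return value

def build_sample():
    """Constructed buffer with just enough header to locate the field."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0x100:0x10B] = b"sample data"
    return img

if __name__ == "__main__":
    img = build_sample()
    print(check_checksum(img))                     # header field is still 0
    print(hex(set_checksum(img)), check_checksum(img))
    img[0x100] ^= 0xFF                             # any later edit breaks it
    print(check_checksum(img))
```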
Handling of PE-files:
'fs -c' - set the correct PE checksum. You may need to set the
checksum after every change to a PE file, otherwise the file
may not start (in Windows NT).
'fs -rd' - optimize the DOS stub, set alignment to 512 bytes - the least
possible value; sometimes it decreases file size.
It also sorts file sections by virtual size, thus making
executables compatible with Windows 2000.
Use the -spl flag to split sections with large zero areas.
These zero areas will be saved as uninitialized sections, and
the file size will decrease. The -spl flag is also used to
join adjacent sections with the same memory protection attributes;
this flag may be used only with -rn or -rd. Another switch
used with -rn, -rd is -ren. It renames sections of a portable
executable according to their content and protection attributes.
The following names are used: .text for the section with the entry point,
.bss for pure virtual sections, .rsrc for resources, .idata for
imports, .edata for exports, .reloc for base relocations,
.data for other data, .rdata for read-only data, and .mixed for
sections with at least two of resources, imports, exports or
relocations.
'fs -rn' - same as '-rd', plus replacing the DOS stub. It replaces
the DOS part with the smallest one (64 bytes). Some programs are able to reduce
the stub to 12 bytes or less, but sometimes their results fail to
run, especially on Windows NT.
Use -rd and -rn to restore 'damaged' files that do not run.
Thus, it's possible to make a UPXed0.50 file run on Windows NT
(but you must set the 'writeable' attribute on the last section yourself).
'fs -rn:<dos_file> <pe_file>' - combine two executables: when
you are in DOS, the first executable runs; in Windows, the second. All
DOS executables that are not self-checking
can be used here; files with an overlay may also work.
The original algorithm allows very large DOS files to be used for the stub.
FS displays mangled C++ names in imports/exports in readable form, so it'll
show 'public: __thiscall ios::ios(class streambuf *)' instead
of unreadable '??0ios@@QAE@PAVstreambuf@@@Z'.
'fs -inf' - show more details from the PE header.
'fs -us' - saves the DOS image and PE sections into separate files.
PE unpacker
The unpacker can handle redirected and trapped imports, works in
WinNT/2k and may work in Win95 (not tested much, so expect bugs).
If you're running Windows NT, please report bugs.
It is strongly recommended to use 'fs -rn -spl' on the unpacked file
after unpacking.
Work with RIFF and IFF files:
RIFF stands for 'resource interchange file format'. A RIFF file
can contain any type of information. These files are mostly used
by Windows applications. A RIFF file contains sections. Every
section has an identifier, a so-called TAG, that shows what info
is stored in the section. The FS database contains info about these tags.
For now there are only a few tags. FS shows details for RIFFs with
tag 'WAVE': sound codec, bitrate, quantization frequency, and
some other info, and for AVI files: resolution, bitrate, codecs,
audio format, etc...
FS also analyzes Amiga IFF files, and can show info about
ILBM pictures: resolution and number of colors.
Use the -n switch to display only valuable info.
Use fs -us to extract chunks.
Work with MPEG files:
FS shows the most interesting parameters of MPEG: MPEG
version, layer, bitrate, frequency, flags and more...
The MPEG header is very small (4 bytes), yet it
carries a lot of info, so fake 'MPEG' streams can
appear almost anywhere, though I tried to avoid them (FS
checks bitrate and frequency and skips strange files; FS also
tries to find a sequence of the same headers in the MPEG stream...).
So rely on your common sense if FS finds an MPEG stream :)
MP3 music files can contain ID3 info, in which case FS can show
artist, album name, music style and other info from ID3.
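Why a lone 4-byte header is weak evidence and a chain of headers is much stronger, as an added Python example (not File Scanner's own code or detection rules). It is narrowed to MPEG-1 Layer III, uses the standard bitrate and sample-rate tables for that layer, and runs on a constructed buffer; the function names and the three-frame threshold are assumptions.

```python
import struct

# MPEG-1 Layer III tables; index 0 (free format) and 15 are rejected here.
BITRATES_KBPS = [None, 32, 40, 48, 56, 64, 80, 96, 112,
                 128, 160, 192, 224, 256, 320, None]
SAMPLE_RATES = [44100, 48000, 32000, None]

def parse_header(data, off):
    """Return (bitrate_kbps, sample_rate, frame_len) or None if implausible."""
    if off + 4 > len(data):
        return None
    (h,) = struct.unpack_from(">I", data, off)
    if h >> 21 != 0x7FF:                      # 11-bit frame sync
        return None
    if (h >> 19) & 3 != 3 or (h >> 17) & 3 != 1:
        return None                           # only MPEG-1, Layer III
    bitrate = BITRATES_KBPS[(h >> 12) & 0xF]
    rate = SAMPLE_RATES[(h >> 10) & 3]
    if bitrate is None or rate is None:       # the "strange" values
        return None
    padding = (h >> 9) & 1
    return bitrate, rate, 144 * bitrate * 1000 // rate + padding

def first_plausible_header(data):
    """Naive detection: the first offset whose 4 bytes parse as a header."""
    for off in range(len(data) - 3):
        if parse_header(data, off):
            return off
    return None

def find_stream(data, min_frames=3):
    """Offset of the first header followed by min_frames - 1 further headers,
    each exactly one frame length after the previous, same sample rate."""
    for off in range(len(data) - 3):
        first = parse_header(data, off)
        if not first:
            continue
        pos, count = off, 0
        while True:
            hdr = parse_header(data, pos)
            if not hdr or hdr[1] != first[1]:
                break
            count += 1
            if count >= min_frames:
                return off
            pos += hdr[2]                     # jump to the next frame
    return None

def build_sample():
    """Constructed data: a stray header at offset 10, real frames from 64."""
    hdr = bytes.fromhex("fffb9000")           # MPEG-1 L3, 128 kbps, 44100 Hz
    frame = hdr + bytes(413)                  # 417-byte frame, empty payload
    return bytes(10) + hdr + b"\x11" * 50 + frame * 3

if __name__ == "__main__":
    sample = build_sample()
    print(first_plausible_header(sample), find_stream(sample))
```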
Work with music modules:
For now only MOD, 669, S3M and MTM music modules are supported.
FS shows the version (if the file format has one), module title,
and the list of samples used... Often there is info about the
module, greetings and other composer's notes in the sample names,
so it is useful.
Binary registry files
Binary registry files from Windows NT (tested on Windows 2000) and
Windows 95 can be extracted to .reg format. Useful for exploring
stolen registry files without compatibility troubles, hehe ;-)
Content-dependent viewer:
Use the -view key. It currently supports these formats:
1. wave,
2. midi/rmi,
3. bin (raw textscreen dump) with filesize = 4000 or 8000 (dec)
4. ANSI
there can be multiple pictures in 1 file, delimited by the CLS command
use -del:nn to set the slideshow delay in 1/1000 of a second
5. RAW sound - sound is played when the -snd: or -sbf: switch is used
default format is 22 kHz, 8 bit, mono, sound buffer size is 16 Kb
must be overridden with switch -snd:f,b,c or -sbf:nnn
6. Creative VOC files. limited support - no player for silence blocks
and for looped samples
7. Windows bitmaps.
keys: left, right, up, down - scroll picture,
GrayPlus - ZoomIn, GrayMinus - ZoomOut,
GrayMult - ZoomToScreen, GrayDiv - set original size
Enter - ZoomToMaxWithoutAspectDistortions
8. ZSoft PCX images. supported color formats in decoder:
8 bits * 3 planes (16M,64K,32K colors)
8 bits * 1 plane (256 colors)
1 bit * 4 planes (16 colors)
1 bit * 1 plane (monochrome)
I think that's all the possible PCX formats
9. SCR-6912 and SCR-6144 files, keyboard controls are the same.
10. Windows ICO, ANI, CUR
11. unix-style manuals. these are ordinary text files with 'bold' and
'underlined' codes. this is not the 'man' document format,
but files prepared for printing (for example by 'man <cmd> > <file>')
12. DBF files. supported: dBASE III, FOX PRO, dBASE IV
sorry, the viewer is GUI-based and
very simple - no search (maybe later...), but I
coded sorting (click a column header; as in many programs, click
the same header again for reverse sorting)
hint: try CTRL+GreyPlus while exploring DBF
13. Windows metafiles (*.wmf) and enhanced metafiles (*.emf) vector files
14. fonts preview: .FON and .TTF formats. works only on NT
15. JPEG viewer: displays true color and monochrome JPEGs,
progressive JPEGs are not supported
File optimizer:
Currently only DOS EXE and PE EXE formats are supported... this is described above.
Hex viewer/editor
These are the -hex and -hxr switches. The editor is fully customizable:
you can set your own keys and your colors in fs.ini.
I added this function because the most popular hex editor (hiew)
became shareware, and I don't like to pay for software; moreover,
the full version and the shareware demo version are different, so it's not
possible to crack the shareware version to get it to work like the full version...
This hex editor has many advantages compared with competing products:
it's freeware (unlike hiew); it's not portable (unlike biew and hiew),
so it uses all the power of the OS (though biew, which contains OS-dependent file I/O, may
compete with FS on speed);
it's a win32 application, unlike qview (DOS apps require loading
ntvdm.exe and executing autoexec.nt and config.nt, so they are slow);
it's customizable, I'm adding new functions to it frequently, it has a more
friendly interface, Windows clipboard support, easy block selection
and manipulation, and much more...
Drawbacks: no support for SYS/NE/LE/LX/ELF/etc formats, only MZ/PE.
Undo operations: really useful - you can undo any changes
(and redo them again). The undo history list is the best way to see what changes
were made. The number of undo steps is limited only by free disk space.
File Scanner keeps undo data between edit sessions by default. You may
disable this in the .ini file (if free disk space is important). One interesting
thing is the 'UndoByte' command - it restores the original byte value in
a changed block (so it's not necessary to undo the whole block).
Some words about the clipboard. It is designed to be compatible with other
applications; that's why FS does not create its own clipboard format and uses
standard CF_TEXT. Therefore there are some limitations: you can't place
control characters into the clipboard. When the cursor is in the hex area, the clipboard
works with a hex dump of the data, so every byte can be stored; in the text
area the clipboard works with normal text strings. If you want to do
binary block operations, make sure that the cursor is in the hex area; do not
mix text and dump.
Search - there are three search modes:
1. Byte sequence or string. Here is a trick from hiew: when you
press enter in the text field the search is not case-sensitive; when
in the hex field, case matters.
You can search with a mask (this feature is taken from
STS monitor - the coolest debugger I've ever seen ;-]),
so you can find all instructions like add [eax+nn],15 -
search for 80400015 with mask FFFF00FF.
String search starts from the cursor.
2. Find relative reference - find a call, jump, long 386 jump or loop
to the point at the cursor. Make sure the needed disasm mode is active (16 or 32 bit).
This search starts from the beginning of the file.
3. Find absolute reference. You can find a raw 32-bit pointer to the
cursor or a pointer to the cursor's virtual address. I often use this when
cracking win32 progs - for example, find the string "Insert CD..." and
then immediately find a reference to this string... then find the
conditional jump (using relative search) to this routine and patch it!
This type of search also starts from the beginning of the file.
FindNext - repeat the last search, but from the cursor position.
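The masked byte search from search mode 1 (80400015 with mask FFFF00FF), as an added Python example that is not File Scanner's own code; the same compare-under-mask idea underlies wildcard byte signatures used for file identification. The function names and the sample bytes are constructed, and the bit-level mask in the second call goes one step beyond the whole-byte mask on the page.

```python
def masked_find_all(data, pattern, mask, start=0):
    """Offsets where (data & mask) == (pattern & mask), byte by byte."""
    n = len(pattern)
    if n == 0 or n != len(mask):
        raise ValueError("pattern and mask must be non-empty and equal length")
    want = bytes(p & m for p, m in zip(pattern, mask))
    # The longest run of FF mask bytes is a literal we can hand to find().
    best_off = best_len = 0
    run_start = None
    for i, m in enumerate(mask + b"\x00"):
        if m == 0xFF:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_off, best_len = run_start, i - run_start
            run_start = None
    anchor = pattern[best_off:best_off + best_len]
    hits = []
    pos = start + best_off
    while True:
        if best_len:                       # jump to the next literal match
            pos = data.find(anchor, pos)
            if pos < 0:
                break
        base = pos - best_off
        if base + n > len(data):
            break
        if all((data[base + j] & mask[j]) == want[j] for j in range(n)):
            hits.append(base)
        pos += 1
    return hits

def find_hex(data, pattern_hex, mask_hex, start=0):
    """Same search, with pattern and mask typed as hex strings."""
    return masked_find_all(data, bytes.fromhex(pattern_hex),
                           bytes.fromhex(mask_hex), start)

# Constructed sample: nop; add byte [eax+8],15; add byte [ecx+8],15;
# add byte [eax-4],15; add byte [eax+8],16; ret
SAMPLE = bytes.fromhex("90" "80400815" "80410815" "8040fc15" "80400816" "c3")

if __name__ == "__main__":
    # The page's query: any displacement, base register eax, immediate 15.
    print(find_hex(SAMPLE, "80400015", "FFFF00FF"))
    # Bit-level mask: also ignore the low three ModRM bits (any base register).
    print(find_hex(SAMPLE, "80400015", "FFF800FF"))
```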
Goto function - it's possible to use a virtual address if VA-mode is on.
Splitscreen mode - using this feature you can see two parts of your file
simultaneously; e.g. in 16-bit and 32-bit disasm modes, or in text and
disasm modes. The two windows are completely independent - each has its
own selected block marks, view, put and bitness modes and so on. Any changes
made in the first window are immediately displayed in the second.
You can also adjust the sizes of the view windows.
Save block - just saves the selected block to a file at the given offset. You must
select some block.
Load block - if there is a block selected, loads a block from the file into the
selected block (the size of the loaded part is not more than the size of the selection); if
there is no selected block, loads the file from the given offset until end of file to the
cursor location... Note that, as in copy&paste operations, put mode is
important... so you can LOAD, INSERT, XOR, AND, and OR data.
PE header editor, data directory & sections editor - press esc to undo
changes or enter to accept. Pressing enter on the rva field of a data directory
or on any field of the section dialog will jump to the corresponding data structure.
Goto exports: redirected exports are shown as oldname -> newdll.newname
Goto imports: jumps to the IAT entry corresponding to the selected function. Hint:
press 'FindRawRef' (mapped to Alt-F7 by default) to search for references to the
imported function. If you've found a stub like 'jump dword [func]', then
place the cursor at the start of the 'jmp' and press 'FindRelRef' (Ctrl-F7) to get
refs to this stub.
Fill: the fill operation uses put mode.. so you can fill a block with a
pattern, 'xor', 'and', 'or' a block with a pattern and use a mask for these
operations. For example, to reset the low byte in each dword you may
use and mode with pattern 00,FF,FF,FF or put mode with pattern 00,FF,FF,FF
and mask FF,00,00,00; for setting the low byte of each dword in a block to 46
use put mode with pattern 46,00,00,00 with mask FF,00,00,00. Obviously,
you may set/reset particular bits in a block. I hope you get the idea...
Assembler and disassembler: supported are the x86 architecture
(without MMX, 3DNow, SSE),
Zilog Z80 (complete! all opcodes, even undocumented) for hacking
ZX-Spectrum snapshots, and 6502 for hacking Nintendo (aka Dendy) games
and a lot of other platforms that use the 6502.
Calculator:
The calculator has the following operators:
~,!,*,%,/,+,-,<<,>>,<,>,<=,>=,=,==,!=,&,^,|,&&,||
and round brackets.
Operator precedence is the same as in C/C++.
All numbers are hex by default and must start with a digit (e.g. 0-9);
decimal numbers must start with @.
Character codes - constructions like 'x', 'abcd' and so on.
You can use cut and paste to move a value from the calculator to another dialog.
Bookmarks: there are usual ('fixed') and 'sticky' bookmarks.
Usual bookmarks contain an absolute offset from the start of the file.
Sticky bookmarks 'stick' to the marked byte: if there is an insertion or
deletion before the bookmark, it moves. If you delete a block
containing a sticky bookmark, the bookmark is deleted too.
Bookmarks may be saved between edit sessions (KeepBookmarks=1 in the .ini file).
Many functions and options are described in fs.ini.
Non-file & misc. functions:
-inf - show more info: filetimes, filesize,
details from headers, etc...
Switch -n: use this switch for brief info about a file.
When this switch is active, FS does not display filetimes and
filesizes, RIFF tags, music module sample names, strange values in
PE/NE-exe headers, and some other additional info.
Switch -p: wait for a keypress after printing a full screen.
-mono - disable colors
-cs:<new_cluster_size> : override cluster size. Useful for
estimating directory size on a drive with another cluster size
without copying the directory to it. Cluster size can't be zero.
-ans - ANSI output - very useful with wildcards. You can specify the output
ANSI filename as shown here:
fs -n -ans:c:\test.ans *.exe *.com
and view the result with your favourite ANSI viewer; you can even output
the FS database contents to an ANSI file. Use it with the -mono switch to create
a text log file.
-slnt - show messages only about actions performed, such as
"checksum: setting to right value". May be used with bat files
or with wildcards: 'fs -rr2 -slnt *.exe *.dll *.ocx'
This switch was undocumented for some time.
Ansi and PC-Board viewer:
Keyboard controls in the ANSI viewer: ESC - return; UP, DOWN, PGUP, PGDN,
HOME, END - scroll; same keys with CTRL - quick scroll.
Known BUGS:
Unpacking DOS COM/EXE: the file extension doesn't change
even if the file format changes; e.g. if you unpack an EXE file
created by COM2EXE, the output file will be a COM file, but the
extension remains .EXE
Does not show FileVersionInfo of VxDs when running on Windows NT.
Displays blinking in ANSI only if VGA is already in blinking mode.
You must run a DOS program that sets the needed video mode
(like acidview.exe or pv.exe) before running FS with blinking ANSIs.
Unpacker: can't detect hackstop 1.11, 1.13 for .com files due to
limitations of my script detection system; it detects
it as RCC/286 but unpacking fails, because the script must be different.
ANSI viewer and hex editor look strange in 80x50 video mode -
please don't use this mode!
Win9x-specific bugs (too many, that's why I plan to stop supporting 9x)
-view -sbf:7000000 can completely hang the system on some sound cards
hexeditor: can't enter symbols in alternative keyboard layouts
pe-unpacker is not tested very well
a lot of scripts for pe-unpacker will not work (copy-on-write not implemented)
font viewer will not work
Plans for future versions:
hexeditor: mouse support (?)
hexeditor: 3DNow!, MMX, SSE instructions
General info:
File Scanner was written by SMT ([email protected])
last updates of FS can be found on http://smf.chat.ru/
Greets:
Greets to Veit Kannegieser - why you don't develop typ3 anymore ???
Hello to Liu TaoTao - TR is great!!!
Big thanks to those people, who helped me to make this incredible program:
MajestiC - logo, a lot of packers
Duke/SMF - many ideas, comments, *file*formats*, packers, etc...
Alexander Alferowich - bugreports and some suggestions
mAXX - some suggestions