Powerful Virus Analysis Tool InstallRite Portable Cracked Version Download, InstallRite Virus Analysis Tutorial

Download link: http://olseeling.qjwm.com/down_1173304.html

Chinese localization patch: http://olseeling.qjwm.com/down_1173268.html

InstallRite is a tool that analyzes system changes by comparing snapshots. It was originally often used to observe the file and registry changes made before and after software installation, but it can also help analyze suspicious programs: first record the system state, then run the sample, and finally compare the two snapshots to see which files it added, modified, or deleted, and which registry entries it changed.

When analyzing viruses or suspicious programs, it is not recommended to run them directly on your everyday system. It is best to prepare a virtual machine, save a VM snapshot in advance, and isolate the network environment as much as possible. This way, even if the sample causes damage, you can roll back the system and avoid affecting your real computer.

Basic Idea

InstallRite's analysis principle is very straightforward:

  1. Before running the suspicious program, create a snapshot of the current system.
  2. Run the virus or suspicious program and wait for it to finish executing.
  3. Run InstallRite's analysis function to compare the changes made after the most recent snapshot.
  4. Check the file system and registry differences to determine what actions the sample performed.
  5. Based on the difference results, clean up newly added files, restore modified registry entries, or further locate startup items, services, and dropped files.

Steps

First, complete the registration and Chinese localization of the portable version, then create a system snapshot before analyzing the virus. This snapshot serves as the baseline for the “clean state,” and all later changes will be compared against it.

Second, after the snapshot has been created, run the virus sample. It is recommended to experiment only inside a virtual machine, and to save the VM's own snapshot before running it. After the virus has fully run, click InstallRite's analysis function to analyze the changes made after the most recent snapshot.

Third, after the analysis is complete, click “Check Installation” at the top. At this point, you can see the changes the virus file made to the system, including newly added or modified files, registry keys and values, and other information.

Things to Watch During Analysis

When reviewing the results, focus on these locations:

  • System startup items and registry locations such as Run and RunOnce.
  • Newly added executable files in system directories, temporary directories, and user directories.
  • Key files that have been replaced or deleted.
  • Newly added services, drivers, scheduled tasks, or abnormal autostart configurations.
  • Registry changes related to browsers, network proxies, and firewall settings.

If you only want to determine what a program changed during installation, you can simply compare snapshots using the process above. If you are analyzing a virus, it is best to use InstallRite's results together with other tools, such as process viewers, startup item viewers, and network connection viewers. InstallRite mainly tells you “what changed before and after,” but it may not explain how malicious each change is. You need to judge based on the actual path, filename, signature, and runtime behavior.
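The before/after comparison and the review locations listed above, as an added example; it is not InstallRite's code or its snapshot format. It assumes a snapshot is a mapping from a file or registry path to a content hash or value, and every path, value and pattern in it is constructed for illustration.

```python
import re

# Review locations from the list above as path patterns (constructed, not exhaustive).
WATCH = [
    ("autostart", re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.I)),
    ("service/driver", re.compile(r"\\CurrentControlSet\\Services\\", re.I)),
    ("scheduled task", re.compile(r"\\System32\\Tasks\\", re.I)),
    ("proxy/firewall", re.compile(r"Internet Settings\\Proxy|FirewallPolicy", re.I)),
    ("executable file", re.compile(r"\\(Temp|System32|AppData)\\.*\.(exe|dll|sys|scr|bat)$", re.I)),
]

def diff_snapshots(before, after):
    """Compare two {path: hash-or-value} snapshots; return (added, modified, deleted)."""
    added = sorted(k for k in after if k not in before)
    deleted = sorted(k for k in before if k not in after)
    modified = sorted(k for k in after if k in before and after[k] != before[k])
    return added, modified, deleted

def triage(before, after):
    """Return (change, category, path) tuples; category is 'other' if nothing matches."""
    findings = []
    changes = zip(("added", "modified", "deleted"), diff_snapshots(before, after))
    for change, paths in changes:
        for path in paths:
            category = next((n for n, rx in WATCH if rx.search(path)), "other")
            findings.append((change, category, path))
    return findings

# Constructed sample snapshots from a hypothetical lab VM.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
PROXY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\updsvc\ImagePath"
DROPPED = r"C:\Users\lab\AppData\Local\Temp\upd.exe"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
NOTES = r"C:\Users\lab\Documents\notes.txt"

BEFORE = {HOSTS: "hash-a", PROXY: "0", NOTES: "hash-n"}
AFTER = {HOSTS: "hash-b", PROXY: "1", RUN: DROPPED, DROPPED: "hash-e",
         SVC: r"C:\Windows\System32\updsvc.exe"}

if __name__ == "__main__":
    for change, category, path in triage(BEFORE, AFTER):
        print(f"{change:9} {category:16} {path}")
```

The modified hosts file lands in "other" here, which shows why an unmatched change still needs a manual look at its path and content.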

This software also has other functions. This time, the focus is mainly on how to use it for snapshot comparison to analyze suspicious programs. You can study the other features on your own.
