For many years I’ve been using custom Windows right-click menu entries to speed up common analysis tasks such as:
- calculate hash sums
- open a file in IDA Pro (
ida.exeorida64.exe) - zip a file (with password-protection “infected”)
- unzip a file (using password “infected”)
The result looks like this:
Recently, I set up a new analysis environment and very quickly missed these. So here they go for doing this more quickly in the future.
Right-Click Menu: Get file hash sums
The hash sum generation comes provided by various tools — including my favorite hashmyfiles. After downloading and moving the files to your desired location, run the program and use Options – Enable Explorer Context Menu.
Right-Click Menu: Registry entries
The registry key HKEY_CLASSES_ROOT\*\shell stores right-click extensions for alls files. I prefer this generic type, because I often use files with no extension or extensions like .exe_, .bin, or .dl_. To setup a right-click entry for specific file types, e.g., .exe you can use entries like HKEY_CLASSES_ROOT\.exe\shell.
Here are the entries I’ve created and configured (unrelated entries are grayed out). The registry key and value details are shown below.
Right-Click Menu: Open with IDA Pro
To set the right-click menu icon, create and set the below key and value. See the end of this post for the easiest way to import all described entries.
HKEY_CLASSES_ROOT*\shell\Open with IDA 8.2\Icon"C:\Program Files\IDA Pro 8.2\ida.exe",0
To facilitate opening the file with ida.exe, set the below value. The %1 indicates the selected file’s path.
HKEY_CLASSES_ROOT*\shell\Open with IDA 8.2\command"C:\Program Files\IDA Pro 8.2\ida.exe" "%1"
Note that you have to update the entry for a new IDA version. Alternatively, you can create a shortcut and configure that for the most recent release.
Right-Click Menu: Open with IDA Pro (64-bit version)
As of now, IDA Pro still uses two binaries to analyze 32-bit and 64-bit programs. The registry configuration only points to ida64.exe instead of ida.exe. So for example, set
HKEY_CLASSES_ROOT*\shell\Open with IDA 8.2 (x64)\command"C:\Program Files\IDA Pro 8.2\ida64.exe" "%1"
Zip and unzip with password “infected”
Since I often use and share password-protected archives, the following right-click entry speeds up zipping and unzipping these files. I rely on 7-zip here, which you have to install beforehand.
HKEY_CLASSES_ROOT*\shell\zip "infected"\command"C:\Program Files\7-Zip\7z.exe" a -pinfected -tzip "%1.zip" "%1"
The above command line explained:
<path to 7z.exe>a: add files to archive-p{Password}: set Password-t{Type}: set type of archive%1.zip: Output filename%1: Input filename
To unzip, set:
HKEY_CLASSES_ROOT*\shell\unzip "infected"\command"C:\Program Files\7-Zip\7z.exe" e -pinfected "%1"
The command line here:
<path to 7z.exe>e: Extract files from archive (without using directory names)- alternatively, use
xto eXtract files with full paths
- alternatively, use
-p{Password}: set Password%1: Input filename
Registry Editor exports
Copy the below code into a .reg file, e.g., awesome.reg and run it (accepting the security warnings). You may modify the entries before or after importing them to reflect your specific configuration.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\Open with IDA 8.2]
"Icon"="\"C:\\Program Files\\IDA Pro 8.2\\ida.exe\",0"
[HKEY_CLASSES_ROOT\*\shell\Open with IDA 8.2\command]
@="\"C:\\Program Files\\IDA Pro 8.2\\ida.exe\" \"%1\""
[HKEY_CLASSES_ROOT\*\shell\Open with IDA 8.2 (x64)]
"Icon"="\"C:\\Program Files\\IDA Pro 8.2\\ida64.exe\",0"
[HKEY_CLASSES_ROOT\*\shell\Open with IDA 8.2 (x64)\command]
@="\"C:\\Program Files\\IDA Pro 8.2\\ida64.exe\" \"%1\""
[HKEY_CLASSES_ROOT\*\shell\zip "infected"]
[HKEY_CLASSES_ROOT\*\shell\zip "infected"\command]
@="\"C:\\Program Files\\7-Zip\\7z.exe\" a -pinfected -tzip \"%1.zip\" \"%1\""
[HKEY_CLASSES_ROOT\*\shell\unzip "infected"]
[HKEY_CLASSES_ROOT\*\shell\unzip "infected"\command]
@="\"C:\\Program Files\\7-Zip\\7z.exe\" e -pinfected \"%1\""