toolkit/TOOLS.md

# Tools

1. [Analysis](#analysis)
1. [Decompilers](#decompilers)
1. [Dissasembler](#dissasembler)
1. [Hex editor](#hex-editor)
1. [Monitor](#monitor)
1. [Other](#other)
1. [Rootkits detector](#rootkits-detector)
1. [Unpacking](#unpacking)


## Analysis

### CAPA
***Web:*** https://github.com/fireeye/capa <br/>
***Developer:*** mandiant - www.mandiant.com <br/>
***Description:*** Capa detects capabilities in executable files. You run it against a PE, ELF, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. <br/>

### DIE
***Web:*** https://github.com/horsicq/DIE-engine <br/>
***Developer:*** horsicq <br/>
***Description:*** Detect It Easy, or abbreviated "DIE" is a program for determining types of files. DIE-Engine is a Graphical User Interface for DIE.  <br/>

### ExeinfoPe
***Web:*** https://github.com/ExeinfoASL/ASL <br/>
***Developer:*** ASL - http://www.exeinfo.byethost18.com <br/>
***Description:*** ExEinfo PE detects packers, obfuscators, compilers & protectors. <br/>

### PE-Bear
***Web:*** https://github.com/hasherezade/pe-bear-releases <br/>
***Developer:*** hasherezade <br/>
***Description:*** PE-bear is a freeware reversing tool for PE files. Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files. <br/>

### PEiD
***Web:*** https://appnee.com/peid/ (closed) <br/>
***Developer:*** snaker <br/>
***Description:*** PEiD (short for PE iDentifier) is a well-known professional, extensible packer/cryptor/compiler detecting tool. It’s so powerful that it can detect the types/signatures of almost any PE file packing tools (at present, the number has been more than 600 kinds) <br/>

### PEStudio
***Web:*** https://www.winitor.com/download <br/>
***Developer:*** winitor <br/>
***Description:*** The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response Teams (CERT), Security Operations Centers (SOC) and Digital-Forensic Labs worldwide. <br/>

### ProtectionID
***Web:*** The official site is down forever. You can check the Wayback Machine here: https://web.archive.org/web/20210331144912/https://protectionid.net/ <br/>
***Developer:*** CDKiller & TippeX <br/>
***Description:*** PiD Team's Protection ID started as a PC game protection detector, and quickly became a swiss-army knife to detect packers & .NET protections.<br/>

### XAPKDetector
***Web:*** https://github.com/horsicq/XAPKDetector <br/>
***Developer:*** horsicq <br/>
***Description:*** This tool shows information about build tools, libraries and protection of APK/DEX files. Has heuristic capabilities, and runs in Win/MacOS/Linux. <br/>

### XELFViewer
***Web:*** https://github.com/horsicq/XELFViewer <br/>
***Developer:*** horsicq <br/>
***Description:*** This is an ELF file viewer/editor for Windows, Linux and MacOS. <br/>

### XPEViewer
***Web:*** https://github.com/horsicq/XPEViewer <br/>
***Developer:*** horsicq <br/>
***Description:*** This tool is a PE file viewer/editor for Windows, Linux and MacOS. <br/>


## Decompilers

### [ANDROID] JADX
***Web:*** https://github.com/skylot/jadx <br/>
***Developer:*** skylot <br/>
***Description:*** Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files <br/>

### [AUTOIT] Exe2Aut
***Web:*** www.exe2aut.com <br/>
***Developer:*** ??? <br/>
***Description:*** Exe2Aut is designed to be the easiest to use and most versatile
decompiler for compiled AutoIt3 scripts one could think of. Exe2Aut is even capable of decompiling
executables that have been packed and protected using AutoIt3Camo, Themida, Armadillo, Safengine and so forth due to its low level nature. <br/>

### [AUTOIT] MyAutToExe
***Web:*** https://files.planet-dl.org/Cw2k/MyAutToExe/index.html <br/>
***Developer:*** CW2K@gmx.de <br/>
***Description:*** Decompiles 'compiled' AutoIT Exe files. <br/>

### [DELPHI] Dede
***Web:*** ??? <br/>
***Developer:*** DaFixer <br/>
***Description:*** ??? <br/>

### [DELPHI] IDR
***Web:*** https://github.com/crypto2011/IDR <br/>
***Developer:*** crypto2011 <br/>
***Description:*** Interactive Delphi Reconstructor <br/>

### [DOTNET] dnSpyEx
***Web:*** https://github.com/dnSpyEx/dnSpy <br/>
***Developer:*** dnSpy <br/>
***Description:*** dnSpy <br/>

### [DOTNET] GrayWolf
***Web:*** ??? <br/>
***Developer:*** DigitalBodyGuard <br/>
***Description:*** GrayWolf <br/>

### [DOTNET] ILSpy
***Web:*** https://github.com/icsharpcode/ILSpy <br/>
***Developer:*** ic#code <br/>
***Description:*** ILSpy <br/>

### [JAVA] JD-GUI
***Web:*** https://github.com/java-decompiler/jd-gui <br/>
***Developer:*** ??? <br/>
***Description:*** JD-GUI <br/>

### [JAVA] Recaf
***Web:*** https://github.com/Col-E/Recaf <br/>
***Developer:*** Matt Coley (Col-E) <br/>
***Description:*** ??? <br/>

### [PYTHON] PyInstxtractor
***Web:*** https://github.com/extremecoders-re/pyinstxtractor <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### [VB] P-Code-ExDec
***Web:*** ??? <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>


## Dissasembler

### BDASM
***Web:*** ??? <br/>
***Developer:*** ??? <br/>
***Description:*** BDASM MFC Application <br/>

### Cutter
***Web:*** https://github.com/rizinorg/cutter <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### Immunity Debugger
***Web:*** ??? <br/>
***Developer:*** ??? <br/>
***Description:*** Immunity Debugger, 32-bit analysing debugger <br/>

### OllyDbg 1.10
***Web:*** https://www.ollydbg.de <br/>
***Developer:*** Oleh Yuschuk <br/>
***Description:*** OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a user friendly interface, and its functionality can be extended by third-party plugins. <br/>

### w32Dasm
***Web:*** ??? <br/>
***Developer:*** URSoft <br/>
***Description:*** W32DASM was an excellent 16/32 bit disassembler for Windows <br/>

### x64dbg
***Web:*** https://sourceforge.net/projects/x64dbg <br/>
***Developer:*** ??? <br/>
***Description:*** x64dbg <br/>


## HEX Editor

### HxD
***Web:*** https://mh-nexus.de/en/hxd <br/>
***Developer:*** Maël Hörz <br/>
***Description:*** HxD Hex Editor <br/>

### ImHex
***Web:*** https://github.com/WerWolv/ImHex <br/>
***Developer:*** WerWolv <br/>
***Description:*** ImHex Hex Editor <br/>

### REHex
***Web:*** https://github.com/solemnwarning/rehex <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### WinHex
***Web:*** https://x-ways.net/winhex <br/>
***Developer:*** X-Ways Software Technology AG <br/>
***Description:*** WinHex <br/>


## Monitor

### Api Monitor
***Web:*** ??? <br/>
***Developer:*** rohitab.com <br/>
***Description:*** API Monitor v2 (Alpha) 32-bit <br/>

### Autoruns
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Autostart program viewer <br/>

### CurrPorts
***Web:*** https://www.nirsoft.net/utils/cports.html <br/>
***Developer:*** NirSoft <br/>
***Description:*** CurrPorts <br/>

### HollowsHunter
***Web:*** https://github.com/hasherezade/hollows_hunter <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### MultiMon
***Web:*** https://www.resplendence.com/multimon_whatsnew <br/>
***Developer:*** Resplendence Software Projects Sp. <br/>
***Description:*** MultiMon <br/>

### PE-sieve
***Web:*** https://github.com/hasherezade/pe-sieve <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### Portmon
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/portmon <br/>
***Developer:*** SysInternals <br/>
***Description:*** Portmon/EE <br/>

### Process Explorer
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Sysinternals Process Explorer <br/>

### Process Hacker 3
***Web:*** https://processhacker.sourceforge.io/nightly.php <br/>
***Developer:*** Process Hacker <br/>
***Description:*** Process Hacker <br/>

### Procmon
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/procmon <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Process Monitor <br/>

### RegShot
***Web:*** https://github.com/Seabreg/Regshot <br/>
***Developer:*** Seabreg <br/>
***Description:*** Regshot is a small, free and open-source registry compare utility that allows you to quickly
take a snapshot of your registry and then compare it with a second one - done after doing
system changes or installing a new software product. <br/>

### SysAnalyzer
***Web:*** https://github.com/dzzie/SysAnalyzer <br/>
***Developer:*** dzzie <br/>
***Description:*** SysAnalyzer is an application that was designed to give malcode analysts an 
automated tool to quickly collect, compare, and report on the actions a 
binary took while running on the system. <br/>

### TCPView
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview <br/>
***Developer:*** Sysinternals <br/>
***Description:*** TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. <br/>


## Other

### APKEasyTool
***Web:*** https://forum.xda-developers.com/t/tool-windows-apk-easy-tool-v1-59-2-2021-04-03.3333960/ <br/>
***Developer:*** Evildog1 <br/>
***Description:*** Apk Easy Tool is a lightweight GUI application that enables you to manage, sign, compile and decompile the APK files for the apps you are working on. <br/>

### ApkStudio
***Web:*** https://github.com/vaibhavpandeyvpz/apkstudio <br/>
***Developer:*** Vaibhav Pandey -aka- VPZ <br/>
***Description:*** Open-source, cross-platform Qt based IDE for reverse-engineering Android application packages. <br/>

### ASCII Art Generator
***Web:*** ??? <br/>
***Developer:*** ASCII Art Generator <br/>
***Description:*** ASCII Art Generator <br/>

### AstroGrep
***Web:*** https://sourceforge.net/projects/astrogrep <br/>
***Developer:*** AstroComma Inc. <br/>
***Description:*** AstroGrep is a Microsoft Windows GUI File Searching (grep) utility. Its features include regular expressions, versatile printing options, stores most recent used paths and has a "context" feature which is very nice for looking at source code. <br/>

### AVFucker
***Web:*** https://marcoramilli.com/2010/01/02/avfucker-new-version/ <br/>
***Developer:*** Marco Ramilli <br/>
***Description:*** AVFucker is a tool that helps you evade Antivirus using the “replace byte signature” techniques. <br/>

### Cool Beans NFO Creator
***Web:*** https://www.coolbeans.ws/nfocreator.shtml <br/>
***Developer:*** Cool Beans Software <br/>
***Description:*** Cool Beans NFO Creator is a small program that generates detailed .nfo text files based on nearly fifty user-input fields. <br/>

### FLOSS
***Web:*** https://github.com/fireeye/flare-floss <br/>
***Developer:*** mandiant <br/>
***Description:*** The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries. <br/>

### HashMyFiles
***Web:*** https://www.nirsoft.net/utils/hash_my_files.html <br/>
***Developer:*** NirSoft <br/>
***Description:*** HashMyFiles is small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. You can easily copy the MD5/SHA1 hashes list into the clipboard, or save them into text/html/xml file.  <br/>

### ImpREC
***Web:*** Offline since forever - use https://www.aldeid.com/wiki/ImpREC <br/>
***Developer:*** MackT/uCF <br/>
***Description:*** ImpRec is a very handy tool that can be used to repair/reconstruct the import table for packed programs.  <br/>

### Indetectables Offset Locator
***Web:*** https://www.indetectables.net/viewtopic.php?t=29725&sid=d42f7cab211096f4f52fef67efc9b538 <br/>
***Developer:*** Mingo, yorll, metal <br/>
***Description:*** This is a classic, great tool to clean AV signatures in executables. <br/>

### NFO Maker
***Web:*** ??? <br/>
***Developer:*** The Millenium Group <br/>
***Description:*** ??? <br/>

### ProcDOT
***Web:*** https://www.procdot.com/downloadprocdotbinaries.htm <br/>
***Developer:*** CERT.at <br/>
***Description:*** ProcDOT - Visual Malware Analysis <br/>

### Process-Dump
***Web:*** http://split-code.com/processdump.html <br/>
***Developer:*** Split-Code <br/>
***Description:*** Process Dump is a Windows reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32 and 64 bit modules. <br/>

### Resource Hacker
***Web:*** http://www.angusj.com/resourcehacker <br/>
***Developer:*** Angus Johnson <br/>
***Description:*** Resource Hacker is a resource editor for 32bit and 64bit Windows applications. It's both a resource compiler aand a decompiler, enabling viewing and editing resources in executables. <br/>

### Scylla
***Web:*** https://github.com/NtQuery/Scylla <br/>
***Developer:*** ??? <br/>
***Description:*** Great tool for the purpose of rebuilding an Import Table. This is an alternative to ImpRec. <br/>

### ShowString
***Web:*** ??? <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### Strings
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/strings <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Search for ANSI and Unicode strings in binary images. <br/>

### Threadtear
***Web:*** https://github.com/GraxCode/threadtear <br/>
***Developer:*** GraxCode <br/>
***Description:*** Threadtear is a multifunctional deobfuscation tool for java. Android application support is coming soon (Currently working on a dalvik to java converter). Suitable for easier code analysis without worrying too much about obfuscation. <br/>

### VirusTotalUploader
***Web:*** https://github.com/SamuelTulach/VirusTotalUploader <br/>
***Developer:*** Samuel Tulach <br/>
***Description:*** VirusTotal file uploader <br/>

### XOpCodeCalc
***Web:*** https://github.com/horsicq/XOpcodeCalc <br/>
***Developer:*** horsicq <br/>
***Description:*** This tool is an x86/64 Opcode calculator. The program works on macOS, Linux and Windows. <br/>


## Rootkits Detector

### GMER
***Web:*** http://www.gmer.net <br/>
***Developer:*** The GMER dev team. <br/>
***Description:*** GMER is an application that detects and removes rootkits. <br/>

### Sysinspector
***Web:*** https://www.eset.com/int/support/sysinspector/ <br/>
***Developer:*** ESET <br/>
***Description:*** SET SysInspector scans your operating system and captures details such as running processes, registry content, startup items and network connections. ESET SysInspector is a convenient utility for the toolbox of every IT expert and first responder. <br/>

### Windows Kernel Explorer
***Web:*** https://github.com/AxtMueller/Windows-Kernel-Explorer <br/>
***Developer:*** AxtMueller <br/>
***Description:*** Windows Kernel Explorer (you can simply call it as "WKE") is a free but powerful kernel research tool. It supports from Windows XP to Windows 11. Compared with WIN64AST and PCHunter, WKE can run on the latest Windows 11 without updating binary files. <br/>


## UnPacking

### De4Dot
***Web:*** https://github.com/de4dot/de4dot <br/>
***Developer:*** de4dot <br/>
***Description:*** e4dot is an open source .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. <br/>

### GUnPacker
***Web:*** ??? <br/>
***Developer:*** ??? <br/>
***Description:*** ??? <br/>

### NETUnpack
***Web:*** ??? <br/>
***Developer:*** NTCore <br/>
***Description:*** .NET Generic Unpacker <br/>

### QUnpack
***Web:*** http://qunpack.ahteam.org <br/>
***Developer:*** Archer <br/>
***Description:*** Generic unpacker <br/>

### RL!dePacker
***Web:*** Offline as of now - see developer website, or better yet, google a bit. <br/>
***Developer:*** Ap0x <br/>
***Description:*** RL!dePacker is a renowned, generic unpacker. <br/>

### UniExtract
***Web:*** https://github.com/Bioruebe/UniExtract2 <br/>
***Developer:*** Bioruebe <br/>
***Description:*** Universal Extractor 2 is a tool designed to extract files from any type of extractable file. <br/>

### VM Unpacker
***Web:*** ??? <br/>
***Developer:*** YingCracker <br/>
***Description:*** Anti Spyware Toolkit VMUnpacker <br/>

### XVolkolak
***Web:*** http://n10info.blogspot.com/2018/07/xvolkolak-021.html <br/>
***Developer:*** horsicq <br/>
***Description:*** XVolkolak is an unpacker emulator. <br/>