admin/toolkit
1
0
Fork 0
mirror of https://github.com/indetectables-net/toolkit.git synced 2025-05-06 18:51:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update docs

Browse Source
This commit is contained in:
DSR! 2023-02-28 00:34:03 -03:00
parent 378423c36a
commit 009348c8fe
1 changed files with 140 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

211
TOOLS-LITE.md
View File

@ -1,4 +1,4 @@
# Tools (in lite edition)
# Tools in lite edition
1. [Analysis](#analysis)
1. [Decompilers](#decompilers)
@ -6,7 +6,7 @@
1. [Hex editor](#hex-editor)
1. [Monitor](#monitor)
1. [Other](#other)
1. [Patcher](#patcher)
1. [Reverse](#reverse)
1. [Unpacking](#unpacking)
@ -27,20 +27,30 @@
***Developer:*** ASL - http://www.exeinfo.byethost18.com <br/>
***Description:*** ExEinfo PE detects packers, obfuscators, compilers & protectors in binary files. <br/>
### PE-Bear
***Web:*** https://github.com/hasherezade/pe-bear-releases <br/>
***Developer:*** hasherezade <br/>
***Description:*** PE-bear is a freeware reversing tool for PE files. Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files. <br/>
### PEiD (with plugins and databases) *Available using the extra called: Oldies*
***Web:*** https://web.archive.org/web/20110924071419/http://www.peid.info/ <br/>
***Developer:*** snaker <br/>
***Description:*** PEiD (short for PE iDentifier) is a well-known professional, extensible packer/cryptor/compiler detecting tool. Its so powerful that it can detect the types/signatures of almost any PE file packing tools (at present, the number has been more than 600 kinds) <br/>
### PEStudio
***Web:*** https://www.winitor.com/download <br/>
***Developer:*** winitor <br/>
***Description:*** The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response Teams (CERT), Security Operations Centers (SOC) and Digital-Forensic Labs worldwide. <br/>
### XAPKDetector
***Web:*** https://github.com/horsicq/XAPKDetector <br/>
***Developer:*** Hors <br/>
***Description:*** This tool shows information about build tools, libraries and protection of APK/DEX files. Has heuristic capabilities, and runs in Win/MacOS/Linux. <br/>
### ProtectionID *Available using the extra called: Oldies*
***Web:*** https://web.archive.org/web/20210331144912/https://protectionid.net/ <br/>
***Developer:*** CDKiller & TippeX <br/>
***Description:*** PiD Team's Protection ID started as a PC game protection detector, and quickly became a swiss-army knife to detect packers & .NET protections. <br/>
### XPEViewer
***Web:*** https://github.com/horsicq/XPEViewer <br/>
### XELFViewer
***Web:*** https://github.com/horsicq/XELFViewer <br/>
***Developer:*** Hors <br/>
***Description:*** This tool is a PE file viewer/editor for Windows, Linux and MacOS. <br/>
***Description:*** This is an ELF file viewer/editor for Windows, Linux and MacOS. <br/>
## Decompilers
@ -50,10 +60,15 @@
***Developer:*** skylot <br/>
***Description:*** Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files <br/>
### [DELPHI] IDR
***Web:*** https://github.com/crypto2011/IDR <br/>
***Developer:*** crypto2011 <br/>
***Description:*** IDR is a decompiler of executable files (EXE) and dynamic libraries (DLL), written in Delphi and executed in Windows32 environment, with the final aim of being capable to restore the most part of initial Delphi source codes from the compiled file. <br/>
### [DELPHI] Dede *Available using the extra called: Oldies*
***Web:*** https://code.google.com/archive/p/dedex/ <br/>
***Developer:*** DaFixer <br/>
***Description:*** DeDe is a very fast program that can analize executables compiled with Delphi 3,4,5,6, C++Builder and Kylix and give you all dfm files on the target, every published method in well-commented Assembler, and lots of other information.- <br/>
### [DOTNET] GrayWolf *Available using the extra called: Oldies*
***Web:*** https://web.archive.org/web/20181114171712/http://www.digitalbodyguard.com/graywolf.html <br/>
***Developer:*** DigitalBodyGuard <br/>
***Description:*** GrayWolf is a reverse engineering tool focused on .NET Framework Applications. It can de-obfuscate binaries, live-edit IL, add payloads, edit attributes, and copy strong names signing on EXE/DLL. <br/>
### [DOTNET] ILSpy
***Web:*** https://github.com/icsharpcode/ILSpy <br/>
@ -78,16 +93,27 @@
## Dissasembler
### Cutter
***Web:*** https://github.com/rizinorg/cutter <br/>
***Developer:*** https://rizin.re <br/>
***Description:*** Cutter is a free and open-source reverse engineering platform powered by Rizin (fork of the radare2 reverse engineering framework). It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers. <br/>
### BDASM *Available using the extra called: Oldies*
***Web:*** www.bsasm.com (closed) <br/>
***Developer:*** Manuel Jiménez <br/>
***Description:*** BDASM is a multi-cpu, multi format file disassembler for Windows. Currently it supports ELF, X-Box, PE and raw binary files. The CPU support includes the Intel x86 16/32bits processor family up to SSE2 instructions, and PowerPc 603,604 32bits CPUs. <br/>
### Ghidra
### Ghidra *Available using the extra called: Ghidra*
***Web:*** https://ghidra-sre.org/ <br/>
***Developer:*** NSA <br/>
***Description:*** Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms. <br/>
### OllyDbg 1.10 (with plugins and scripts) *Available using the extra called: Oldies*
***Web:*** https://www.ollydbg.de <br/>
***Developer:*** Oleh Yuschuk <br/>
***Description:*** OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a user friendly interface, and its functionality can be extended by third-party plugins. <br/>
### w32Dasm (with all versions) *Available using the extra called: Oldies*
***Web:*** http://members.home.net/w32dasm/ (closed) <br/>
***Developer:*** URSoftware <br/>
***Description:*** W32DASM is a disassembler: a tool made to translate machine language back into assembly language. It's ideal for those interested in reverse engineering, who want to take code apart and find out how it works.
Although W32DASM is ancient since hasn't received updates for a very long time (it's officially discontinued), it works without any trouble on Windows 10. <br/>
### x64dbg
***Web:*** www.x64dbg.com <br/>
***Developer:*** Duncan Ogilvie (mrexodia) <br/>
@ -126,11 +152,6 @@ What makes ImHex special is that it has many advanced features that can often on
***Developer:*** NirSoft <br/>
***Description:*** CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it. <br/>
### MultiMon
***Web:*** https://www.resplendence.com/multimon_whatsnew <br/>
***Developer:*** Resplendence Software Projects Sp. <br/>
***Description:*** MultiMon is an advanced multifunctional system monitoring tool for Windows which displays detailed output of a wide range of activities in real-time. The system monitor displays process and thread creation as well as binary image loading. The file system monitor displays activity from the perspective of the file system. The registry monitor shows registry activity in real time. <br/>
### PE-sieve
***Web:*** https://github.com/hasherezade/pe-sieve <br/>
***Developer:*** hasherezade <br/>
@ -146,16 +167,21 @@ What makes ImHex special is that it has many advanced features that can often on
***Developer:*** Sysinternals <br/>
***Description:*** Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. <br/>
### System Informer (Process Hacker 3)
***Web:*** https://systeminformer.sourceforge.io <br/>
***Developer:*** System Informer <br/>
***Description:*** A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. <br/>
### Procmon
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/procmon <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements. <br/>
### RegistryChangesView
***Web:*** https://www.nirsoft.net/utils/registry_changes_view.html <br/>
***Developer:*** NirSoft <br/>
***Description:*** RegistryChangesView is a tool for Windows that allows you to take a snapshot of Windows Registry and later compare it with another Registry snapshots, with the current Registry or with Registry files stored in a shadow copy created by Windows. When comparing 2 Registry snapshots, you can see the exact changes made in the Registry between the 2 snapshots, and optionally export the Registry changes into a standard .reg file of RegEdit. <br/>
### System Informer (Process Hacker 3)
***Web:*** https://systeminformer.sourceforge.io <br/>
***Developer:*** System Informer <br/>
***Description:*** A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. <br/>
### TCPView
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview <br/>
***Developer:*** Sysinternals <br/>
@ -169,25 +195,25 @@ What makes ImHex special is that it has many advanced features that can often on
***Developer:*** Vaibhav Pandey -aka- VPZ <br/>
***Description:*** Open-source, cross-platform Qt based IDE for reverse-engineering Android application packages. <br/>
### AVFucker *Available using the extra called: Oldies*
***Web:*** www.indetectables.net <br/>
***Developer:*** Sr Sombrero <br/>
***Description:*** AVFucker is a tool that helps you evade Antivirus using the “replace byte signature” technique. <br/>
### FLOSS
***Web:*** https://github.com/fireeye/flare-floss <br/>
***Developer:*** mandiant <br/>
***Description:*** The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries. <br/>
### HashCalc
***Web:*** https://www.slavasoft.com/hashcalc/ <br/>
***Developer:*** SlavaSoft <br/>
***Description:*** A fast and easy-to-use calculator that allows to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 13 of the most popular hash and checksum algorithms for calculations. <br/>
### HashMyFiles
***Web:*** https://www.nirsoft.net/utils/hash_my_files.html <br/>
***Developer:*** NirSoft <br/>
***Description:*** HashMyFiles is small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. You can easily copy the MD5/SHA1 hashes list into the clipboard, or save them into text/html/xml file. <br/>
### Process Dump
***Web:*** http://split-code.com/processdump.html <br/>
***Developer:*** Split-Code <br/>
***Description:*** Process Dump is a Windows reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32 and 64 bit modules. <br/>
### Indetectables Offset Locator *Available using the extra called: Oldies*
***Web:*** https://www.indetectables.net/viewtopic.php?t=29725 <br/>
***Developer:*** Mingo, Yorll & Metal <br/>
***Description:*** This is a classic, great tool to clean AV signatures in executables. <br/>
### RawCap
***Web:*** https://www.netresec.com/?page=RawCap <br/>
@ -199,63 +225,78 @@ What makes ImHex special is that it has many advanced features that can often on
***Developer:*** Angus Johnson <br/>
***Description:*** Resource Hacker is a resource editor for 32bit and 64bit Windows applications. It's both a resource compiler aand a decompiler, enabling viewing and editing resources in executables. <br/>
### Scylla
***Web:*** https://github.com/NtQuery/Scylla <br/>
***Developer:*** The NtQuery team <br/>
***Description:*** Great tool for the purpose of rebuilding an Import Table. This is an alternative to ImpRec. <br/>
### RunAsDate
***Web:*** https://www.nirsoft.net/utils/run_as_date.html <br/>
***Developer:*** NirSoft <br/>
***Description:*** RunAsDate is a small utility that allows you to run a program in the date and time that you specify. This utility doesn't change the current system date and time of your computer, but it only injects the date/time that you specify into the desired application. <br/>
### ShowString *Available using the extra called: Oldies*
***Web:*** Unknown <br/>
***Developer:*** figugegl <br/>
***Description:*** This little tool shows all ASCII and UNICODE strings in a file. You can edit, copy, paste, sort, search and much more. <br/>
### Strings
***Web:*** https://docs.microsoft.com/en-us/sysinternals/downloads/strings <br/>
***Developer:*** Sysinternals <br/>
***Description:*** Search for ANSI and Unicode strings in binary images. <br/>
### Threadtear
***Web:*** https://github.com/GraxCode/threadtear <br/>
***Developer:*** GraxCode <br/>
***Description:*** Threadtear is a multifunctional deobfuscation tool for java. Android application support is coming soon (Currently working on a dalvik to java converter). Suitable for easier code analysis without worrying too much about obfuscation. <br/>
### VirusTotal Uploader
***Web:*** https://github.com/SamuelTulach/VirusTotalUploader <br/>
***Developer:*** Samuel Tulach <br/>
***Description:*** VirusTotal file uploader <br/>
### XOpCodeCalc
***Web:*** https://github.com/horsicq/XOpcodeCalc <br/>
***Developer:*** Hors <br/>
***Description:*** This tool is an x86/64 Opcode calculator. The program works on macOS, Linux and Windows. <br/>
### x64dbg Plugin Manager
***Web:*** https://github.com/horsicq/x64dbg-Plugin-Manager <br/>
***Developer:*** Hors <br/>
***Description:*** Plugin manager for x64dbg. <br/>
## Reverse
### GetSymbol
***Web:*** https://github.com/dbgsymbol/getsymbol <br/>
***Developer:*** @Paul091_ <br/>
***Description:*** Simple tool to download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers compatible with Windows 8.1, 10 and 11. <br/>
### CryptoTester
***Web:*** https://github.com/Demonslay335/CryptoTester <br/>
***Developer:*** Michael Gillespie <br/>
***Description:*** A utility for playing with cryptography, geared towards ransomware analysis. <br/>
### DLest
***Web:*** https://github.com/DarkCoderSc/DLest <br/>
***Developer:*** DarkCoderSc (Jean-Pierre LESUEUR) <br/>
***Description:*** This powerful Microsoft Windows application is specifically designed to assist developers and malware analysts with the analysis and manipulation of exported functions in Portable Executable (PE) files, particularly DLLs. With DLest, you can easily enumerate exported functions using a variety of methods, including drag and drop, opening a folder, or recursively scanning a folder with regular expression filtering to only include PE files with specific export function names. <br/>
### ExtremeDumper
***Web:*** https://github.com/wwh1004/ExtremeDumper <br/>
***Developer:*** wwh1004 <br/>
***Description:*** .NET Assembly Dumper <br/>
## Patcher
### GetSymbol
***Web:*** https://github.com/dbgsymbol/getsymbol <br/>
***Developer:*** @Paul091_ <br/>
***Description:*** Simple tool to download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers compatible with Windows 8.1, 10 and 11. <br/>
### AT4RE Patcher
***Web:*** https://www.at4re.net/f/thread-54.html <br/>
***Developer:*** Agmcz & Sn!per X <br/>
***Description:*** Patch generator. Currently the most complete and best that can be used. <br/>
### ImpREC (with plugins) *Available using the extra called: Oldies*
***Web:*** Unknown <br/>
***Developer:*** MackT/uCF <br/>
***Description:*** ImpRec is a very handy tool that can be used to repair/reconstruct the import table for packed programs. <br/>
### dUP
***Web:*** https://web.archive.org/web/20120327143407/http://diablo2oo2.cjb.net:80/ <br/>
***Developer:*** diablo2oo2 <br/>
***Description:*** dUP 2 is a freeware patch generator which can build a small standalone patcher executable for microsoft windows systems. <br/>
### Keygener Assistant
***Web:*** https://www.at4re.net/f/thread-47.html <br/>
***Developer:*** Mr Paradox & dj-siba <br/>
***Description:*** Convert, analyze, encrypt and process characters to and from an abundance of encodings and formats with this fully-featured calculator and processor. <br/>
### uPPP
***Web:*** https://forum.tuts4you.com/forum/120-uppp/ <br/>
***Developer:*** Ufo-Pu55y <br/>
***Description:*** Another patch generator. Requires .NET Runtime 2.0 for the GUI. <br/>
### Process Dump
***Web:*** http://split-code.com/processdump.html <br/>
***Developer:*** Split-Code <br/>
***Description:*** Process Dump is a Windows reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32 and 64 bit modules. <br/>
### Scylla
***Web:*** https://github.com/NtQuery/Scylla <br/>
***Developer:*** The NtQuery team <br/>
***Description:*** Great tool for the purpose of rebuilding an Import Table. This is an alternative to ImpRec. <br/>
### WinAPI Search
***Web:*** https://dennisbabkin.com/winapisearch/ <br/>
***Developer:*** Dennis Babkin <br/>
***Description:*** WinAPI Search app was designed primarily for Windows developers, researchers and malware reverse engineers. Its original goal was to provide a utility to search for Win32 functions by name, but this app later grew to include additional functionality. <br/>
### x64dbg Plugin Manager
***Web:*** https://github.com/horsicq/x64dbg-Plugin-Manager <br/>
***Developer:*** Hors <br/>
***Description:*** Plugin manager for x64dbg. <br/>
## UnPacking
@ -266,12 +307,40 @@ What makes ImHex special is that it has many advanced features that can often on
***Description:*** de4dot is an open source .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly.
Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.<br/>
### GUnPacker *Available using the extra called: Oldies*
***Web:*** Unknown <br/>
***Developer:*** Unknown <br/>
***Description:*** This tool is a generic unpacker. It has two main functionalities: (A) OEP positioning, and (B) the dumped code and data can be used to repair the follow-up of a PE header.
From Chinese developers. Competitor of Quick Unpack. <br/>
### NETUnpack *Available using the extra called: Oldies*
***Web:*** https://ntcore.com/?page_id=353 <br/>
***Developer:*** Erik Pistelli (NTCore) <br/>
***Description:*** This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. <br/>
### QUnpack
***Web:*** http://qunpack.ahteam.org <br/>
***Developer:*** Archer & FEUERRADER <br/>
***Description:*** The program is intended for a dynamic unpacking of binders, crypters, packers and protectors.
QuickUnpack tries to bypass all possible scramblers/obfuscators and restores redirected import. From the version 1 the opportunity of unpacking dll is added. From the version 2 the attach process feature added which allows to use QuickUnpack as a dumper and import recoverer. Scripts are also supported from version 2 which allows unpacking of more complicated protections. Version 3 brought x64 support and hardware virtualization debugging engine. This makes QuickUnpack a unique software product which has no similar analogues in the world! <br/>
### RL!dePacker (with unpack SDK) *Available using the extra called: Oldies*
***Web:*** http://www.reversinglabs.com <br/>
***Developer:*** Ap0x <br/>
***Description:*** Reversing Labs RL!dePacker has a build in option to detect OEP. However this option does not work with VB (always use FindOEP! function with VB applications and Force to manual OEP?) and some packers. So if RL!dePacker can not unpack the file use FindOEP! function to detect correct OEP, but use it only as a second resort since it can be jammed! <br/>
Generic unpacker can unpack ONLY packers that do not use IAT redirection, that dont steal APIs and which fill out IAT table in correct order. All ordinals that can be converted to API names are converted, others are inserted into IAT as ordinals! <br/>
### UniExtract 2
***Web:*** https://github.com/Bioruebe/UniExtract2 <br/>
***Developer:*** Bioruebe <br/>
***Description:*** Universal Extractor 2 is a tool designed to extract files from any type of extractable file. <br/>
Unlike most archiving programs, UniExtract is not limited to **standard archives** such as `.zip` and `.rar`. It can also deal with **application installers**, **disk images** and even **game archives** and other **multimedia files**. An overview of supported file types can be found [here](https://github.com/Bioruebe/UniExtract2/blob/master/docs/FORMATS.md)
### VMUnpacker (with all versions) *Available using the extra called: Oldies*
***Web:*** https://web.archive.org/web/20080318210939/http://dswlab.com/d3.html <br/>
***Developer:*** dswlab <br/>
***Description:*** This tool uses the technology of Virtual Machines. It can unpack various known & unknown shells. It is suitable for unpacking the shelled Trojan horse in virus analysis, and because all codes are run under the VM, they will not take any danger to your system. <br/>
### XVolkolak
***Web:*** https://horsicq.github.io/ <br/>
***Developer:*** Hors <br/>