16 KiB
Tools (in lite edition)
Analysis
CAPA
Web: https://github.com/fireeye/capa
Developer: mandiant - www.mandiant.com
Description: Capa detects capabilities in executable files. Run this tool against a PE, ELF, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
DIE
Web: https://github.com/horsicq/DIE-engine
Developer: Hors
Description: Detect It Easy, or abbreviated "DIE" is a program for determining types of files. DIE-Engine is a Graphical User Interface for DIE.
ExeinfoPe
Web: https://github.com/ExeinfoASL/ASL
Developer: ASL - http://www.exeinfo.byethost18.com
Description: ExEinfo PE detects packers, obfuscators, compilers & protectors in binary files.
PEStudio
Web: https://www.winitor.com/download
Developer: winitor
Description: The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response Teams (CERT), Security Operations Centers (SOC) and Digital-Forensic Labs worldwide.
XAPKDetector
Web: https://github.com/horsicq/XAPKDetector
Developer: Hors
Description: This tool shows information about build tools, libraries and protection of APK/DEX files. Has heuristic capabilities, and runs in Win/MacOS/Linux.
XPEViewer
Web: https://github.com/horsicq/XPEViewer
Developer: Hors
Description: This tool is a PE file viewer/editor for Windows, Linux and MacOS.
Decompilers
[ANDROID] JADX
Web: https://github.com/skylot/jadx
Developer: skylot
Description: Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files
[DELPHI] IDR
Web: https://github.com/crypto2011/IDR
Developer: crypto2011
Description: IDR is a decompiler of executable files (EXE) and dynamic libraries (DLL), written in Delphi and executed in Windows32 environment, with the final aim of being capable to restore the most part of initial Delphi source codes from the compiled file.
[DOTNET] ILSpy
Web: https://github.com/icsharpcode/ILSpy
Developer: ic#code
Description: ILSpy is the open-source .NET assembly browser and decompiler.
[JAVA] JD-GUI
Web: https://github.com/java-decompiler/jd-gui
Developer: the Java Decompiler dev team
Description: This is a standalone graphical utility that displays Java sources from CLASS files.
[JAVA] Recaf
Web: https://github.com/Col-E/Recaf
Developer: Matt Coley (Col-E)
Description: An easy to use modern Java bytecode editor that abstracts away the complexities of Java programs. Recaf abstracts away constant pool, stack frames, wide instructions, and more.
[PYTHON] PyInstxtractor
Web: https://github.com/extremecoders-re/pyinstxtractor
Developer: extremecoders-re
Description: Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted. The header of the pyc files are automatically fixed so that a Python bytecode decompiler will recognize it.
Dissasembler
Cutter
Web: https://github.com/rizinorg/cutter
Developer: https://rizin.re
Description: Cutter is a free and open-source reverse engineering platform powered by Rizin (fork of the radare2 reverse engineering framework). It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.
Ghidra
Web: https://ghidra-sre.org/
Developer: NSA
Description: Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms.
x64dbg
Web: www.x64dbg.com
Developer: Duncan Ogilvie (mrexodia)
Description: An open-source binary debugger for Windows, aimed at malware analysis and reverse engineering of executables you do not have the source code for. There are many features available and a comprehensive plugin system to add your own.
HEX Editor
HxD
Web: https://mh-nexus.de/en/hxd
Developer: Maël Hörz
Description: HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.
The easy to use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.
ImHex
Web: https://github.com/WerWolv/ImHex
Developer: WerWolv
Description: ImHex is a Hex Editor, a tool to display, decode and analyze binary data to reverse engineer their format, extract informations or patch values in them.
What makes ImHex special is that it has many advanced features that can often only be found in paid applications. Such features are a completely custom binary template and pattern language to decode and highlight structures in the data, a graphical node-based data processor to pre-process values before they're displayed, a disassembler, diffing support, bookmarks and much much more.
Monitor
Api Monitor
Web: http://www.rohitab.com/apimonitor
Developer: Rohitab
Description: This fine tool lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
Autoruns
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Developer: Sysinternals
Description: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.
CurrPorts
Web: https://www.nirsoft.net/utils/cports.html
Developer: NirSoft
Description: CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
MultiMon
Web: https://www.resplendence.com/multimon_whatsnew
Developer: Resplendence Software Projects Sp.
Description: MultiMon is an advanced multifunctional system monitoring tool for Windows which displays detailed output of a wide range of activities in real-time. The system monitor displays process and thread creation as well as binary image loading. The file system monitor displays activity from the perspective of the file system. The registry monitor shows registry activity in real time.
PE-sieve
Web: https://github.com/hasherezade/pe-sieve
Developer: hasherezade
Description: PE-sieve is a tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches. Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
Portmon
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/portmon
Developer: SysInternals
Description: Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.
Process Explorer
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
Developer: Sysinternals
Description: Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
Process Hacker 3
Web: https://processhacker.sourceforge.io
Developer: Process Hacker
Description: A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
Procmon
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Developer: Sysinternals
Description: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements.
TCPView
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
Developer: Sysinternals
Description: TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
Other
APK Studio
Web: https://github.com/vaibhavpandeyvpz/apkstudio
Developer: Vaibhav Pandey -aka- VPZ
Description: Open-source, cross-platform Qt based IDE for reverse-engineering Android application packages.
FLOSS
Web: https://github.com/fireeye/flare-floss
Developer: mandiant
Description: The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.
HashCalc
Web: https://www.slavasoft.com/hashcalc/
Developer: SlavaSoft
Description: A fast and easy-to-use calculator that allows to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 13 of the most popular hash and checksum algorithms for calculations.
HashMyFiles
Web: https://www.nirsoft.net/utils/hash_my_files.html
Developer: NirSoft
Description: HashMyFiles is small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. You can easily copy the MD5/SHA1 hashes list into the clipboard, or save them into text/html/xml file.
Process Dump
Web: http://split-code.com/processdump.html
Developer: Split-Code
Description: Process Dump is a Windows reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32 and 64 bit modules.
RawCap
Web: https://www.netresec.com/?page=RawCap
Developer: Netresec
Description: RawCap is a free command line network sniffer for Windows that uses raw sockets. Can sniff most interface types, including WiFi, WWAN (Mobile Broadband) and PPP interfaces.
Resource Hacker
Web: http://www.angusj.com/resourcehacker
Developer: Angus Johnson
Description: Resource Hacker is a resource editor for 32bit and 64bit Windows applications. It's both a resource compiler aand a decompiler, enabling viewing and editing resources in executables.
Scylla
Web: https://github.com/NtQuery/Scylla
Developer: The NtQuery team
Description: Great tool for the purpose of rebuilding an Import Table. This is an alternative to ImpRec.
Strings
Web: https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Developer: Sysinternals
Description: Search for ANSI and Unicode strings in binary images.
Threadtear
Web: https://github.com/GraxCode/threadtear
Developer: GraxCode
Description: Threadtear is a multifunctional deobfuscation tool for java. Android application support is coming soon (Currently working on a dalvik to java converter). Suitable for easier code analysis without worrying too much about obfuscation.
VirusTotal Uploader
Web: https://github.com/SamuelTulach/VirusTotalUploader
Developer: Samuel Tulach
Description: VirusTotal file uploader
XOpCodeCalc
Web: https://github.com/horsicq/XOpcodeCalc
Developer: Hors
Description: This tool is an x86/64 Opcode calculator. The program works on macOS, Linux and Windows.
x64dbg Plugin Manager
Web: https://github.com/horsicq/x64dbg-Plugin-Manager
Developer: Hors
Description: Plugin manager for x64dbg.
Patcher
AT4RE Patcher
Web: https://www.at4re.net/f/thread-54.html
Developer: Agmcz & Sn!per X
Description: Patch generator. Currently the most complete and best that can be used.
dUP
Web: https://web.archive.org/web/20120327143407/http://diablo2oo2.cjb.net:80/
Developer: diablo2oo2
Description: dUP 2 is a freeware patch generator which can build a small standalone patcher executable for microsoft windows systems.
uPPP
Web: https://forum.tuts4you.com/forum/120-uppp/
Developer: Ufo-Pu55y
Description: Another patch generator. Requires .NET Runtime 2.0 for the GUI.
UnPacking
De4Dot
Web: https://github.com/de4dot/de4dot
Developer: de4dot
Description: de4dot is an open source .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly.
Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.
UniExtract 2
Web: https://github.com/Bioruebe/UniExtract2
Developer: Bioruebe
Description: Universal Extractor 2 is a tool designed to extract files from any type of extractable file.
Unlike most archiving programs, UniExtract is not limited to standard archives such as .zip and .rar. It can also deal with application installers, disk images and even game archives and other multimedia files. An overview of supported file types can be found here
XVolkolak
Web: https://horsicq.github.io/
Developer: Hors
Description: XVolkolak is an unpacker emulator. Unlike programs of this type, it does not use DebugAPI and other features of the operating system. Everything is emulated. You can safely unpack malware for further investigation without the risk of damaging the system.
All machine instructions are not executed on a real processor, so unpacking occurs regardless of the processor type and the operating system.