This does not pretend to be another list with endless tools. I decided to share it because it describes all the tools I use with some frequency during my research work.
Other authors' lists are linked at the bottom of the page.
Malware Analysis and RE
Here’s a set of useful tools for malware analysis and reverse engineering.
Debuggers / Disassemblers
– OllyDRX – A modified version of OllyDbg with useful plugins.
– Immunity Debugger – It’s a powerful new way to write exploits, analyze malware, and reverse engineer binary files.
– WINDBG – Microsoft Windows Debugger (WinDbg) is a powerful Windows-based debugger that is capable of both user-mode and kernel-mode debugging (my favourite tool).
– IDA PRO – IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
– ScyllaHide – ScyllaHide is an advanced open-source x64/x86 usermode Anti-Anti-Debug library. It can be used both in OllyDbg and x64dbg. Enjoy it.
– Ilspy – ILSpy is the open-source .NET assembly browser and decompiler.
– DotPeek – dotPeek is a free-of-charge standalone tool based on ReSharper’s bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code.
– VB Decompiler Lite 11 (p-code, VB6) – Best code recovery solution for Visual Basic 5.0/6.0 applications and fast disassembler for Visual Studio .NET compiled apps.
– DeDe – DeDe is a very fast program that can analyze executables compiled with Delphi.
– fakenet – This tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware’s network activity from within a safe environment. This is my favorite tool to fake DNS responses.
– ApateDNS – ApateDNS™ is a tool for controlling DNS responses through an easy-to-use GUI.
Detection and Classification
– PEstudio – This tool is used by Computer Emergency Response Teams (CERT) and Labs worldwide in order to perform Malware Initial Assessment. It’s very useful to perform an initial analysis.
– PEView – PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.
– FileAlyzer – FileAlyzer offers more features than PEview: it provides the same basic PE information and adds new functionality, such as automated unpacking of files packed with UPX and PECompact.
– CFF Explorer – A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. My favorite tool to analyze the structure of a PE file, its imports, sections, etc.
– PEiD – PEiD detects most common packers, cryptors and compilers for PE files.
– Exeinfo PE – A packer and compiler detector that also detects binary data formats.
– Detect It Easy – Detect It Easy, abbreviated “DIE”, is a program for determining file types.
– RDG Packer Detector – RDG Packer Detector detects packers, cryptors, compilers, scramblers, joiners and installers. This matters when malware is protected with a crypter: the tool can provide some information about which one was used.
– Loki – Host based scanner for IOCs.
– ClamAV – Open source antivirus engine.
– FastIR Collector – This tool collects various artefacts from a live Windows system and records the results in CSV or JSON files. Analysing these artefacts allows an early compromise to be detected.
– exiftool – ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
– de4dot – .NET deobfuscator and unpacker.
– FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
– XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
– CyberChef – The Cyber Swiss Army Knife.
Debugging and Reverse Engineering
– Process Monitor – Advanced monitoring tool for Windows programs.
– Process Explorer – Advanced task manager for Windows.
– Process Hacker – Tool that monitors system resources.
– RegShot – Registry compare utility that compares snapshots.
– LordPE – LordPE is an advanced application that facilitates tools for manipulating various parts of PE files. It features a PE editor, a breaking and entering function, PE rebuilder, unsplitter, and dumper server.
– upx – UPX homepage: the Ultimate Packer for eXecutables.
– Import Reconstructor (ImpRec) – This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names.
– Wireshark – Wireshark is the world’s foremost and widely-used network protocol analyzer.
– AnalogX TextScan – It searches any binary file for a minimum and maximum string length, and then returns all occurrences in sorted order.
– volatility – An advanced memory forensics framework.
– findevilproc (label possible new candidates)
– EVTXtract – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
– Helix3 – Extract memory from Windows and send it via netcat to Linux (on the receiving Linux side: nc -l -vvv -p 8888 > memory.dd).
– FTK Imager – The FTK Imager tool is capable of both acquiring and analyzing computer forensic evidence.
– Autopsy – Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
– DumpIt – Memory dump (standalone app).
– Processdump – Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis.
– CheatEngine – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte”) for the Windows operating system.
– peepdf – PDF analyzer.
– Radare2 – r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.
– Unicorn – It is a lightweight multi-platform, multi-architecture CPU emulator framework.
– Hybrid Analysis – Free automated malware analysis service powered by Falcon Sandbox.
– Jotti’s malware scan
– Scan your website – urlscan.io
– AMAaaS (Android files)
– Any.run (Community Edition)
– Binary Guard True Bare Metal
– Intezer Analyze (Community Edition)
– Comodo Valkyrie
– Detux Sandbox (Linux binaries)
– Joe Sandbox Cloud (Community Edition)
– Malwr (down at the moment)
– SecondWrite (free version)
Other Common Awesome Lists
– awesome-awesomeness – awesome-* or *-awesome lists.
– lists – The definitive list of (awesome) lists curated on GitHub.
– Movies For Hackers – A curated list of movies every hacker & cyberpunk must watch.