
This is not meant to be yet another endless list of tools. I decided to share it because it covers the tools I actually use with some frequency during my research work.

Lists from other authors are linked at the bottom of the page.

 

Malware Analysis and RE

Here’s a set of useful tools for malware analysis and reverse engineering.

Debuggers / Disassemblers

OllyDbg [v1.10 or v2.0] – OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft® Windows®.


OllyDbg plugins:
StrongOD (OllyDbg plugin) – This plug-in provides three ways to initiate the process.
OllyDbg with 10 plugins – StrongOD v0.4.8.892; PhantOm Plugin v1.85; OllyStepNSearch v0.6.2; OllyDump v3.00.110; EasyController v1.0.5.0; Analyze This v0.1; Labless v1.1.2.85

OllyDRX – A modified version of OllyDbg bundled with useful plugins.

Immunity Debugger – It’s a powerful new way to write exploits, analyze malware, and reverse engineer binary files.

WINDBG – Microsoft Windows Debugger (WinDbg) is a powerful Windows-based debugger that is capable of both user-mode and kernel-mode debugging (my favourite tool).

x64dbg – An open-source x64/x32 debugger for Windows. See all the available plugins here.

IDA PRO – IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.


IDA PRO plugins:
IDAGolangHelper – Set of IDA Pro scripts for parsing the GoLang type information stored in compiled binaries.

ScyllaHide – ScyllaHide is an advanced open-source x64/x86 usermode anti-anti-debug library. It can be used in both OllyDbg and x64dbg. Enjoy it.

flare-ida – This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.

 

GHIDRA – A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.

Hopper – The macOS and Linux Disassembler.

plasma – PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax.

 

Decompilers

.NET
ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.

DotPeek – dotPeek is a free-of-charge standalone tool based on ReSharper’s bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code.

VB 5.0/6.0
VB Decompiler Lite 11 (P-code, VB6) – Best code recovery solution for Visual Basic 5.0/6.0 applications and a fast disassembler for Visual Studio .NET compiled apps.

WKTVBDebugger – A debugger for Visual Basic P-code compiled apps.

Semi-vd-decompiler – Partial decompiler for Visual Basic.

P32Dasm – VB5/VB6 P-code decompiler.

Numega SmartCheck

Delphi
DeDe – DeDe is a very fast program that can analyze executables compiled with Delphi.

AutoIt
AutoIt3 Decompiler – This application can be used to decompile AutoIt scripts.

 

Fake DNS

fakenet – This tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware’s network activity from within a safe environment. This is my favorite tool for faking DNS responses.

ApateDNS – ApateDNS™ is a tool for controlling DNS responses through an easy-to-use GUI.

 

Detection and Classification

PEstudio – This tool is used by Computer Emergency Response Teams (CERTs) and labs worldwide to perform malware initial assessment. It’s very useful for an initial analysis.

PEView – PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.

FileAlyzer – FileAlyzer offers more features than PEview: it provides basic PE information and adds new functionality, such as automated unpacking of files packed with UPX and PECompact.

CFF Explorer – A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. My favorite tool to analyze the structure of a PE file, its imports, sections, etc.

PEiD – PEiD detects most common packers, cryptors and compilers for PE files.

Exeinfo PE – A packer and compiler detector that also identifies binary data formats.

Detect It Easy – Detect It Easy, abbreviated “DIE”, is a program for determining file types.

RDG Packer Detector – RDG Packer Detector detects packers, cryptors, compilers, scramblers, joiners and installers. It is very useful when a malware sample is protected with a crypter, as it can provide some information about which one was used.

Loki – Host-based scanner for IOCs.

ClamAV – Open-source antivirus engine.

FastIR Collector – This tool collects different artefacts on live Windows systems and records the results in CSV or JSON files. By analysing these artefacts, an early compromise can be detected.

exiftool – ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.

yara – The pattern-matching tool used to create YARA signatures for malware detection.

yarGen – A generator for YARA rules.

pev – pev is a full-featured, open source, multiplatform command line toolkit to work with PE (Portable Executables) binaries.

binwalk – Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.

peframe – PEframe is an open-source tool to perform static analysis on Portable Executable malware and generic suspicious files.

PortexAnalyser – PortEx is a Java library for static malware analysis of Portable Executable files.

TrID – Binary identification.

PE-bear – PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.

 

Deobfuscation

de4dot – .NET deobfuscator and unpacker.

FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.

XORBruteForcer – A Python script for brute forcing single-byte XOR keys.

CyberChef – The Cyber Swiss Army Knife.

JSUnpack – JavaScript deobfuscator.

 

Debugging and Reverse Engineering

Process Monitor – Advanced monitoring tool for Windows programs.

Process Explorer – Advanced task manager for Windows.

Process Hacker – Tool that monitors system resources.

RegShot – Registry compare utility that compares snapshots.

LordPE – LordPE is an advanced application that provides tools for manipulating various parts of PE files. It features a PE editor, a break-and-enter function, a PE rebuilder, an unsplitter and a dumper server.

upx – UPX homepage: the Ultimate Packer for eXecutables.

Import Reconstructor (ImpRec) – This tool is designed to rebuild the imports of protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Address Table (IAT) and all ASCII module and function names.

Wireshark – Wireshark is the world’s foremost and widely-used network protocol analyzer.

AnalogX TextScan – It searches any binary file for strings between a given minimum and maximum length, and returns all occurrences in sorted order.

 

Memory

volatility – An advanced memory forensics framework.
Plugins:
findevilproc (labels possible new candidates)

EVTXtract recovery – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

Helix3 – Extract memory from Windows and send it over netcat to a Linux box (listener on the Linux side: nc -l -vvv -p 8888 > memory.dd).

FTK Imager – The FTK Imager tool is capable of both acquiring and analyzing computer forensic evidence.

Autopsy – Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

DumpIt – Windows live memory acquisition (a standalone app).

Process Dump – Process Dump is a Windows reverse-engineering command-line tool that dumps malware memory components back to disk for analysis.

CheatEngine – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte”) for the Windows operating system.

PE-Sieve – Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

 

File Analysis

peepdf – PDF analyzer.

oledump – OLE file analysis; see [1] and [2].

oletools – Suite to analyze OLE and MS Office files.

Structured Storage Viewer (SSV) – This tool allows you to completely manage any MS OLE Structured Storage based file.

BiffView++ – BiffView is a tool for viewing the BIFF structure of a binary Excel sheet.

 

Emulators

Radare2 – r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. (GUI: Cutter).

Unicorn – A lightweight multi-platform, multi-architecture CPU emulator framework.

 

Other

munpack – Used to extract attachments from incoming emails.

REMNUX – Reverse engineering virtual machine.

WinAFL – Fuzzing Windows binaries.

 

Online Tools

CyberChef – The Cyber Swiss Army Knife.


Sandboxes
VirusTotal
Hybrid Analysis
https://metadefender.opswat.com
ReverseIt
https://www.malwares.com
https://www.maltiverse.com/search
https://any.run/
Free Automated Malware Analysis Service – powered by Falcon Sandbox
Jotti's malware scan
Scan your website – urlscan.io
https://www.dnsbl.info/dnsbl-database-check.php
AMAaaS (Android files)
Any.run (Community Edition)
Binary Guard True Bare Metal
Intezer Analyze (Community Edition)
Comodo Valkyrie
Detux Sandbox (Linux binaries)
Joe Sandbox Cloud (Community Edition)
Malwr (down at the moment)
sandbox.pikker.ee
SecondWrite (free version)
SNDBOX
ThreatTrack
ViCheck

 

 

Other Common Awesome Lists