10 December 2021

Important Security Tools for Security Analyst

Hex Editors

Disassemblers

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

IDA Pro
Binary Ninja
Radare
Hopper
Capstone
objdump
fREedom
plasma

Detection and Classification

AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
Assemblyline – A scalable distributed file analysis framework.
BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
ClamAV – Open source antivirus engine.
Detect-It-Easy – A program for determining types of files.
ExifTool – Read, write and edit file metadata.
File Scanning Framework – Modular, recursive file scanning solution.
hashdeep – Compute digest hashes with a variety of algorithms.
Loki – Host based scanner for IOCs.
Malfunction – Catalog and compare malware at a function level.
MASTIFF – Static analysis framework.
MultiScanner – Modular file scanning/analysis framework
nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
packerid – A cross-platform Python alternative to PEiD.
PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
Rootkit Hunter – Detect Linux rootkits.
ssdeep – Compute fuzzy hashes.
totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
TrID – File identifier.
YARA – Pattern matching tool for analysts.
Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives

Dynamic Binary Instrumentation

Pin
DynamoRio
frida
dyninst

Mac Decrypting Tools

Cerbero Profiler – Select all -> Copy to new file
AppEncryptor – Tool for decrypting
Class-Dump – use deprotect option
readmem – OS X Reverser’s process dumping tool

Emulator Tools

Qemu
unicorn

Document Analysis

Dynamic Analysis

ProcessHacker
Process Explorer
Process Monitor
Autoruns
Noriben
API Monitor
Wireshark
Fakenet
Volatility
LiME
Cuckoo
Objective-See Utilities
XCode Instruments – XCode Instruments for Monitoring Files and Processes User Guide
dtrace – sudo dtruss = strace dtrace recipes
fs_usage – report system calls and page faults related to filesystem activity in real-time. File I/O: fs_usage -w -f filesystem
dmesg – display the system message buffer
Triton

Deobfuscation

Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
de4dot – .NET deobfuscator and unpacker.
ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
PackerAttacker – A generic hidden code extractor for Windows malware.
unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
unxor – Guess XOR keys using known-plaintext attacks.
VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
xortool – Guess XOR key length, as well as the key itself.

Debugging Tools

gdb
vdb
lldb
qira

Windows-Only Debugging Tools

Linux-Only Debugging Tools

DDD

Reverse Engineering

angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
bamfdetect – Identifies and extracts information from bots and other malware.
BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
Binary ninja – A reversing engineering platform that is an alternative to IDA.
Binwalk – Firmware analysis tool.
Bokken – GUI for Pyew and Radare. (mirror)
Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
codebro – Web based code browser using clang to provide basic code analysis.
DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
dnSpy – .NET assembly editor, decompiler and debugger.
Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
Fibratus – Tool for exploration and tracing of the Windows kernel.
FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
GDB – The GNU debugger.
GEF – GDB Enhanced Features, for exploiters and reverse engineers.
hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
Hopper – The macOS and Linux Disassembler.
IDA Pro – Windows disassembler and debugger, with a free evaluation version.
Immunity Debugger – Debugger for malware analysis and more, with a Python API.
ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
ltrace – Dynamic analysis for Linux executables.
objdump – Part of GNU binutils, for static analysis of Linux binaries.
OllyDbg – An assembly-level debugger for Windows executables.
PANDA – Platform for Architecture-Neutral Dynamic Analysis.
PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
pestudio – Perform static analysis of Windows executables.
Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
plasma – Interactive disassembler for x86/ARM/MIPS.
PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
Process Explorer – Advanced task manager for Windows.
Process Hacker – Tool that monitors system resources.
Process Monitor – Advanced monitoring tool for Windows programs.
PSTools – Windows command-line tools that help manage and investigate live systems.
Pyew – Python tool for malware analysis.
PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
QKD – QEMU with embedded WinDbg server for stealth debugging.
Radare2 – Reverse engineering framework, with debugger support.
RegShot – Registry compare utility that compares snapshots.
RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
strace – Dynamic analysis for Linux executables.
Triton – A dynamic binary analysis (DBA) framework.
Udis86 – Disassembler library and tool for x86 and x86_64.
Vivisect – Python tool for malware analysis.
WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
X64dbg – An open-source x64/x32 debugger for windows.

Binary Format and Binary Analysis

CFF Explorer
Cerbero Profiler // Lite PE Insider
Detect It Easy
PeStudio
PEiD
MachoView
nm – View Symbols
file – File information
codesign – Code signing information usage: codesign -dvvv filename
Mobius Resources
z3
bap
angr

Memory Forensics

BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
DAMM – Differential Analysis of Malware in Memory, built on Volatility.
evolve – Web interface for the Volatility Memory Forensics Framework.
FindAES – Find AES encryption keys in memory.
inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
Rekall – Memory analysis framework, forked from Volatility in 2013.
TotalRecall – Script based on Volatility for automating various malware analysis tasks.
VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
Volatility – Advanced memory forensics framework.
VolUtility – Web Interface for Volatility Memory Analysis framework.
WDBGARK – WinDBG Anti-RootKit Extension.
WinDbg – Live memory inspection and kernel debugging for Windows systems.

Malware samples

Clean MX – Realtime database of malware and malicious domains.
Virus Total – Virus Total
Hybrid Analysis – Hybrid Analysis by Falcon Sandbox
Joe Sandbox – Automated Malware Analysis by Joe Sandbox
Browserling Sandbox – URL Sandbox
Contagio – A collection of recent malware samples and analyses.
Exploit Database – Exploit and shellcode samples.
Malshare – Large repository of malware actively scrapped from malicious sites.
MalwareDB – Malware samples repository.
Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
theZoo – Live malware samples for analysts.
Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
ViruSign – Malware database that detected by many anti malware programs except ClamAV.
VirusShare – Malware repository, registration required.
VX Vault – Active collection of malware samples.
Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Analysis

badips.com – Community based IP blacklist service.
AbuseIPDB – Check an IP Address, Domain Name for abuse history.
urlscan.io – URL and website scanner
URL Void – Website Reputation Checker
boomerang – A tool designed for consistent and safe capture of off network web resources.
Cymon – Threat intelligence tracker, with IP/domain/hash search.
Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
Dig – Free online dig and other network tools.
dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
IPinfo – Gather information about an IP or domain by searching online resources.
Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
mailchecker – Cross-language temporary email detection library.
MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
SpamCop – IP based spam block list.
SpamHaus – Block list based on domains and IPs.
Sucuri SiteCheck – Free Website Malware and Security Scanner.
Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
URLQuery – Free URL Scanner.
Whois – DomainTools free online whois search.
Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
ZScalar Zulu – Zulu URL Risk Analyzer.

Documents and Shellcode

AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
diStorm – Disassembler for analyzing malicious shellcode.
JS Beautifier – JavaScript unpacking and deobfuscation.
JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
libemu – Library and tools for x86 shellcode emulation.
malpdfobj – Deconstruct malicious PDFs into a JSON representation.
OfficeMalScanner – Scan for malicious traces in MS Office documents.
olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
Origami PDF – A tool for analyzing malicious PDFs, and more.
PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
peepdf – Python tool for exploring possibly malicious PDFs.
QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Practice Reverse Engineering

Open Source Threat Intelligence Tool

AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
Fileintel – Pull intelligence per file hash.
Hostintel – Pull intelligence per host.
IntelMQ – A tool for CERTs for processing incident data using a message queue.
IOC Editor – A free editor for XML IOC files.
ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
MISP – Malware Information Sharing Platform curated by The MISP Project.
Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
PyIOCe – A Python OpenIOC editor.
RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
ThreatCrowd – A search engine for threats, with graphical visualization.
ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

APT Notes – A collection of papers and notes related to Advanced Persistent Threats.
File Formats posters – Nice visualization of commonly used file format (including PE & ELF).
Honeynet Project – Honeypot tools, papers, and other resources.
Kernel Mode – An active community devoted to malware analysis and kernel development.
Malicious Software – Malware blog and resources by Lenny Zeltser.
Malware Analysis Search – Custom Google search engine from Corey Harrell.
Malware Analysis Tutorials – The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
Malware Samples and Traffic – This blog focuses on network traffic related to malware infections.
Practical Malware Analysis Starter Kit – This package contains most of the software referenced in the Practical Malware Analysis book.
RPISEC Malware Analysis – These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.
WindowsIR: Malware – Harlan Carvey’s page on Malware.
Windows Registry specification – Windows registry file format specification.
/r/csirt_tools – Subreddit for CSIRT tools and resources, with a malware analysis flair.
/r/Malware – The malware subreddit.
/r/ReverseEngineering – Reverse engineering subreddit, not limited to just malware.

Reverse Engineering Courses

Lenas Reversing for Newbies
Open Security Training
Dr. Fu’s Malware Analysis
Binary Auditing Course
TiGa’s Video Tutorials
Legend of Random
Modern Binary Exploitation
RPISEC Malware Course
SANS FOR 610 GREM
REcon Training
Blackhat Training
Offensive Security
Corelan Training
Offensive and Defensive Android Reversing