From Collaborative RCE Tool Library

Jump to: navigation, search

Malware Analysis Tools


Tool name: Kernel Detective
Rating: 5.0 (3 votes)
Author: GamingMaster -AT4RE                        
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista/Server 2008/SEVEN


Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.
Also listed in: Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Hacker
Rating: 5.0 (1 vote)
Author: wj32                        
Website: http://processhacker.sourceforge.net
Current version: 2.33
Last updated: December 27, 2013
Direct D/L link: http://processhacker.googlecode.com/files/processhacker-2.33-bin.zip
License type: Open Source (GNU General Public License V3)
Description: Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...
Also listed in: Process Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Androguard
Rating: 0.0 (0 votes)
Author: Anthony Desnos                        
Website: http://code.google.com/p/androguard/
Current version: 0.9
Last updated: September 25, 2011
Direct D/L link: http://androguard.googlecode.com/files/androguard-0.9.tar.gz
License type: LGPL
Description: Androguard (Android Guard) is primarily a tool written in full python to play with :
- .class (JavaVM)
- .dex (DalvikVM)
- APK
- JAR
- Android's binary xml

Androguard has the following features :
- Map and manipulate (read/write) DEX/CLASS/APK/JAR files into full Python objects,
- Native support of DEX code in a c++ library,
- Access to the static analysis of your code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) ...) and create your own static analysis tool,
- Check if an android application is present in a database (malwares, goodwares ?),
- Open source database of android malwares,
- Diffing of android applications,
- Measure the efficiency of obfuscators (proguard, ...),
- Determine if your application has been pirated (rip-off indicator),
- Risk indicator of malicious application,
- Reverse engineering of applications (goodwares, malwares),
- Transform Android's binary xml (like AndroidManifest.xml) into classic xml,
- Visualize your application into cytoscape (by using xgmml format), or PNG/DOT output,
- Patch JVM classes, add native library dependencies,
- Dump the jvm process to find classes into memory,
- ...
Also listed in: Android Tools, Binary Diff Tools, Disassembler Libraries, Disassemblers, Entropy Analyzers, Java Disassembler Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MALM: Malware Monitor
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Website: http://www.split-code.com/
Current version: v1.2
Last updated: December 16, 2012
Direct D/L link: http://www.split-code.com/files/malm-v1_2.zip
License type: Freeware
Description: MALM is a 32 and 64bit Windows OS command-prompt tool for monitoring malware. It monitors:
- New processes
- New modules in existing processes
- New executable heaps in existing processes.

As it notices changes, MALM will output observations to the console. When MALM is terminated by CTRL-C, it will generate a final report of it's findings.

This tool is particularly useful for monitoring where the malware resides after execution, since malware often injects itself into other processes.
Also listed in: Memory Data Tracing Tools, Monitoring Tools, Process Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: May 5, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/map_setup.exe
License type: GPL2
Description: Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs dns responses to controlled ip's
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration
Also listed in: API Monitoring Tools, Import Editors, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PDF Stream Dumper
Rating: 0.0 (0 votes)
Author: dzzie                        
Website: http://sandsprite.com/blogs/index.php?uid=7
Current version: 0.9.170
Last updated: July 21, 2010
Direct D/L link: http://sandsprite.com/CodeStuff/PDFStreamDumper_Setup.exe
License type: unknown
Description: Full feature list
supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
Integrated shellcode tools:
sclog gui (Shellcode Analysis tool I wrote at iDefense)
scTest gui libemu based Shellcode analysis tool
Shellcode_2_Exe functionality
Export unescaped bytes to file
supports filter chaining (ie multiple filters applied to same stream)
supports unescaping encoded pdf headers
scriptable interface to process multiple files and generate reports
view all pdf objects
view deflated streams
view stream details such as file offsets, header, etc
save raw and deflated data
search streams for strings
scan for functions which contain pdf exploits (dumb scan)
format javascript using js beautifier (see credits in readme)
view streams as hex dumps
zlib compress/decompress arbitrary files
replace/update pdf streams with your own data
basic javascript interface so you can run parts of embedded scripts
PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
Basic Javascript de-obsfuscator
can hide: header only streams, duplicate streams, selected streams
js ui also has access to a toolbox class to
simplify fragmented strings
read/write files
do hexdumps
do unicode safe unescapes
disassembler engine
replicate some common Adobe API (new)
Current Automation scripts include:
csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
filter_chains.vbs - recursivly scans parent dir for pdfs that use multiple encoding filters on a stream.
obsfuscated_headers.vbs - recursivly scans parent dir for pdfs that have obsfuscated object headers
pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
Build_DB.dll - Search and sort data inside multiple samples, move and organize files
obj_browser.dll - view layout and data inside pdf in text form
Also listed in: Data Search and Extraction Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.09
Last updated: October 10, 2017
Direct D/L link: https://www.mzrst.com/puppy/PPEE(puppy)%201.10.zip
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
Two companion plugins are also provided. FileInfo, to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on. YaraPlugin, to test Yara rules against opened file.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

Features:

Both PE32 and PE64 support
Examine YARA rules against opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze windows native and .Net executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Edit almost every data structure
Easily dump sections, resources and .Net assembly directories
Entropy and MD5 calculation of the sections and resource items
View strings including URL, Registry, Suspicious, ... embedded in files
Detect common resource types
Extract artifacts remained in PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Built in hex editor
Explorer context menu integration
Descriptive information for data members
Refresh, Save and Save as menu commands
Drag and drop support
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled

Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, PE Executable Editors, Relocation Tools, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: pestudio
Rating: 0.0 (0 votes)
Author: Marc Ochsenmeier                        
Website: http://www.winitor.com
Current version: 8.51
Last updated: August 1, 2015
Direct D/L link: https://www.winitor.com/tools/pestudio/current/pestudio.zip
License type: Free for private usage.
Description: pestudio is an application that performs Malware Initial Assessment of any executable file.

Malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
Also listed in: PE Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: pev
Rating: 0.0 (0 votes)
Author: Fernando Mercês, Jardel Weyrich                        
Website: http://pev.sf.net
Current version: 0.70
Last updated: December 27, 2013
Direct D/L link: http://sourceforge.net/projects/pev/files/pev-0.70/pev-0.70-win32.zip/download
License type: Open Source (GPLv3)
Description: pev is a free and open source multi-platform PE file analysis toolkit,
that provide the following tools:

* pehash - calculate PE file hashes
* pedis - PE disassembler
* pepack - packer detector
* peres - view and extract PE file resources
* pescan - search for suspicious things in PE files, including TLS callbacks
* pesec - check security features and certificates in PE files
* pestr - search for unicode and ascii strings in PE files
* readpe - show PE file headers, sections and more
* rva2ofs - convert RVA to raw file offsets
* ofs2rva - convert raw file offsets to RVA

Features include:

* Based on own PE library, called libpe
* Support for PE32 and PE32+ (64-bit) files
* Formatted output in text and CSV (other formats in development)
* pesec: check security features in PE files, extract certificates and more
* readpe: parse PE headers, sections, imports and exports
* pescan: detect TLS callback functions, DOS stub modification,
suspicious sections and more
* pedis: disassembly a PE file section or function with support for
Intel and AT&T syntax
* Include tools to convert RVA from file offset and vice-versa
* pehash: calculate PE file hashes
* pepack: detect if an executable is packed or not
* pestr: search for hardcoded Unicode and ASCII strings simultaneously
in PE files
* peres: show and extract PE file resources
Also listed in: Disassemblers, Entropy Analyzers, Exe Analyzers, Packer Identifiers, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Dump, pd.exe
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Website: http://www.split-code.com/
Current version: v1.4
Last updated: April 18, 2015
Direct D/L link: http://split-code.com/files/pd_latest.zip
License type: Freeware
Description: Process Dump is a 32 and 64 bit command-line tool for dumping malware code from memory back to disk.

Features:
* Dumps 32 and 64 bit modules back to disk
* Dumps code at a specific address back to disk with reconstructing a 32 and 64 bit PE header and building an import address table
* Reconstructs imports aggressively - linking any DWORD or QWORD in the image being dumped to the corresponding import
* Supports a clean library hashing approach, allowing for dumping of only unrecognized modules

The import reconstruction approach is aggressive and even reconstructs references to imports loaded by GetProcAddress:
1. Copies OriginalFirstThunk over FirstThunk array for each imported library. (original import reconstruction approach)
2. Looks at all modules loaded in the current process, and builds a list of the addresses of all exported functions.
3. Searches the region or module that is being dumped for any DWORD (x86) or QWORD (x64) matching an exported address in the process.
4. For each match, adds an imported library with FirstThunk pointing to the DWORD or QWORD to patch up, linking it to the exported function of the corresponding library.
5. The size of the last section is increased, and the extended original import table is placed here.

Dump code from a specific address, building a PE header and import table:
pd.exe -pid 0x1a7 -a 0x3e1000

Dump all modules from all processes (only unrecognized modules will be dumped):
pd.exe -system

Dump all modules from a specific process:
pd.exe -pid 0x18A

Dump all modules by process name:
pd.exe -p .*chrome.*

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd.exe -db gen

Comes in .zip format and supports Windows x86 and x64:
- http://split-code.com/files/pd_latest.zip

Requires Microsoft Visual C++ 2008 Redistributable:
- http://www.microsoft.com/en-ca/download/details.aspx?id=29
- http://www.microsoft.com/en-ca/download/details.aspx?id=15336
Also listed in: Automated Unpackers, Dump Fixers, Memory Dumpers, Process Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: scdbg
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Current version:
Last updated: March 30, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/scdbg.zip
License type: free
Description: scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.


**************************
New catagory Request: Shellcode Analysis

While other categories describe functions of this tool, its a really specialized niche field.
Not many people know specialized tools exist for it, a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section. (libemu and sclog) and maybe shellcode_2_exe
***************************
Also listed in: API Monitoring Tools, Automated Unpackers, Debuggers, Monitoring Tools, Needs New Category
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.


Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Exe Analyzers, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views