From Collaborative RCE Tool Library


Malware Analysis Tools


Tool name: Kernel Detective
Rating: 5.0 (3 votes)
Author: GamingMaster -AT4RE                        
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

Supported NT versions: XP / Vista / Server 2008 / 7


Kernel Detective gives you the ability to:
1- Detect Hidden Processes.
2- Detect Hidden Threads.
3- Detect Hidden DLLs.
4- Detect Hidden Handles.
5- Detect Hidden Drivers.
6- Detect Hooked SSDT.
7- Detect Hooked Shadow SSDT.
8- Detect Hooked IDT.
9- Detect Kernel-mode code modifications and hooks.
10- Disassemble (Read/Write) Kernel-mode/User-mode memory.
11- Monitor debug output on your system.


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.

Enumerate a specific running process's Dynamic-Link Libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.

Enumerate a specific running process's open handles, show every handle's object name and address, and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address; the detection algorithm was improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupt descriptor table (IDT) and show every interrupt handler's offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking into other types of hooks for the next releases of Kernel Detective.
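How the SSDT and kernel-module checks described above can decide that an entry is hooked, as an added example that is not Kernel Detective's own code: the live service table is compared against a clean copy and against the address range of the module that should own every service (so an entry pointing into an unsigned driver is flagged even without a clean copy), single entries or the whole table can be restored, and a patched function prologue is classified by decoding the JMP rel32 or PUSH/RET that replaced it. The module ranges, table contents and prologue bytes are constructed for the example, not taken from a real machine.

```python
import struct

# Constructed sample environment, not data from a real machine: module ranges
# as a driver scanner would report them, a clean SSDT copy (as rebuilt from the
# on-disk ntoskrnl image) and the live table with two services redirected into
# an unsigned driver.
MODULES = [
    ("ntoskrnl.exe", 0x80400000, 0x200000),
    ("hal.dll",      0x80600000, 0x020000),
    ("rootkit.sys",  0xF8A10000, 0x008000),
]
CLEAN_SSDT = [0x80500000 + 0x40 * i for i in range(8)]
LIVE_SSDT = list(CLEAN_SSDT)
LIVE_SSDT[3] = 0xF8A10120          # redirected service (think of a NtQuery* routine)
LIVE_SSDT[5] = 0xF8A10340          # redirected service (think of NtOpenProcess)

# Inline hook on the function behind service 5: the x86 hot-patch prologue
# "mov edi,edi; push ebp; mov ebp,esp" replaced by a jmp rel32 into the rootkit.
NTOPENPROCESS = CLEAN_SSDT[5]
ROOTKIT_HANDLER = 0xF8A10340
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", ROOTKIT_HANDLER - (NTOPENPROCESS + 5))


def module_for(address, modules=MODULES):
    """Name of the loaded module whose image range contains address, or None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def scan_ssdt(live, clean, modules=MODULES, owner="ntoskrnl.exe"):
    """Report every service whose live target differs from the clean copy or
    lies outside the module that legitimately implements the table.

    The range test still works when no clean copy is available, which is why
    scanners show the live and the expected address side by side."""
    findings = []
    for index, (current, expected) in enumerate(zip(live, clean)):
        hosted_by = module_for(current, modules)
        if current != expected or hosted_by != owner:
            findings.append({"index": index, "current": current,
                             "expected": expected, "module": hosted_by})
    return findings


def restore_ssdt(live, clean, indices=None):
    """Copy clean addresses back: a list of indices restores single services,
    None restores the whole table. Returns the (mutated) live table."""
    for index in (range(len(live)) if indices is None else indices):
        live[index] = clean[index]
    return live


def check_prologue(address, live_bytes, clean_bytes):
    """Classify an inline patch at a function's entry. Returns None when the
    bytes are untouched, otherwise the hook kind and, where it can be decoded,
    the address control is diverted to."""
    if live_bytes == clean_bytes:
        return None
    if len(live_bytes) >= 5 and live_bytes[0] == 0xE9:                   # jmp rel32
        rel = struct.unpack_from("<i", live_bytes, 1)[0]
        return {"kind": "jmp", "target": (address + 5 + rel) & 0xFFFFFFFF}
    if len(live_bytes) >= 6 and live_bytes[0] == 0x68 and live_bytes[5] == 0xC3:  # push imm32; ret
        return {"kind": "push-ret", "target": struct.unpack_from("<I", live_bytes, 1)[0]}
    return {"kind": "modified", "target": None}


if __name__ == "__main__":
    for hit in scan_ssdt(LIVE_SSDT, CLEAN_SSDT):
        print("SSDT[%d] -> %08X (expected %08X) in %s"
              % (hit["index"], hit["current"], hit["expected"], hit["module"]))
    print("prologue:", check_prologue(NTOPENPROCESS, HOOKED_PROLOGUE, CLEAN_PROLOGUE))
```

The same range test applies to the Shadow SSDT (owner win32k.sys) and to IDT handler offsets; the prologue check is what a module scan has to run over every exported routine, comparing in-memory bytes against the relocated on-disk image.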

A nice disassembler relying on the OllyDbg disasm engine; thanks to Oleh Yuschuk for publishing your nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even kernel space memory. Kernel Detective uses its own Read/Write routines from kernel mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W processes' VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypasses hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like DbgView by Mark Russinovich. It does this by hooking interrupt 0x2D, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.
Also listed in: Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools



Tool name: Process Hacker
Rating: 5.0 (1 vote)
Author: wj32                        
Website: http://processhacker.sourceforge.net
Current version: 2.14
Last updated: March 27, 2011
Direct D/L link: http://sourceforge.net/projects/processhacker/files/processhacker2/processhacker-2.14-bin.zip
License type: Open Source (GNU General Public License)
Description: Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allow it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...
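Both the hidden-process detection in Kernel Detective above and the one described here for Process Hacker rest on the same cross-view idea: a rootkit can filter one enumeration path (FU unlinks its EPROCESS from the active process list, Hacker Defender filters the output of the documented API), but a process that still owns threads, handles or an openable PID shows up through the other paths, and anything missing from the reference view is a candidate. The following is an added example, not code from either tool; the enumeration results are constructed sets, not captured from a real machine.

```python
# Constructed enumeration results, not captured from a real machine. Each view
# is the set of PIDs one technique reports; "api" is the documented process
# list that a rootkit tampers with, the alternates reach processes by other
# paths and are what a scanner compares it against.
VIEWS = {
    "api":            {4, 368, 620, 1204},
    "pid-bruteforce": {4, 368, 620, 1204, 1388},          # open every candidate PID
    "thread-owner":   {4, 368, 620, 1204, 1388, 1560},    # owners of threads found by scanning
    "handle-table":   {4, 368, 620, 1204, 1388},          # processes owning a handle table
}
NAMES = {4: "System", 368: "csrss.exe", 620: "explorer.exe", 1204: "svchost.exe"}


def cross_view(views, reference="api"):
    """Map each PID that some alternate view reports but the reference view
    does not to the sorted list of views that saw it."""
    ref = views[reference]
    hidden = {}
    for name, pids in views.items():
        if name == reference:
            continue
        for pid in pids - ref:
            hidden.setdefault(pid, []).append(name)
    return {pid: sorted(seen) for pid, seen in sorted(hidden.items())}


def classify(hidden, views):
    """A PID every alternate view agrees on is a hidden process. One reported by
    a single view is more likely a process that started or exited between two
    enumerations, so it is marked for a rescan instead of being reported."""
    alternates = len(views) - 1
    return {pid: ("hidden" if len(seen) == alternates else "rescan")
            for pid, seen in hidden.items()}


def confirm(first, second):
    """Drop transient hits by keeping only PIDs flagged in two separate passes."""
    return {pid: first[pid] for pid in first if pid in second}


if __name__ == "__main__":
    hidden = cross_view(VIEWS)
    for pid, verdict in classify(hidden, VIEWS).items():
        print(pid, NAMES.get(pid, "?"), verdict, "seen by", ", ".join(hidden[pid]))
```

The verdict is only as good as the independence of the views: a rootkit that hooks every path a tool uses (which is why Kernel Detective advertises its own kernel-mode read routines) defeats the comparison, so a scanner wants at least one view that reads kernel structures directly rather than through an API the rootkit can hook.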
Also listed in: Process Monitoring Tools



Tool name: Androguard
Rating: 0.0 (0 votes)
Author: Anthony Desnos                        
Website: http://code.google.com/p/androguard/
Current version: 0.9
Last updated: September 25, 2011
Direct D/L link: http://androguard.googlecode.com/files/androguard-0.9.tar.gz
License type: LGPL
Description: Androguard (Android Guard) is primarily a tool written fully in Python to play with:
- .class (JavaVM)
- .dex (DalvikVM)
- APK
- JAR
- Android's binary xml

Androguard has the following features :
- Map and manipulate (read/write) DEX/CLASS/APK/JAR files into full Python objects,
- Native support of DEX code in a c++ library,
- Access to the static analysis of your code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) ...) and create your own static analysis tool,
- Check if an Android application is present in a database (malware, goodware?),
- Open source database of Android malware,
- Diffing of android applications,
- Measure the efficiency of obfuscators (proguard, ...),
- Determine if your application has been pirated (rip-off indicator),
- Risk indicator of malicious application,
- Reverse engineering of applications (goodwares, malwares),
- Transform Android's binary xml (like AndroidManifest.xml) into classic xml,
- Visualize your application into cytoscape (by using xgmml format), or PNG/DOT output,
- Patch JVM classes, add native library dependencies,
- Dump the JVM process to find classes in memory,
- ...
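The DEX container that Androguard maps into Python objects starts with a fixed 0x70-byte header whose checksum and signature fields let a tool tell a patched or truncated file from an intact one. The following is an added example, not Androguard's own code: it builds a minimal header-only DEX (constructed here, not taken from a real APK), parses the header into a dict, verifies the integrity fields, and recomputes them after a modification, which any write-back of a patched file has to do before a runtime will accept it.

```python
import hashlib
import struct
import zlib

# Fixed-size DEX header: magic, adler32 checksum, SHA-1 signature, then twenty
# little-endian u4 fields (sizes and offsets of the id tables, class defs and data).
DEX_HEADER_FORMAT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FORMAT)        # 0x70
DEX_ENDIAN_TAG = 0x12345678
FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data):
    """Unpack the header into a dict keyed by the field names above."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FORMAT, data, 0)
    header = {"magic": magic, "checksum": checksum, "signature": signature}
    header.update(zip(FIELD_NAMES, fields))
    return header


def verify_dex(data):
    """Names of header fields that do not match the file; empty when intact.
    The checksum covers everything after itself (offset 12), the signature
    everything after itself (offset 32), so the checksum also covers the signature."""
    h = parse_dex_header(data)
    problems = []
    if not (h["magic"].startswith(b"dex\n") and h["magic"][7:8] == b"\x00"):
        problems.append("magic")
    if h["endian_tag"] != DEX_ENDIAN_TAG:
        problems.append("endian_tag")
    if h["header_size"] != DEX_HEADER_SIZE:
        problems.append("header_size")
    if h["file_size"] != len(data):
        problems.append("file_size")
    if h["checksum"] != (zlib.adler32(data[12:]) & 0xFFFFFFFF):
        problems.append("checksum")
    if h["signature"] != hashlib.sha1(data[32:]).digest():
        problems.append("signature")
    return problems


def fix_dex(data):
    """Recompute signature first, then the checksum that covers it."""
    out = bytearray(data)
    out[12:32] = hashlib.sha1(bytes(out[32:])).digest()
    struct.pack_into("<I", out, 8, zlib.adler32(bytes(out[12:])) & 0xFFFFFFFF)
    return bytes(out)


def build_sample_dex():
    """Header-only DEX with every table empty; constructed for this example."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG] + [0] * 17
    raw = struct.pack(DEX_HEADER_FORMAT, b"dex\n035\x00", 0, b"\x00" * 20, *fields)
    return fix_dex(raw)


if __name__ == "__main__":
    sample = build_sample_dex()
    print({k: v for k, v in parse_dex_header(sample).items() if k != "signature"})
    print("intact:", verify_dex(sample))
    tampered = bytearray(sample)
    tampered[0x40] ^= 1                       # flip a bit in type_ids_size
    print("tampered:", verify_dex(bytes(tampered)))
    print("after fix_dex:", verify_dex(fix_dex(bytes(tampered))))
```

A mismatch in file_size with the other fields intact usually means data was appended (a common way to hide a payload behind a valid DEX), while checksum and signature mismatches alone point at an in-place patch that was not re-signed.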
Also listed in: Android Tools, Binary Diff Tools, Disassembler Libraries, Disassemblers, Entropy Analyzers, Java Disassembler Libraries



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://labs.idefense.com/files/labs/releases/previews/map/
Current version:
Last updated: November 13, 2006
Direct D/L link: http://labs.idefense.com/software/download/?downloadID=8
License type: GPL2
Description: The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 4 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs DNS responses to controlled IPs
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
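What a responder like fakeDNS does on the wire, as an added example that is not the pack's own code: it parses the question out of a client's UDP query and hands back an A record pointing at an address the analyst controls, so a sample's lookups of its command-and-control host land on a lab machine. Queries for other record types get an empty NOERROR reply rather than being ignored, so the sample falls back instead of retrying forever. The query bytes are constructed inside the code; the serving loop at the bottom binds UDP port 53 and needs administrative rights.

```python
import socket
import struct


def _read_name(packet, pos):
    """Read an uncompressed label sequence; return (dotted name, position after it)."""
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        if length & 0xC0:
            raise ValueError("compression pointer where a plain name was expected")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def build_query(txid, name, qtype=1):
    """A client's recursive query for name (type 1 = A); constructed test input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)


def parse_query(packet):
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, pos = _read_name(packet, 12)
    qtype, qclass = struct.unpack_from("!2H", packet, pos)
    return {"txid": txid, "rd": bool(flags & 0x0100), "name": name,
            "qtype": qtype, "qclass": qclass, "question": packet[12:pos + 4]}


def build_response(query, answer_ip, ttl=60):
    """Answer every A/IN question with answer_ip; other types get an empty NOERROR reply."""
    q = parse_query(query)
    flags = 0x8180 if q["rd"] else 0x8080            # QR=1, RD copied, RA=1, RCODE=0
    if q["qtype"] != 1 or q["qclass"] != 1:
        return struct.pack("!6H", q["txid"], flags, 1, 0, 0, 0) + q["question"]
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # 0xC00C is a name pointer back to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!6H", q["txid"], flags, 1, 1, 0, 0) + q["question"] + answer


def parse_response(packet):
    """Decode a reply far enough to check it: txid, flags and the first A record's IP."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    _name, pos = _read_name(packet, 12)
    pos += 4                                          # qtype, qclass
    ip = None
    if ancount:
        _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHHIH", packet, pos)
        pos += 12
        if rtype == 1 and rdlen == 4:
            ip = ".".join(str(b) for b in packet[pos:pos + 4])
    return {"txid": txid, "flags": flags, "ancount": ancount, "ip": ip}


def serve(answer_ip, bind=("0.0.0.0", 53)):
    """Minimal UDP responder; malformed packets are dropped rather than answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            question = parse_query(data)
            reply = build_response(data, answer_ip)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue
        print("%s asked for %s (type %d)" % (peer[0], question["name"], question["qtype"]))
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve("10.0.0.5")
```

The logged question names are the useful artefact: they are the sample's C2 and update hosts, collected without letting a single packet leave the lab network.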
Also listed in: Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, Reverse Engineering Frameworks, API Monitoring Tools



Tool name: PDF Stream Dumper
Rating: 0.0 (0 votes)
Author: dzzie                        
Website: http://sandsprite.com/blogs/index.php?uid=7
Current version: 0.9.170
Last updated: July 21, 2010
Direct D/L link: http://sandsprite.com/CodeStuff/PDFStreamDumper_Setup.exe
License type: unknown
Description: Full feature list
supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
Integrated shellcode tools:
sclog gui (Shellcode Analysis tool I wrote at iDefense)
scTest gui - libemu-based shellcode analysis tool
Shellcode_2_Exe functionality
Export unescaped bytes to file
supports filter chaining (i.e. multiple filters applied to the same stream)
supports unescaping encoded pdf headers
scriptable interface to process multiple files and generate reports
view all pdf objects
view deflated streams
view stream details such as file offsets, header, etc
save raw and deflated data
search streams for strings
scan for functions which contain pdf exploits (dumb scan)
format javascript using js beautifier (see credits in readme)
view streams as hex dumps
zlib compress/decompress arbitrary files
replace/update pdf streams with your own data
basic javascript interface so you can run parts of embedded scripts
PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
Basic JavaScript de-obfuscator
can hide: header only streams, duplicate streams, selected streams
the JS UI also has access to a toolbox class to:
  simplify fragmented strings
  read/write files
  do hexdumps
  do unicode-safe unescapes
  disassembler engine
  replicate some common Adobe API (new)
Current automation scripts include:
csv_stats.vbs - builds a CSV file with results from the lower status bar for all files in a directory
pdfbox_extract.vbs - uses pdfbox to extract all images and text from the current file
string_scan.vbs - scans all decompressed streams in all files in a directory for a string you enter
unsupported_filters.vbs - scans a directory and builds a list of all PDFs which have unsupported filters
filter_chains.vbs - recursively scans the parent dir for PDFs that use multiple encoding filters on a stream
obsfuscated_headers.vbs - recursively scans the parent dir for PDFs that have obfuscated object headers
pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
Build_DB.dll - Search and sort data inside multiple samples, move and organize files
obj_browser.dll - view layout and data inside pdf in text form
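How the stream handling listed above works in practice, as an added example that is not PDF Stream Dumper's code: a small dumper that locates stream objects, reads each object's /Filter entry, applies the chain in array order (FlateDecode, ASCIIHexDecode, ASCII85Decode and RunLengthDecode are implemented; LZWDecode is reported as unsupported, the way unsupported_filters.vbs would list the file), compares the raw data against /Length, and runs the same kind of dumb string scan over the decoded bytes. The PDF it parses is constructed inside the code, with JavaScript hidden behind an ASCIIHex-over-Flate chain; the object layout, the flat-dictionary regex and the suspicious-string list are assumptions made for the example.

```python
import base64
import binascii
import re
import zlib


def build_sample_pdf():
    """Constructed two-stream document (no xref table; the dumper does not need one)."""
    js = b'app.alert("hi"); var sc = unescape("%u9090%u9090"); eval(sc);'
    s4 = binascii.hexlify(zlib.compress(js)).upper() + b">"     # deflated, then hex-encoded
    s5 = zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET")
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /Length " + str(len(s4)).encode()
        + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n" + s4 + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length " + str(len(s5)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + s5 + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def flate_decode(data):
    # decompressobj tolerates trailing garbage after the zlib stream, which exploit PDFs often carry.
    return zlib.decompressobj().decompress(data)


def ascii_hex_decode(data):
    body = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(body) % 2:
        body += b"0"                      # a final odd digit is treated as if followed by 0
    return binascii.unhexlify(body)


def ascii85_decode(data):
    return base64.a85decode(data.split(b"~>", 1)[0])


def run_length_decode(data):
    out, i = bytearray(), 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 128:                 # EOD
            break
        if length < 128:                  # literal run of length+1 bytes
            out += data[i:i + length + 1]
            i += length + 1
        else:                             # next byte repeated 257-length times
            out += bytes([data[i]]) * (257 - length)
            i += 1
    return bytes(out)


FILTERS = {"FlateDecode": flate_decode, "ASCIIHexDecode": ascii_hex_decode,
           "ASCII85Decode": ascii85_decode, "RunLengthDecode": run_length_decode}
SUSPICIOUS = (b"unescape(", b"eval(", b"%u", b"String.fromCharCode(")

# Stream objects with a flat dictionary (no nested << >>); nested dictionaries
# and obfuscated object headers need a real tokenizer rather than a regex.
STREAM_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_filters(dictionary):
    """/Filter is one name or an array; decoding applies the filters in array order."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    return [name.decode() for name in re.findall(rb"/(\w+)", m.group(1))] if m else []


def apply_filters(data, filters):
    for name in filters:
        if name not in FILTERS:
            raise ValueError("unsupported filter " + name)
        data = FILTERS[name](data)
    return data


def dump_streams(pdf):
    records = []
    for m in STREAM_RE.finditer(pdf):
        raw, dictionary = m.group(3), m.group(2)
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        record = {"obj": int(m.group(1)), "offset": m.start(3), "filters": parse_filters(dictionary),
                  "length_ok": length is None or int(length.group(1)) == len(raw),
                  "raw": raw, "data": None, "error": None}
        try:
            record["data"] = apply_filters(raw, record["filters"])
        except (ValueError, zlib.error, binascii.Error) as exc:
            record["error"] = str(exc)
        records.append(record)
    return records


def flag_suspicious(data):
    return [p.decode() for p in SUSPICIOUS if data and p in data]


if __name__ == "__main__":
    for rec in dump_streams(build_sample_pdf()):
        print("obj %d @%d filters=%s length_ok=%s error=%s hits=%s" % (
            rec["obj"], rec["offset"], rec["filters"], rec["length_ok"],
            rec["error"], flag_suspicious(rec["data"])))
```

A /Length that disagrees with the bytes between stream and endstream is itself worth reporting: readers differ in which they trust, and exploit authors use the disagreement to show one reader a benign stream and another the payload.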
Also listed in: Data Search and Extraction Tools

