This post is part of a series of posts categorized as “Wiki” that contain basic how-to information. The intent is to create a reference repository for myself, but I’m not selfish so if anyone else can also benefit from it then I’m happy to share the knowledge!
There are so many great tools that can help with malware analysis and I find myself forgetting which ones I’ve heard of. A lot of the tools in this list I originally learned about from one of two sources: the book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig; the SANS FOR610: Reverse-Engineering Malware course by Lenny Zeltser and Anuj Soni.
Many of these tools can be found bundled together for Windows in “FLARE VM” or for Linux in “REMnux.” Both are free.
Basic Static Analysis
| Name | Usage Cases |
|---|---|
| base64 | [Linux] Encode or decode base64 |
| BinText | [Windows] Examine ASCII and Unicode strings in a file |
| Detect It Easy | [Linux/Windows] Identify PE header details, compiler, programming language; Linux GUI is die, command line is diec |
| CFF Explorer | [Linux/Windows] PE editing |
| CScript | [Windows] JavaScript and VBScript interpreter for deobfuscation |
| Exeinfo PE | [Windows] Identify PE header details, compiler, programming language, and extract artifacts |
| exiftool | [Linux] Extracts file metadata |
| HxD | [Windows] Hex editor (file and memory), file hash, file comparison |
| MASTIFF (mas.py) | [Linux] Automated extraction of properties, including fuzzy hash, hex dump, section hashes, imports, yara rule checking, strings , resource extraction, and other helpful properties |
| Notepad++ | [Windows] Text editor with plugins: JSTool (minify JavaScript to remove extraneous code, beautify to make JavaScript readable); Npp Converter (convert ASCII/Hex); MIME Tools (Base64 encode/decode, URL encode/decode, SAML decode); Compare (compare files side by side) |
| peframe | [Linux] Hashes, interesting functionality, suspicious API, and other helpful properties |
| pescan | [Linux] Windows executable anomalies detection |
| pescanner.py | [Linux/Windows] Section hashes, entry point, imports and suspicious IAT entries, and other helpful properties |
| pestr | [Linux] Extract strings from Windows executable (ASCII and Unicode at same time); –net extracts only networking strings |
| PeStudio | [Windows] Section hashes, strings, indicators of maliciousness, entropy, imports, exports, and other helpful properties |
| portex | [Linux/Windows] Section hashes, entropy, imports, API functionality summary, anomaly detection, and other helpful properties |
| signsrch | [Linux/Windows] Identify compression, crypto functionality |
| SpiderMonkey | [Linux/Windows] JavaScript interpreter for deobfuscation |
| strings | [Linux/Windows] Extract strings from file (ASCII by default, Unicode with –encoding=-l); -a all file if compiled |
| strings2 | [Windows] Extract ASCII and Unicode strings from file or active running process |
| translate.py | [Linux/Windows] Bitwise operations on file, such as XOR, ROL/ROR, etc. |
| trid | [Linux] Identify file type |
| V8 | [Linux/Windows] JavaScript interpreter for deobfuscation |
| xor-kpa.py | [Linux/Windows] Derive XOR key and perform XOR operations |
| xxd | [Linux] Make a hex dump or revert a hex dump to binary |
Basic Dynamic Anlysis
| Name | Usage Cases |
|---|---|
| accept-all-ips | [Linux] Wrapper script to enable and disable iptables intercepting and redirecting direct IP connections |
| Apache/httpd | [Linux] Webserver |
| ApateDNS | [Windows] Responds to DNS queries redirecting traffic to user-specified IP address |
| box-js | [Linux] Analyze JavaScript while emulating Windows runtime components |
| Burp | [Linux/Windows] Display host HTTP and HTTPS traffic and debug web applications |
| CapTipper | [Linux/Windows] Analyze and extract files from a .pcap |
| curl | [Linux/Windows] Download files or website assets |
| fakedns | [Linux] Responds to DNS queries redirecting traffic to the host IP running fakedns |
| FakeNet-NG | [Windows] Emulate network protocols and redirect network connections |
| Fiddler | [Windows] Display host HTTP and HTTPS traffic and debug web applications |
| iptables | [Linux] Redirect IP traffic |
| INetSim | [Linux] Emulate network protocols, as well as view decrypted HTTPS traffic |
| Netcat | [Linux/Windows] Listen to port |
| NetworkMiner | [Linux/Windows] GUI analysis and extraction of files from a .pcap |
| PE Capture | [Windows] Monitors for and and records any executables that run |
| ProcDOT | [Windows] Visually examine a Process Monitor log |
| Process Explorer | [Windows] Monitor system resources and other helpful features |
| Process Hacker | [Windows] Monitor system resources, view open network connections, examine runtime memory, and other helpful features |
| Process Monitor | [Windows] Realtime file system, Registry, process and thread activity recording |
| RegShot | [Windows] Capture and compare Registry snapshots |
| strings2 | [Windows] Extract ASCII and Unicode strings from file or active running process |
| TcpLogView | [Windows] Records opening and closing of TCP connections |
| Thug | [Linux/Windows] Low-interaction honeyclient for looking at malicious websites |
| TOR | [Linux/Windows] Hide IP when interacting with C2 servers or other malicious hosts |
| VPN | [Linux/Windows] Hide IP when interacting with C2 servers or other malicious hosts |
| wget | [Linux/Windows] Download files or website assets |
| Wireshark | [Linux/Windows] Network packet capture and extract files from .pcap |
Advanced Static and Dynamic Analysis
| Name | Usage Cases |
|---|---|
| API Monitor | [Windows] Monitor and examine API calls of a running process |
| Binary Ninja | [Linux/Windows] Disassembler and decompiler (beta at this time) |
| dnSpy | [Windows] Debugger and .NET assembly editor |
| Ghidra | [Windows] Disassembler and decompiler, static code analysis |
| Hopper | [Linux] Disassembler and decompiler |
| IDA | [Windows] Disassembler and decompiler, static code analysis |
| jmp2it | |
| OllyDumpEx | |
| Radare2 | [Linux/Windows] Disassembler, debugger, and other helpful features |
| scdbg | [Windows] Shellcode emulator |
| Scylla | |
| x32dbg & x64dbg | [Windows] Debugging, static code analysis |
| Windbg | [Windows] Debugging, static code analysis |
Malicious Documents
| Name | Usage Cases |
|---|---|
| base64dump.py | [Linux/Windows] Extract encoded strings from file, base64 by default but others available |
| olebrowse.py | [Linux/Windows] Examine OLE2 files and streams |
| olecfexport | [Linux/Windows] Examine OLE2 file streams |
| olecfinfo | [Linux/Windows] Examine OLE2 files |
| oledir.py | [Linux/Windows] Examine OLE2 files |
| oledump.py | [Linux/Windows] Explore Microsoft Office file contents and identify and dump streams with macros |
| olevba.py (part of oletools) | [Linux/Windows] Parse Microsoft Office files and extract macros |
| Origami PDF | [Linux] Parse and analyze PDF documents |
| pcodedmp.py | [Linux/Windows] Locate and extract macro p-code from Microsoft Office files |
| pdfid.py | [Linux/Windows] Identify high risk keywords and dictionary entries in a PDF |
| PDF Stream Dumper | [Windows] PDF analysis, JavaScript deobfuscation, shellcode |
| pdf-parser.py | [Linux/Windows] Examine structure of PDF and look at its contents |
| peepdf.py | [Linux/Windows] Get stats for a PDF and identify high risk keywords and dictionary entries, as well as examine structure of PDF and look at its contents |
| qpdf | [Linux/Windows] Convert encrypted, password protected PDF or PDF streams to unencrypted |
| rtfdump.py | [Linux/Windows] Examine and dump contents of RTF files |
| rtfobj.py | [Linux/Windows] Dump objects from RTF files |
| shellcode2exe.py | [Linux/Windows] Convert shellcode to Windows executable |
| SSview | [Windows] View and extract OLE2 contents |
| swf_mastah.py | [Linux/Windows] Extract Flash from PDF |
| unicode2hex-escaped | [Linux] Convert Unicode to hex |
| unicode2raw | [Linux] Convert Unicode to raw |