Malware Analysis Tools

While it is a lot of fun to parse structures from a hex dump or disassemble opcodes in my head, I rely on many tools to reverse engineer software efficiently. In general, it does not matter which tools you use. It only matters that you know how to use them. However, finding the right tool for the task at hand is not always easy.

Below is a non-exhaustive list of tools I use regularly during malware analysis. Many of these tools have been recommended to me by very talented and experienced colleagues. Others I found while reading blogs or malware analysis reports. I hope this list inspires you to incorporate some of these tools into your analysis process.

Static analysis

Portable Executable (PE) and Component Object File Format (COFF) viewers


Robust PE/COFF file viewer for 32-bit files.

CFF Explorer

Powerful PE/COFF file viewer for 32-bit and 64-bit files. Lets you edit files easily and includes a useful resource viewer.


Probably the best tool to inspect an executable's resources.

IDA Pro Plugins

Shellcode hashes

Part of

Searches the IDB for known shellcode API hashes and annotates the database with the respective function names.
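To see what such a plugin actually does under the hood, here is an added stand-alone example (not code from the original post or from any IDA plugin). It assumes the shellcode uses the classic "ror 13, add byte" loop over the ASCII export name with the terminating null folded in, and that the resulting 32-bit constants sit in the code as little-endian immediates (for instance after a PUSH imm32 opcode). The API list and the sample blob are constructed here for the demonstration; a real tool builds its table from the exports of the system DLLs.

```python
"""Locate ROR13 API-name hashes inside a shellcode blob and name them.

Added example, not part of the original post or of any IDA plugin.
Assumptions: the shellcode hashes each ASCII export name with
h = ror(h, 13) + byte, null terminator included, and the constants
appear as 32-bit little-endian immediates. API_NAMES and the sample
blob are constructed for the demonstration.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13(data: bytes) -> int:
    """Classic shellcode hash: for every byte, h = ror(h, 13) + byte.

    Hashes exactly the bytes given; append b"\\0" when the shellcode's
    loop also folds in the terminator, as most ROR13 loaders do.
    """
    h = 0
    for byte in data:
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed list of export names a hash-resolving loader typically
# looks up; a real tool derives this from the exports of system DLLs.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
    "ExitProcess", "WinExec", "Sleep", "CloseHandle",
]

# Reverse lookup: hash value -> API name (terminator included).
HASH_TABLE = {ror13(name.encode() + b"\0"): name for name in API_NAMES}


def find_hashes(blob: bytes, table=HASH_TABLE):
    """Scan every 4-byte window of `blob` for known hashes.

    Returns a list of (offset, name) pairs, the offset pointing at the
    immediate itself, in ascending order.
    """
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        name = table.get(value)
        if name is not None:
            hits.append((off, name))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for hashed-API shellcode: one PUSH imm32 per hash."""
    blob = b"\x90"                                 # nop
    for name in ("LoadLibraryA", "GetProcAddress", "ExitProcess"):
        blob += b"\x68" + struct.pack("<I", ror13(name.encode() + b"\0"))
    blob += b"\xff\xd7"                            # call edi
    return blob


SAMPLE = build_sample()

if __name__ == "__main__":
    for off, name in find_hashes(SAMPLE):
        print(f"0x{off:04x}: {name}")
```

Inside IDA the same lookup drives the annotation step: walk the immediates the disassembler already knows about, look each one up in the table, and attach the resolved name as a comment at that address. The hard part in practice is not the scan but the table, since every family picks its own rotate count, terminator handling, and module-name mixing, which is why such plugins ship many hash variants.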


Part of

Specify or choose a function prototype for indirect calls. Helpful when analyzing malware that resolves Windows API calls at runtime.


Diff binaries on disassembly level. Helpful when comparing malware variants.



Sometimes still useful for packer and compiler detection. The Krypto ANALyzer (KANAL) plugin, which spots cryptographic constants, is very helpful.


Decodes obfuscated strings from Windows PE files and shellcode. Lets you pull the results into other analysis frameworks. Also a shameless plug.


Find differences and similarities in disassembled code.

Dynamic analysis

Process Monitor

Monitor malware behavior in real-time.


The dynamic network analysis tool. Simulates a network on the local system.


Dump memory and reconstruct imports for 32-bit and 64-bit processes.

Process Hacker

Very powerful system activity monitor. Provides extensive process information and lets you read, modify, and dump process memory.


What tools do you prefer to use? Is there a better alternative to a tool I have listed? Please let me know in the comments below.
