While it is a lot of fun to parse structures from a hex dump or disassemble opcodes in my head, I rely on many tools to reverse engineer software efficiently. In general, it does not matter which tools you use. It only matters that you know how to use them. However, finding the right tool for the task at hand is not always easy.
Below is a non-exhaustive list of tools I use regularly during malware analysis. Many of these tools have been recommended to me by very talented and experienced colleagues. Others I found while reading blogs or malware analysis reports. I hope this list inspires you to incorporate some of these tools into your analysis process.
Portable Executable (PE) and Component Object File Format (COFF) viewers
Robust PE/COFF file viewer for 32-bit files.
Powerful PE/COFF file viewer for 32-bit and 64-bit files. Allows files to be edited easily and includes a useful resource viewer.
Probably the best tool for inspecting an executable's resources.
IDA Pro Plugins
Searches IDB files for shellcode API hashes and annotates the database with the respective function names.
Lets you specify or choose a function prototype for indirect calls. Helpful when analyzing malware that resolves Windows API calls at runtime.
Diffs binaries at the disassembly level. Helpful when comparing malware variants.
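The first two plugins above deal with the same problem from two sides: position-independent shellcode and a lot of malware do not import Windows APIs by name, they carry a hash of the export name and walk the export table of the target DLL at runtime until a name hashes to the same value. The analyst's countermeasure is to precompute the hashes of known exports and match them against constants found in the code. The following Python is an added example of that lookup, not code from the post or from the plugin it describes: the export list, the shellcode fragment and the "resolver lives in EBP" convention are constructed for the example; the ROR13-without-NUL variant it implements is the classic one and hashes "LoadLibraryA" to 0xEC0E4E8E, and the rotation count and NUL handling are parameters because other families differ.

```python
import struct

# Added example, not part of the original post or of any tool listed in it.
# Shows the technique behind "shellcode hash" lookups: shellcode refers to a
# Windows API by a hash of its export name, so the analyst precomputes hashes
# for known exports and matches 32-bit constants in the code against them.

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror_hash(name, count=13, include_nul=False):
    """Classic ROR export hash: h = ror(h, count) + byte, for each byte of the name.

    count=13 without the terminating NUL is the widely used "ROR13" variant.
    Other shellcode families include the NUL byte or use another rotation,
    hence the parameters; build one table per variant you expect to meet.
    """
    data = name.encode("ascii")
    if include_nul:
        data += b"\x00"
    h = 0
    for byte in data:
        h = (ror32(h, count) + byte) & MASK32
    return h


# Constructed export list. A real database is generated from the export
# directories of the DLLs of interest (kernel32, ws2_32, ntdll, ...).
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess", "VirtualAlloc", "WinExec"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect"],
}


def build_hash_db(exports, hash_func=ror_hash):
    """Map hash value -> list of "dll!Export" names (distinct exports can collide)."""
    db = {}
    for dll, names in exports.items():
        for name in names:
            db.setdefault(hash_func(name), []).append(f"{dll}!{name}")
    return db


def find_hashes(blob, db):
    """Scan a byte blob for 32-bit little-endian constants present in the hash table.

    Returns (offset, value, names) tuples. Every byte offset is tried because the
    constant may be a push imm32, a mov operand or plain data in the blob.
    """
    hits = []
    for offset in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, offset)[0]
        if value in db:
            hits.append((offset, value, db[value]))
    return hits


# Constructed shellcode fragment (not taken from any real sample): two API hashes
# are pushed before calling a resolver routine assumed to be addressed by EBP.
SAMPLE_SHELLCODE = b"".join([
    b"\xFC",                                                  # cld
    b"\x68\x8E\x4E\x0E\xEC",                                  # push 0xEC0E4E8E ; ROR13("LoadLibraryA")
    b"\xFF\xD5",                                              # call ebp
    b"\x68" + struct.pack("<I", ror_hash("GetProcAddress")),  # push ROR13("GetProcAddress")
    b"\xFF\xD5",                                              # call ebp
    b"\xC3",                                                  # ret
])


def annotate(blob=SAMPLE_SHELLCODE, exports=SAMPLE_EXPORTS):
    """Return one human-readable annotation per resolved hash constant."""
    db = build_hash_db(exports)
    return [f"{off:#06x}: {val:#010x} -> {', '.join(names)}"
            for off, val, names in find_hashes(blob, db)]


if __name__ == "__main__":
    for line in annotate():
        print(line)
```

Inside IDA the same loop would walk immediate operands instead of raw bytes and call the database's comment functions at each hit; the scan over every byte offset is what makes the table approach work on a raw shellcode blob before it has been disassembled. Keep the false-positive rate in mind: a table of thousands of exports matched against every 4-byte window will occasionally hit by chance, so confirm a hit by checking that the constant feeds a call to a resolver-like routine.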
Sometimes still useful for packer and compiler detection. Its Krypto ANALyzer (KANAL) plugin, which finds the constants of well-known cryptographic algorithms in a file, is very helpful.
Decodes obfuscated strings in Windows PE files and shellcode. Results can be pulled into other analysis frameworks. Also a shameless plug.
Finds differences and similarities in disassembled code.
Monitors malware behavior in real time.
A dynamic network analysis tool that simulates a network on the local system.
Dumps process memory and reconstructs imports for 32-bit and 64-bit processes.
Very powerful system activity monitor. Provides extensive process information and allows process memory to be read, modified, and dumped.
What tools do you prefer to use? Is there a better alternative to a tool I have listed? Please let me know in the comments below.