Malware Analysis Tools

While it is a lot of fun to parse structures from a hex dump or disassemble opcodes in my head, I rely on many tools to reverse engineer software efficiently. In general, it does not matter which tools you use. It only matters that you know how to use them. However, finding the right tool for the task at hand is not always easy.

Below is a non-exhaustive list of tools I use regularly during malware analysis. Many of these tools have been recommended to me by very talented and experienced colleagues. Others I found while reading blogs or malware analysis reports. I hope this list inspires you to incorporate some of these tools into your analysis process.

Static analysis

Portable Executable (PE) and Component Object File Format (COFF) viewers

PEview

http://wjradburn.com/software/

Robust PE/COFF file viewer for 32-bit files.

CFF Explorer

http://www.ntcore.com/exsuite.php

Powerful PE/COFF file viewer for 32-bit and 64-bit files. Allows files to be edited easily. Useful resource viewer.

ResHacker

http://www.angusj.com/resourcehacker/

Probably the best tool to inspect an executable's resources.
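The viewers above all read the same on-disk structures: the MZ stub, the PE signature, the COFF file header, the optional header and the section table. As an added example (not code from any of the tools listed), the following Python parses those headers from a minimal, constructed PE-shaped byte string, reports whether the image is PE32 (32-bit) or PE32+ (64-bit), and flags a section whose raw data runs past the end of the file, a common sign of a truncated or packed sample. The sample image and its section layout are constructed here purely for illustration.

```python
import struct

# Well-known constants from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B      # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B  # optional header magic for 64-bit images

COFF_HEADER_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp,
                                    # PointerToSymbolTable, NumberOfSymbols,
                                    # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def build_sample_pe(machine, magic):
    """Constructed sample input: a minimal PE-shaped image (not a real executable).

    The DOS header is 0x40 bytes with e_lfanew pointing straight at "PE\0\0";
    the optional header is zero-filled apart from its magic; two sections follow;
    the file is padded so that both sections' raw data lies inside the file.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0 if magic == PE32_MAGIC else 0xF0
    coff = struct.pack(COFF_HEADER_FMT, machine, 2, 0x5F000000, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", magic) + b"\x00" * (size_opt - 2)
    sections = b""
    for name, vsize, vaddr, rsize, rptr, chars in [
        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),  # code, exec+read
        (b".data", 0x0200, 0x2000, 0x200, 0x600, 0xC0000040),  # data, read+write
    ]:
        sections += struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    image = dos + b"PE\x00\x00" + coff + opt + sections
    return image + b"\x00" * (0x800 - len(image))


def parse_pe(data):
    """Parse the DOS/PE/COFF headers and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is attacker-controlled input: bounds-check it before dereferencing
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, timestamp, _, _, size_opt, chars = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    bits = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if bits is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    sections = []
    sec_off = opt_off + size_opt
    for i in range(nsec):
        off = sec_off + i * struct.calcsize(SECTION_HEADER_FMT)
        if off + struct.calcsize(SECTION_HEADER_FMT) > len(data):
            raise ValueError("section table truncated")
        f = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_pointer": f[4],
            "characteristics": f[9],
            # raw data extending past EOF: truncated download, or a packer
            # that relies on the loader zero-filling the section in memory
            "raw_overruns_file": f[4] + f[3] > len(data),
        })
    return {
        "machine": {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine)),
        "bits": bits,
        "timestamp": timestamp,
        "characteristics": chars,
        "sections": sections,
    }


if __name__ == "__main__":
    for label, mach, magic in [("pe32", IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
                               ("pe32+", IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)]:
        info = parse_pe(build_sample_pe(mach, magic))
        print(label, info["machine"], info["bits"], [s["name"] for s in info["sections"]])
```

The overrun flag is the kind of sanity check a viewer shows only implicitly (as a raw pointer larger than the file size); computing it explicitly is useful when triaging many samples at once.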

IDA Pro Plugins

Shellcode hashes

Part of https://github.com/fireeye/flare-ida/

Searches IDB files for shellcode hashes and annotates the database with the respective function names.
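Shellcode that resolves Windows APIs at runtime often stores a hash of the export name instead of the name itself, so the constants an analyst sees in the disassembly are meaningless until they are matched against a precomputed table. As an added example (not the flare-ida plugin's own code), the following Python builds such a table for one common scheme, a 32-bit ROR13 rolling hash over the ASCII export name, and then maps a list of constants back to DLL and function names. The export list and the constants to annotate are constructed here for illustration; a real table is generated from the exports of the actual system DLLs, and a lookup tool would support many more hashing schemes than this one.

```python
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    value &= MASK32
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """ROR13 add-hash over the ASCII bytes of an export name (one common scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed sample export list; a real table is built from the DLLs' export directories
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA"],
    "ws2_32.dll": ["WSAStartup", "connect", "recv", "send"],
}


def build_hash_table(exports, hasher=ror13_hash):
    """Map hash -> list of (dll, name). Lists, not single entries, because
    different names can collide under a weak 32-bit hash."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hasher(name), []).append((dll, name))
    return table


def annotate_constants(constants, table):
    """Return {constant: [(dll, name), ...]}; an empty list means no match,
    which usually indicates a different hashing scheme or a DLL not in the table."""
    return {c & MASK32: table.get(c & MASK32, []) for c in constants}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed stand-in for immediates pulled from a disassembly listing
    seen = [ror13_hash("LoadLibraryA"), ror13_hash("WSAStartup"), 0x12345678]
    for const, matches in annotate_constants(seen, table).items():
        print("0x%08x -> %s" % (const, matches or "unresolved"))
```

Keeping collisions as lists rather than overwriting entries matters in practice: a false annotation in the database is harder to notice later than an unresolved constant.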

ApplyCalleeType

Part of https://github.com/fireeye/flare-ida/

Specify or choose a function type for indirect calls. Helpful for analysis of malware that resolves Windows API calls at runtime.

IDACompare

https://github.com/dzzie/IDACompare

Diff binaries on disassembly level. Helpful when comparing malware variants.

General

PEid

https://www.aldeid.com/wiki/PEiD

Sometimes still useful for packer and compiler detection. The Krypto ANALyzer (KANAL) plugin is very helpful.

FLOSS

https://github.com/fireeye/flare-floss/

Decodes obfuscated strings from Windows PE files and shellcode. Results can be pulled into other analysis frameworks. Also a shameless plug.

Bindiff

https://www.zynamics.com/software.html

Find differences and similarities in disassembled code.

Dynamic analysis

Process Monitor

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Monitor malware behavior in real-time.

FakeNet-NG

https://github.com/fireeye/flare-fakenet-ng

The dynamic network analysis tool. Simulates a network on the local system.

Scylla

https://github.com/NtQuery/Scylla

Dump memory and reconstruct imports for 32-bit and 64-bit processes.

Process Hacker

http://processhacker.sourceforge.net/

Very powerful system activity monitor. Provides extensive process information. Allows reading, modifying, and dumping process memory.


What tools do you prefer to use? Is there a better alternative to a tool I have listed? Please let me know in the comments below.
