Graphical program to detect PE and ELF anomalies.
capa contains a set of rules to detect capabilities from PE files. To use it, open a Command Prompt and type:
capa -h
Detect It Easy (DIE) is probably the best tool to identify protectors, packers, compilers and linkers used with PE files. It also has an integrated hexadecimal viewer, PE headers parsing/editing capabilities, hash tool, MIME tool and more.
Command-line tool to convert a DLL to an EXE.
Old-school PE analyzer with very interesting features. To mention a few:
- Packer/Protector/Compiler detector.
- Find code caves (zero/NOP byte sequences).
- Overlay detection and extraction.
- Embedded files finder/extractor.
- Scripting (you can use it to patch files mainly).
FireEye (now Mandiant) Labs Obfuscated String Solver (FLOSS) is a command-line program that automatically deobfuscates strings from malware binaries. Open a Command Prompt to see its help:
floss -h
Very complete graphical tool to analyze PE files. It parses and can edit all PE headers, add sections, show statistics, disassemble and more.
PE viewer with a strong focus on malware first assessment. Features include a VirusTotal check, suspicious string highlighting and ATT&CK matrix mapping.
A set of command-line tools to work with PE files. Tools include:
- readpe - a PE parser
- pedis - a disassembler
- peres - a resource extractor
- pescan - a scanner
- pepack - a packer detector
- pesec - a security features detector and certificate extractor
readpe tools support different output formats including JSON, XML and HTML. It's nice for file processing at scale.
redress is a tool for analyzing stripped Go binaries. To use it, try this out in a Command Prompt:
redress -h
ResHack is a must. It can do literally anything related to PE resources, including compiling and decompiling RC scripts and extracting resources. It also runs from the command line. It is particularly useful because some malware samples use resources to store configuration files or additional payloads in the .rsrc section. Normally you see calls to functions like FindResource, LoadResource, etc. A good example is HDDCryptor/Mamba ransomware.
Powerful tool (and Python library) to emulate PE binaries and Windows API calls.
PE analyzer with interesting features, including a very useful PE header comparison.
An inspection tool for UWP and WinUI 3 applications. Seamlessly view and manipulate UI elements and their properties in real time.
Let's say you want to find which DLL contains a certain function. What do you do? That's basically what WinAPI Search is for. But the author went further and added support for regex, error code search, and more.