Utilities
You know it. It's a great archiver, but it also opens and can parse and extract content from PE files, OLE files and others. Really a must.
CLI program to download malware samples from MalwareBazaar and check URLs against SpamHaus. To use it, open a Command Prompt and type `bazzar -h`.
A web app that runs locally and provides a set of useful tools like converters (base64, ROT13, etc).
CLI program to calculate the entropy of multiple files at once. Open a Command Prompt and type `entropy`.
Nice simple tool to show the description of error codes used by the Windows API. It accepts input in decimal or in hexadecimal with a 0x prefix.
When reversing GUI Windows programs, you may want to enable/disable controls in a window. This is the tool for that.
Have you ever needed manpage-like documentation for Windows API functions? Now you have it. Let's say you want to see how the LoadLibrary function works: just open a Command Prompt and use `manw` like this:

```
c:\>manw loadlibrary
LoadLibraryA function (libloaderapi.h) - Win32 apps
Exported by: Kernel32.dll
Loads the specified module into the address space of the calling process.
HMODULE LoadLibraryA(
  LPCSTR lpLibFileName
);
Return value: If the function succeeds, the return value is a handle to the module.If the function fails, the return value is NULL.
Source: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya
```
Or maybe you want to recall what the Process Environment Block (PEB) structure looks like:

```
c:\>manw PEB
PEB (winternl.h) - Win32 apps
Contains process information.
typedef struct _PEB {
  BYTE Reserved1[2];
  BYTE BeingDebugged;
  BYTE Reserved2[1];
  PVOID Reserved3[2];
  PPEB_LDR_DATA Ldr;
  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
  PVOID Reserved4[3];
  PVOID AtlThunkSListPtr;
  PVOID Reserved5;
  ULONG Reserved6;
  PVOID Reserved7;
  ULONG Reserved8;
  ULONG AtlThunkSListPtr32;
  PVOID Reserved9[45];
  BYTE Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE Reserved11[128];
  PVOID Reserved12[1];
  ULONG SessionId;
} PEB, *PPEB;
Source: https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
```

Another good thing about `manw` is that it keeps a local cache of everything you have queried, so it doesn't have to go to the internet every time. Neat stuff.
Great, lightweight text/code editor. Useful when analyzing scripts, for example.
Adds a hash tab when you right-click a file and go to its Properties. It supports lots of different hashing algorithms, VirusTotal querying, and more. It's really a must.
Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes, running malware or installing a new software product.
Everything you do in the VirusTotal web UI, from the command line. Open a Command Prompt and type `vt --help` to see its usage.
Call any Windows API function from the command line. Examples:

```
winapiexec user32.dll@MessageBoxW 0 "World!" "Hello" 0
```

Shorter way:

```
winapiexec u@MessageBoxW 0 "World" "Hello" 0
```

`kernel32.dll` is the default if you don't specify a DLL:

```
winapiexec @Sleep 0x3e8
```

It also supports nested functions. Check the author's website.