A collection of open source reverse engineering tools
3rd-party lists
- onethawt/idaplugins-list: a list of IDA plugins
- duo-labs/idapython - Duo Labs IDAPython Repository
- usualsuspect/ida_stuff
IOCTL / Windows driver
- mwrlabs/win_driver_plugin - A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers.
- nccgroup/DriverBuddy - DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.
Diff / Patch
- keypatch0 - A replacement of the internal IDA assembler
- McGill-DMaS/Kam1n0-Plugin-IDA-Pro - The Kam1n0 Assembly Clone Search Engine
- ohjeongwook/DarunGrim - A Binary Diffing and Patch Analysis Tool (v3) http://darungrim.org
- debasishm89/MassDiffer - Large Scale Cumulative Binary Diffing Script
- joxeankoret/diaphora - the most advanced Free and Open Source program diffing tool
FLIRT / Signatures
- Maktm/FLIRTDB - A community driven collection of IDA FLIRT signature files
- polymorf/findcrypt-yara - IDA pro plugin to find crypto constants (and more)
- L4ys/IDASignsrch - IDAPython Plugin for searching signatures, use xml signature database from IDA_Signsrch
Web Assembly
UEFI
- kyurchenko/IDAPython-scripts-for-UEFI-analisys: Analysis of the disassembled UEFI image
- gdbinit/EFISwissKnife - An IDA plugin to improve (U)EFI reversing
Loader
Golang
- sibears/IDAGolangHelper - Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary
- strazzere/golang_loader_assist - Making GO reversing easier in IDA Pro
Auxiliary
- Ga-ryo/IDAFuzzy - Fuzzy search tool for IDA Pro
- avast-tl/retdec - a retargetable machine-code decompiler based on LLVM
- ampotos/dynStruct - Reverse engineering tool for automatic structure recovering and memory use analysis based on DynamoRIO and Capstone
- IDA StringCluster - extending IDA's string navigation capabilities
- ida_ea - A set of exploitation/reversing aids for IDA: Context Viewer, Instruction Emulator, Heap Explorer, Trace Dumper, CMD and Restyle
- ida-arm-system-highlight - Decoding ARM system instructions
- alexhude/FRIEND - Flexible Register/Instruction Extender aNd Documentation
- REhints/HexRaysCodeXplorer - Hex-Rays Decompiler plugin for better code navigation
- darx0r/Reef - IDAPython plugin for finding Xrefs from a function
- ALSchwalm/dwarfexport - Export dwarf debug information from IDA Pro
- maddiestone/IDAPythonEmbeddedToolkit - IDAPython scripts for automating analysis of firmware of embedded devices
- nccgroup/PythonClassInformer - an IDAPython plugin for viewing run-time type information
- tkmru/nao - Simple No-meaning Assembly Omitter for IDA Pro (CURRENTLY UNDER DEVELOPMENT)
- bkerler/uEmu - a tiny cute emulator plugin for IDA based on unicorn engine
- joxeankoret/idamagicstrings - An IDA Python script to extract information from string constants
Synchronization
- a1ext/labeless - Labels/Comments synchronization between IDA PRO and dbg backend (OllyDbg1.10, OllyDbg 2.01, x64dbg), Remote memory dumping tool (including x64-bit), Python scripting tool
- comsecuris/gdbida: a visual bridge between a GDB session and IDA Pro's disassembler
Unpacking
- DavidKorczynski/RePEconstruct - a tool for automatically unpacking binaries and rebuilding them in a manner well-suited for further analysis, especially manual analysis in IDA Pro.
- iwseclabs/gunpack
Devirtualize
Packing
Blockchain
Uncategorized
- TakahiroHaruyama/ida_haru - stackstring_static.py - IDAPython script statically-recovering strings constructed in stack
- deepinstinct/dsc_fix - Aids in reverse engineering libraries from dyld_shared_cache in IDA
- a1ext/auto_re - IDA PRO auto-renaming plugin with tagging support
- danigargu/heap-viewer - An IDA Pro plugin to examine the glibc heap, focused on exploit development
- nirizr/idasix - IDAPython compatibility library, aims to create a smooth ida development process and allow a single codebase to function with multiple IDA/IDAPython versions
- endgameinc/xori - an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data
- IDArlingTeam/IDArling - Collaborative Reverse Engineering plugin for IDA Pro & Hex-Rays
- xerub/idastuff
- NeatMonster/AMIE - A Minimalist Instruction Extender
- lucasg/idamagnum - a plugin for integrating MagnumDB requests within IDA
- 0xgalz/Virtuailor - IDAPython tool for creating automatic C++ virtual tables in IDA Pro
- binja-plugins/djumpo_unchained - de-obfuscates chained jumps
- ernw/binja-ipython - A plugin to integrate an IPython kernel into Binary Ninja
Plugin development
Uncategorized
- szimeus/evalyzer - Using WinDBG to tap into JavaScript and help with deobfuscation and browser exploit detection
- comaeio/SwishDbgExt - Incident Response & Digital Forensics Debugging Extension
- zodiacon/GflagsX - Enhanced version of the GFlags tool
- hugsy/gef - GDB Enhanced Features for exploit devs & reversers
- voltron - A hacky debugger UI for hackers
- pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy
- peda - Python Exploit Development Assistance for GDB
- hugsy/gef - https://github.com/hugsy/gef
- libptmalloc gdb plugin
- cyrus-and/gdb-dashboard - Modular visual interface for GDB in Python
Anti anti-VM
Behavior monitor
Debuggers
- iGio90/uDdbg - A gdb-like debugger that provides a runtime env for the unicorn emulator and additional features!
- mxmssh/drltrace - a library calls tracer for Windows and Linux applications
- Wenzel/r2vmi - Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins
- panda-re/panda - Platform for Architecture-Neutral Dynamic Analysis
- iGio90/Dwarf - a gui for android reverse engineers and crackers
- Cisco
Protocol / traffic analysis
- nccgroup/readable-thrift - makes binary Thrift protocol messages easy to work with by converting them to and from a human-friendly format
- google/ssl_logger - Decrypts and logs a process's SSL traffic
- laf0rge/udtrace - UNIX domain socket tracing LD_PRELOAD wrapper
- RPC
Diff
- joxeankoret/pigaios - A tool for matching and diffing source codes directly against binaries
- WalkingCat/SymDiff - Diff tool for comparing symbols in PDB files
U3D
- HearthSim/UnityHook - Platform to hook into Unity3D assemblies
- Perfare/Il2CppDumper - Get types, methods, fields and so on from Unity Il2Cpp binary file
PHP
Python
DotNet
- enkomio/shed - .NET runtime inspector
- williballenthin/python-dotnet-binaryformat - Pure Python parser for data encoded by .NET's BinaryFormatter
- enkomio/RunDotNetDll - A simple utility to list all methods of a given .NET Assembly and to invoke them
- jbevain/cecil - Cecil is a library to inspect, modify and generate .NET programs and libraries
- ILSpy plugins
Flash/ActionScript
QT
Mac
- wzqcongcong/macSubstrate - Substrate for macOS
- malus-security/sandblaster - the first tool that reverses binary sandbox profiles to their original SBPL format
- steven-michaud/HookCase - Tool for reverse engineering macOS/OS X
- SUpraudit - An actually useful praudit(1) for MacOS
iOS
- kernelcache - Identify and rename function stubs (plt entries) in an iOS kernelcache. ARM64 only. https://github.com/hzqst/VmwareHardenedLoader
- bazad/ida_kernelcache - An IDA Toolkit for analyzing iOS kernelcaches
Emulators
- Cisco-Talos/pyrebox - Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU
- QuarkslaB Dynamic binary Instrumentation
- lunixbochs/usercorn - dynamic binary analysis via platform emulation
- fireeye/flare-emu - marries IDA Pro’s binary analysis capabilities with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks
Binary tools
Graph / Visualization
- fireeye/SimplifyGraph - IDA Pro plugin to assist with complex graphs
- patois/IDACyber - visualizing the currently loaded IDB's data
Memory tools
Diff/Patch
Auxiliary
- fireeye/remote_lookup - scan a 32bit process and build an export name/address map which can be queried
- IDAConnect/IDAConnect - [WIP] Collaborative Reverse Engineering plugin for IDA Pro & Hex-Rays
Uncategorized
- cboin/re_lab - A portable reverse engineering environment using docker
- s7ephen/tlb_extract - Extract Typelib Data from portable executables (recursively within a directory)
- programa-stic/barf-project - A multiplatform open source Binary Analysis and Reverse engineering Framework
- m4b/bingrep - like grepUBER, but for binaries
- fireeye/flare-vm - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing
- blacknbunny/peanalyzer - Advanced Portable Executable File Analyzer And Disassembler
- agustingianni/symrepl - a small utility that helps you investigate the type information inside binaries
- NetSPI/PESecurity - PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode
- HarmJ0y/pylnker - a Python port of lnk-parse-1.0, a tool to parse Windows .lnk files
- s3team/VMHunt - Extraction and Simplification of Virtualized Binary Code
- apprenticeharper/DeDRM_tools - DeDRM tools for ebooks
- cea-sec/miasm - Reverse engineering framework in Python
- yifengyou/Code-virtualization-and-automation-analysis - Code virtualization and automated analysis
Wiki
- michalmalik/osx-re-101 - A collection of resources for OSX/iOS reverse engineering
- michalmalik/linux-re-101 - A collection of resources for linux reverse engineering
- recodeking/MalwareAnalysis - A curated list of awesome malware analysis tools and resources
- wtsxDev/Malware-Analysis - List of awesome malware analysis tools and resources
- yellowbyte/reverse-engineering-reference-manual - a collage of reverse engineering topics that I find interesting
- lmy375/awesome-vmp - Resources related to virtual machine analysis
Tutorials
- Binary protection schemes by Andrew Griffiths
- sigalor/whatsapp-web-reveng - Reverse engineering WhatsApp Web
- How to become the best Malware Analyst E-V-E-R
- Malicious Sample Analysis Handbook: Special Methods
Other articles