# Reverse Engineering Malware Toolkits

## Linux

For Linux, a complete toolkit has already been assembled with all the essential tools; all you need to do is download the distribution and install it in a VM.

## Windows

For Windows, unfortunately, you must assemble your own environment piece by piece. Starting from a fresh Windows 10 64-bit installation, you will want:
| Category | Tool | Purpose |
|---|---|---|
| Tools | 7-Zip | Decompress a wide variety of file types |
| Tools | Notepad++ | Text editor |
| Tools | Python 3.6.x | Scripting language |
| Tools | WinSCP | Secure file transfer |
| Tools | Visual C++ 2010 Redistributable Package (x86) | |
| Tools | Visual C++ 2013 Redistributable Package (x86) | |
| Unpacking | UPX | Packer/unpacker for executables |
| Unpacking | Scylla | Recover executable from packed binary after running (Blog post on usage) |
| Unpacking | Universal Import Fixer (UIF) | Reveal obfuscated imports in binary |
| Unpacking | Imports Fixer | Reveal obfuscated imports in binary |
| Unpacking | Exeinfo PE | Packer, unpacker, data detector |
| Unpacking | Detect It Easy | Packer identifier |
| Unpacking | Bytehist | Produces byte usage histogram (hints if file is packed/compressed) |
| Unpacking | pe-unmapper | Can recover PE executable dumped from memory |
| Decoding | strings2 | Extract ASCII and Unicode strings from binary data |
| Decoding | HxD | Hex Editor |
| Decoding | BinText | Extract ASCII and Unicode strings from binary data |
| Decoding | scdbg | Show all Windows API functions called by shellcode |
| Decoding | jmp2it | Transfer EIP control to shellcode (Blog post on usage) |
| Behavior Analysis | ProcDOT | Visual malware analysis (Requires WinDump and GraphViz to be installed) |
| Behavior Analysis | API Monitor | Monitor and control API calls made by processes |
| Behavior Analysis | Process Monitor | Show real-time file system, Registry and process/thread activity |
| Behavior Analysis | Process Hacker | Open source clone of classic Process Explorer tool |
| Behavior Analysis | Wireshark | Network packet capture and analysis |
| Behavior Analysis | Noriben | Malware analysis sandbox |
| Behavior Analysis | Regshot | Registry snapshot and comparison utility |
| Behavior Analysis | TcpLogView | Simple viewer for active TCP connections |
| Behavior Analysis | HashMyFiles | Calculate hash values (MD5, SHA, etc.) of files |
| Behavior Analysis | Fiddler | Web debugging proxy (edit and analyze HTTP/HTTPS traffic in-flight) |
| Behavior Analysis | AutoRuns | Show programs that will run automatically (i.e. persistence) |
| PE File Analysis | PeStudio | Malware static analysis assessment tool |
| PE File Analysis | CFF Explorer | Editor for PE files |
| PE File Analysis | IDA Freeware 5.0 | Disassembler, debugger, and (add-on) decompiler. $$$$ for Pro version. |
| PE File Analysis | OllyDbg 2 + OllyDumpEx | Disassembler and debugger |
| PE File Analysis | x64dbg | x64/x32 Windows debugger |
| PE File Analysis | ScyllaHide | Plugin for x64dbg (and OllyDbg 2, and others) - performs anti-anti-debugging to hide your analysis tool from the malware |
| PE File Analysis | xAnalyzer | Plugin for x64dbg - performs additional static analysis on function definitions, arguments, and data types |