Reverse Engineering Malware Toolkits


For Linux, a ready-made toolkit has already been assembled with all the essential tools: download the distribution and install it in a VM.


For Windows, unfortunately, you must assemble your own environment piece by piece. Starting from a fresh Windows 10 64-bit installation (kept isolated from your host and snapshotted before the first sample runs, so you can revert to a clean state), you will want:

| Category | Tool | Purpose |
|---|---|---|
| Tools | 7-Zip | Decompress a wide variety of archive formats |
| Tools | Notepad++ | Text editor |
| Tools | Python 3.6.x | Scripting language |
| Tools | WinSCP | Secure file transfer (SFTP/SCP) |
| Tools | Visual C++ 2010 Redistributable Package (x86) | Runtime libraries required by tools built with Visual Studio 2010 |
| Tools | Visual C++ 2013 Redistributable Package (x86) | Runtime libraries required by tools built with Visual Studio 2013 |
| Unpacking | UPX | Packer/unpacker for executables |
| Unpacking | Scylla | Dump a running (already unpacked) process back to an executable and rebuild its import table (blog post on usage) |
| Unpacking | Universal Import Fixer (UIF) | Rebuild an obfuscated or destroyed import table in a dumped binary |
| Unpacking | Imports Fixer | Rebuild an obfuscated or destroyed import table in a dumped binary |
| Unpacking | Exeinfo PE | Identify the packer, compiler and file type of a sample |
| Unpacking | Detect It Easy | Packer identifier |
| Unpacking | Bytehist | Produce a byte-usage histogram (a flat, high-entropy distribution hints that the file is packed/compressed) |
| Unpacking | pe-unmapper | Convert a PE image dumped from memory back to its on-disk layout so it can be loaded as a file |
| Decoding | strings2 | Extract ASCII and Unicode strings from binary data |
| Decoding | HxD | Hex editor |
| Decoding | BinText | Extract ASCII and Unicode strings from binary data |
| Decoding | scdbg | Shellcode emulator; logs the Windows API functions the shellcode calls |
| Decoding | jmp2it | Transfer EIP control to a shellcode blob so it can be run under a debugger (blog post on usage) |
| Behavior Analysis | ProcDOT | Visualize Process Monitor and packet-capture output as a graph (requires WinDump and Graphviz to be installed) |
| Behavior Analysis | API Monitor | Monitor and control API calls made by processes |
| Behavior Analysis | Process Monitor | Show real-time file system, Registry and process/thread activity |
| Behavior Analysis | Process Hacker | Open-source alternative to the classic Process Explorer tool |
| Behavior Analysis | Wireshark | Network packet capture and analysis |
| Behavior Analysis | Noriben | Script that drives Process Monitor and condenses its log into a malware behavior report |
| Behavior Analysis | Regshot | Registry snapshot and comparison utility |
| Behavior Analysis | TcpLogView | Simple viewer for active TCP connections |
| Behavior Analysis | HashMyFiles | Calculate hash values (MD5/SHA/etc.) of files |
| Behavior Analysis | Fiddler | Web debugging proxy (edit and analyze HTTP/HTTPS traffic in flight) |
| Behavior Analysis | Autoruns | Show programs that will run automatically at boot/logon (i.e. persistence) |
| PE File Analysis | PeStudio | Static malware assessment tool for PE files |
| PE File Analysis | CFF Explorer | Editor for PE files |
| PE File Analysis | IDA Freeware 5.0 | Disassembler and debugger; the decompiler is a paid add-on to the $$$$ Pro version |
| PE File Analysis | OllyDbg 2 + OllyDumpEx | Disassembler and debugger, with a plugin to dump the debugged process to a PE file |
| PE File Analysis | x64dbg | x64/x32 Windows debugger |
| PE File Analysis | ScyllaHide | Plugin for x64dbg (and OllyDbg 2, and others) that performs anti-anti-debugging to hide your analysis tool from the malware |
| PE File Analysis | xAnalyzer | Plugin for x64dbg that performs additional static analysis on function definitions, arguments and data types |
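Two of the checks in the table (the byte histogram that Bytehist uses as a packing hint, and the ASCII/Unicode string extraction that strings2 and BinText perform) are simple enough to script yourself, which is handy when a tool is not installed in the VM yet. The following is an added example written for this page, not code from any of the tools listed above: it builds a byte histogram, computes Shannon entropy, applies an assumed cut-off of 7.0 bits per byte as the "probably packed" threshold, and pulls ASCII and UTF-16LE strings out of two constructed sample buffers (neither is real malware).

```python
"""Byte-histogram / entropy packing heuristic plus ASCII and UTF-16LE string
extraction. Illustrative code only; not the implementation of Bytehist,
strings2 or BinText."""
import math
import random
import re
from collections import Counter

# Assumed threshold: compressed/encrypted data approaches 8 bits per byte,
# native code and text usually sit well below 7. Tune it per sample set.
PACKED_ENTROPY_THRESHOLD = 7.0


def byte_histogram(data: bytes) -> Counter:
    """Count how often each byte value (0..255) occurs."""
    return Counter(data)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Whole-buffer heuristic; on a real PE run it per section, since a packed
    payload is often confined to one section while the stub stays low-entropy."""
    return shannon_entropy(data) >= threshold


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, wide_strings).

    'Wide' means UTF-16LE whose code units are printable ASCII, i.e. each
    printable byte followed by a NUL, repeated at least min_len times."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    ascii_strings = [m.decode("ascii") for m in re.findall(ascii_pat, data)]
    wide_strings = [m.decode("utf-16-le") for m in re.findall(wide_pat, data)]
    return ascii_strings, wide_strings


def analyze(data: bytes) -> dict:
    """Summarize one buffer the way a quick triage pass would."""
    ascii_strings, wide_strings = extract_strings(data)
    return {
        "entropy": round(shannon_entropy(data), 2),
        "packed": looks_packed(data),
        "top_bytes": byte_histogram(data).most_common(3),
        "ascii": ascii_strings,
        "wide": wide_strings,
    }


# Constructed sample inputs (not real files). PLAIN_SAMPLE mimics the start of
# an unpacked PE: DOS stub text, import names, and a UTF-16LE URL. The double
# NUL after GetProcAddress keeps the wide-string scanner from gluing the last
# ASCII character onto the start of the UTF-16LE string.
PLAIN_SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00GetProcAddress\x00\x00"
    + "http://example.invalid/c2".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 256
)

# PACKED_SAMPLE stands in for a compressed/encrypted section: seeded PRNG bytes.
_rng = random.Random(1)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, analyze(sample))
```

The wide-string pattern is the same one most strings tools use, and it shares their weakness: an ASCII string's trailing NUL followed immediately by a UTF-16LE string yields one merged result, which is why the sample separates them with two NULs. Entropy on the whole file is only a first hint; per-section values (or a sliding window) separate a small unpacking stub from the packed payload it carries.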