Tag: malware

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …

Disassembler, Reverse Engineering

Fast Disassembler-Decomposer Library

diStorm is a lightweight, Easy-to-Use and Fast Disassembler/Decomposer Library for x86/AMD64. A Decomposer means that you get a binary structure that describes an instruction rather than textual representation. Features * Access to CPU flags that were affected by the instruction. * Basic Flow Control analysis support. * AVX and FMA instruction sets support. * Complete …

Security

Protocol Analysis-Decoder Framework

ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft. Note that ChopShop is still in perpetual beta and is dependent on libnids/pynids for the majority of its underlying functionality. Documentation for ChopShop can be found on ReadTheDocs. Pynids pynids is a …

Forensics, Malware Analysis

Automater – IP URL and MD5 OSINT Analysis

Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. Options …

Honeypot, Malware Analysis

Glastopf – Web Application Honeypot

Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application. This tool is designed to capture information on the latest web application attacks using a scalable and easy to deploy …

Disassembling, Reverse Engineering

Windows Disassembler for 64-bit & 32-bit Programs

PEBrowse64 Professional (v6.3) is a 64-bit executable and requires the .NET framework. It will display both Win32 and Win64 executables, native, managed and mixed. PEBrowse Professional (v10.1.4) is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies. With the PEBrowse disassembler, one can open and examine any executable without the need to …

Forensics, Malware Analysis, Reverse Engineering

Dump running Win32 process memory image

User Mode Process Dumper ver. 8.1 (userdump) dumps any running Win32 processes memory image (including system processes such as csrss.exe, winlogon.exe, services.exe, etc) on the fly, without attaching a debugger, or terminating target processes. Generated dump file can be analyzed or debugged by using the standard debugging tools. The userdump generates dump file by several …