A list of useful tools and links for reverse engineering of malware
Resources for Reverse Engineering
Tools for Reverse Engineering
- pythonarsenal
- openrce
- wtsxDev reverse-engineering
- Malpedia - The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
- WinAppDbg6 - WinAppDbg Debugger
- pefile - pefile is a Python module to read and work with PE (Portable Executable) files
Reverse Engineering Frameworks
Reverse Engineering Videos
| Needed Function | IDA Scripts | IDA Plugins |
|---|---|---|
| Call Stack | CallStackWalk | |
| MSDN Annotation | msdn-crawler | IDAscope, MSDN_crawler, msdn-plugin-ida |
| Search | FindInstructions, wpsearch, localxrefs6 | |
| Assembler Edit | Keypatch | |
| Function Syntax | IDAscope | |
| Crypto/Compression Detection | FindCrypt | IDAscope |
| Wrapper Function Annotation | IDAscope | |
| IDAPython | Sark, IPyIDA | |
| Anti Debugging | stealth, ScyllaHide | |
| Scanning | VirusTotal v0.1 | |
| Unicode | UniCodeString Analyst | |
| Compare | Turbodiff | |
| Dump/Export | StDump5 | |
| Graph | GraphGrabber | SimplifyGraph |
| Other | Runtime-Evaluated Addressing Resolver | |
| Decompiler | HexRaysCodeXplorer | |
| Toolbox | IDA Splode | |
| Yara | ida_yara, yara_fn | IDARay-Plugin |
| Static Analysis | IDAPythonEmbeddedToolkit | capstool, x86 Emulator, ida-splode, BinCAT, MazeWalker |
| Deobfuscator | Optimice | |
| SQL Export | da2sql-plugin-ida | |
| Sharing | bincrowd-plugin-ida | |
| XRef | xref_finder, backtrace, Reef | |
| WinDbg | Integrating WinDbg and IDA | |
| Disassembler | ScratchABit | |
| Strings | Stingray | |
| Docker | Docker | |
| Comments | idapython_hints | |
| Diff Tool | patchdiff2, BinDiff, DarunGrim | |
| Collaboration | Reverse-Engineering Database, collabREate | |
Scripts for IDA Pro
- CallStackWalk - Call stack reconstruction
- FindInstructions - Find opcodes and instructions
- wpsearch - Searches for immediate values commonly found in MIPS WPS checksum implementations.
- ida_yara - A Python script that can be used to scan data within an IDB using Yara
- IDAPythonEmbeddedToolkit - A set of scripts to automate many of the steps associated with statically analyzing, or reverse engineering, the firmware of embedded devices in IDA Pro
- FindCrypt - A Python implementation of IDA FindCrypt/FindCrypt2 plugin (see http://www.hexblog.com/?p=28).
- Comment exception handlers in PE32+ (x64) - Comment exception handlers in PE32+ (x64) executables (Example: http://www.mista.nu/files/x64eh_after.png)
- msdn-crawler - Parses MSDN documentation into an XML file
- da2sql-plugin-ida - IDB SQL exporter
- Integrating WinDbg and IDA - Integrating WinDbg and IDA for Improved Code Flow Analysis
- IDAPython-ColorThreads - Finds all thread start addresses and colors each thread and all descendant functions the same color. Functions called by multiple threads are colored grey.
- backtrace - A class that can be used to backtrace reference of registers and args in IDA
- yara_fn - Generate a yara rule that matches the basic blocks of the current function in IDA Pro
- GraphGrabber - Used to grab full-resolution images of IDA graphs.
- idapython_hints - Example of using ctypes with the IDA SDK and providing custom UI hints/comments with dynamic data from Python
- windows_syscalls_dumper - A quick IDAPython script to dump Windows system call number/name pairs as JSON
- industroyer - An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol.
Collection of IDA Pro Plugin Resources
- tuts4you.com - List of Plugins
- devttys0/ida - List of Plugins
- onethawt/idaplugins-list - List of Plugins
- flare-ida - IDA Pro utilities from FLARE team
- zynamic - List of Plugins
- Alexander_Hanel Repos - List of Plugins
- williballenthin - List of Plugins
- The Malware Dare Group
Plugins for IDA Pro
- Keypatch - Assembler functionality
- OllyDumpEx - Memory snapshot
- IDAscope - Function reconstruction, MSDN documentation, finding of potential crypto/compression algorithms
- MSDN_crawler - MSDN inline Annotations (MSDN database file)
- Sark - Object-oriented scripting layer written on top of IDAPython
- IPyIDA - IPython console integration for IDA Pro
- localxrefs6 - Finds references from within the current function to any highlighted text
- stealth - Hides the debugger from anti-debugging tricks
- VirusTotal v0.1 - VirusTotal reporting and file submission
- UniCodeString Analyst and Comment Maker 1.0.0.1 - Unicode string analysis
- Turbodiff 1.0b_r1.1 - binary diffing tool
- StDump5 - export IDA types (structs and enums) into high-level language definitions
- ScyllaHide 1.2 - x64/x86 usermode Anti-Anti-Debug library
- Runtime-Evaluated Addressing Resolver - Resolves indirect jump/call instructions (e.g. call dword ptr [ecx+1Ch], jmp eax, etc.)
- SimplifyGraph - Assist with complex graphs
- IDA Splode - Augmenting Static Reverse Engineering with Dynamic Analysis and Instrumentation
- IDARay-Plugin - Matches the database against multiple YARA files which themselves may contain multiple rules
- capstool - A set of functions that can be used to do basic static analysis of x86/x64 instructions
- Optimice - the IDAPython deobfuscator
- msdn-plugin-ida - Imports MSDN documentation into IDA Pro
- bincrowd-plugin-ida - BinCrowd Plugin. BinCrowd is a collaborative reverse engineering tool that can be used by reverse engineers to keep a repository of reverse engineered information and share this information with friends and colleagues.
- xref_finder - xref_finder is a pair of tools that can be used for adding cross-references into an IDA Pro database that can't be identified using strictly static analysis, such as virtual calls (i.e. call eax).
- ScratchABit - An interactive incremental disassembler with data/control flow analysis capabilities
- Reef - Finding Xrefs from a function
- Stingray - Finding function strings recursively
- Docker - Run IDA Pro disassembler in Docker containers for automating, scaling and distributing the use of IDAPython scripts.
- HexRaysPyTools - Assists in the creation of classes/structures and the detection of virtual tables. It also speeds up transforming decompiler output and allows some operations that are otherwise impossible.
- patchdiff2 - A plugin for the IDA disassembler that can analyze two IDB files and find the differences between them.
- BinDiff - A comparison tool for binary files, that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code.
- DarunGrim - A Binary Diffing and Patch Analysis Tool
- Reverse-Engineering Database - The two combined allow sharing of findings between those who practice RE.
- collabREate - Collaborative reverse engineering plugin for IDA Pro.
- x86 Emulator - Embedded x86 emulator for IDA Pro
- ida-splode - Augmenting Static Reverse Engineering with Dynamic Analysis and Instrumentation
Plugins for Malware Analysis with IDA Pro
- IDApatchwork
- IDA Toolbag - A plugin providing supplemental functionality to the Hex-Rays IDA Pro disassembler
- BinCAT - Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction
- MazeWalker - Toolkit for enriching and speeding up static malware analysis
- BASS - Automated Signature Synthesizer
Tools for Exploit Development
- sulley - A pure-python fully automated and unattended fuzzing framework
Plugins for Exploit Development with IDA Pro
- Dr. Gadget - Analyze ROP payload
Plugins for IDA Pro Decompiler
- HexRaysCodeXplorer - better code navigation
Yara Rules
- get_eip.yara - Find EIP
Tutorials Exploit Development
Interesting Blogs
- FireEye Threat Research Blog
- Alexander Hanel's Blog
- Phoenix Testing Facility
- IDAPython Blog - Blog on IDAPython
- rehints
- Hexblog - Blog of the IDA Pro Author
- zynamics
- exploit-monday
- byte-atlas
Security Vendor Blogs
- Eset Blog - Eset Blog