Tools of the trade
People ask me (and I ask them) from time to time what tools I use when analyzing malicious files. I thought I’d compile a list here, and if you guys (and gals) have other tools that are useful, send me a mail and I’ll update the post.
One piece of software has earned an honorary mention above the others. It isn’t hard to guess that the software in question is IDA Pro. IDA is a disassembler, but “a complete analysis platform” would be a better description :)
And now to list the other programs and their short descriptions:
OllyDbg:
In my opinion OllyDbg is the best user-mode debugger available. With a script interface and a nice set of free plugins lying around the net, OllyDbg is an analyzer’s friend.
A free kernel-mode debugger from Microsoft. Very useful when debugging drivers and rootkits.
A versatile tool for exploring and analyzing PE executables. Has some plugins for unpacking various packers like UPX.
LordPE:
LordPE is a versatile and free tool for editing PE files. You can either attach to a process and work from there, or open a disk image. LordPE also has a pretty good dumper built in.
PEditor:
PEditor is a tool coded by y0da, the same person who brought lovable packers like AsPack and others to you. PEditor is a very nice tool for editing and rebuilding PE executables. Both process attaching and image editing are possible.
ImportREC:
Import Reconstructor. Very useful in rebuilding import tables after unpacking a file.
ADDetector:
AntiDebug Detector. Mentioned in an earlier entry here. Somewhat useful in detecting various anti-debug methods.
EXDetector:
Exploit Detector. Scans a target file to see whether it contains any exploits it recognizes and prints out their physical offsets. Somewhat useful when you stumble onto an unknown piece of malware.
HT:
HT is a powerful PE executable viewer, editor and analyzer.
HIEW:
HIEW is also a powerful PE executable viewer, editor and analyzer. In addition, HIEW has ready support for xor operations. What’s even nicer is that HIEW allows easy building of custom de/encryption functions :)
KFC:
While it might sound like something to do with fried chicken, that is not the case. KFC is a kernel-mode file copier. This allows it to bypass some of the protection mechanisms that malware active on a system deploys.
Unpackers
Having a good assortment of unpackers at hand can save you a lot of time when you’re in a hurry.
Unpacker for FSG V1.3x
Unpacker for any AsPack version since AsPack 2000
Unpacker for PECompact version 1.69 or earlier
UPX:
UPX command line tool. In addition to packing, you can also unpack UPX-packed files with this, unless they have been modified.
Exe32Pack Unpacker:
Tool for unpacking Exe32Pack packed files.
PolyCryptPE Unpacker:
Unpacker for PolyCryptPE packed files.
AllapleUnpacker:
Tool to unpack the polymorphic protection that is used by the Allaple worm.
QBot-Unprot:
Tool for decrypting the configuration files and logdump files that QBot uses.
NsPack Unpacker:
Unpacker for files that are packed with NsPack.