Malware analysis
Table Of Contents
- Disassemblers and Debuggers
- Decompilers
- Deobfuscators
- Other
- Execution Logging and Tracing
- Binary Files Examination and Editing
Disassemblers and debuggers
- IDA - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
- OllyDbg - A 32-bit assembler level analysing debugger for Windows
- x64dbg - An open-source x64/x32 debugger for Windows
- radare2 - A portable reversing framework
- plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax.
- ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API
- Capstone
- Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
Decompilers
JVM-based languages
- Krakatau - the best decompiler I have used. It is able to decompile apps written in Scala and Kotlin into Java code. JD-GUI and Luyten have failed to do it fully.
- JD-GUI
- procyon
- Luyten - one of the best, though a bit slow; it hangs on some binaries and is not very well maintained.
- JAD - JAD Java Decompiler (closed-source, unmaintained)
- JADX - a decompiler for Android apps. Not related to JAD.
.NET-based languages
- dotPeek - a free-of-charge .NET decompiler from JetBrains
- ILSpy - an open-source .NET assembly browser and decompiler
- dnSpy - .NET assembly editor, decompiler, and debugger
Native code
- Hopper - An OS X and Linux disassembler/decompiler for 32/64-bit Windows/Mac/Linux/iOS executables.
Python
- uncompyle6 - a Python bytecode decompiler covering over 20 releases and 20 years of CPython.
Deobfuscators
- de4dot - .NET deobfuscator and unpacker.
- JS Beautifier
- JS Nice - a web service that guesses JS variable names and types using a model derived from open-source code.
Other
- nudge4j - Java tool to let the browser talk to the JVM
- dex2jar - Tools to work with Android .dex and Java .class files
- androguard - Reverse engineering, malware and goodware analysis of Android applications
- antinet - .NET anti-managed debugger and anti-profiler code
- UPX - the Ultimate Packer (and unpacker) for eXecutables
Execution logging and tracing
- Wireshark - A free and open-source packet analyzer
- tcpdump - A powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture
- mitmproxy - An interactive, SSL-capable man-in-the-middle proxy for HTTP with a console interface
- Charles Proxy - A cross-platform GUI web debugging proxy to view intercepted HTTP and HTTPS/SSL live traffic
- usbmon - USB capture for Linux.
- USBPcap - USB capture for Windows.
- dynStruct - structures recovery via dynamic instrumentation.
- drltrace - shared library calls tracing.
Binary files examination and editing
Hex editors
- HxD - A hex editor which, in addition to raw disk editing and modifying main memory (RAM), handles files of any size
- WinHex - A hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security
- wxHexEditor
- Synalize It/Hexinator
Other
- Binwalk - Detects signatures, unpacks archives, visualizes entropy.
- Veles - a visualizer for statistical properties of blobs.
- Kaitai Struct - a DSL for creating parsers in a variety of programming languages. The Web IDE is particularly useful for reverse-engineering.
- Protobuf inspector
- DarunGrim - executable differ.
- DBeaver - a DB editor.
- Dependencies - a FOSS replacement for Dependency Walker.
- PEview - A quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files
- BinText - A small, very fast and powerful text extractor that will be of particular interest to programmers.