File Checksum Integrity Verifier (FCIV) :: Tools

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifiuoVgmPKnVv9FUPZCSghpYzLaUQwzuaKU8v8skrGBuWZoj41I7sJPa5FdwMXd-6eNTmk1tDeez_445FFajOVtFnJ41J5DDpJt86mLlt_wOEi4IlFikSdtZmR1TuI6jvApYPg6gM-Gx52/s1600/File+Checksum+Integrity+Verifier+FCIV.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="File Checksum Integrity Verifier (FCIV)" border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifiuoVgmPKnVv9FUPZCSghpYzLaUQwzuaKU8v8skrGBuWZoj41I7sJPa5FdwMXd-6eNTmk1tDeez_445FFajOVtFnJ41J5DDpJt86mLlt_wOEi4IlFikSdtZmR1TuI6jvApYPg6gM-Gx52/s640/File+Checksum+Integrity+Verifier+FCIV.JPG" title="File Checksum Integrity Verifier (FCIV)" width="640" /></a></div><div style="text-align: justify;">The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.</div><div style="text-align: justify;">FCIV (File Checksum Integrity Verifier) is a small tool or utility from Microsoft that allow us to compute (MD5 and SHA1) and verify Integrity of files. If you are a malware analyst or a researcher or a user who want secure things then you can done a fabulous things with this small utility.</div><h3 class="sbody-h3" style="text-align: justify;">Features</h3><div style="text-align: justify;">The FCIV utility has the following features:</div><ul class="sbody-free_list"><li style="text-align: justify;"> Supports MD5 or SHA1 hash algorithms (The default is MD5.)</li> <li style="text-align: justify;"> Can output hash values to the console or store the hash value and file name in an XML file</li> <li style="text-align: justify;">Can recursively generate hash values for all files in a directory and in all subdirectories (for example, <span class="text-base">fciv.exe c:\ -r</span>)</li> <li style="text-align: justify;">Supplies an exception list to specify files or directories to hash</li> <li style="text-align: justify;">Can store hash values for a file with or without the full path of the file</li> </ul><h3> Example usage</h3><ul class="sbody-free_list"><li>To display the MD5 hash of a file, type the following command at a command prompt: <div class="indent"><span class="sbody-userinput">fciv.exe <var class="sbody-var">filename</var></span></div><span class="text-base">Note </span><var class="sbody-var"> filename</var> is the name of the file.</li> <li>To compute a hash of a file, type a command line that is similar to any one of the following command lines: <div class="indent"><span class="sbody-userinput">fciv.exe c:\mydir\<var class="sbody-var"><var class="sbody-var">myfile.dll</var></var></span><br /> <br /> <span class="sbody-userinput">fciv.exe c:\ -r -exc exceptions.txt -sha1 -xml dbsha.xml</span><br /> <br /> <span class="sbody-userinput">fciv.exe c:\<var class="sbody-var">mydir</var> -type *.exe</span><br /> <br /> <span class="sbody-userinput">fciv.exe c:\<var class="sbody-var">mydir</var> -wp -both -xml db.xml</span></div></li> <li>To list the hashes that are stored in a database, type a command line that is similar to the following command line: <div class="indent"><span class="sbody-userinput">fciv.exe -list -sha1 -xml db.xml</span></div></li> <li>To verify a hash in a file, type a command line that is similar to any one of the following command lines: <div class="indent"><span class="sbody-userinput">fciv.exe -v -sha1 -xml db.xml</span><br /> <br /> <span class="sbody-userinput">fciv.exe -v -bp c:\<var class="sbody-var">mydir</var> -sha1 -xml db.xml</span></div></li> </ul><h3>Video Tutorial::</h3><br /> <div class="separator" style="clear: both; text-align: center;"><br /> <iframe width="100%" height="330" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/sOtnut9wM38/0.jpg" src="https://www.youtube.com/embed/sOtnut9wM38?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div><br /> <h3>Download ::</h3><b>Windows:</b> <a href="http://www.microsoft.com/en-in/download/details.aspx?id=11533" rel="nofollow" target="_blank">Microsoft FCIV</a>

File Checksum Integrity Verifier (FCIV) :: Tools

The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCI...

Read more »

Mandiant Redline (Memory and File Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;">  <img alt="Mandiant Redline Logo" border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85inxEf7aGj9rwDfJlLA1TZjt029HkuPRCGRhLSQHEAM3zBvwbuLTQ5KRk0_EUdzGhbt6PbzzhpzYo2kQigms2_eBtiT3rOaRdXb8fjaQlF-7JuBE_st3IAFkZd3E5dxJ-TJdPkeBzB0X/s400/Memoryze+Logo.png" title="Mandiant Redline Logo" width="400" /></div> <div style="text-align: justify;"> <b>Redline, Mandiant’s</b> premier free tool, provides<i> host investigative</i> capabilities to users to find signs of <i>malicious activity through memory and file analysis</i>, and the development of a threat assessment profile.  With <b>Redline,</b> users can:</div> <ul style="text-align: justify;"> <li>Thoroughly audit and collect all running processes and drivers from <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a>, file system metadata, <a href="http://www.toolwar.com/search/label/Registry" target="_blank">registry</a> data, event logs, <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> information, services, tasks, and <a href="http://www.toolwar.com/search/label/Web" target="_blank">web</a> history.</li> <li>Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using <b>Redline’s</b> Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.</li> <li>Streamline memory analysis with a proven workflow for analyzing <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> based on relative priority.</li> <li>Identify processes more likely worth investigating based on the <b>Redline</b> Malware Risk Index (MRI) score.</li> <li>Perform Indicator of Compromise (IOC) <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review. </li> </ul> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> In addition, <b>Redline</b> can be used in conjunction with <b>Mandiant for Intelligent Response®(MIR®)</b> and <b>Mandiant for Security Operations™:</b></div> <div style="text-align: justify;"> </div> <ul style="text-align: justify;"> <li>Investigators can open audits gathered in Mandiant for Intelligent Response (MIR) directly in Redline to quickly identify a malicious process and create an IOC based on the analysis. MIR can use this IOC to quickly sweep a <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> to identify all other systems running the same or similar malware.</li> <li>Mandiant for Security Operations users can open triage collections directly in Redline in order to perform in-depth <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a> allowing the user to establish a timeline and the scope of an incident.</li> </ul> <b>Mandiant Redline 1.11</b> includes various changes to improve your user experience, and adds support for <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> 8 and 2012. A redesigned find panel remains open and offers users the ability to search and filter on a specific column. You can also filter lists by multiple tags at the same time and choose whether to include only items that do or do not have a comment. Finally, the Redline Collector now provides beta support for gathering Windows 2012 and Windows 8 data..<br /> <br /> <br /> <b>Supported Operating Systems:</b> Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit)<br /> <br /> <h3> Tutorials ::</h3> <b>User Guide :: </b><a href="http://www.mandiant.com/library/Redline1.11_UserGuide.pdf">Mandiant Redline 1.11 (PDF)</a><br /> <b>Redline Blog :: </b><a href="https://www.mandiant.com/blog/tag/redline/" target="_blank">Mandiant Redline Blog </a><br /> <br /> <h3> Download ::</h3> <b>Windows :: </b><a href="https://www.mandiant.com/library/Redline-1.11.msi" target="_blank">Mandiant Redline v1.11</a><b><br /></b><br /> <b>Official Website ::</b> <a href="https://www.mandiant.com/resources/download/redline">https://www.mandiant.com/resources/download/redline</a>

Mandiant Redline (Memory and File Analysis) :: Tools

  Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity throug...

Read more »

PeePDF (PDF Analysis, Forensics, Creation and Modification) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdfssXOHi8T0g4PNVG2niVEqC8bGVS2bQv8_wc0aLv8WDhBJ6Qf4HmwrkQoJlcQQtkcpLkUrvaJT9SEivG30mCR9_7y4Shf87TpVzinYYtGUbSzmXiSqszzlHsUI0d9T1VuVnq7P5KubfM/s1600/PeePDF.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="PeePDF Analysis" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdfssXOHi8T0g4PNVG2niVEqC8bGVS2bQv8_wc0aLv8WDhBJ6Qf4HmwrkQoJlcQQtkcpLkUrvaJT9SEivG30mCR9_7y4Shf87TpVzinYYtGUbSzmXiSqszzlHsUI0d9T1VuVnq7P5KubfM/s1600/PeePDF.jpg" title="PeePDF Analysis" width="400" /></a></div> <b>PeePDF</b> is a <b>Python tool to explore PDF files</b> in order to find out if the file can be harmful or not. The aim of this <a href="http://www.toolwar.com/search/label/Tools" target="_blank"> tool</a> is to provide all the necessary components that a <a href="http://www.toolwar.com/search/label/Security" target="_blank">security</a> researcher could need in a <a href="http://www.toolwar.com/search/label/PDF" target="_blank">PDF analysis</a> without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides <b>Javascript and shellcode <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a></b> wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones. </div> <div style="text-align: justify;"> <br /> The main functionalities of peepdf are the following: </div> <div style="text-align: justify;"> <h3> <b> Analysis: </b></h3> </div> <ul style="text-align: justify;"> <li> Decodings: hexadecimal, octal, name objects </li> <li> More used filters </li> <li> References in objects and where an object is referenced </li> <li> Strings search (including streams) </li> <li> Physical structure (offsets) </li> <li> Logical tree structure </li> <li> Metadata </li> <li> Modifications between versions (changelog) </li> <li> Compressed objects (object streams) </li> <li> Analysis and modification of Javascript (PyV8): unescape, replace, join </li> <li> Shellcode analysis (Libemu python wrapper, pylibemu) </li> <li> Variables (set command) </li> <li> Extraction of old versions of the document </li> <li> Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>) </li> <li> Checking hashes on <a href="http://www.toolwar.com/2013/12/virustotal-analyze-files-and-urls-tools.html" target="_blank"><b>VirusTotal</b></a> </li> </ul> <div style="text-align: justify;"> <b> Creation/Modification: </b></div> <ul style="text-align: justify;"> <li> Basic PDF creation </li> <li> Creation of PDF with Javascript executed wen the document is opened </li> <li> Creation of object streams to compress objects </li> <li> Embedded PDFs </li> <li> Strings and names obfuscation </li> <li> Malformed PDF output: without endobj, garbage in the header, bad header... </li> <li> Filters modification </li> <li> Objects modification </li> </ul> <div style="text-align: justify;"> <b> Execution modes: </b></div> <ul style="text-align: justify;"> <li> Simple command line execution </li> <li> <b>Powerful interactive console</b> (colorized or not) </li> <li> Batch mode </li> </ul> <div style="text-align: justify;"> <b> TODO: </b></div> <ul style="text-align: justify;"> <li> Embedded PDFs analysis </li> <li> Improving automatic Javascript analysis </li> <li> GUI </li> </ul> <h3> Tutorials :: </h3> <b>PeePDF Installation :: </b><a href="http://code.google.com/p/peepdf/wiki/Installation" target="_blank">Click Here</a><b><a href="http://code.google.com/p/peepdf/wiki/Installation" target="_blank"> </a></b><br /> <b>PeePDF Execution :: </b><a href="http://code.google.com/p/peepdf/wiki/Execution" target="_blank">Click Here</a><br /> <b>PeePDF Commands ::  </b><a href="http://code.google.com/p/peepdf/wiki/Commands" target="_blank">Click Here</a><br /> <b>PDF Forensics and Analysis eBook</b> :: <a href="https://www.amazon.com/dp/B00LSF1TU6" target="_blank">Click Here</a> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/T1GcheLaY5M?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3> Download ::</h3> <b>Linux | Windows :: </b><a href="http://peepdf.googlecode.com/files/peepdf_0.2-BlackHatVegas.zip" target="_blank">peepdf v0.2</a> (.zip)<b> | </b><a href="http://peepdf.googlecode.com/files/peepdf_0.2-BlackHatVegas.tar.gz" target="_blank">peepdf v0.2</a> (.tar.gz) <b> </b><br /> <b>Source Website ::</b> <a href="http://code.google.com/p/peepdf/">http://code.google.com/p/peepdf/</a>

PeePDF (PDF Analysis, Forensics, Creation and Modification) :: Tools

PeePDF is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to prov...

Read more »

Daphne (Task Manager Replacement) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPk3IFMMVNghW3amCSO5HL1MSHkmgh9FFcm1fyXH5s8whXg9TR8FkRHaiOoD9loJg_0NKmceu7vjF_m41L8G0my5JXOjdLhGzlANuU-iBeHOQFICsDUmwp49IsgjtHJ5OTi30hdPcMR4zZ/s1600/dap3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Daphne Windows Tool" border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPk3IFMMVNghW3amCSO5HL1MSHkmgh9FFcm1fyXH5s8whXg9TR8FkRHaiOoD9loJg_0NKmceu7vjF_m41L8G0my5JXOjdLhGzlANuU-iBeHOQFICsDUmwp49IsgjtHJ5OTi30hdPcMR4zZ/s1600/dap3.png" title="Daphne Windows Tool" width="400" /></a></div> </div> <div style="text-align: justify;"> <b>Daphne</b> is a small (system tray) application for <b>killing, controlling and debugging Windows' processes.</b> It was born to kill a <a href="http://www.toolwar.com/search/label/Windows" target="_blank">windows</a> process and became almost a task manager replacement. You can kill a process by dragging the mouse over the windows, by right-clicking the process in the main process list, or by typing its name with the "Kill all by name" command. You can set a any window to be always on top, to be transparent, to be enable.</div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> Features :: </div> <ul style="text-align: justify;"> <li>Main window</li> <ul> <li>CPU and memory information</li> <li>Comprehensive process list </li> <li>Access to drag-and-drop tool</li> </ul> </ul> <div style="text-align: justify;"> </div> <ul style="text-align: justify;"> <li>Drag-and-drop tool (Drop tool over any window)</li> <ul> <li> Find the process which owns a given window</li> <li>Find the window in the process windows tree</li> <li>Kill the process which owns a given window</li> <li>Hide window and remove application from task bar (application keeps running completely hidden, and can be restored later)</li> <li>Set or remove always on top property</li> <li>Set or remove transparency (alpha)</li> <li>Enable or disable window or control</li> <li>Change window size using numbers (ie 640x480)</li> <li>Save window position and size and restore when the process is started</li> </ul> </ul> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> </div> <ul style="text-align: justify;"> <li> Process list</li> <ul> <li> Including CPU usage, PID, full path and arguments, owner, class (process or service), memory and swap usage, I/O count.</li> <li>Item highlighting with colors for custom, system and high CPU-consumption processes.<br /> Sortable by any column</li> <li>Quick search-as-you-type find by process name when sorted by Process column</li> <li>Customizable column position and width</li> </ul> </ul> <div style="text-align: justify;"> </div> <ul style="text-align: justify;"> <li> Contextual menu allows for:<br /> <ul> <li>Kill the process or ask it to finish execution</li> <li>Schedule process kill for later</li> <li>Set focus</li> <li>Set or remove always on top</li> <li>Create a trap</li> <li>Change processor affinity mask and optionally trap this configuration</li> <li>Change process priority</li> <li>Handle service (start, stop, pause and continue)</li> <li>Copy process name, PID or path to clipboard</li> <li>Open containing folder</li> <li>Look for or submit to DRK process database.</li> <li>Access to process properties window</li> </ul>  </li> <li>Process properties window<br /> <ul> <li>Full command line</li> <li>Parent process and user</li> <li>Startup timestamp</li> <li>Kernel and user time</li> <li>Show and handle minimum and maximum working set size</li> </ul>  </li> <li>Windows tree allows for:<br /> <ul> <li>Set focus</li> <li>Show or hide window or application</li> <li>Handle always on top</li> <li>Make window resizable</li> <li>Turn caption on and off</li> <li>Send a window message (ie. WM_ACTIVATE) with lParam and wParam values</li> <li>Thread list with priority and CPU time</li> <li>Loaded modules</li> <li>Environment variables</li> <li>I/O information</li> </ul>  </li> <li>Daphne main menu (accesible from tray icon too)<br /> <ul> <li>Run process as other user</li> <li>Close windows by matching title</li> <li>Schedule popup message</li> <li>Schedule system shutdown</li> <li>Access CPU usage graph</li> <li>Open process hierarchy tree</li> <li>Installed software list for inspecting installed software available in tray icon menu. Installed software</li> <li>Control inspector window for revealing hidden passwords and other control information</li> <li>Hidden applications and scheduled tasks list</li> <li>Copy process list to clipboard</li> <li>Windows 7 God Mode and Problem steps recorder</li> <li>Kill all process by matching name </li> </ul>  </li> <li>Traps<br /> <ul> <li>Apply to any process, when its startup is detected.</li> <li>Notify process has been created</li> <li>Kill it</li> <li>Hide the application</li> <li>Set always on top on/off</li> <li>Set transparency (alpha)</li> <li>Set desired priority</li> <li>Notify process destroyed/exited</li> <li>Set process affinity mask</li> <li>Keep windows position and size</li> </ul>  </li> <li>Kill menu: </li> <ul> <li>User-defined menu items. </li> <li>Every item has a process list and kill them when activated</li> <li>Four user-defined command lines to be executed if Ctrl-Shift-F1 to F4 combination is pressed. Works globally.</li> <li>Windows explorer contextual menu integration for files and folders</li> <li>Copy name of full path to clipboard</li> <li>Copy folder file listing to clipboard</li> <li>Open command line (CMD) in folder</li> <li>Check which process has a file opened</li> <li>Google folder or file name</li> </ul> </ul> <div style="text-align: justify;"> Optional global and customizable activation shortcut for showing <b>Daphne</b> main window. Tool for creating log file od every started and stopped process and applied traps. You can make configuration portable using INI file instead of <a href="http://www.toolwar.com/search/label/Registry" target="_blank">registry</a> base configuration. </div> <ul> <li>Take care: </li> <ul> <li>process names may be eclipsed by <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malicious</a> software.</li> <li>Command line tool for accesing process list, and kill process by name or kill menu item</li> </ul> </ul> <div style="text-align: justify;"> Internationalization: Spanish, Italian, German, French, Chinese, Swedish, Valencian, Polish, Russian, Portuguese, Japanese, Arabic and Greek support.</div> <div style="text-align: justify;"> <br /> Enhanced (experimental) multidesktop feature: use up to four windows desktops using WindowsKey + F5 to F8. </div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <b>Video Tutorials :: </b><a href="http://www.drk.com.ar/daphne.php" target="_blank">Click Here </a></div> <h3 style="text-align: justify;"> </h3> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://www.drk.com.ar/daphne/Daphne_setup_x86.msi" target="_blank">Daphne-x86</a> (.msi) | <a href="http://www.drk.com.ar/daphne/Daphne_setup_x64.msi" target="_blank">Daphne-x64</a> (.msi)<b></b></div> <div style="text-align: justify;"> <b>Source Code :: </b><a href="http://www.drk.com.ar/daphne/Daphne-src.7z" target="_blank">Daphne Source Code</a> (.7z) <b>Official Website :: </b><a href="http://www.drk.com.ar/daphne.php">http://www.drk.com.ar/daphne.php</a><b> Submitted By ::</b> Leandro Fernández</div>

Daphne (Task Manager Replacement) :: Tools

Daphne is a small (system tray) application for killing, controlling and debugging Windows' processes. It was born to kill a wind...

Read more »

Second Look (Linux Memory Forensics) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both;">  <img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj3s-HN2dZGFNYEv4wk6IGLmblttBSVAhyiADK6Tcg_sE6ucHyhB_M1xINBz418Iy8K5vLizCBYB253oHqRxFsyyY8VZykHyveoJ2XteU5fG4hbI2gGuQ-r6z4iNVCrNR0thbZCaMasHa_/s1600/secondlook.jpg" width="640" /></div> The Incident Response edition of <b>Second Look®: Linux Memory Forensics</b> is designed for use by investigators who need quick, easy, and effective <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a> <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory acquisition</a> and analysis capabilities. Second Look® is a product of Raytheon Pikewerks Corporation. </div> <h3 style="text-align: justify;"> <span class="mw-headline" id="Memory_Acquisition"> Memory Acquisition::</span></h3> <div style="text-align: justify;"> <b>Second Look®</b> preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A <a href="http://www.toolwar.com/search/label/CLI" target="_blank">command-line</a> script allows for acquisition of <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory. </div> <h3 style="text-align: justify;"> <span class="mw-headline" id="Memory_Analysis"> Memory Analysis ::</span></h3> <div style="text-align: justify;"> <b>Second Look® </b>interprets live system memory or captured memory images, detecting and <a href="http://www.toolwar.com/search/label/Reverse" target="_blank">reverse engineering</a> malware, including stealthy kernel <a href="http://www.toolwar.com/search/label/Rootkit" target="_blank"> rootkits</a> and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels. </div> <div style="text-align: justify;"> <b>Second Look®</b> also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a>. </div> <h3 style="text-align: justify;"> <span class="mw-headline" id="Supported_Systems"> Supported Systems ::</span></h3> <div style="text-align: justify;"> Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used <a href="http://www.toolwar.com/search/label/Distribution" target="_blank">Linux distributions</a>. The following are its capabilities as of April 2012: </div> <ul style="text-align: justify;"> <li> Supported target kernels: 2.6.x, 3.x up to 3.2 </li> <li> Supported target architectures: x86 32- and 64-bit </li> <li> Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more! </li> </ul> <h3 style="text-align: justify;"> Product features (Second Look Incident Response Edition) ::</h3> <ul style="text-align: justify;"> <li>Memory acquisition and analysis for all 32- and 64-bit x86 (i386/i486/i586/i686, amd64/x86_64) Linux systems running 2.6- and 3-series kernels. This includes: <ul> <li>Amazon Linux 2010.11 through 2014.03, and higher;</li> <li>Debian 4 through 7, and higher;</li> <li>Fedora 2 through 20, and higher;</li> <li>Red Hat Enterprise Linux (RHEL) and CentOS 4.x, 5.x, 6.x, and higher;</li> <li>Ubuntu 4.10 through 14.04, and higher;</li> <li>and other distributions.</li> </ul> </li> <li>Analysis via command line interface (CLI) or graphical user interface (GUI) applications which run on Ubuntu 12.04 (32- or 64-bit) or RHEL/CentOS 6.x (64-bit).</li> <li>Automatic kernel version identification — just select a memory image and go.</li> <li>Supported memory image formats: <ul> <li>raw physical memory images ("mem" format — as produced by secondlook-memdump, Inception, and other tools);</li> <li>SLM memory images ("slm" format — a high-performance compressed memory image format used by Second Look Enterprise Security Edition);</li> <li>LiME memory images ("lime", "padded", or LiME "raw" formats — "lime" and LiME "raw" formats require conversion with secondlook-lime2mem or secondlook-limeraw2mem, respectively ‐ LiME "padded" is the equivalent of a raw physical memory image);</li> <li>VMware virtual machine snapshots ("vmem", "vmsn", or "vmss" formats — "vmsn" and "vmss" formats, as well as "vmem" files from VMs with >4GB RAM, require conversion with VMware's vmss2core and secondlook-core2mem);</li> <li>VirtualBox snapshots ("vbc" format — via conversion with secondlook-vbc2mem); and</li> <li>KVM Libvirt-QEMU-Save or QEMU-savevm snapshots ("lqs" or "qsv" formats — via conversion with lqs2mem, originally secondlook-lqs2mem, now an open source project).</li> </ul> </li> <li>Support for analysis of memory images from systems running either distribution stock kernels or custom kernels.</li> <li>Support for analysis of memory images from Amazon EC2 instances (under both pv and hvm virtualization types).</li> <li>Access to a repository of over 9000 ZRKs (Zipped Reference Kernels) providing the metadata and baseline for analysis and verification of CentOS, Debian, Fedora, RHEL, and Ubuntu stock kernels.</li> <li>An easy-to-use tool for creation of ZRKs for other distributions or for custom kernels.</li> <li>Second Look ZRKs can also be used as Volatility profiles.</li> <li>Integrity verification of the kernel and processes in memory.</li> <li>Access to a pagehash database containing hashes of the executable code pages of the ELF executables and shared libraries from over 2 million software packages from the Amazon, CentOS, Debian, Fedora, RHEL, and Ubuntu distributions.</li> <li>An easy-to-use tool for the addition of pagehashes supporting verification of custom or third-party software.</li> <li>Detection of kernel rootkits, backdoors, and other kernel-mode malware (known and unknown varieties).</li> <li>Detection of shared library rootkits, keyloggers, spyware, injected libraries, injected threads, and other user-mode malware (known and unknown varieties).</li> <li>Detection of unknown or unauthorized processes.</li> <li>Recovery of device mapper crypto keys for LUKS, TrueCrypt, and other full disk encryption schemes.</li> <li>Extraction of system state from captured memory images, including loaded kernel modules, running processes, memory mappings, open files, active network connections, and more. Output is available in the GUI, in plain text from the CLI, and in JSON format for ingestion by other programs.</li> <li>Offline usage is supported via a subscription to our ZRK and pagehash reference data feeds.</li> </ul> <h3 style="text-align: justify;"> More Reasons to Choose Second Look</h3> <div style="text-align: justify;"> Beyond the unique and powerful Linux Incident Response feature set listed above, what sets Second Look apart is the team behind it and the quality of the software they deliver. </div> <ul style="text-align: justify;"> <li>The Second Look Team provides professional support via phone and email, with on-site consulting services available. You get direct access to experts in Linux system internals and security.</li> <li>Customer feedback often quickly leads to new features.</li> <li>Second Look ships with comprehensive documentation, including a User Guide with explanations of the techniques most commonly used by attackers to maintain stealthy persistence on Linux systems.</li> <li>Second Look is regression tested against a large suite of sample memory images to ensure maximum quality and compatibility.</li> <li>If you like the visibility that Second Look gives you during investigations, you can upgrade to the Enterprise Security edition to monitor your systems on an ongoing basis.</li> </ul> <ul style="text-align: justify;"> </ul> <h3 style="text-align: justify;"> Tutorial ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/wt326aXmDMA?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div style="text-align: justify;"> </div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Linux :: </b>$1495 (USD) | <a href="http://secondlookforensics.com/contact/" target="_blank">Contact Here</a> for Purchase</div> <div style="text-align: justify;"> <b>Official Website :: </b><a href="http://secondlookforensics.com/">http://secondlookforensics.com/</a></div>

Second Look (Linux Memory Forensics) :: Tools

  The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and e...

Read more »

Rootkit Hunter (Rootkit Scanner) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <b><img alt="rootkit hunter logo" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmAKcX4SzdyaNdf4DapqpG3d1wMIQl85Bf0MAAPmJDtEku0X-3BPe_s9_ozZkwyHMyJrfIXdORod7eI9TGZejFbegPFldu185F6m872hTfpFEgo8CPqIQPMyFm9ltA2FzzD6V9PhSLSoVP/s1600/Rkhunter.jpg" title="rootkit hunter logo" /></b></div> <b>Rootkit Hunter</b> is <a href="http://www.toolwar.com/search/label/Scanner" target="_blank">scanning tool</a> to ensure you for about 99.9%* you're clean of nasty <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a>. This tool <i>scans for <a href="http://www.toolwar.com/search/label/Rootkit" target="_blank">rootkits</a>, backdoors and local exploits</i> by running tests like:<br /> <br />     - MD5 <a href="http://www.toolwar.com/search/label/Hash" target="_blank">hash</a> compare<br />     - Look for default files used by rootkits<br />     - Wrong file permissions for binaries<br />     - Look for suspected strings in LKM and KLD modules<br />     - Look for hidden files<br />     - Optional scan within plaintext and binary files<br /> <br /> <b>Rootkit Hunter</b> is released as GPL licensed project and free for everyone to use.* No, not really 99.9%.. It's just another security layer<br /> <br /> <b>System requirements:</b><br />     - Compatible operating system (see 'Supported operating systems')<br />     - Bourne Again Shell (BASH)<br /> <br /> <b>Supported operating systems ::</b><br /> - Most <a href="http://www.toolwar.com/search/label/Distribution" target="_blank">Linux distributions</a><br /> - Most *BSD distributions</div> <div style="text-align: justify;"> <h3> Tutorial ::</h3> <b>Scanning Techniques :: </b><a href="http://www.rootkit.nl/articles/rootkit_scanning_techniques.html" target="_blank">Click Here</a><br /> <b>Documentations :: </b><a href="http://www.rootkit.nl/files/rootkit_documentation.html" target="_blank">Click Here</a><br /> <b>Video Tutorial ::</b>  <br /> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/5ngeBpeRros?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> </div> <div style="text-align: justify;"> <h3> Download ::</h3> </div> <div style="text-align: justify;"> <b>Linux :: </b><a href="http://sourceforge.net/projects/rkhunter/files/latest/download" target="_blank">RootKit Hunter v1.4.0</a> (.tar.gz)<b> </b></div> <div style="text-align: justify;"> <b>Official Website ::</b> <a href="http://www.rootkit.nl/projects/rootkit_hunter.html">http://www.rootkit.nl/projects/rootkit_hunter.html</a></div>

Rootkit Hunter (Rootkit Scanner) :: Tools

Rootkit Hunter is scanning tool to ensure you for about 99.9%* you're clean of nasty tools . This tool scans for rootkits , backdoo...

Read more »

Lynis (Security and System Auditing) :: Tools

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPJSrg2v61K-1SHIewex9MB7DLBAqrgKTy2REJhuc1jyKxL99Tia_vx44VmSeUWWxbHdgZtEVAjWn5GUbxWD9dLfe1o2Suta4Ww_ZgfvwIITFiR8JkMpR5A-ZkTq17LVggAJlfumpTReoW/s1600/lynis-screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="lynis screenshot" border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPJSrg2v61K-1SHIewex9MB7DLBAqrgKTy2REJhuc1jyKxL99Tia_vx44VmSeUWWxbHdgZtEVAjWn5GUbxWD9dLfe1o2Suta4Ww_ZgfvwIITFiR8JkMpR5A-ZkTq17LVggAJlfumpTReoW/s320/lynis-screenshot.png" title="lynis screenshot" width="400" /></a></div> <div style="text-align: justify;"> <b>Lynis</b> is a <b><i>Security and system auditing tool</i> </b>to harden <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a> systems. <b>Lynis</b> is an <b>auditing tool </b>for Unix/Linux (specialists). It scans the <a href="http://www.toolwar.com/search/label/System" target="_blank">system</a> and available software and performs many individual <a href="http://www.toolwar.com/search/label/Security" target="_blank">security</a> checks. It determines the hardening state of the machine and <a href="http://www.toolwar.com/search/label/Detect" target="_blank">detects</a> security issues. Beside security related information it will also scan for general system information, installed packages and possible configuration errors. <b>Lynis</b> is a <a href="http://www.toolwar.com/search/label/Security" target="_blank">security tool</a> to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks, looks for installed software and determines compliance to standards. Also will it detects security issues and errors in configuration. At the end of the scan it will provide the warnings and suggestions to help you improving the security defense of your systems.<br /> <br /> This software aims in assisting automated auditing, hardening, software patch management, <a href="http://www.toolwar.com/search/label/Vulnerability" target="_blank">vulnerability</a> and <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (<a href="http://www.toolwar.com/search/label/USB" target="_blank">USB</a> stick, cd/dvd).<br /> <br /> <b>Lynis </b>assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.<br /> <br /> <b>Intended audience:</b><br /> Security specialists, penetration testers, system auditors, system/network managers.<br /> <br /> <b>Examples of audit tests:</b><br /> - Available authentication methods<br /> - Expired SSL certificates<br /> - Outdated software<br /> - User accounts without password<br /> - Incorrect file permissions<br /> - Configuration errors<br /> - Firewall auditing<br /> <br /> <b>Current state:</b><br /> Stable releases are available, development is active.<br /> <h3> Tutorials :: </h3> <b>Documentation :: </b><a href="http://www.rootkit.nl/files/lynis-documentation.html" target="_blank">Click Here</a> </div> <div style="text-align: justify;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/FgkC4k1kJaE?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <h3> <b>Download </b></h3> <b>Linux ::</b> <a href="http://cisofy.com/files/lynis-1.4.0.tar.gz" target="_blank">Llynis-1.4.0</a> (.tar.gz)</div> <div style="text-align: justify;"> <b>Official Website :: </b><a href="http://www.rootkit.nl/projects/lynis.html" target="_blank">http://www.rootkit.nl/projects/lynis.html </a></div> </div>

Lynis (Security and System Auditing) :: Tools

Lynis is a Security and system auditing tool to harden Linux systems. Lynis is an auditing tool for Unix/Linux (specialists). It sca...

Read more »

Hook Analyzer (Malware Analysis and Cyber Intelligence) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="Hook Analyser 3.0" border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0OmIirqGeQmdgB2nH4Gn-Cqwf17KXdZUVLYFVDBGbtK70u1NfT5MPvoVYbSj89mfPHKKK9qJbxCL4tIc_vpxb7syDkjmX59Dk7oizgHoIhfCoQ6GvkGLEhf5EwK0_GI4yov3373V6Ljyz/s640/Hook+Analyser+3.0.png" title="Hook Analyser 3.0" width="640" /></div> <div style="text-align: justify;"> <b>Hook Analyser</b> is a <i>malware analysis</i> and <i>cyber intelligence</i> (gathering and analysis) utility. As well as <b>Hook Analyzer</b> performs spawn and hook to application, hook to a specific running application process, perform static <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> analysis, application crash <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>, EXE extractor from process, and cyber threat intelligence.<br /> <b><br /> The project/utility has six (6) key functionalities -</b><br /> <b>1. Spawn and Hook to Application</b> - This feature allows analyst to spawn an application, and hook into it. The module performs the following -<br /> a. PE validation<br /> b. Static <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> analysis.<br /> c. Other options (such as pattern search or dump all)<br /> d. Type of hooking (Automatic, Smart or manual)<br /> e. Spawn and hook<br /> <br /> With the ‘hook’ module, there are three types of hooking being supported –<br /> <br /> a) Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs<br /> b) Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.<br /> c) Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.<br /> <br /> <b>2. Hook to a specific running process</b>- The option allows analyst to hook to a running (active) process. The module performs the following operations –<br /> <br /> a. List all running process<br /> b. Identify the running process executable path.<br /> c. Perform static malware analysis on executable (fetched from process executable path)<br /> d. Other options (such as pattern search or dump all)<br /> e. Type of hooking (Automatic, Smart or manual)<br /> f. Hook to a specific running process<br /> g. Hook and continue the process<br /> <br /> <b>3. Static Malware Analysis -</b> This module is one of the most interesting and useful module of <b>Hook Analyzer</b>, which performs scanning on PE or <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> executable (and DLLs) to identify potential malware traces. <br /> <br /> a. PE file validation<br /> b. CRC and timestamps validation<br /> c. PE properties such as Image Base, Entry point, sections, subsystem<br /> d. TLS entry <a href="http://www.toolwar.com/search/label/Detect" target="_blank">detection</a>.<br /> e. Entry point verification (if falls in suspicious section)<br /> f. Suspicious entry point detection<br /> g. Packer detection<br /> h. Signature trace (extended from malware analyzer project), such as Anti VM aware, debug aware, keyboard hook aware etc. This particular function searches for more than 20 unique malware behaviors (using 100’s of signature).<br /> i. Import Intel scanning.<br /> j. Deep search (module) <br /> k. Online search of MD5 (of executable) on Threat Expert.<br /> l. String dump (ASCII)<br /> m. Executable file information<br /> n. Hexdump<br /> o. PEfile info dumping<br /> p. ...and more.<br /> <br /> <b>4. Application crash analysis</b> - This module enables <a href="http://www.toolwar.com/search/label/Exploitation" target="_blank">exploit</a> researcher and/or application developer to analyse memory content when an application crashes. This module essentially displays data in different <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> register (such as EIP).<br /> <br /> <br /> <b>5. Exe extractor</b> - This module essentially extracts executables from running process/s, which could then be further analyzed using Hook Analyzer, Malware Analyzer or other solutions. This module is potentially useful for incident responders<br /> <br /> <br /> <b>6. Cyber Threat Intelligence </b>- This module is being created to gather and analyze information related to Cyber Threats and <a href="http://www.toolwar.com/search/label/Vulnerability" target="_blank">vulnerabilities</a>. The module can be run using HookAnalyser.exe (via Option 6), or can be run directly.<br /> <br /> The module present information on a web browser (with dashboard alike representation). It has three (3) presentations - <br /> • Threat Vectors - by Country (through url.txt - provided)<br /> • Threat Vectors - by Geography (through url.txt - provided)<br /> • Vulnerability / Threat Feed (through rss.txt)</div> <div style="text-align: justify;"> <b><br /> </b></div> <h3 style="text-align: justify;"> <b>Tutorials :: </b></h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/msYo7pPsu6A?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div style="text-align: justify;"> <b> </b></div> <div style="text-align: justify;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/sdnRP90weT4?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;"> <b>Download ::</b></h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="https://docs.google.com/file/d/0B4eYJx0xZdQAcDlvS3JhcmxmMjQ/edit" target="_blank">Hook Analyzer v3.0</a><b> </b></div> <div style="text-align: justify;"> <b>Official Website :: </b><a href="http://hookanalyser.com/">http://hookanalyser.com/</a></div> <div style="text-align: justify;"> <b>Submitted By :: </b>Beenu Arora </div>

Hook Analyzer (Malware Analysis and Cyber Intelligence) :: Tools

Hook Analyser is a malware analysis and cyber intelligence (gathering and analysis) utility. As well as Hook Analyzer performs spawn ...

Read more »

Immunity Debugger :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="Immunity Debugger logo" border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9Tz7osQXiMIGssd8NGbnuYt2UuNlyHH6exkoSIEvMi6eJWYewN-waCLbYG-2ZjR-PbZhLWL2A9wBOmtAo9V0AKXaUBpGgoDlDoMAhMep5Qott6zJB-zoqQuUaLf0pzc5oMPvczcOOL0pJ/s400/debugger-logo.png" title="Immunity Debugger logo" width="400" /></div> <div style="text-align: justify;"> <b>Immunity Debugger</b> is a powerful new way to <i>write exploits, <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analyze</a> <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a>, and reverse engineer binary files.</i> It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported <a href="http://www.toolwar.com/search/label/Python" target="_blank">Python</a> API for easy extensibility.</div> <div style="text-align: justify;"> <img border="0" src="http://www.immunityinc.com/bullet.gif" /> A <a href="http://www.toolwar.com/search/label/Debugger" target="_blank">debugger</a> with functionality designed specifically for the security industry<br /> <img border="0" src="http://www.immunityinc.com/bullet.gif" />Cuts exploit development time by 50%<br /> <img border="0" src="http://www.immunityinc.com/bullet.gif" />Simple, understandable interfaces<br /> <img border="0" src="http://www.immunityinc.com/bullet.gif" />Robust and powerful scripting language for automating intelligent debugging<br /> <img border="0" src="http://www.immunityinc.com/bullet.gif" />Lightweight and fast debugging to prevent corruption during complex analysis<br /> <img border="0" src="http://www.immunityinc.com/bullet.gif" />Connectivity to fuzzers and exploit development <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a></div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <h3> Tutorials ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/fIUOiwYTpho?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/KlcLLzdtT2U?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> </div> <div style="text-align: justify;"> <h3> Download ::</h3> </div> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://debugger.immunityinc.com/ID_register.py" target="_blank">Immunity Debugger </a><b> </b></div> <div style="text-align: justify;"> <b>Official Website ::</b>  <a href="http://debugger.immunityinc.com/">http://debugger.immunityinc.com/</a></div>

Immunity Debugger :: Tools

Immunity Debugger is a powerful new way to write exploits, analyze malware , and reverse engineer binary files. It builds on a solid ...

Read more »

Comodo Instant Malware Analysis :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZXpq3vpAdfRoyhd2TuuLhRbcxvLUBdg7j0s0qs-de-oL4mMDVYHrSC1fhR8Qi8WvGxs01xNpvkrcfzmLAOEgynz-P-VuNsBvQuCYbzN19hY690b6aG_bmqqkqa8rOkCqfFeXpt3YG86co/s1600/malware_submission.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Comodo Instant Malware Analysis :: Tools" border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZXpq3vpAdfRoyhd2TuuLhRbcxvLUBdg7j0s0qs-de-oL4mMDVYHrSC1fhR8Qi8WvGxs01xNpvkrcfzmLAOEgynz-P-VuNsBvQuCYbzN19hY690b6aG_bmqqkqa8rOkCqfFeXpt3YG86co/s640/malware_submission.gif" title="Comodo Instant Malware Analysis :: Tools" width="640" /></a></div> <div style="text-align: justify;"> <b>COMODO Automated Malware Analysis System</b> will scan it and report back its findings. If you have a suspicious file, please submit it online by using the form that available in below download section.</div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> Online :: <a href="http://camas.comodo.com/">http://camas.comodo.com/</a></div>

Comodo Instant Malware Analysis :: Tools

COMODO Automated Malware Analysis System will scan it and report back its findings. If you have a suspicious file, please submit it onli...

Read more »

Anubis (Malware Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTmAx_NudzfUupSdKvSkb0hV3Z5-uet6DMoIU6IOOLV2D1jhrwUKJ1J0Nr8Y10u30CXriHeCoN7-RrUyMg2I2OXk-tJ-Nx16UORipoRzOCFsusKV1b90cEopYLaxyWRrAdtMGtf-nBFaQ5/s1600/anubis+logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="anubis logo" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTmAx_NudzfUupSdKvSkb0hV3Z5-uet6DMoIU6IOOLV2D1jhrwUKJ1J0Nr8Y10u30CXriHeCoN7-RrUyMg2I2OXk-tJ-Nx16UORipoRzOCFsusKV1b90cEopYLaxyWRrAdtMGtf-nBFaQ5/s200/anubis+logo.png" title="anubis logo" width="114" /></a></div> <div style="text-align: justify;"> <b>Anubis</b> is a service for<b> analyzing malware.</b> Submit your <b>Windows executable</b> or <b>Android APK</b> and receive an analysis report telling you what it does. Alternatively, submit a <b>suspicious URL</b> and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL. </div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <b>Online :: </b><a href="http://anubis.iseclab.org/">http://anubis.iseclab.org/</a> </div>

Anubis (Malware Analysis) :: Tools

Anubis is a service for analyzing malware. Submit your Windows executable or Android APK and receive an analysis report telling you ...

Read more »

Malware Classifier (Malware Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="adobe malware classifier " border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJFSWBvBrB6iEW5mUe0RLgLd4aTklWqEcrJku4K5HoKfHloY6DDXgTMVL4g8funQXw0_Yaxw2LuVUfUe3WqD_yvQoVBSUtp-dpw3XWg7kkmWbJlum9If5NsE1Kifvf0LFPi1Gryz7sq1ot/s400/adobe+malware+classifier.png" title="adobe malware classifier " width="400" /></div> <div style="text-align: justify;"> <b>Adobe Malware Classifier</b> is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a <b><i>binary file contains malware</i></b>, so they can develop <b> <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> detection</b> signatures faster, reducing the time in which users' systems are vulnerable. Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”<br /><br /> The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs. <br /> The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary.</div> <div style="text-align: justify;"> <h3> Download :: </h3> <b>Python :: </b><a href="http://sourceforge.net/projects/malclassifier.adobe/files/AdobeMalwareClassifier.py/download" target="_blank">AdobeMalwareClassifier.py</a><br /> <b>Source :: </b><a href="http://sourceforge.net/projects/malclassifier.adobe/?source=navbar">http://sourceforge.net/projects/malclassifier.adobe/?source=navbar</a></div>

Malware Classifier (Malware Analysis) :: Tools

Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and e...

Read more »

VirusTotal (Analyze files and URLs) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="virustotal logo" border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_tdl85tCDSMyYMpacR9LL_CK2AehDKuIiji7z27f0HCHva-H4cBOUdzchlHBuKhIMi7y-qAjBkrxhPNy9QG9vMIgh180-_lugQgdYdr5OKvqWU_gT4lZqr9v8ppC2b39ZnvLE-LyNkSWa/s400/virustotal+logo.png" title="virustotal logo" width="400" /> </div> <div style="text-align: justify;"> <b>VirusTotal</b>, a subsidiary of Google, is a <i><b>free <a href="http://www.toolwar.com/search/label/Online" target="_blank">online</a> service that analyzes files and URLs</b></i> enabling the <i>identification of viruses, worms, trojans and other kinds of malicious content</i> detected by antivirus engines and website <a href="http://www.toolwar.com/search/label/Scanner" target="_blank">scanners.</a> At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners. </div> <div style="text-align: justify;"> <b>VirusTotal’</b>s mission is to help in improving the antivirus and <a href="http://www.toolwar.com/search/label/Security" target="_blank">security</a> industry and make the internet a safer place through the development of free tools and services.<b> VirusTotal's</b> main characteristics are highlighted below. </div> <h3 style="text-align: justify;"> Free unbiased service ::</h3> <div style="text-align: justify;"> <b>VirusTotal</b>, is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service works with engines belonging to different enterprises and organizations, <b>VirusTotal</b> does not distribute or advertise any products belonging to third parties, but simply acts as an aggregator of information. This prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users. </div> <h3 style="text-align: justify;"> Runs multiple antivirus engines and website scanners ::</h3> <div style="text-align: justify;"> <b>VirusTotal</b> simply acts as an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a> tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section. </div> <h3 style="text-align: justify;"> Runs multiple file and URL characterization tools ::</h3> <div style="text-align: justify;"> As previously stated,<b> VirusTotal</b> also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in <b>VirusTotal</b> can be found in the credits and collaboration acknowledgements section. </div> <h3 style="text-align: justify;"> Real time updates of virus signatures and blacklists ::</h3> <div style="text-align: justify;"> The <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes—this makes sure that the products are using the latest signature sets. </div> <div style="text-align: justify;"> <a href="http://www.toolwar.com/search/label/Web" target="_blank">Website</a> scanning is done via API queries to the different companies providing the particular solution, hence, the most updated version of their dataset is always used. </div> <h3 style="text-align: justify;"> Detailed results from each scanner ::</h3> <div style="text-align: justify;"> <b>VirusTotal </b>not only tells you whether a given antivirus solution detected a submitted file, but also displays the exact detection label returned by each engine (e.g. <span class="label important">I-Worm.Allaple.gen</span>). </div> <div style="text-align: justify;"> This feature is also present in URL scanners. Most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc. </div> <h3 style="text-align: justify;"> Real time global service operation statistics ::</h3> <div style="text-align: justify;"> Information about the number of resources (files and URLs) processed by <b>VirusTotal</b> can be found in the statistics section. These statistics provide a number of notions and groupings, such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated—neither will they ever be generated (on a public or private basis), even though their calculation is trivial. The reason is that using <b>VirusTotal </b> for antivirus testing is a bad idea. </div> <h3 style="text-align: justify;"> Automation API ::</h3> <div style="text-align: justify;"> File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in <b>VirusTotal</b>), the public API is subjected to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section. </div> <h3 style="text-align: justify;"> Online malware research community ::</h3> <div style="text-align: justify;"> In August 2010 <b>VirusTotal </b>integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files, hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innocuous, building a community maliciousness score for the resource. </div> <div style="text-align: justify;"> In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers. </div> <h3 style="text-align: justify;"> Desktop applications for interacting with the service ::</h3> <div style="text-align: justify;"> With the aim of making the Internet a safer place <b>VirusTotal's</b> team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, <a href="http://www.toolwar.com/search/label/Browser" target="_blank">browser</a> extensions, etc.). Many of <b>VirusTotal's</b> users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section. </div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/TFSmJaiO_G0?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div style="text-align: justify;"> <br /> <b>Online :: </b><a href="https://www.virustotal.com/">https://www.virustotal.com/</a></div>

VirusTotal (Analyze files and URLs) :: Tools

  VirusTotal , a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of v...

Read more »

Cuckoo Sandbox (Malware Analysis) :: Tools

<div class="row" style="text-align: justify;"> <div class="span6" style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <img alt="Cockoo sandbox logo" border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgibr626QwfgXHYV4JYq_X59SkjRlgqtUxt37xeoKA02je4VxQCzLHM2HF_UMNOs73aOU78-Ym3kDdcNf_Sh4lu8veicfMPHF_ExBSG4ZSq32iari06OXQx68KZJGay6AFbiMYSwZObGuUD/s400/cuckoo+sandbox+logo.png" title="Cockoo sandbox logo" width="400" /></div> <h3> What is Cuckoo Sandbox?</h3> <b>Cuckoo Sandbox</b> is a <b><i>malware analysis system</i></b>. What does that mean? It simply means that you can throw any <i>suspicious file</i> at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.<br /> <h3> Why should you use it?</h3> <i><b>Malware</b> is the swiss-army knife of cybercriminals</i> and any other adversary to your corporation or organization.<br /> In these evolving times, detecting and removing <a href="http://www.toolwar.com/search/label/Malware" target="_blank"> malware</a> artifacts is not enough: it's vitally important to understand how they work and what they would do/did on your systems when deployed and understand the context, the motivations and the goals of a breach.<br /> In this way you are able to more effectively understand the incident, respond to it and protect yourself for the future.<br /> There are infinite other contexts where you might need to deploy a sandbox internally, from <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analyzing</a> an internal breach to proactively scouting wildly distributed threats, collect actionable data and analyzing the ones actively targeting your infrastructure or products.<br /> In any of these cases you'll find Cuckoo to be perfectly suitable, incredibly customizable and well... free!</div> <div class="span6" style="text-align: justify;"> <h3> What does it produce?</h3> Cuckoo generates a handful of different raw data which include:<br /> <ul> <li>Native functions and <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> API calls traces</li> <li>Copies of files created and deleted from the filesystem</li> <li>Dump of the memory of the selected process</li> <li>Full <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> dump of the analysis machine</li> <li>Screenshots of the desktop during the execution of the malware analysis</li> <li><a href="http://www.toolwar.com/search/label/Network" target="_blank">Network</a> dump generated by the machine used for the analysis</li> </ul> In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:<br /> <ul> <li>JSON report</li> <li>HTML report</li> <li>MAEC report</li> <li>MongoDB interface</li> <li>HPFeeds interface</li> </ul> Even more interestingly, thanks to Cuckoo's extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing <a href="http://www.toolwar.com/search/label/Framework" target="_blank">frameworks</a> and storages with the data you want, in the way you want, with the format you want.<br /> <h3> Tutorials ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/720Vh3FaGN8?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/KVoDCrYeCXo?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/-npWBiDloRQ?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3> Download :: </h3> <b>Alternative Downloads ::</b><br /> <pre>git clone git://github.com/cuckoobox/cuckoo.git</pre> If you want to clone a specific branch ::<br /> <pre>git clone -b <branch name> git://github.com/cuckoobox/cuckoo.git</pre> <b><span style="font-family: inherit;">Linux ::</span></b> <a href="http://www.cuckoosandbox.org/download.html" target="_blank">Cuckoo Sandbox 0.6</a><br /> <b>Official Website :: </b>http://www.cuckoosandbox.org/<br /> <h3> </h3> </div> </div>

Cuckoo Sandbox (Malware Analysis) :: Tools

What is Cuckoo Sandbox? Cuckoo Sandbox is a malware analysis system . What does that mean? It simply means that you can throw any su...

Read more »

APKinspector (Android Application Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDfll6W-RvD12nGiztawoL8QzR2hiHtY9U0CyFpiOh8DIlhHtylQu4GXGEeJOXGgm-Kn-50SpKrC-tMzOnEz3XmJq8OPzHGd1s1Cbwz9hJkW4ewca_vWW6qMKYQEEKP3C2IbytnRVmnsY7/s1600/APKinspector+Logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="APKinspector Logo" border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDfll6W-RvD12nGiztawoL8QzR2hiHtY9U0CyFpiOh8DIlhHtylQu4GXGEeJOXGgm-Kn-50SpKrC-tMzOnEz3XmJq8OPzHGd1s1Cbwz9hJkW4ewca_vWW6qMKYQEEKP3C2IbytnRVmnsY7/s320/APKinspector+Logo.png" title="APKinspector Logo" width="320" /></a></div> <div style="text-align: justify;"> <span itemprop="description"><br /> </span></div> <div style="text-align: justify;"> <span itemprop="description"><b>APKinspector</b> is a powerful GUI tool for analysts to <b>analyze the Android applications.</b></span> The goal of this project is to aide analysts and reverse engineers to visualize compiled <a href="http://www.toolwar.com/search/label/Android" target="_blank">Android</a> packages and their corresponding DEX code. <b>APKInspector</b> provides both <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a> functions and graphic features for the users to gain deep insight into the malicious apps: </div> <ul style="text-align: justify;"> <li> CFG </li> </ul> <ul style="text-align: justify;"> <li> Call Graph </li> </ul> <ul style="text-align: justify;"> <li>Static Instrumentation </li> </ul> <ul style="text-align: justify;"> <li>Permission Analysis </li> </ul> <ul style="text-align: justify;"> <li>Dalvik codes </li> </ul> <ul style="text-align: justify;"> <li>Smali codes </li> </ul> <ul style="text-align: justify;"> <li>Java codes </li> </ul> <ul style="text-align: justify;"> <li>APK Information </li> </ul> <h3 style="text-align: justify;"> Tutorial ::</h3> <div style="text-align: justify;"> This is a guide to get <b>APKInspector</b> running on your own computer. The latest version is tested on Ubuntu 10.10 and Ubuntu 11.04. </div> <ol style="text-align: justify;"> <li>Download the latest version of <b>APKInspector</b> via GIT </li> <li>Run “./Install.sh” </li> <li>Test if APKInspector can boot correctly, go to the directory of “<b>APKInspector</b>”, run “python StartQT.py”. </li> </ol> <h3 style="text-align: justify;"> <a href="http://www.blogger.com/null" name="What’s_new?"></a></h3> <h3> Download ::</h3> <b>Windows or Linux ::</b> <a href="http://apkinspector.googlecode.com/files/apkinspector.Beta.zip" target="_blank">APKInspector Beta</a><br /> <b>Source :: </b><a href="http://code.google.com/p/apkinspector/">http://code.google.com/p/apkinspector/</a>

APKinspector (Android Application Analysis) :: Tools

APKinspector is a powerful GUI tool for analysts to analyze the Android applications. The goal of this project is to aide analysts a...

Read more »

Moblie Sandbox (Malware Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_qbvIc8E9v5X4r0t44FgOmDqC7zmSCQI18Co_RwJhj0LT7b4V-Fj-eVHPAknjUafduiYnS9pLdD13ccoRx_BiMGYy_llqPPE47AkWGQqbljQmA3IhxZeudMKZ9SsaZtPxKZpIvhO9NBXn/s1600/Mobile+Sandbox+Logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Mobile Sandbox Logo" border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_qbvIc8E9v5X4r0t44FgOmDqC7zmSCQI18Co_RwJhj0LT7b4V-Fj-eVHPAknjUafduiYnS9pLdD13ccoRx_BiMGYy_llqPPE47AkWGQqbljQmA3IhxZeudMKZ9SsaZtPxKZpIvhO9NBXn/s400/Mobile+Sandbox+Logo.png" title="Mobile Sandbox Logo" width="400" /></a></div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <b>Mobile-Sandbox</b>.com is part of the <b>MobWorm</b> project and provides<b> static and dynamic malware analysis</b> for Android OS smartphones.<br /> <b>Mobile Sandbox</b> provides static analysis of <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> images with an easy accessible <a href="http://www.toolwar.com/search/label/Web" target="_blank">web</a> interface for submission.<br /> This service is still under continuous development and is run purely as a research tool and a best effort service. We reserve the right to take it down at any point for maintenance or other reasons.</div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <b>Online Website ::<a href="http://www.blogger.com/goog_1673190333"> </a></b><a href="http://mobilesandbox.org/">http://mobilesandbox.org/</a></div>

Moblie Sandbox (Malware Analysis) :: Tools

Mobile-Sandbox .com is part of the MobWorm project and provides static and dynamic malware analysis for Android OS smartphones. Mob...

Read more »

Droidbox (Dynamic Analysis of Android Application) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjcKyHHA4pdNe2hL5YdmmobKmzVoyS5GUB_R3hBEykHcJucVuhf-2b6P080HXYZLvhYkKrx72b8ItbCDvaHvF2k88KX0z9AUrNJDhUbtv5x6paMTNG69Uu7N3-KIKP4kOzHAPV20Ux3qv/s1600/droidbox+analysis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Droidbox Analysis" border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjcKyHHA4pdNe2hL5YdmmobKmzVoyS5GUB_R3hBEykHcJucVuhf-2b6P080HXYZLvhYkKrx72b8ItbCDvaHvF2k88KX0z9AUrNJDhUbtv5x6paMTNG69Uu7N3-KIKP4kOzHAPV20Ux3qv/s400/droidbox+analysis.png" title="Droidbox Analysis" width="400" /></a></div> <br /> <div style="text-align: justify;"> <b>DroidBox </b>is developed to offer <b>dynamic analysis of Android applications</b>. The following information is shown in the results, generated when analysis is ended: </div> <ul style="text-align: justify;"> <li>Hashes for the analyzed package </li> <li>Incoming/outgoing network data </li> <li>File read and write operations </li> <li>Started services and loaded classes through DexClassLoader </li> <li>Information leaks via the network, file and SMS </li> <li>Circumvented permissions </li> <li>Cryptography operations performed using <a href="http://www.toolwar.com/search/label/Android" target="_blank">Android</a> API </li> <li>Listing broadcast receivers </li> <li>Sent SMS and phone calls </li> </ul> <div style="text-align: justify;"> Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages. </div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Tutorial :: </h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/E-3s7ZfjTsA?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Linux ::</b> <a href="http://droidbox.googlecode.com/files/droidbox4.1.1.tar.gz" target="_blank">Droidbox 4.1.1</a> <b>Source :: </b> <a href="http://code.google.com/p/droidbox/">http://code.google.com/p/droidbox/</a></div>

Droidbox (Dynamic Analysis of Android Application) :: Tools

DroidBox is developed to offer dynamic analysis of Android applications . The following information is shown in the results, generated...

Read more »

SRDF - Security Research and Development Framework :: Framework

<div class="separator" style="clear: both; text-align: center;"> <img alt="SRDF - Security Research and Development Framework" border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGnFfLl9tWVJH2zHKe7QLRdJ4tE1-4JAVwWqtOKo-ds-ItC_74qf8W7on7y6J8LHN7QOoORnyUYL9kjj92u8pROLRqs2-pzuPS2_fdPhfbbIAtfarXwCUSP_srtZSZgrFQ8NKSyvpKJCAy/s640/SRDF+Logo.jpg" title="SRDF - Security Research and Development Framework" width="640" /></div> <div style="text-align: justify;"> <b>SRDF - Security Research and Development Framework</b> is a free open source <i>Development Framework</i> created to support <i> writing security tools and malware analysis tools</i>. And to convert the security researches and ideas from the theoretical approach to the practical implementation. </div> <div style="text-align: justify;"> This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF. </div> <h3 style="text-align: justify;"> <span style="font-size: large;"><b>Introduction:</b></span> </h3> <div style="text-align: justify;"> In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays. </div> <div style="text-align: justify;"> The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame. </div> <div style="text-align: justify;"> The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF </div> <div style="text-align: justify;"> The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework </div> <div style="text-align: justify;"> SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea. </div> <div style="text-align: justify;"> The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section. </div> <h3 style="text-align: justify;"> <span style="font-size: large;"><b>The Features:</b></span> </h3> <div style="text-align: justify;"> Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project. </div> <div style="text-align: justify;"> In User-Mode part, SRDF gives you many helpful tools … and they are: </div> <ul style="text-align: justify;"> <li>Assembler and Disassembler </li> </ul> <ul style="text-align: justify;"> <li>x86 Emulator </li> </ul> <ul style="text-align: justify;"> <li>Debugger </li> </ul> <ul style="text-align: justify;"> <li>PE Analyzer </li> </ul> <ul style="text-align: justify;"> <li>Process Analyzer (Loaded DLLs, Memory Maps … etc) </li> </ul> <ul style="text-align: justify;"> <li>MD5, SSDeep and Wildlist Scanner (YARA) </li> </ul> <ul style="text-align: justify;"> <li>API Hooker and Process Injection </li> </ul> <ul style="text-align: justify;"> <li>Backend Database, XML Serializer </li> </ul> <ul style="text-align: justify;"> <li>And many more </li> </ul> <div style="text-align: justify;"> In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features: </div> <ul style="text-align: justify;"> <li>Object-oriented and easy to use development framework </li> </ul> <ul style="text-align: justify;"> <li>Easy IRP dispatching mechanism </li> </ul> <ul style="text-align: justify;"> <li>SSDT Hooker </li> </ul> <ul style="text-align: justify;"> <li>Layered Devices Filtering </li> </ul> <ul style="text-align: justify;"> <li>TDI Firewall </li> </ul> <ul style="text-align: justify;"> <li>File and Registry Manager </li> </ul> <ul style="text-align: justify;"> <li>Kernel Mode easy to use internet sockets </li> </ul> <ul style="text-align: justify;"> <li>Filesystem Filter </li> </ul> <div style="text-align: justify;"> Still the Kernel-Mode in progress and many features will be added in the near future. </div> <h3 style="text-align: justify;"> Download ::  </h3> <div style="text-align: justify;"> <b>Linux :: </b><a href="http://srdf.googlecode.com/files/SRDF-v1.00.rar" target="_blank">SRDF v1.0</a></div> <div style="text-align: justify;"> <b>Help & Official Website :: </b>https://www.owasp.org/</div>

SRDF - Security Research and Development Framework :: Framework

SRDF - Security Research and Development Framework is a free open source Development Framework created to support writing security too...

Read more »

ReFrameworker :: Framework

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFnuAWV-aVgL3wC50yN4F7GTHTD8Tef37-UNLYiFkWuY2DrdUN4uwjtJp3QTQBTH22ELF59dCN8zgJ7lkNFEtWfkQ0judpnIw7w4W2E3QqWMy0eOW59qoSXpMVVffNuWtRgZi0yLKlM9w/s1600/ReFrameworker+logo+toolwar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="reframeworker logo toolwar" border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFnuAWV-aVgL3wC50yN4F7GTHTD8Tef37-UNLYiFkWuY2DrdUN4uwjtJp3QTQBTH22ELF59dCN8zgJ7lkNFEtWfkQ0judpnIw7w4W2E3QqWMy0eOW59qoSXpMVVffNuWtRgZi0yLKlM9w/s320/ReFrameworker+logo+toolwar.jpg" title="reframeworker logo toolwar" width="320" /></a></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;"><b>ReFrameworker</b> is a general purpose <i>Framework modifier</i>, used to <i>reconstruct framework Runtimes</i> by creating modified versions from the original implementation that was provided by the framework vendor. ReFrameworker performs the required steps of runtime manipulation by tampering with the binaries containing the framework's classes, in order to produce modified binaries that can replace the original ones. It was developed to experiment with and demonstrate deployment of MCR (Managed Code Rootkits) code into a given framework. Among its features: - Performs all the required steps needed for modifying framework binaries (disassemble, code injection, reassemble, precompiled images cleaning, etc.) - Fast development and deployment of a modified behavior into a given framework - Auto generated deployers - Modules: a separation between general purpose "building blocks" that can be injected into any given binary, allowing the users to create small pieces of code that can be later combined to form a specific injection task. - Can be easily adapted to support multiple frameworks by minimal configuration (currently comes preconfigured for the .NET framework) - Comes with many "preconfigured" proof-of-concept attacks (implemented as modules) that demonstrate its usage that can be easily extended to perform many other things. ReFrameworker, as a general purpose framework modification tool, can be used in other contexts besides security such as customizing frameworks for performance tuning, Runtime tweaking, virtual patching, hardening, and probably other usages - It all depends on what it is instructed to do.</span></span></span></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;"><br /></span></span></span></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;"><b>Tutorial File ::</b> <a href="https://appsec-labs.com/system/files/Managed%20Code%20Rootkits%20presentation%20%28SOURCE%202010%29.pdf" target="_blank">Click Here</a></span></span></span></div> <div style="text-align: justify;"> <b><span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;">Download Here :: </span></span></span></b><span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;"><a href="https://appsec-labs.com/system/files/ReFrameworker_V1.1.zip" target="_blank">ReFrameworker v1.1.zip</a>  <b>(</b>Windows)<b> </b></span></span></span></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;"><span style="text-align: justify;"><b>Official Website :: </b>https://appsec-labs.com/ </span></span></span></div> </div>

ReFrameworker :: Framework

ReFrameworker is a general purpose Framework modifier , used to reconstruct framework Runtimes by creating modified versions from th...

Read more »

Zero Wine (Malware Analysis) :: Tools

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <img alt="Zero Wine logo" border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKL4PHE7CkDUT7pPvSFJMm5r70V2xQi_hLrm7B7PiD6pS0DDJTaFdR4n9CcE36te1JtS-LSLEHh5uXVzXNVQ0yoFD2Uag_XG1M7e_QeQPmNwqCrDT2zeFkz30q_Y2pDPyePzOksXhym3bR/s400/zerowine+logo.png" title="Zero Wine logo" width="400" /></div> <div class="Textbody" style="text-align: justify;"> <b>Zero Wine </b>is a tool for <i>Malware Behavior Analysis.</i> <b>Zero wine</b> is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program. </div> <div class="Textbody" style="text-align: justify;"> The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware's behavior turns out to be very easy. </div> <div class="Textbody" style="text-align: justify;"> <b>Zero wine</b> is distributed as one QEMU virtual machine image with a Debian operating system installed. The image contains software to upload and analyze malware and to generate reports based on the information gathered (this software is stored in /home/malware/zerowine). </div> <div class="Textbody" style="text-align: justify;"> Running the distributed virtual machine with the correct command line options (use the supplied startup shell script to run the virtual machine) provides a web based (web server is written in python) graphical interface to upload malware to be analyzed (a CGI written, also, in python).</div> <div class="Textbody" style="text-align: justify;"> When a new malware is uploaded, it is copied to the directory<i> /tmp/vir/MD5_OF_THE_FILE,</i> them, the previous created WINE environment (WINEPREFIX if you prefer) is removed and a backup system is untared (the backup system is /home/malware/backup/backup.tar.gz). After this operation, the malware is executed using the shell script malware_launcher.sh (the file is stored in the folder /home/malware/bin).</div> <div class="Textbody" style="text-align: justify;"> <span style="font-weight: bold;">NOTE:</span> The current system is subject to change as it doesn't allow the analysis of more than one malware at a time. In the future, every time you upload a new malware file it will be added to a queue for later analysis and a new WINEPREFIX specific to run this malware will be created.</div> <div class="Textbody" style="text-align: justify;"> <br /></div> <div class="Textbody" style="text-align: justify;"> <b>Download Here :: </b><a href="http://sourceforge.net/projects/zerowine/files/latest/download" target="_blank">Zero Wine 2.0.0.tar.bz2</a></div> <div class="Textbody" style="text-align: justify;"> <b>Tutorial / Official Website :: </b> http://zerowine.sourceforge.net/</div> </div>

Zero Wine (Malware Analysis) :: Tools

Zero Wine is a tool for Malware Behavior Analysis. Zero wine is an open source (GPL v2) research project to dynamically analyze the b...

Read more »