HACKERSPACE
April 2016
Reverse Engineering (RE)
Reverse Code Engineering (RCE)
«If you are curious, go and look at page 17. Good luck!»
by >_Franck Desert (Setec Astronomy)
HACKFEST
>_About-FD ➛Married (21 years) - Dad
➛French, but better ;-))
➛Hackfest games since 2013 (in Quebec for 4 years) ➚Works hard on its hostile platform (HF Phenix – Azure Cloud)
➚And every task I get handed ;-)
➚ iHack 2016 above all: mark it in your calendars!
➛A security enthusiast for 25 years
➚Specialty RCE, malware; every language fascinates me,
➚Every Windows since the very beginning,
➚Organic Architect (senior dev) at CGI Qc for 4 years.
>_Remove-Context Prerequisites, and from which angle:
Learning or re-learning all the time,
Constantly questioning your paradigm,
Focusing while changing your "MindSet"; be warned, this is a 101+,
My angle of attack is aimed at malware and technology watch on code.
What will not be covered:
A dumb list of tools (that would take a bootcamp ;-)),
A presentation of one particular tool – (training 1xx, 2xx, etc.),
Pure, hard-core "reversing" inside a disassembler (tedious),
Assembly code alone, reading memory, etc.,
"Pentesting" either (you have the best people in the room ;-)),
"Reversing" of mobile, IoT and other systems,
But the principle is the same!
>_Help-RCE « Reverse-Engineering » # « Rétro-ingénierie » (the French term)
« Engine » # « Ingénier » comes from "génie" (as in civil engineering), "ingénieux" (ingenious).
>_Add-Context1 Focus on a common vocabulary
[Debugging # (Disassembly – Delinking) # "Decompilation" # Pseudo-code],
Focus on the hunting ground you are going to operate on,
Focus on the "ATOMIC" because it is "Too Big", but in 4 dimensions (more on that later),
Focus on adapting your "MindSet" and your tools (video games),
Focus on the new paradigms and means put at your disposal,
(G8 cloud machines, IoT, batch services, parallelism, machine learning, etc.)
8 zettabytes of data predicted in 2016 (ZB zettabyte = 1000^7 bytes, YB yottabyte = 1000^8 bytes)
>_Add-Context2 "TimeLess" – "TimeToMarket" – "DLP"
x = y / 2 can be turned by the compiler into a series of 20 to 30 processor instructions.
The output of a decompiler is 5 to 10 times shorter than that of a disassembler.
>_Get-RealMarket
Market reality: more than 60% of the users of so-called pentest and/or "forensic sandbox" distros turn out to be on Windows. After download they are installed as a "dual boot" or in a virtual machine. Made public thanks to SourceForge's stats API.
You can also see the worldwide share of Windows OS, which comes in at around 85%:
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers
(1) Samurai Web Testing Framework - 66% Windows downloads
https://sourceforge.net/projects/samurai/files/stats/timeline?dates=2013-05-27+to+2016-04-01
(2) Santoku Linux - 60% Windows downloads
https://sourceforge.net/projects/santoku/files/stats/timeline?dates=2013-05-27+to+2016-04-01
(3) Parrot OS - 59% Windows downloads
https://sourceforge.net/projects/parrotsecurity/files/stats/os?dates=2013-06-16%20to%202016-04-01
(4) Matriux - 69% Windows downloads
https://sourceforge.net/projects/matriux/files/stats/os?dates=2010-11-19%20to%202016-04-01
>_Get-ThePower
Battle of formats: XML, JSON, OpenXML, OpenDocument, etc.,
Office Open XML, OpenDocument (OASIS), XML, JSON, JSONP, etc.
Battle of full hardware virtualization (the "CLOUD" wars) ;-),
Process virtualization such as Sandboxie, VMware, VirtualBox, etc.
Battle of the JS engines (grand masters of the WEB) and of the layout engines.
ECMAScript (or ES), Rhino - Mozilla project, Chakra - EdgeHTML, V8 – Chrome,
SpiderMonkey - first version of Firefox, Carakan – Opera, SquirrelFish Extreme - Safari
https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28ECMAScript%29
Battle of the browsers, which are (wrapper, loader, host, ecosystem).
Industry 4.0 and operationalization go through SOFTWARE "at large"
>_What-Research Reverse engineering as attack: study to find the weak points of an OS, a product, etc.,
Study to refine viral techniques and other vulnerabilities,
Study out of passion, and to get on stage at HackFest or Black Hat ;-)
Reverse engineering as defense: study of malicious binaries (example: rootkit),
Study of computer viruses in order to provide a means of eradication,
Study and research of vulnerabilities in software,
in order to improve its security,
Reverse engineering as technology watch: study of competing products,
Determining the components used,
Identifying possible patent infringements committed by a competitor, or ones to avoid.
>_Think-Langage
# Programming languages: targets, subjects and above all means (time, money, etc.)
Assembly is very rarely used,
C and C++ are only used for paid or state-sponsored attacks,
Java, .NET with VB.NET (C#, F#),
VB6, Delphi (old versions or Delphi EX 2013), PureBasic, xBasic,
Scripts: VBA, AutoIt, Batch, AutoKey, PowerShell, HTA, JavaScript,
# Execution techniques,
# Native code - IL code - interpreted code,
# All scripting languages,
# Wrapped, hosted, interpreted, dropped, etc.,
>_Add-BadDefense1 Crypter, packer, obfuscator,
compressor, loader, installer, etc.
Drowning the program,
Russian doll, cascading installation, multi-installation with different techniques and products,
Self-extracting, portable, Internet connection (file hoster, xxxBin, etc.).
"HomeMade" with a crypter called "Cargo": that is an "oligomorphic engine"!
The best installers and compressors of the moment: 7zip, RAR, PKZip, LHarc, etc.
"Encryption", "Stealer", "Countermeasure": anything goes to make the job hard.
Custom Base64 with a « character set »:
("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/") (custom alphabet)
("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/") (the standard alphabet)
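As an added example (not the author's code), here is how a defender decodes strings hidden behind such a custom Base64 alphabet, using exactly the two alphabets printed above: the obfuscation is standard Base64 followed by a symbol remapping, so decoding is the reverse remapping followed by a strict standard decode. The guess_alphabet helper and its printable-ASCII heuristic are my own additions for triage, not something the slides describe.

```python
import base64

# Both alphabets as written on the slide. The second is the standard
# RFC 4648 alphabet; the first is the "custom" one (digits first).
CUSTOM_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _check_alphabet(alphabet):
    # A usable alphabet has 64 distinct symbols and never reuses the pad char.
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("a Base64 alphabet needs 64 distinct symbols and no '='")


def custom_b64_encode(data, alphabet=CUSTOM_ALPHABET):
    """Standard Base64, then remap every symbol into the custom alphabet.
    The '=' padding is left untouched, as most custom variants do."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64_decode(text, alphabet=CUSTOM_ALPHABET):
    """Map the custom symbols back to the standard alphabet, then decode
    strictly (validate=True rejects any symbol outside the alphabet)."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    std = text.translate(table)
    std += "=" * (-len(std) % 4)  # re-add padding the obfuscator may have stripped
    return base64.b64decode(std, validate=True)


def guess_alphabet(text, candidates=(STD_ALPHABET, CUSTOM_ALPHABET)):
    """Triage heuristic (constructed for this example): return
    (alphabet, plaintext) for the first candidate alphabet whose decoding is
    printable ASCII, or None if none fits."""
    for alphabet in candidates:
        try:
            plain = custom_b64_decode(text, alphabet)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if plain and all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
            return alphabet, plain
    return None


if __name__ == "__main__":
    blob = custom_b64_encode(b"hello")   # constructed sample string
    print(blob, guess_alphabet(blob))
```

A sample that only changes the alphabet order still has the statistical look of Base64 (four-symbol groups, trailing "="), which is why this kind of "copy-paste" obfuscation is cheap to undo once the alphabet is pulled from the decoder stub.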
>_Add-BadDefense2
https://en.wikipedia.org/wiki/Executable_compression
https://en.wikipedia.org/wiki/List_of_obfuscators_for_.NET
https://en.wikipedia.org/wiki/List_of_installation_software
>_Remove-BadEvasion
FireEye: using EMET to disable EMET,
(Enhanced Mitigation Experience Toolkit)
https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disabl.html
AV evasion,
System persistence,
Exploit kits (see the attached screenshot),
resource://gre/modules/ (as an example, in Firefox),
PowerShell with .NET (see PowerMemory on GitHub)
>_Set-GoodAttack
Change your paradigm,
"Go back to the origins"
(example: quickbms),
Everything is worth recovering, from
any domain whatsoever,
By target,
By subject,
By language,
By infrastructure, OS,
(de)crypter, (un)packer,
(de)obfuscator, (de)compressor,
(un)installer, etc.,
>_Add-GoodEffect
"Side effects" (UPX packer and Yoda crypter), protections cancelling each other out,
« Copy-paste pattern », recognizable (YARA rules, Metasploit, etc.),
Exploit kit - turn the weapon against the attacker, build an immuno-marker,
Debugging JavaScript inside (resource://gre/modules/) (about:about) Firefox.
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Debugging_JavaScript
Online: «beautifier», IDE, decryption, debugging, etc.
http://crypo.bz.ms/encryptors
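The « copy-paste pattern » point above (a packer's side effects give it away), as an added example that is not code from the slides: a minimal PE section-table parser that flags the UPX0/UPX1 section names UPX leaves in a packed file. The parser, the PACKER_SECTION_NAMES table and the build_minimal_pe sample generator are assumptions of this example; only the UPX0/UPX1 names themselves are UPX's real defaults.

```python
import struct

# Section names UPX writes by default. Extend this table with your own
# signatures; nothing else here is a vetted packer database.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}

E_LFANEW_OFFSET = 0x3C      # DOS header field holding the PE signature offset
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names (bytes, NUL-stripped). Raises ValueError for
    anything that is not a well-formed PE image."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + COFF_HEADER_SIZE:
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        hdr = data[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        names.append(hdr[:8].rstrip(b"\x00"))   # Name is the first 8 bytes
    return names


def detect_packer(data):
    """Sorted list of packer names whose section names appear in the image."""
    hits = {PACKER_SECTION_NAMES[n] for n in pe_section_names(data)
            if n in PACKER_SECTION_NAMES}
    return sorted(hits)


def build_minimal_pe(section_names):
    """Constructed sample image: just enough headers for the parser above.
    It is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                       # size of a PE32 optional header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic
    table = b"".join(name.ljust(8, b"\x00") + b"\x00" * 32 for name in section_names)
    return dos + b"PE\x00\x00" + coff + optional + table


if __name__ == "__main__":
    sample = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(pe_section_names(sample), detect_packer(sample))
```

Section names are trivial to rename, so a hit here is a triage signal rather than proof; the PE identifiers listed later in the toolbox (PEiD, RDG Packer Detector) combine such side effects with entry-point byte signatures for the same reason.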
>_Extract-RussianDoll
So-called "official" products hiding Internet calls and fraudulent installations,
Attackers must defend themselves,
Defenders must attack,
Tell the final payload apart (rootkit, RunPE, native code, etc.),
Deployment and contamination campaigns - mixed mode, "Low & Slow" (213 days), etc.
https://addons.mozilla.org/fr/firefox/blocked/
Frankenstein code, multi-OS, multi-network, C&C, etc.
>_Get-HASH
SO, DID YOU FIND ME? NO! COME ON, GO! GO!
Hidden, fused, merged?
If you find the HASH you get a bonus ;-)
(This hash will be usable for iHACK 2016, next June 11 ;-))
>_Create-Environement IDEs, RAD (rapid application development), online systems, etc.,
Browsers and their environments (collections for Firefox),
Linux-like technique - http://cmder.net/
Filing and bookmarking techniques, the Gmail alias technique with the +,
Avatar: never leave traces (not even for your ego),
Awesome lists on GitHub and elsewhere,
https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md?sf21101349=1
https://github.com/rshipp/awesome-malware-analysis
https://github.com/sindresorhus/awesome
Challenges, CTF kata, physical CTF, collaboration,
Bulletins, blogs of security companies,
Twitter and research-monitoring sites (Visibrain, Tiobe, etc.),
Go and see my friend Aditya Agrawal of Manifest Security!
https://manifestsecurity.com/
>_Get-5Dimension 4D vision; invent your own 5th dimension ;-))
Everything is an excuse to be "reversed", even the tools you use to "reverse",
Anything goes to find information; the smallest clue can matter,
YouTube (etc.), social networks, a screenshot, Pastebin (etc.),
Open source (all the forges), black-hat forums, gaming forums,
Think like an investigator (names, nicknames, groups, places, all mixed together),
Never bad code, always a technique to discover,
Virtual environment, hostile environment (theZoo malware),
http://ytisf.github.io/theZoo/
https://github.com/ytisf/theZoo
VxShare, but by invitation only!
>_Get-Example1
>_Get-ToolsBox
Compilers, Assemblers and IDE: Assemblers, Assembler IDE, C/C++ IDE
Disassemblers & Debuggers: Debuggers, OllyDbg 2 plugins, OllyDbg 1 plugins, Disassemblers, IDA tools
Android, .NET, .NET Debuggers, VB, Delphi, Java, Flash, Misc
Logging and Monitoring Tools
Malware Analysis Tools: Mobile Malware Analysis, PDF Tools, Sandboxes
PE Tools: PE Editors, PE Analyzers, PE Rebuilders, Resource Editors
About 90 files in the OneDrive archive.
It is the same file whenever you see it linked.
Password: HackerSpace2016 - (case sensitive)
>_Get-ToolsBox Compilers, Assemblers and IDE
A collection of assemblers, IDEs and free compilers. You probably already have some, but others might prove hard to find on the Internet, and
they can still come in handy every now and then.
[Assemblers]
FASM: http://flatassembler.net/download.php
The flat assembler is a fast and efficient self-assembling 80x86 assembler for DOS, Windows and Linux operating systems. Currently it
supports all 8086-80486/Pentium instructions with MMX, SSE, SSE2, SSE3 and 3DNow! extensions and x86-64 (both AMD64 and EM64T)
instructions, and can produce output in binary, MZ, PE, COFF or ELF format.
Masm 11: OneDrive PhenixZ
Microsoft assembler
Tasm 5.0: OneDrive PhenixZ
Turbo assembler
[Assembler IDE]
WinAsm 5.1.8.8: OneDrive PhenixZ
WinAsm Studio is a free Integrated Development Environment (IDE) for developing 32-bit Windows programs. MASM is supported natively, while
FASM is supported through add-ins.
>_Get-ToolsBox [C/C++ IDE]
Visual Studio Express: http://www.microsoft.com/express/download/
Microsoft Visual Studio is the main Integrated Development Environment (IDE) from Microsoft. It can be used to develop console and
graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services, in both native
and managed code, for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET
Compact Framework and Microsoft Silverlight.
Code::Blocks: http://www.codeblocks.org/
Code::Blocks is a free C++ IDE built to meet the most demanding needs of its users. It is designed to be very extensible and fully configurable
and has multiple compiler support (default GCC).
>_Get-ToolsBox [Disassemblers & Debuggers]
OllyDbg 2.01: OneDrive PhenixZ
OllyDbg 2.01 [ Now supports plugins! ]
OllyDbg v1.10: OneDrive PhenixZ
The debugger… you should know it.
WinDbg: http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx
Windows Symbol Packages: http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
Microsoft Debugger
X64dbg: http://x64dbg.com/
An open-source x64/x32 debugger for Windows. Also supports plugins.
OllyDbg 2 Plugin
Sequential Dumper OneDrive PhenixZ
More information on Zairon site: http://zairon.wordpress.com/2014/04/03/my-new-ollydbg-plugin-sequential-dumper/
Sequential Dumper is conceptually able to dump blocks of memory in sequence: it monitors the flow of the malware code trying to dump all the
new allocated/decrypted parts in different memory areas containing code of the malware itself.
DbgHook : OneDrive PhenixZ
DbgHook is a small plugin for Olly 2.1 that hooks the classic functions used by anti-debugging tricks. The driver is for Windows 7 x64 (tested on
build 7600.16385.1), so to run it the driver needs to be registered and PatchGuard disabled (you can use tools like DSEO).
ollydbg2-python: https://github.com/0vercl0k/ollydbg2-python
Scripting OllyDBG2 using Python.
>_Get-ToolsBox [OllyDbg 1 Plugin]
FullDisasm 3.0.1.175: OneDrive PhenixZ
FullDisasm is a small plugin for OllyDbg 1.10 which allows you to replace the old disassemble.
HideDebugger 1.24: OneDrive PhenixZ
Hide Debugger is a plugin that uses various tricks to hide the presence of the debugger.
ODbgScript 1.82.6: OneDrive PhenixZ
ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language.
OllyAdvanced 1.27: OneDrive PhenixZ
All-in-one OllyDbg plugin: Olly hiding, Olly bug fixes, etc… [ Fixed some bugs to work on Windows Vista/7 ]
OllyStealth64 1.3: OneDrive PhenixZ
Anti Anti and compatibility plugin for Olly 1.10 running on Vista x64.
OllyDbg PDK v1.10: OneDrive PhenixZ
OllyDbg Plugin Development Kit
OllyDump 3.00.110: OneDrive PhenixZ
Dumps the process with a rebuilt IT (import table)
Qcmdline 1.06: OneDrive PhenixZ
A commandline for OllyDbg with much more features than the standard one
SehSpy 0.1: OneDrive PhenixZ
Useful while you are stepping through SEH Handlers
StrongOD 0.4.8.892: OneDrive PhenixZ
This plugin is mostly useful for setting some OllyDbg options, especially when unpacking, to make Olly very robust.
PhantOm 1.85: OneDrive PhenixZ
Another plugin, like StrongOD, that allows you to mod your Olly.
Illy 0.1 Beta 3 : OneDrive PhenixZ
Try to debug your .NET targets into Olly!
>_Get-ToolsBox
[Disassemblers]
IDA 6.9 Demo: https://www.hex-rays.com/products/ida/support/download_demo.shtml
IDA Demo version
IDA 5.0 Free: http://www.hex-rays.com/idapro/idadownfreeware.htm
IDA 5.0 Freeware version
W32Dasm zip: [password: disassembler ] OneDrive PhenixZ
The famous disassembler patched to include VB support and comments in the listing
IDA Utilities
Determina PDB plugin 1.0: OneDrive PhenixZ
This is a replacement for the IDA PDB plugin which significantly improves the analysis of binaries with public debugging symbols.
Delphi signatures 1.0: OneDrive PhenixZ
Delphi 6 and 7 IDA signatures.
IDA Stealth 1.3.3: OneDrive PhenixZ
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques.
Rock4 v2: OneDrive PhenixZ
Rockey4 v2.x C++ library IDA signatures.
Sentinel Hardware Keys: OneDrive PhenixZ
Sentinel Hardware Keys v1.0.3 IDA signature.
Sentinel Lm: OneDrive PhenixZ
From SentinelLm 7.0 to 7.3 and 8.x IDA signatures.
Sentinel SuperPro: OneDrive PhenixZ
From Sentinel SuperPro 6.0 to 6.4.4 IDA signatures.
>_Get-ToolsBox
IDA Utilities
PatchDiff2 2.0.10b: OneDrive PhenixZ
PatchDiff2 is a plugin that can analyze two IDB files and find the differences between both.
Funcap 0.91 : OneDrive PhenixZ
IDA Pro script to add useful runtime info to static analysis.
IDA Sploiter 1.0: http://thesprawl.org/projects/ida-sploiter/
IDA Pro script designed to enhance IDA’s capabilities as an exploit development and vulnerability research tool.
IDA Patcher 1.2: http://thesprawl.org/projects/ida-patcher/
IDA Pro script designed to enhance IDA’s ability to patch binary files and memory.
IDAPython 1.7.2: https://github.com/idapython/bin
IDAPython is an IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro.
IDA Toolbag 2.0: https://thunkers.net/~deft/code/toolbag/docs.html
The IDA Toolbag is a plugin providing supplemental functionality to the Hex-Rays IDA Pro disassembler.
IDAscope 1.2.1: https://bitbucket.org/daniel_plohmann/simplifire.idascope/
IDAscope is an IDA Pro extension with the goal to ease the task of (malware) reverse engineering.
BinSourcerer 1.31: https://github.com/BinSigma/BinSourcerer
BinSourcerer is an assembly to source code matching framework written in Python.
>_Get-ToolsBox Android
AndroChef Java Decompiler: http://www.neshkov.com/ac_decompiler.html
With AndroChef Java Decompiler you can decompile apk, dex, jar and Java class files.
.NET
{smartkill} v0.6: OneDrive PhenixZ
.NET 1/2/3 Patcher/Encoder/Decoder
.NET Reflector 6.6.0.30: OneDrive PhenixZ
.NET Reflector enables you to decompile and analyze .NET assemblies in C#, Visual Basic and IL.
.NET Reflector Add-Ins: http://www.codeplex.com/reflectoraddins
ILSpy 2.3.1.1855: OneDrive PhenixZ
Same kind of program as Reflector, but freeware.
reflexil 2.0 ILSpy addon: OneDrive PhenixZ
IlDasm v4.0.30319.17929: OneDrive PhenixZ
IL Disassembler
PEBrowse Professional Interactive 10.1.5: OneDrive PhenixZ
.NET 1.1/2 Debugger, 64bit exe files are supported
PEBrowseDbg64 6.3: OneDrive PhenixZ
For 64bit OS
De4Dot: https://github.com/0xd4d/de4dot
de4dot is a .NET deobfuscator and unpacker written in C#.
It will try its best to restore a packed and obfuscated assembly to almost the original assembly.
>_Get-ToolsBox .NET Debuggers
dnSpy: https://github.com/0xd4d/dnSpy
.NET assembly editor, decompiler, and debugger
DILE 0.2.13: OneDrive PhenixZ
Dotnet IL Editor (DILE) allows disassembling and debugging .NET 1.0/1.1/2.0/3.0/3.5/4.0 applications without source code or .pdb files.
It can debug even itself or the assemblies of the .NET Framework on IL level
VB
WKT VB Debugger 4.3: OneDrive PhenixZ
Visual Basic P-Code Debugger (click on Ignore if an error window pops up during the install process)
VB Decompiler: OneDrive PhenixZ
VB 1, 2, 3 decompiler
VB Decompiler Lite 10.3 : OneDrive PhenixZ
P-code and native code decompiler for VB5-6 programs
ExDec: OneDrive PhenixZ
P-code decompiler for VB 5/6 programs
P-Code Opcodes List: http://web.archive.org/web/20101127044116/http:/vb-decompiler.com/pcode/opcodes.php?t=1
Database of P-Code Opcodes
>_Get-ToolsBox
Delphi
Delphi Decompiler v3.99.0a build 2005: OneDrive PhenixZ
Decompiler for Delphi 3, 4, 5, 6, C++ Builder and Kylix
Delphi Decompiler v3.10.1527 + Source Code: OneDrive PhenixZ
Decompiler for Delphi 3, 4, 5, 6, C++ Builder and Kylix, source code included
Delphi DFM Explorer 0.1b: OneDrive PhenixZ
Delphi DFM Explorer
Interactive Delphi Reconstructor: OneDrive PhenixZ
All Delphi’s Knowledge base version: http://kpnc.org/idr32/en/download.htm
A very useful tool for working with Delphi executables
Delphi Decompiler 1.7 build 929: OneDrive PhenixZ
Remake of DeDe
Java
Java Decompiler
Java Decompiler: OneDrive PhenixZ
Java Decompiler Gui: http://jd.benow.ca/
JD may be used to recover lost source code and explore the source of Java runtime libraries. (JD Project)
Java Bytecode Visualizer 4.4: http://www.drgarbage.com/download/
Inspect, understand and debug Java bytecode.
javadecompilers.com: http://www.javadecompilers.com/
Decompile Java code online.
>_Get-ToolsBox
Flash
Flash Disassembler v1.62: OneDrive PhenixZ
Source Code: OneDrive PhenixZ
Flash SWF Disassembler
Free Flash Decompiler 8.0.1: OneDrive PhenixZ
Flash SWF decompiler and editor
Misc
Help Decompiler 2.1: OneDrive PhenixZ
Windows Help File Decompiler
>_Get-ToolsBox
Logging and Monitoring Tools
A collection of useful monitoring tools designed to explore and log the activities of a running process.
Api Monitor v2 Alpha 13 – Portable [DL]: OneDrive PhenixZ
Latest Version ( rohitab.com ): http://www.rohitab.com/apimonitor
Handy and customizable Api Monitor with advanced filtering capabilities. Standalone version for 32/64bit systems.
Filemon 7.04 for Nt/Xp/…: OneDrive PhenixZ
Filemon for Nt/Xp/… on Amd64: OneDrive PhenixZ
Filemon source code: OneDrive PhenixZ
The famous file monitor
Ice Sword v1.22: OneDrive PhenixZ
An effective tool against rootkits, with a lot of additional functions like process dumper/killer/explorer, raw disk access monitor and much more.
Process Hacker 2.38.343: OneDrive PhenixZ
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
Sysinternals Suite – update 02/02/2016: OneDrive PhenixZ
The Sysinternals Troubleshooting Utilities (such as Process Explorer, Process Monitor and so on) rolled up into a single Suite of tools.
Regmon 7.04 for Nt/Xp/…: OneDrive PhenixZ
Regmon for Nt/Xp/… on Amd64: OneDrive PhenixZ
Regmon source code: OneDrive PhenixZ
The famous registry monitor
Spy++ v11.00.50727: OneDrive PhenixZ
Spying tool with point-and-click Handle/ID grabbing
>_Get-ToolsBox Malware Analysis Tools
A list of analysis tools designed to log the activities of a process, log its network traffic, access to the registry etc.
SysAnalyzer setup (old): OneDrive PhenixZ
SysAnalyzer GitHub repo (updated): https://github.com/dzzie/SysAnalyzer
SysAnalyzer is an automated malcode run-time analysis application that monitors various aspects of system and process state. SysAnalyzer
was designed to enable analysts to quickly build a comprehensive report on the actions a binary takes on a system.
Regshot 1.9.0: OneDrive PhenixZ
Regshot is an open-source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a
second one – done after doing system changes or installing a new software product.
Wireshark: http://www.wireshark.org/download.html
Wireshark is a network packet analyzer: it captures network packets and tries to display the packet data in as much
detail as possible.
Robtex Online Service: http://www.robtex.com/
IPs, Domains, Network Structure Analysis tool.
VirusTotal: http://www.virustotal.com/
Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of
malware detected by antivirus engines.
Mobile-Sandbox: http://mobilesandbox.org/
Mobile-Sandbox.com provides static and dynamic malware analysis for Android OS smartphones.
Malzilla: OneDrive PhenixZ
MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability
to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try to deobfuscate
JavaScript.
Volatility: https://github.com/volatilityfoundation
Volatility Framework is a completely open collection of tools, for the extraction of digital artifacts from volatile memory (RAM) samples.
>_Get-ToolsBox Mobile malware analysis tools are included together with useful sandboxing software for dynamic analysis.
APKTool: http://code.google.com/p/android-apktool/
A tool for reverse engineering 3rd-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after
making some modifications; it makes it possible to debug smali code step by step.
Dex2Jar: http://code.google.com/p/dex2jar/
Designed to read the Android Dalvik Executable (.dex/.odex) format. It reads the dex instruction to dex-ir format and can convert to ASM format.
Can also be used to perform some basic deobfuscation.
Smali: http://code.google.com/p/smali/
smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation.
PDF Tools
PeePDF: https://github.com/jesparza/peepdf
peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not
Sandboxes
Cuckoo Sandbox: http://www.cuckoosandbox.org/
Cuckoo Sandbox is an Open Source software for automating analysis of suspicious files.
DroidBox: https://github.com/pjlantz/droidbox
DroidBox is developed to offer dynamic analysis of Android applications.
Malwasm: https://code.google.com/p/malwasm/
Malwasm is a tool based on Cuckoo Sandbox designed to help perform step by step analysis, log all malware activities and store them into a
web accessible database.
>_Get-ToolsBox
PE Tools
A collection of tools for your daily PE interactions: editors, analyzers, rebuild and resource extractors.
PE Editors
Cerbero PE Insider: http://cerbero.io/peinsider/
Explorer Suite III Multi-Platform Version: http://ntcore.com/Files/ExplorerSuite.exe
Explorer Suite III Stand-alone Version: http://ntcore.com/Files/CFF_Explorer.zip
PE Editor with support for: PE32, PE64, .NET, and process monitor/dumper
Lord PE 1.41 Deluxe b: OneDrive PhenixZ
PE Editing suite
ProcDump v1.6.2: OneDrive PhenixZ
Unpacker, Decryptor, PE Editor
>_Get-ToolsBox
PE Analyzers
Crypto Searcher: OneDrive PhenixZ
Crypto Searcher has hundreds of signatures used to detect the crypto algorithms used in a program
Detect it Easy 1.00: OneDrive PhenixZ
Another PE identifier.
PEiD 0.95: OneDrive PhenixZ
PE Identifier, with many interesting plugins [ Include a working in progress userdb.txt; last update 25/06/2009 ]
PROTECTiON iD 6.7.5 December 2015: OneDrive PhenixZ
The ultimate Game Protection Scanner
RDG Packer Detector 0.7.5: OneDrive PhenixZ
PE identifier, often better than PeId
Stud PE v. 2.6.1.0: OneDrive PhenixZ
Another PE identifier
PeStudio 8.51: OneDrive PhenixZ
PeStudio is a unique tool that performs static investigation of 32-bit and 64-bit executables
>_Get-ToolsBox
PE Rebuilders
Import REConstructor 1.7 FINAL: OneDrive PhenixZ
Useful for rebuilding the IT (import table) of PE executables (PE+ not supported)
CHimpREC 1.0.0.1: OneDrive PhenixZ
Rebuilder for PE/PE+ executables
Relox 1.0a: OneDrive PhenixZ
Useful for rebuilding the Reloc table of an unpacked dll
Scylla 0.9.8: OneDrive PhenixZ
A powerful PE reconstructor for x86/x64 platforms which supports also plugins
Resource editors
XNResourceEditor 3.0.0.1: OneDrive PhenixZ
Resource Editor
Resource Hacker 4.2.5: OneDrive PhenixZ
A complete resource editing tool
>_Get-R&D
"Reverse Engineering for Beginners" free book
Also known as RE4B. Written by Dennis Yurichev (yurichev.com).
A4 (for browsing or printing) A5 (for ebook readers)
Names of a few «repositories» to try to get hold of:
AhmedHacks
Ultra Hacker Tools
ShkoShiko hacker AIO
ExelabVideoKurs
repo.Malekal
FeliksPack3
Websites to follow:
Woodman RCE, Tuts4PC, OpenRCE, etc.
>_Add-Calendar
iHACK 2016
JUNE 11, 2016
Come in numbers…
HACKFEST
>_Set-Merci (Thanks)
>_Get-Questions ?
"Setec Astronomy" is
the anagram of "too many secrets"!
Another way to "reverse"
HACKFEST