Skip to content

Utilities

Jump to bottom
merces edited this page May 30, 2023 · 15 revisions

7-Zip

You know it. It's a great archiver, but it also opens and is able to parse and extract things from PE files, OLE files and others. Really a must.

Bazzar

CLI program to download malware samples from MalwareBazaar and check URLs against SpamHaus. To use it, open a Command Prompt and type bazzar -h.

CyberChef

A web app that runs locally and provides a set of useful tools like converters (base64, ROT13, etc).

Entropy

CLI program to calculate the entropy of multiple files at once. Open a Command Prompt and type:

entropy

Error Lookup

Nice simple tool to show description from error codes used by Windows API. It supports input both in decimal or hexadecimal prefixed a 0x prefix.

ForceToolkit

When reversing GUI Windows programs, you may want to enable/disable controls in a window. This is the tool for that.

manw

Have you ever needed manpages-like documentation for Windows API functions? Now you have it. Let's say you want to see how LoadLibrary function works, just open a Command Prompt and use manw like this:

c:\>manw loadlibrary
LoadLibraryA function (libloaderapi.h) - Win32 apps

Exported by: Kernel32.dll

Loads the specified module into the address space of the calling process.

HMODULE LoadLibraryA(
  LPCSTR lpLibFileName
);

Return value: If the function succeeds, the return value is a handle to the module.If the function fails, the return value is NULL.

Source: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya

Or maybe you want to remember how Process Environment Block (PEB) structure looks like:

c:\>manw PEB
PEB (winternl.h) - Win32 apps

Contains process information.

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

Source: https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb

Another good thing of manw is that it creates a local cache for the things you queried to preventing it from going to the internet all the time. Neat stuff.

Notepad++

Great, lightweight text/code editor. Useful when analyzing scripts, for example.

OpenHashTab

Adds a hash tab when you right-click a file and go to its Properties. It supports lots of different hashing algorithms, VirusTotal querying, and more. It's really a must.

Regshot

Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes, running malware or installing a new software product.

vt-cli

Everything you do in VirusTotal web UI from the command-line. Open a Command Prompt and type vt --help to see its usage.

winapiexec

Call any Windows API function from the command-line. Examples:

winapiexec user32.dll@MessageBoxW 0 "World!" "Hello" 0

Shorter way:

winapiexec u@MessageBoxW 0 "World" "Hello" 0

kernel32.dll is the default if you don't specify a DLL:

winapiexec @Sleep 0x3e8

It also supports nested functions. Check the author's website.

Clone this wiki locally