Sharing the Tools

Published: 2010-03-30
Last Updated: 2010-03-30 21:34:26 UTC
by Pedro Bueno (Version: 1)
3 comment(s)


In the malware analysis world, you have to have your tools that you feel most comfortable to use, otherwise, a task that could be
accomplished in 10 minutes would take hours.

But sometimes, finding the right tool for the task can be quite a challenge. This is one of the reasons that I decided to create a site,
called www.mysectools.com, where I am able to share some tools that were quite valuable on my day by day malware analysis tasks.

Now, I would like to comment on two tools that I was recently introduced.

The first one is not directly related to Malware Analysis (at least on the concept), since it is more a develpment tool. It is called
WinAPIOverride32 .
It is actually a package/suite with 3 different tools, but the one that I like most is the dumper.exe, because sometime you want more
than just a click and dump application. This one gives you  the freedom to chose what/how you want to dump a module, for example.

The second one is an Anti-Rootkit tool, called XueTr , which honestly I didnt try
outside a controlled environment (vmware,etc...).

This is another quite powerful tool, which in some point reminds me IceSword which if you dont know, I would recommend to check.

Happy Malware Analysis!

----------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

www.mysectools.com

 

3 comment(s)

Comments

Just added www.mysectools.com to my bookmarks. Lots of good info there, thanks for sharing!
Don't forget JSUnpack (http://jsunpack.jeek.org/dec/go); it's *very* valuable for de-obfuscating JavaScript, no matter how tangled & obfuscated the original JS is. I've used it on many occasions and have great respect for it.

Thanks for the great tools site!
I like Live View (http://liveview.sourceforge.net/) which is a Java application that lets you mount and boot dd images as VMware drives. All the changes are saved in a temp file so you don't alter the original.

Diary Archives