Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Sharing the Tools - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sharing the Tools


In the malware analysis world, you have to have your tools that you feel most comfortable to use, otherwise, a task that could be
accomplished in 10 minutes would take hours.

But sometimes, finding the right tool for the task can be quite a challenge. This is one of the reasons that I decided to create a site,
called www.mysectools.com, where I am able to share some tools that were quite valuable on my day by day malware analysis tasks.

Now, I would like to comment on two tools that I was recently introduced.

The first one is not directly related to Malware Analysis (at least on the concept), since it is more a develpment tool. It is called
WinAPIOverride32 .
It is actually a package/suite with 3 different tools, but the one that I like most is the dumper.exe, because sometime you want more
than just a click and dump application. This one gives you  the freedom to chose what/how you want to dump a module, for example.

The second one is an Anti-Rootkit tool, called XueTr , which honestly I didnt try
outside a controlled environment (vmware,etc...).

This is another quite powerful tool, which in some point reminds me IceSword which if you dont know, I would recommend to check.

Happy Malware Analysis!

----------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

www.mysectools.com

 

Pedro

155 Posts
ISC Handler
Just added www.mysectools.com to my bookmarks. Lots of good info there, thanks for sharing!
KPryor

7 Posts Posts
Don't forget JSUnpack (http://jsunpack.jeek.org/dec/go); it's *very* valuable for de-obfuscating JavaScript, no matter how tangled & obfuscated the original JS is. I've used it on many occasions and have great respect for it.

Thanks for the great tools site!
computerfreaker

4 Posts Posts
I like Live View (http://liveview.sourceforge.net/) which is a Java application that lets you mount and boot dd images as VMware drives. All the changes are saved in a temp file so you don't alter the original.
Jasey

93 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!