I’m currently studying malware analysis, so I wanted to write a post on the tools I’ve been using recently, to serve as a reference for me and hopefully for anyone interested in binary reversing.
Some tools will have functionality that overlaps with other of the listed tools. It’s up to you which one to use.
Free tools
Either fully open source, or freeware (unrestricted, so no shareware).
Dependency Walker
Displays a hierarchical tree diagram of all dependant modules, with exported, and imported functions.
FileAlyzer
Application with functionality to show resources, PE headers, hex dumps, INI contents, and more. It can read UPX compressed files, ELF (Linux) as well as regular DLL and EXE files.
HxD
Hexadecimal editor. Everyone has their own favourite, but this one works well and is free.
Malcode Analyst Pack
Pack containing lots of useful software and added functionality to aid in static analysis. Among other utilities, it installs shell extensions (that appear upon right-clicking files and folders) for computing MD5 tools, or showing the strings on a file.
PEBrowse
Windows disassembler for 64 and 32 bit programs. Presents the PE structure, with its headers, imports, exports, debug symbols and more in an intuitive GUI. Comes with helpful tools such as hex/ASCII equivalents, window messages and error codes. It also displays metadata for .NET assemblies.
PEiD
Detects common packers, cryptors and compilers for PE files.
The official website seems to have been discontinued, but you can download it here.
Hashes:
- MD5:
759b65127aa2c73ee427db60ea6a6191 - SHA1:
f04ebf471ebcf1598949af5a1aff11279e41da70 - SHA256:
67a0fe273a7273963fac97b808530b7a1d8088af350a06ed755d72c7eaab2de0
pev
Command-line open source tool to analyse PE files. Runs on Windows, macOS and Linux.
PEView
Shows the structure of a PE and COFF file, dispalying headers, sections, import/export tables, and resource information in file types such as EXE and DLL.
Resource Hacker
Shows resources, such as images, dialogs, executables and binaries embedded in PE files such as EXE and DLL.
Radare2
Better known for its dynamic analysis capabilities, it is also capable of performing binary diffing, extract relocation tables, and of course disassemble binaries written in multiple languages for many different architectures.
Sysinternals Suite
Not exactly a tool, but a collection of tools, as the name implies.
Here are a few interesting ones:
- Sigcheck: Shows file version number, timestamp and digital signature details, and optionally allows for VirusTotal sample uploads.
- Strings: Shows hardcoded strings in an executable file.
- Whois: Similar to the Unix tool, shows details on a given Internet address. Maybe you want to investigate a certain string pointing to a domain?
UPX
Very popular executable packer used by malware authors. You can unpack some UPX-packed executables by supplying the command-line option -d to the upx tool.
Paid tools
PE Explorer
Resource editor, UPX unpacker, disassembler, dependency scanner and more.
PEStudio
PEStudio implements very useful features aimed to help detecting anomalies and suspicious patterns. It ships with VirusTotal functionality that queries the service for MD5 hashes of a file. It also list imports and resources. Ships with both a GUI and CLI versions.