Fernando Mercês edited this page Oct 31, 2023 · 4 revisions

Graphical program to detect PE and ELF anomalies.

capa contains a set of rules to detect capabilities from PE files. To use it, open a Command Prompt and type:

capa -h

Detect It Easy (DIE) is probably the best tool to identify protectors, packers, compilers and linkers used with PE files. It also has an integrated hexadecimal viewer, PE headers parsing/editing capabilities, hash tool, MIME tool and more.

Command-line tool to convert a DLL to an EXE.

Old-school PE analyzer with very interesting features. To mention a few:

  • Packer/Protector/Compiler detector.
  • Find code caves (zero/NOP byte sequences).
  • Overlay detection and extraction.
  • Embedded files finder/extractor.
  • Scripting (you can use it to patch files mainly).

FireEye (now Mandiant) Labs Obfuscated String Solver (FLOSS) is a command-line program that automatically deobfuscates strings from malware binaries. Open a Command Prompt and type the following to see its help:

floss -h

Very complete graphical tool to analyze PE files. It parses and can edit all PE headers, add sections, show statistics, disassemble and more.

PE viewer with a strong focus on malware first assessment. Features include a VirusTotal check, suspicious string highlighting and ATT&CK matrix mapping.

A set of command-line tools to work with PE files. Tools include:

  • readpe - a PE parser
  • pedis - a disassembler
  • peres - a resource extractor
  • pescan - a scanner
  • pepack - a packer detector
  • pesec - a security features detector and certificate extractor

The readpe tools support different output formats, including JSON, XML and HTML, which makes them well suited to processing files at scale.

redress is a tool for analyzing stripped binaries produced by the Go compiler. To use it, try this out in a Command Prompt:

redress -h

ResHack is a must. It can do literally anything related to PE resources, including compiling and decompiling RC scripts and extracting resources. It also runs from the command line. It is particularly useful because some malware samples use resources to store configuration files or additional payloads in the .rsrc section; in such samples you normally see calls to functions like FindResource, LoadResource, etc. A good example is the HDDCryptor/Mamba ransomware.

Powerful tool (and Python library) to emulate PE binaries and Windows API calls.

PE analyzer with interesting features, including a very useful PE header comparison.

An inspection tool for UWP and WinUI 3 applications. Seamlessly view and manipulate UI elements and their properties in real time.

Let's say you want to find out which DLL contains a certain function: what do you do? That's basically what WinAPI Search is for. But the author went further and added support for regex, error code search, and more.