--- title: Windows Security Tools lang: en-us --- {%hackmd By3kXOghU %} :::info <img alt="" src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0Ij48cGF0aCBkPSJNMjEgNEgxMWwtMS0zSDNjLTEuMSAwLTIgLjktMiAydjE1YzAgMS4xLjkgMiAyIDJoOGwxIDNoOWMxLjEgMCAyLS45IDItMlY2YzAtMS4xLS45LTItMi0yek03IDE2Yy0yLjc2IDAtNS0yLjI0LTUtNXMyLjI0LTUgNS01YzEuMzUgMCAyLjQ4LjUgMy4zNSAxLjNMOS4wMyA4LjU3Yy0uMzgtLjM2LTEuMDQtLjc4LTIuMDMtLjc4LTEuNzQgMC0zLjE1IDEuNDQtMy4xNSAzLjIxUzUuMjYgMTQuMjEgNyAxNC4yMWMyLjAxIDAgMi44NC0xLjQ0IDIuOTItMi40MUg3di0xLjcxaDQuNjhjLjA3LjMxLjEyLjYxLjEyIDEuMDJDMTEuOCAxMy45NyA5Ljg5IDE2IDcgMTZ6bTYuMTctNS40MmgzLjdjLS40MyAxLjI1LTEuMTEgMi40My0yLjA1IDMuNDctLjMxLS4zNS0uNi0uNzItLjg2LTEuMWwtLjc5LTIuMzd6bTguMzMgOS45MmMwIC41NS0uNDUgMS0xIDFIMTRsMi0yLjUtMS4wNC0zLjEgMy4xIDMuMS45Mi0uOTItMy4zLTMuMjUuMDItLjAyYzEuMTMtMS4yNSAxLjkzLTIuNjkgMi40LTQuMjJIMjB2LTEuM2gtNC41M1Y4aC0xLjI5djEuMjloLTEuNDRMMTEuNDYgNS41aDkuMDRjLjU1IDAgMSAuNDUgMSAxdjE0eiIvPjxwYXRoIGZpbGw9Im5vbmUiIGQ9Ik0wIDBoMjR2MjRIMHptMCAwaDI0djI0SDB6Ii8+PC9zdmc+" /> **Language Availability** If you would like to view this in a different language, feel free to use Google Translate 😉. ::: # Windows Infosec Software & Notes [toc] ## Reverse Engineering :::warning Use multiple tools for comparison when decompiling! Every tool creates different results. **Always** use multiple decompilers if you encounter weird results. ::: ### Generic Binaries - [Ghidra](https://ghidra-sre.org) - ✅ **Pricing**: Free - ✅ **Codebase**: Open-source - 📝 **Notes**: - Made by NSA - [Binary Ninja](https://binary.ninja/) - ⚠ **Pricing**: Paid ($149 USD/$4,500 NTD) - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - Cheap alternative to IDA Pro - Supports plugin development - Support native psuedo-code decompiler on the latest dev branch - [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - ⚠ **Pricing**: Paid ($1,879 USD/$57,000 NTD) - For base application; this does not include any necessary decompilers - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - Industry standard - Supports 50+ CPU instruction types ### .NET Binaries - [dnSpy](https://github.com/0xd4d/dnSpy) - ✅ **Pricing**: Free - ✅ **Codebase**: Open-source - 📝 **Notes**: - Cross-platform - Has a built-in debugger and anti-anti-debug features - By default spoofs `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, and `System.Diagnostics.Debugger` - [dotPeek](https://www.jetbrains.com/decompiler/) - ✅ **Pricing**: Free - ⚠ **Codebase**: Proprietary - [.NET Reflector](https://www.red-gate.com/products/dotnet-development/reflector/) - ⚠ **Pricing**: Paid ($205 USD/$6,200 NTD) - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - **Can decompile to async state machine level** - Students can apply for the .NET Developer Bundle for free ## Dynamic Analysis ### Network - [Fiddler](https://www.telerik.com/fiddler) - ✅ **Pricing**: Free - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - HTTP(s) debugger - [Burp Suite](https://portswigger.net/burp/communitydownload) - ⚠ **Pricing**: Free limited shareware; paid ($399 USD/$12,000 TWD) - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - Cross-platform - HTTP(s) debugger - Popular among web pentesters - [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) - ✅ **Pricing**: Free - ✅ **Codebase**: Open-source - 📝 **Notes**: - Cross-platform - ⚠ Based on Python 2.x - Listens for DNS/HTTP(s)/SSL requests - Attempts to serve legitimate files - e.g. if the malware requests an JPG file, it will return the user-specific JPG file - Ability to create capture file (`*.pcap`) ### Binary - [Process Hacker](https://processhacker.sourceforge.io/) - ✅ **Pricing**: Free - ✅ **Codebase**: Open-source - 📝 **Notes**: - Based on Process Explorer - View process tree, network ports, disk activity - Manage services - Flag malicious executable - Inject DLL - Manage per-app thread(s) - Show if the process is... - Packed by a packer - Digitally signed - A .NET process - Too many to list - [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) - ✅ **Pricing**: Free - ⚠ **Codebase**: Proprietary - 📝 **Notes**: - Created by Microsoft ## Static Analysis - strings - `scoop install strings` - trid - `scoop install trid` - pestudio - Performs `strings` and VirusTotal analysis - Shows referenced API calls - Checks for signature validity ## PowerShell ### Red Team - [PowerMemory](https://github.com/giMini/PowerMemory) - In-memory credentials discovery - [CheckPlease](https://github.com/Arvanaghi/CheckPlease) - Sandbox evasion - [UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList) - AppLocker bypass techniques - [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) - PowerShell obfuscation ### Blue Team ### Misc ## Useful Notes ### Misc - Starting from Windows 10 v1803, `curl` is included with the OS. - PowerShell users may need to invoke `curl.exe` instead of `curl` to avoid the `Invoke-WebRequest` alias. - Alternatively, remove the alias by using `Remove-Alias curl`.