---
title: Windows Security Tools
lang: en-us
---
:::info
**Language Availability**
If you would like to view this in a different language, feel free to use Google Translate 😉.
:::
# Windows Infosec Software & Notes
[toc]
## Reverse Engineering
:::warning
Use multiple tools for comparison when decompiling! Every tool creates different results. **Always** use multiple decompilers if you encounter weird results.
:::
### Generic Binaries
- [Ghidra](https://ghidra-sre.org)
    - ✅ **Pricing**: Free
    - ✅ **Codebase**: Open-source
    - 📝 **Notes**:
        - Made by the NSA
- [Binary Ninja](https://binary.ninja/)
    - ⚠ **Pricing**: Paid ($149 USD/$4,500 NTD)
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - Cheap alternative to IDA Pro
        - Supports plugin development
        - Supports a native pseudo-code decompiler on the latest dev branch
- [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml)
    - ⚠ **Pricing**: Paid ($1,879 USD/$57,000 NTD)
        - For the base application only; this does not include any of the decompilers you may need
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - Industry standard
        - Supports 50+ CPU instruction sets
### .NET Binaries
- [dnSpy](https://github.com/0xd4d/dnSpy)
    - ✅ **Pricing**: Free
    - ✅ **Codebase**: Open-source
    - 📝 **Notes**:
        - Cross-platform
        - Has a built-in debugger and anti-anti-debug features
            - By default spoofs `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, and `System.Diagnostics.Debugger`
- [dotPeek](https://www.jetbrains.com/decompiler/)
    - ✅ **Pricing**: Free
    - ⚠ **Codebase**: Proprietary
- [.NET Reflector](https://www.red-gate.com/products/dotnet-development/reflector/)
    - ⚠ **Pricing**: Paid ($205 USD/$6,200 NTD)
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - **Can decompile down to the async state machine level**
        - Students can apply for the .NET Developer Bundle for free
## Dynamic Analysis
### Network
- [Fiddler](https://www.telerik.com/fiddler)
    - ✅ **Pricing**: Free
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - HTTP(S) debugger
- [Burp Suite](https://portswigger.net/burp/communitydownload)
    - ⚠ **Pricing**: Free limited Community edition; paid ($399 USD/$12,000 NTD)
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - Cross-platform
        - HTTP(S) debugger
        - Popular among web pentesters
- [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng)
    - ✅ **Pricing**: Free
    - ✅ **Codebase**: Open-source
    - 📝 **Notes**:
        - Cross-platform
        - ⚠ Based on Python 2.x
        - Listens for DNS/HTTP(S)/SSL requests
        - Attempts to serve legitimate-looking files
            - e.g. if the malware requests a JPG file, it will return the user-specified JPG file
        - Can write a capture file (`*.pcap`)
### Binary
- [Process Hacker](https://processhacker.sourceforge.io/)
    - ✅ **Pricing**: Free
    - ✅ **Codebase**: Open-source
    - 📝 **Notes**:
        - Based on Process Explorer
        - View the process tree, network ports, and disk activity
        - Manage services
        - Flag malicious executables
        - Inject DLLs
        - Manage per-application thread(s)
        - Show whether the process is...
            - Packed by a packer
            - Digitally signed
            - A .NET process
        - Too many features to list
- [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)
    - ✅ **Pricing**: Free
    - ⚠ **Codebase**: Proprietary
    - 📝 **Notes**:
        - Created by Microsoft (Sysinternals)
## Static Analysis
- strings
    - `scoop install strings`
- trid
    - `scoop install trid`
- pestudio
    - Performs `strings` and VirusTotal analysis
    - Shows referenced API calls
    - Checks signature validity
## PowerShell
### Red Team
- [PowerMemory](https://github.com/giMini/PowerMemory)
    - In-memory credential discovery
- [CheckPlease](https://github.com/Arvanaghi/CheckPlease)
    - Sandbox evasion
- [UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList)
    - AppLocker bypass techniques
- [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
    - PowerShell obfuscation
### Blue Team
### Misc
## Useful Notes
### Misc
- Starting from Windows 10 v1803, `curl` is included with the OS.
    - PowerShell users may need to invoke `curl.exe` instead of `curl` to avoid the built-in `Invoke-WebRequest` alias.
    - Alternatively, remove the alias with `Remove-Alias curl`.