Language Availability

If you would like to view this in a different language, feel free to use Google Translate 😉.

Windows Infosec Software & Notes

Reverse Engineering

Use multiple tools for comparison when decompiling! Every tool creates different results. Always use multiple decompilers if you encounter weird results.

Generic Binaries

  • Ghidra
    • Pricing: Free
    • Codebase: Open-source
    • 📝 Notes:
      • Made by NSA
  • Binary Ninja
    • Pricing: Paid ($149 USD/$4,500 TWD)
    • Codebase: Proprietary
    • 📝 Notes:
      • Cheap alternative to IDA Pro
      • Supports plugin development
      • Supports a native pseudo-code decompiler on the latest dev branch
  • IDA Pro
    • Pricing: Paid ($1,879 USD/$57,000 TWD)
      • For base application; this does not include any necessary decompilers
    • Codebase: Proprietary
    • 📝 Notes:
      • Industry standard
      • Supports 50+ CPU instruction types

.NET Binaries

  • dnSpy
    • Pricing: Free
    • Codebase: Open-source
    • 📝 Notes:
      • Cross-platform
      • Has a built-in debugger and anti-anti-debug features
        • By default spoofs IsDebuggerPresent, CheckRemoteDebuggerPresent, and System.Diagnostics.Debugger
  • dotPeek
    • Pricing: Free
    • Codebase: Proprietary
  • .NET Reflector
    • Pricing: Paid ($205 USD/$6,200 TWD)
    • Codebase: Proprietary
    • 📝 Notes:
      • Can decompile to async state machine level
      • Students can apply for the .NET Developer Bundle for free

Dynamic Analysis

Network

  • Fiddler
    • Pricing: Free
    • Codebase: Proprietary
    • 📝 Notes:
      • HTTP(S) debugger
  • Burp Suite
    • Pricing: Free limited shareware; paid ($399 USD/$12,000 TWD)
    • Codebase: Proprietary
    • 📝 Notes:
      • Cross-platform
      • HTTP(S) debugger
      • Popular among web pentesters
  • FakeNet-NG
    • Pricing: Free
    • Codebase: Open-source
    • 📝 Notes:
      • Cross-platform
      • ⚠ Based on Python 2.x
      • Listens for DNS/HTTP(S)/SSL requests
      • Attempts to serve legitimate-looking files
        • e.g. if the malware requests a JPG file, it returns a user-specified JPG file
      • Can write a capture file (*.pcap)

Binary

  • Process Hacker
    • Pricing: Free
    • Codebase: Open-source
    • 📝 Notes:
      • Based on Process Explorer
      • View the process tree, network ports, and disk activity
      • Manage services
      • Flag malicious executables
      • Inject DLLs
      • Manage the threads of a process
      • Shows whether a process is
        • Packed by a packer
        • Digitally signed
        • A .NET process
      • Many more features than can be listed here
  • Process Explorer
    • Pricing: Free
    • Codebase: Proprietary
    • 📝 Notes:
      • Created by Microsoft

Static Analysis

  • strings
    • scoop install strings
  • trid
    • scoop install trid
  • pestudio
    • Performs string extraction and VirusTotal lookups
    • Shows referenced API calls
    • Checks for signature validity

PowerShell

Red Team

Blue Team

Misc

Useful Notes

Misc

  • Starting from Windows 10 v1803, curl is included with the OS.
    • PowerShell users may need to invoke curl.exe instead of curl to avoid the Invoke-WebRequest alias.
    • Alternatively, remove the alias by using Remove-Alias curl.
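The following PowerShell snippet is an added example, not part of the original notes. It shows how to check what the name curl resolves to in the current session, how to call the bundled curl.exe unambiguously, and how to drop the alias in a way that works on both Windows PowerShell 5.1 and PowerShell 7+ (the Remove-Alias cmdlet only exists in PowerShell 6 and later, where the curl alias has already been removed). The URL https://example.com/ is a placeholder target.

```powershell
# Added example (not from the original page). Assumes Windows 10 v1803 or later
# so that C:\Windows\System32\curl.exe exists; https://example.com/ is a placeholder.

# 1. What does "curl" currently resolve to?
#    Windows PowerShell 5.1: Alias -> Invoke-WebRequest
#    PowerShell 7+ (alias removed): Application -> ...\System32\curl.exe
$resolved = Get-Command curl -ErrorAction SilentlyContinue
if ($resolved) {
    "{0} -> {1}" -f $resolved.CommandType, $resolved.Definition
} else {
    "curl is not resolvable in this session"
}

# 2. Call the real binary regardless of aliases by using its full file name.
#    -sS  silent, but still report errors
#    -o NUL  discard the response body
#    -w   print only the HTTP status code
curl.exe -sS -o NUL -w "%{http_code}`n" https://example.com/

# 3. Drop the alias for this session only. Remove-Item on the Alias: drive works
#    on 5.1 and 7+ alike; Remove-Alias would fail on 5.1 because it does not exist there.
if (Test-Path Alias:curl) {
    Remove-Item Alias:curl -Force
}

# 4. Confirm that "curl" now resolves to the executable.
Get-Command curl | Select-Object CommandType, Source
```

Removing the alias with Remove-Item only affects the current session; to make it persistent, put the same Remove-Item line in your $PROFILE. Using curl.exe explicitly in scripts avoids the problem entirely and is the safer choice for anything that has to run under both PowerShell versions.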