Forensics

FOCA

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analyzed with FOCA.

It is capable of analyzing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyzes Adobe InDesign or SVG files, for instance.

These documents are searched for using three possible search engines: Google, Bing, and Exalead. The combined results from the three engines amount to a large number of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file.

With all data extracted from all files, FOCA matches information in an attempt to identify which documents have been created by the same team and what servers and clients may be inferred from them.

SpiderFoot

SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target.

Purpose
There are three main areas where SpiderFoot can be useful:

If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pinpoint areas of focus for the test.

Understand what your network/organization is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.

SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.

Dumproc 0.2

A quick tool for dumping memory from a process or writing data into it.

Lame Patcher 0.4.4b

A file patcher available with both a GUI (on Windows) and a command-line mode, plus various features. It uses text files with the lpatch extension for the list of operations to perform on the target file to patch. These text files are trivial to create and edit and allow you to specify comments, the default name of the file to patch, an introduction to display before applying the patch, MD5 hash verification, the modification of a byte at a specific offset, the substitution of a sequence of bytes or a string, wildcards and more.

There is also an older version of "patch files" used for substituting bytes at fixed offsets; these are identified by the lpatch.dat name. On Windows the tool can also be used to patch a running process, or to launch and patch it.
This patcher and its patch files are the only ones that I use for my patches.

Signsrch 0.2.3

A tool for searching for signatures inside files, extremely useful in reverse engineering for figuring out, or getting an initial idea of, which encryption/compression algorithm is used by a proprietary protocol or file. It can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code, which can also be added manually since everything is based on a text signature file that is read at run time and easy to modify.

It supports multithreading, scanning folders using wildcards, scanning processes, conversion of executable offsets to memory offsets, loading custom signature files and checking them automatically to avoid errors, automatically finding the instructions that reference the found signatures (like "Find references" in OllyDbg), and launching an executable with an INT3 byte placed at the desired memory offset.

Executable's strings lister and replacer 0.2.3a

The main purpose of this tool is to find any ASCII and Unicode string inside PE and ELF executables, with the possibility of modifying them using any external text editor and re-injecting them into the original executable.

Technically, the finding of the strings works as follows: the tool disassembles all the executable sections of the input file (like .text; only x86 32-bit is supported) and shows any string or any array of strings, so instructions like push "string", mov eax, "string" or mov eax, "[4*edx+array]" and so on are handled correctly. Injecting the modified strings back into the executable (ELF not supported) is instead performed by adding a new "stringz" section which contains all the new strings, and by substituting all the pointers to those strings collected in the "finding" operation with the new ones (relocation).

The tool can also be used as a quick and advanced strings program (the one available on *nix), with the difference that the strings found by exestringz are not random but are found and confirmed by the disassembled code, avoiding false positives. Through the -b option the tool can act exactly like the strings program and can naturally also re-import the modified strings. There is also an "experimental" option specific to Asian UTF-8, which was the reason for the initial creation of this tool: the translation of a Japanese game. Note that, for obvious technical reasons, it is not always possible to export and re-import all the strings of any executable, because in some cases (usually with big programs) false positives may be generated; anyway, the output file generated by the tool is very easy to understand and edit, so this is not a problem.

Technical limitations:

AndroChef Java Decompiler

AndroChef Java Decompiler is a Java decompiler for Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 and Windows 10 that reconstructs the original source code from compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code.

AndroChef successfully decompiles obfuscated Java 6, Java 7 and Java 8 .class and .jar files. It supports Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers, a very high recovery rate. It is a simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.

ILSpy

ILSpy is the open-source .NET assembly browser and decompiler.

ILSpy Features:

Assembly browsing
IL Disassembly
Supports C# 5.0 “async”
Decompilation to C#
Supports lambdas and ‘yield return’
Shows XML documentation
Decompilation to VB
Saving of resources
Save decompiled assembly as .csproj
Search for types/methods/properties (substring)
Hyperlink-based type/method/property navigation
Base/Derived types navigation
Navigation history
BAML to XAML decompiler
Save Assembly as C# Project
Find usage of field/method
Extensible via plugins (MEF)
Assembly Lists

Snowman is a native code to C/C++ decompiler

Standalone Version
Supports ARM, x86, and x86-64 architectures.
Reads ELF, Mach-O, and PE file formats.
Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, all types of control-flow structures, including switch.
Has a nice graphical user interface with one-click navigation between the assembler code and the reconstructed program.
Has a command-line interface for batch processing.

IDA Plug-in
Supports all executable file formats supported by the disassembler.
Benefits from IDA’s signature search, parsers of debug information, and demanglers.
Decompiles a chosen function or the whole program at the push of a button.
Allows easy jumping between the disassembler and the decompiled code.
Fully integrates into IDA’s GUI.

Pin - A Binary Instrumentation Tool

Overview

Pin is a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications in Linux and Windows. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.

Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.

Distribution

Pin is proprietary software developed and supported by Intel and is supplied free of charge for non-commercial use. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.
