Source Code Analyzer

Used for source code analysis, generally security related.

Capstone

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Multiple architectures

Capstone is one of very few disassembly frameworks that support multiple architectures. So far, it handles the 4 most important architectures: ARM, ARM64 (aka ARMv8/AArch64), MIPS & X86. More will be added in the future when possible.
Updated

As far as we are aware, in all 4 architectures Capstone can handle more instructions than other frameworks. In particular, it supports most modern CPU extensions & is guaranteed to remain updated in the future.
Clean, simple & intuitive architecture-neutral API

A clean & intuitive design is the key principle behind Capstone's API. The interface has always been kept as simple as possible: a new user needs just a few minutes to understand it & start writing their own tool based on the samples accompanying the Capstone source code.

Even better, the API is independent of the underlying hardware, so your analysis tool can work the same way across all the architectures.
Detailed instruction information

Capstone breaks down instruction information, making it straightforward to access instruction operands & other internal instruction data.

Some alternatives call this feature a “decomposer”, but Capstone is the only framework that provides it across all the architectures in a seamless way.
Instruction semantics

Capstone provides some important semantics of the disassembled instruction, such as the list of implicit registers read & written, or whether the instruction belongs to a group of instructions (such as the ARM NEON group or the Intel SSE4.2 group). Writing your own machine code normalization now becomes easier than ever.
Zero barrier

Implemented in pure C, Capstone is easy to adopt for your low-level tool. Furthermore, lightweight & efficient bindings for popular languages such as Python, Ruby, OCaml, C#, Java & Go are also available.

Malheur Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior in various formats, as long as the monitored events are separated by delimiter symbols, as for example in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

Extraction of prototypes. From a given set of reports, Malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

Clustering of behavior. Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

Classification of behavior. Based on a set of previously clustered reports, Malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel variants of malware and can be used to filter program behavior prior to manual inspection.

Hook Analyser Malware Tool

Malware Analyser is a freeware tool to perform static and dynamic analysis of malware.
Author: Beenu Arora

The features are:
- String-based analysis for registry keys, API calls, IRC commands, DLLs called and VM-awareness.
- Displays detailed PE headers with all section details, import and export symbols, etc.
- On Linux distributions, it can perform an ASCII dump of the PE along with other options (check the --help argument).
- On Windows, it can generate the various sections of a PE: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections.
- ASCII dump on Windows machines.
- Code analysis (disassembling).
- Online malware checking (www.virustotal.com).
- Checks for packers against its packer database.
- Tracer functionality: can be used to identify anti-debugging tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes and network identification traces.
- Signature creation: allows creating signatures of malware.
- Batch mode scan to scan all DLL and EXE files in directories and sub-directories.

Recent updates:
--Added Traces signatures
--Improved parsing
--Added ThreatExpert for online scanning option
--Packed libraries onto single executable
--Improved Traces signatures

NetCrypt

A proof-of-concept packer for .NET executables, designed to provide a starting point for explaining the basic principles of runtime packing.
It is a full implementation of a simple .NET PE file packer which doesn't use native code.

It can perform the following tasks:
- pack itself
- pack files already packed by itself (up to four layers of packing have been tested)
- automagically resolve dependencies of the packed EXE

The following downsides/problems are known:
- output files are quite big
- there is no compression
- console applications/DLLs cannot be packed.

Implementation

The packer is implemented in a shared library called netcrypt.dll. If you reference this library, you can pack a file with the following code:

// Raw bytes of the unpacked .NET executable, loaded or generated by the caller
byte[] arrayOfUnpackedExeBytes;
// ... perform file loading/generation logic
// Packer.Pack returns the bytes of the packed executable, ready to be written to disk
byte[] packedExe = Packer.Pack(arrayOfUnpackedExeBytes);

Grabber

Grabber is a web application scanner. Basically, it detects some kinds of vulnerabilities in your website.
Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums, etc., and absolutely not big applications: it would take too long and flood your network.

Contact
-------
author: Romain Gaucher
website: http://rgaucher.info/beta/grabber
email: [email protected]

Current features

Because it's a small tool, the set of vulnerabilities it covers is small:
- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Backup files check
- Simple AJAX check (parses every JavaScript file, extracts the URLs and tries to get the parameters)
- Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
- JavaScript source code analyzer: evaluation of the quality/correctness of the JavaScript with JavaScript Lint
- Generation of a file [session_id, time(t)] for later statistical analysis.

How do I use Grabber?

You have a main script, grabber.py, which executes the modules (xss.py, sql.py, etc.).
Download Grabber
The executable version produced by py2exe
Source code
Installation

To use Grabber you only need Python 2.4, BeautifulSoup and PyXML. You can download the packages from the websites given above.

Configuration

You can configure the run with a configuration file like this:

http://127.0.0.1/bank
1

Then launch the grabber.py script.
Or you can use the command line parameters:
$ python grabber.py --spider 1 --sql --xss --url http://127.0.0.1/bank

The two configurations are equivalent.

What you need to know?

Halcyon

Generates Kolkata fingerprints for web application identification.
Halcyon is a repository crawler that computes checksums for the static files found within a given git repository. After performing a change frequency analysis, it begins recording the checksums, starting with the static files updated most often and working its way down from there. Using the checksum data, the application then generates well-formed version fingerprint signatures in YML format, for easy feeding into kolkata. Additionally, the signature output includes the revision ID, so it may be possible to find the exact commit for the instance of the application in question.

Dependencies:
git repository software

Usage:
The application may be time-intensive, depending on the volume of files that need to be checksummed and the number of revisions they may have.

usage: halcyon.py [-h] [-c] -u URL -f FILE -m MATCH
                  [--omit-directory OMIT_DIRECTORY] [-t TOP]

optional arguments:
  -h, --help            show this help message and exit
  -c, --clone           Clone the repo first.
  -u URL, -p URL, --url URL, --path URL
                        Path or URL to the repository.
  -f FILE, --file FILE  File to search for version information
  -m MATCH, --match MATCH
                        Regex to match line with version number (ie: '^\\\$wp_version = \x27([^']+)\x27;$')
  --omit-directory OMIT_DIRECTORY
                        Comma separated list of directories to omit. (Helpful for removing install directories from signature generation)
  -t TOP, --top TOP     Top 'n' most-frequently-edited files to use. (0 for unlimited)

Example:
python2 halcyon.py -u https://github.com/WordPress/WordPress.git -c -f wp-version.php -m "^\\\$wp_version = \x27([^']+)\x27;$" -t 1

Silverlight Spy

Silverlight Spy is a runtime inspector tool providing unprecedented access to all aspects of any Silverlight in-browser, out-of-browser and Windows Phone 7 application. Explore the UI element tree, monitor events, extract XAML, interactively execute DLR code, view statistics and more.

Trillix

Convert SWF to FLA within seconds! Flash Decompiler Trillix is the only application capable of converting SWF to FLA with high speed, high quality and hundreds of additional features. It is the ultimate tool to recover your lost FLA files - being the market leader since 2003! Decompile SWF files and obtain source code FLA in seconds. It supports batch conversion, so you can leave a bunch of different tasks to it and do any other things while our application is working.

Veracode

Current forces are putting pressure on organizations to secure their applications fast. The Veracode product suite facilitates that for you and we make implementation a breeze with our private cloud delivery platform. There's no hardware to buy; no software to install; no disruption to current systems; no intensive developer training; and you can be up and running in minutes.

Hackbar

Hackbar is another Firefox add-on that acts as a simple security audit / penetration testing tool.
