AMFParser

AMFParser is a plugin for the Fiddler2 web debugger. It parses and displays AMF data inside HTTP POST requests and responses. To learn more about AMF (Action Message Format), please refer to Action Message Format.

DarunGrim

DarunGrim is a patch diffing tool developed to reverse engineer Microsoft patches. It has been used for developing many 1-day exploits. (Currently end of support.)

FlashHacker

FlashHacker is an ActionScript bytecode instrumentation framework. The RABCDAsm tool is used for disassembling and assembling ActionScript bytecode, and FlashHacker uses that bytecode disassembly to inject various instrumentation instructions. This is very useful when you work with malicious Flash files.

LoadDLL

LoadDLL is a tool to load a DLL from the command line. When you have a DLL component to debug, you can simply load it with LoadDLL and perform dynamic analysis.

PowerShellRunBox

PowerShellRunBox is a dynamic PowerShell analysis framework based upon Windows PowerShell debugging functionality. It can step through obfuscated code to reveal its obfuscation scheme or to show its micro-behaviors. This can improve productivity in PowerShell malware analysis.

ShellCodeEmulator

ShellCodeEmulator is a Windows shellcode emulation tool based upon the Unicorn framework. It emulates Windows shellcode with the help of WinDbg process memory dumps: you provide the shellcode to analyze together with any Windows process dump image, and the tool emulates as much of the userland code as it can using the shellcode bytes and the provided dump image.

binkit

binkit is a binary reverse engineering data science kit. It extracts statistical information from binaries and uses it for various analyses. You can use it as a binary patch analysis tool with various diffing algorithms.

dumpflash

dumpflash is a tool to read Flash data from, and write it to, physical NAND Flash memory or a virtual image file. It supports operations such as ECC checking and on-image pattern recognition, extraction and rewriting of the U-Boot bootloader and the JFFS2 file system.

Frida

DarunGrim contributed to the frida-gum and frida-core projects. Frida-gum is a cross-platform instrumentation and introspection library written in C. This library is consumed by frida-core through its JavaScript bindings, GumJS.

iptanalyzer

iptanalyzer is an Intel PT log analyzer that supports parallel processing of trace logs to speed up decoding. It can also build basic-block-based cache information for further analysis; for example, locating specific code execution inside a module or finding abnormal code transfers are typical uses.

petool

petool is a utility to fix broken PE files. Usually, when you dump a PE image out of a running process, its geometry differs from the file-based PE image because some PE fields are modified to support loading of the image. This tool fixes up those entries so that you can load the file in disassemblers like IDA.

sRDI

DarunGrim contributed to sRDI. sRDI allows for the conversion of DLL files to position-independent shellcode.

Unicorn

DarunGrim contributed to Unicorn Engine as a beta tester (see Unicorn Credits), giving feedback on the implementation of the segmentation model.

windbgtool

windbgtool is a WinDbg toolbox package. It runs more complicated operations based upon the PyKD package.

windows_sdk_data

windows_sdk_data contains a Windows API listing in JSON format, generated from the SDK headers plus the SDK API documentation for SAL annotations. You can use it for fuzzing, for writing WinDbg extensions, for PyKD scripts that dump parameters, or for writing Frida scripts that understand parameters.

wintracer

wintracer is a Windows behavior tracing tool based upon Frida. It is still under development.