the-backdoor-factory - Patch PE, ELF, Mach-O binaries with shellcode (NOT Supported)

  •    Python

For security professionals and researchers only. The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

SigThief - Stealing Signatures and Making One Invalid Signature at a Time

  •    Python

I've noticed during testing against Anti-Virus over the years that each is different and each prioritizes PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess. So I'm releasing this tool to let you quickly do your testing, and feel free to report it to vendors or not.

Manalyze - A static analyzer for PE executables.

  •    C++

My work on Manalyze started when my antivirus tried to quarantine my malware sample collection for the thirtieth time. It is also born from my increasing frustration with AV products which make decisions without ever explaining why they deem a file malicious. Obviously, most people are better off having an antivirus decide what's best for them. But it seemed to me that expert users (i.e. malware analysts) could use a tool which would analyze a PE executable, provide as much data as possible, and leave the final call to them. If you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: manalyzer.org.



CLIFileRW is a .NET library specifically designed to read and rewrite .NET binaries. The library, developed for the CodeBricks research project, has been built with the utmost performance in mind: it interacts with .NET reflection only under explicit request, so large cod...

Amber - Reflective PE packer.

  •    Assembly

amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute themselves like shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber, check out the description below. For more detail about usage, installation and how to decrease detection rate, check out the WIKI. Developed by Ege Balcı from INVICTUS/PRODAFT.

machomachomangler - Tools for mangling Mach-O and PE binaries

  •    Python

Additionally: a tool that creates a "placeholder" library, which imports the mangled library described above, and then re-exports the symbols under their original names. For code that wants to use a pynativelib library: a tool that takes a dylib/bundle/executable, a list of "original" dylibs, and for each "original" dylib, a new name for that dylib, and a mangling rule. It then (a) replaces the import of the original dylib with an absolute import of the new dylib name from a non-existent directory, (b) marks this as a "weak" import, (c) applies the mangling rule to all symbols imported from this dylib, and (d) marks these symbols for lookup in the flat namespace.

PeNet - Portable Executable (PE) library written in .Net

  •    CSharp

PeNet is a parser for Windows Portable Executable headers. It is completely written in C# and does not rely on any native Windows APIs. Furthermore, it supports the creation of Import Hashes (ImpHash), a feature often used in malware analysis. You can extract the Certificate Revocation List, compute different hash sums and do other useful things when working with PE files. For help, see the Wiki.

pescan - Malice PExecutable Plugin

  •    Python

This repository contains a Dockerfile for malice/pescan. It outputs to stdout and POSTs to the malice results API webhook endpoint.

goblin - An impish, cross-platform binary parsing crate, written in Rust

  •    Rust

Goblin requires rustc 1.19. libgoblin aims to be your one-stop shop for binary parsing, loading, and analysis.

DLLSpy - DLL Hijacking Detection Tool

  •    C++

DLLSpy is a tool that detects DLL hijacking in running processes, services and their binaries. DLLSpy has three engines under its belt.

tinycc - My tinycc fork: hopefully, better OSX support, EFI targets, and ???

  •    C

Today this includes some basic build support (CONFIG_OSX) in ./configure and ./Makefile. It also makes the '-run' mode function, allowing tcc to open up libc.dylib. The targets are arm64-win32-tcc and arm64-uefi-tcc. libtcc1 is not built, so this is only useful for standalone code, such as UEFI images.

Project-Euler - 🍡Solutions on Project Euler Removed

  •    Go

🍡Solutions on Project Euler Removed

IAT_patcher - Persistent IAT hooking application - based on bearparser

  •    C++

Persistent IAT hooking application - based on bearparser. More: http://hasherezade.github.io/IAT_patcher/

MapPE - MapPE constructs the memory mapped image of given PE files.

  •    Go

MapPE constructs the memory mapped image of given PE files.