For security professionals and researchers only. The goal of BDF is to patch executable binaries with user-desired shellcode and continue normal execution of the pre-patched state.
Tags: file-infector bdf capstone pe macho elf

The purpose of this project is to provide a cross-platform library which can parse, modify and abstract ELF, PE and MachO formats.
Tags: reverse-engineering malware-analysis binary-analysis parser modification executable-formats elf macho pe lief parsing sdk android dex oat art vdex

I've noticed during testing against Anti-Virus over the years that each is different and each prioritizes PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess. So I'm releasing this tool to let you quickly do your testing, and feel free to report it to vendors or not.
Tags: pe testing-antivirus certificates python3

My work on Manalyze started when my antivirus tried to quarantine my malware sample collection for the thirtieth time. It is also born from my increasing frustration with AV products which make decisions without ever explaining why they deem a file malicious. Obviously, most people are better off having an antivirus decide what's best for them. But it seemed to me that expert users (i.e. malware analysts) could use a tool which would analyze a PE executable, provide as much data as possible, and leave the final call to them. If you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: manalyzer.org.
Tags: malware static analysis pe

amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute themselves like shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber, check out below. For more detail about usage, installation and how to decrease detection rate, check out the WIKI. Developed by Ege Balcı from INVICTUS/PRODAFT.
Tags: packer pe crypter stub shellcode shellcode-loader payload malware-research paper

Additionally: a tool that creates a "placeholder" library, which imports the mangled library described above, and then re-exports the symbols under their original names. For code that wants to use a pynativelib library: a tool that takes a dylib/bundle/executable, a list of "original" dylibs, and for each "original" dylib, a new name for that dylib, and a mangling rule. It then (a) replaces the import of the original dylib with an absolute import of the new dylib name from a non-existent directory, (b) marks this as a "weak" import, (c) applies the mangling rule to all symbols imported from this dylib, (d) marks these symbols for lookup in the flat namespace.
Tags: mach-o pe shared-libraries

PeNet is a parser for Windows Portable Executable headers. It is completely written in C# and does not rely on any native Windows APIs. Furthermore, it supports the creation of Import Hashes (ImpHash), which is a feature often used in malware analysis. You can extract the Certificate Revocation List, compute different hash sums and other useful stuff for working with PE files. For help see the Wiki.
Tags: pe pefile portable-executable pe-header import-hash imphash malware-analysis

This repository contains a Dockerfile of malice/pescan. This will output to stdout and POST to the malice results API webhook endpoint.
Tags: malware plugin malice docker pe pe-executable executable pefile malice-plugin malware-analysis malware-research peid signature-verification

Goblin requires rustc 1.19. libgoblin aims to be your one-stop shop for binary parsing, loading, and analysis.
Tags: elf mach archive pe binary-analysis reverse-engineering cross-platform

DLLSpy is a tool that detects DLL hijacking in running processes, services and in their binaries. DLLSpy has three engines under its belt.
Tags: permission pe privilege-escalation dll-hijacking dll

Today this includes some basic build support (CONFIG_OSX) in ./configure and ./Makefile. It also makes the '-run' mode function, allowing tcc to open up libc.dylib. The targets are arm64-win32-tcc and arm64-uefi-tcc. libtcc1 is not built, so this is only useful for standalone code, such as UEFI images.
Tags: osx macho tcc tinycc efi pe uefi

🍡Solutions on Project Euler Removed
Tags: project-euler pe

Portable Executable parsing library (from PE-bear)
Tags: pe parser-library multiplatform bearparser

Persistent IAT hooking application, based on bearparser. More: http://hasherezade.github.io/IAT_patcher/
Tags: pe iat hooking multiplatform iat-hooking pe-file pe-format bearparser

MapPE constructs the memory-mapped image of given PE files.
Tags: pe loader parser