Tools

| Crawlector – A Threat Hunting Framework

Description: Crawlector is a threat-hunting framework designed for scanning websites for malicious objects.

Note: The framework was first presented at the No Hat conference in Bergamo, Italy (Slides, YouTube Video), and will be presented again at the AVAR conference, in Singapore.

The framework is available on GitHub.

| EKFiddle2Yara

Description: EKFiddle2Yara is a tool that takes EKFiddle rules and converts them into YARA rules.

Note: The tool was first presented at the No Hat conference in Bergamo, Italy (Slides, YouTube Video), along with the Crawlector framework.

The tool is available on GitHub.
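
Example (added here, not code from the EKFiddle2Yara release): the core of a regex-rule-to-YARA converter. It assumes a simplified, constructed input layout of one rule per line as name<TAB>regex, which is not necessarily EKFiddle's actual rule file format, and concentrates on the checks any such converter needs: YARA rule identifiers are restricted to letters, digits and underscores and may not start with a digit; a forward slash must be escaped inside a /.../ regex literal; an inline (?i) flag has to become YARA's /.../i suffix; and constructs YARA's regex engine does not implement (lookaround, backreferences) must be rejected rather than emitted as a rule that compiles to something different. The sample rules at the bottom are constructed, not real signatures.

```python
"""Convert regex-based detection rules into YARA rules.

Added example, not the EKFiddle2Yara tool's own code. Assumes a simplified
`name<TAB>regex` line format (constructed stand-in, not necessarily EKFiddle's
real rule layout) and shows the conversion checks a converter needs.
"""
from __future__ import annotations
import re

# Regex features YARA's engine does not support (see the YARA docs on regexps).
_UNSUPPORTED = [
    (re.compile(r"\(\?<?[=!]"), "lookaround"),
    (re.compile(r"(?<!\\)\\[1-9]"), "backreference"),
]


def yara_identifier(name: str) -> str:
    """Turn an arbitrary rule name into a legal YARA identifier."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if not ident or ident[0].isdigit():
        ident = "r_" + ident
    return ident


def convert_regex(pattern: str) -> tuple[str, str]:
    """Return (yara_regex_body, flag_suffix); raise ValueError if unconvertible."""
    for rx, what in _UNSUPPORTED:
        if rx.search(pattern):
            raise ValueError(f"{what} not supported by YARA: {pattern!r}")
    flags = ""
    if pattern.startswith("(?i)"):
        pattern, flags = pattern[4:], "i"
    # Escape unescaped forward slashes so the /.../ delimiters stay unambiguous.
    body = re.sub(r"(?<!\\)/", r"\\/", pattern)
    return body, flags


def rule_from_line(line: str) -> str:
    """Build one YARA rule text from a `name<TAB>regex` line."""
    name, pattern = line.rstrip("\n").split("\t", 1)
    body, flags = convert_regex(pattern)
    return (
        f"rule {yara_identifier(name)}\n"
        "{\n"
        "    strings:\n"
        f"        $re = /{body}/{flags}\n"
        "    condition:\n"
        "        $re\n"
        "}\n"
    )


def convert_rules(text: str) -> tuple[list[str], list[str]]:
    """Convert every non-empty, non-comment line; collect rejections separately."""
    rules, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rules.append(rule_from_line(line))
        except ValueError as exc:  # unsupported regex or malformed line
            rejected.append(str(exc))
    return rules, rejected


# Constructed sample rules for illustration only; not real EKFiddle signatures.
SAMPLE_RULES = (
    "# name<TAB>regex\n"
    "Fake EK Landing\t(?i)/[a-z]{8}\\.php\\?id=\\d+\n"
    "1st-gate\t/gate\\.php\\?a=\n"
    "bad-lookahead\tfoo(?=bar)\n"
)

if __name__ == "__main__":
    rules, rejected = convert_rules(SAMPLE_RULES)
    print("".join(rules))
    print("rejected:", rejected)
```

Rejecting instead of stripping the unsupported construct is deliberate: a lookahead silently dropped would turn a precise rule into a much broader one, and the resulting false positives are harder to trace back than a conversion error logged at build time.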

| PureBasic Compiler Reverse Engineering Toolset

. PuBaLP (PureBasic Library Parser) is a tool for parsing the structures of the proprietary PureBasic library file format and dumping the original COFF libraries.

Download – Size: 379 KB
SHA-256: 5753eee1c1e7f393bd3d44b567ea4941ffb06b39ff75ed70837d7558cfa38ba6

. PuBaHelper is an IDA Pro plugin that helps with identifying PureBasic (PB) binaries (Windows 32- and 64-bit EXE and DLL files), applying the relevant FLIRT signatures (Windows versions only, 32 and 64 bit), and looking up the documentation of a given PB API either online or in a local CHM file. (Plugins were built with IDA SDK 7.0)

Download – Size: 733 KB
SHA-256: acc58a60cb066e9a0380e36132cd829a16d50f78d79ec3183cb99ef05361eebb

. PureBasic IDA FLIRT Signatures (note: these are also included in the PuBaHelper release package)

Download – Size: 515 KB
SHA-256: f9097ba2c0a49086621cf92586d8773ffffc3b9ef91aef20e2a1df3d51c71579

NOTE: PuBaLP, PuBaHelper and PureBasic IDA FLIRT Signatures have been updated to account for version 4 of the compiler (May 29th, 2020).

| InsHelper v0.1 – the Ourea Build:111119

Download – Size: 148.0 KB
SHA-256: 406450645f510fc1feacfb844a194c1903db8c001c7db86b079d84b81e88d683

Description: InsHelper is a simple IDA Pro plugin that lets you web-search for x86 API names, x86 mnemonic documentation and selected/highlighted text; for all non-x86 processor modules it falls back to a regular Google search. Everything happens with a single keystroke (hotkey Ctrl-Shift-Q), and what is searched depends on the current context. (Plugins were built with IDA SDK 7.0)

For more information about the plugin, please check the following online documentation: InsHelper – Documentation

| Base64CPPLib & ExBase64 Tool

Description: Base64CPPLib is an open-source Base64 encoding and decoding library written in “modern” C++. The library is highly extensible and supports working with strings, hexadecimal streams, and files.

ExBase64 is a Base64 encoding and decoding command line tool that leverages the full capabilities of Base64CPPLib Library.

The library and the tool are available on GitHub.
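
Example (added here; not code from Base64CPPLib or ExBase64, and written in Python rather than the library's C++): a from-scratch RFC 4648 encoder paired with a strict decoder, plus the hex-stream and file entry points the description mentions. The security point is strictness: lenient decoders (Python's own base64.b64decode in its default mode included) accept "QUJ=" as well as the canonical "QUI=" for the bytes "AB", so several distinct strings map to one value, which is a classic way around filters or deduplication that compare the encoded form. All function names here are this example's own.

```python
"""Base64 encode/decode with a strict, canonical-only decoder.

Added example, not Base64CPPLib's or ExBase64's code. The decoder rejects
characters outside the alphabet, wrong lengths, misplaced or excessive
padding, and non-canonical encodings whose unused trailing bits are set.
"""
from __future__ import annotations

_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_DECODE = {c: i for i, c in enumerate(_ALPHABET)}


def b64encode(data: bytes) -> str:
    """Standard Base64 with '=' padding."""
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1  # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        out += bytes(_ALPHABET[s] for s in sextets[:keep])
        out += b"=" * (4 - keep)
    return out.decode("ascii")


def b64decode_strict(text: str) -> bytes:
    """Decode Base64, accepting only the canonical encoding of the result."""
    raw = text.encode("ascii")  # UnicodeEncodeError is a ValueError subclass
    if len(raw) % 4:
        raise ValueError("length is not a multiple of 4")
    body = raw.rstrip(b"=")
    pad = len(raw) - len(body)
    if pad > 2 or b"=" in body:
        raise ValueError("bad padding")
    out = bytearray()
    for i in range(0, len(body), 4):
        chunk = body[i:i + 4]  # final chunk has 2, 3 or 4 characters
        try:
            vals = [_DECODE[c] for c in chunk]
        except KeyError as exc:
            raise ValueError(f"character outside alphabet: {chr(exc.args[0])!r}") from None
        n = 0
        for v in vals:
            n = (n << 6) | v
        nbytes = len(chunk) - 1
        unused = 6 * len(chunk) - 8 * nbytes  # 0, 2 or 4 bits of slack
        if n & ((1 << unused) - 1):
            # "QUJ=" has a non-zero slack bit; lenient decoders still return b"AB"
            raise ValueError("non-canonical encoding: unused trailing bits set")
        out += (n >> unused).to_bytes(nbytes, "big")
    return bytes(out)


def b64encode_hex(hex_stream: str) -> str:
    """Encode a hexadecimal byte stream such as '41 42 43' (spaces optional)."""
    return b64encode(bytes.fromhex(hex_stream.replace(" ", "")))


def b64encode_file(path: str) -> str:
    """Encode the raw contents of a file."""
    with open(path, "rb") as fh:
        return b64encode(fh.read())


if __name__ == "__main__":
    print(b64encode(b"AB"), b64decode_strict("QUI="))
    try:
        b64decode_strict("QUJ=")
    except ValueError as err:
        print("rejected:", err)
```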

| SPF (ShellPcapFication) v1.1 – Release Edition: The Thinker

Download – Size: 868.0 KB
SHA-256: 49fc2c0f5b575ea5748101a73bad4f01468f9dda20eb449c7bac3ed474705d41

Description: SPF (ShellPcapFication) is a shell framework that provides a sophisticated abstraction layer over TShark (the console version of Wireshark) and the Windows command shell interpreter. It features a custom, simple declarative language called Eros, which consists of only two constructs, four keywords, three input operators, auxiliary logic, a function call operator, an INSERT statement, a specifier and an include preprocessing directive. SPF also provides a set of built-in helper commands that simplify interacting with Eros dynamically.

SPF main features include:

  1. The democratization of writing and sharing a standardized set of constructs based on Eros language
  2. The capability to use different constructs as building blocks to form complex operations
  3. Simplification of repetitive tasks
  4. Rich shell functionality
  5. Automation of Exploit Kit detection
  6. Protocol-specific features/fields extraction
  7. Building self-contained and easy-to-manage self-explanatory units/constructs
  8. Functioning as a signature detection system (based on TShark powerful protocol dissectors)

For more information about SPF, please check the following:

[+] Online documentation (PDF): SPF – Documentation
[+] ToorCon conference presentation (Sep 2nd, 2017): Video(YouTube): ShellPcapFication (SPF) – A Sophisticated Interactive Shell Framework

[+] Features Explanation
1. Introduction to Implicit Constructors (Nov 5th, 2017)
2. How to Write a Construct that Checks for Malicious SSL Certificates (Nov 25th, 2017) |-> “checkcert” construct

| IDAEye v0.4 – FalconHeavy Build:100318

Download – Size: 333.0 KB
SHA-256: 2d560c8cb964713616ed6150c1d1cbd01f12254bae156ce491776cf3199ba410

Description: IDAEye is an IDA Pro plugin that lets you perform different operations at the mnemonic level, independent of any particular processor type. These operations are driven by a parameterized template and include highlighting and un-highlighting instructions, gathering statistics on the frequency of each instruction, and searching for sequences of mnemonics with wildcard support, among other features. Note that two releases of IDAEye are included (pre-SDK 7.0 and post-SDK 7.0).

For more information about the plugin, please check the following online documentation: IDAEye – Documentation
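
Example (added here, not IDAEye's own code): two of the operations the description names, mnemonic frequency statistics and wildcard search over a mnemonic sequence, implemented outside IDA on a constructed listing of (address, mnemonic) pairs, which is what a plugin would pull from the disassembler. The pattern syntax is this example's own: "?" matches exactly one instruction of any mnemonic and "*" matches zero or more, so "xor * loop jmp" locates a decoder-loop shape regardless of how the loop body is written. Addresses in the sample listing are made up.

```python
"""Mnemonic-level frequency statistics and wildcard sequence search.

Added example, not IDAEye's code. Works on a constructed (address, mnemonic)
listing instead of IDA's API so it runs stand-alone.
"""
from __future__ import annotations
from collections import Counter
from typing import List, Optional, Tuple

Listing = List[Tuple[int, str]]

# Constructed listing resembling a small XOR decoding loop; addresses are made up.
SAMPLE: Listing = [
    (0x401000, "push"), (0x401001, "mov"), (0x401003, "xor"),
    (0x401005, "lea"), (0x401008, "mov"), (0x40100d, "xor"),
    (0x40100f, "inc"), (0x401010, "loop"), (0x401012, "jmp"),
    (0x401014, "pop"), (0x401015, "ret"),
]


def mnemonic_frequency(listing: Listing) -> List[Tuple[str, int]]:
    """Return (mnemonic, count) pairs, most frequent first, ties alphabetical."""
    counts = Counter(m.lower() for _, m in listing)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _match_at(mnems: List[str], pos: int, pat: List[str]) -> Optional[int]:
    """Match pattern at index pos; return the exclusive end index or None."""
    if not pat:
        return pos
    head, rest = pat[0], pat[1:]
    if head == "*":
        # Consume zero or more instructions, shortest match first.
        for end in range(pos, len(mnems) + 1):
            found = _match_at(mnems, end, rest)
            if found is not None:
                return found
        return None
    if pos >= len(mnems):
        return None
    if head == "?" or mnems[pos] == head:
        return _match_at(mnems, pos + 1, rest)
    return None


def find_sequence(listing: Listing, pattern: str) -> List[Tuple[int, int]]:
    """Return (first_addr, last_addr) for every match of the mnemonic pattern."""
    pat = pattern.lower().split()
    mnems = [m.lower() for _, m in listing]
    hits = []
    for i in range(len(mnems)):
        end = _match_at(mnems, i, pat)
        if end is not None and end > i:
            hits.append((listing[i][0], listing[end - 1][0]))
    return hits


if __name__ == "__main__":
    for mnem, count in mnemonic_frequency(SAMPLE):
        print(f"{mnem:6s} {count}")
    for start, last in find_sequence(SAMPLE, "xor * loop jmp"):
        print(f"decoder-loop shape at {start:#x}..{last:#x}")
```

Both functions are processor-agnostic because they only ever see mnemonic strings, which is the same property that lets IDAEye run on any IDA processor module; the matching is a plain backtracking walk, so a pattern consisting only of "*" will report a hit at every position and should be treated as an input error by a real plugin.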

| Entyzer+ v0.6 – Orezmus Build:220214

Download – Size: 388.0 KB
SHA-256: d1de3b8997c223da23c086928e3558c2b281f29291c16a366585cc2899774a29

Description: Entyzer+ is an advanced entropy analyzer armed with various mathematical binary-editing capabilities. It implements many custom and well-known algorithms grounded in information theory. It is a command-line tool with around 30 major features and can be used in reverse code engineering, malware analysis (it includes an optimized and generalized implementation of the Flame worm's substitution algorithm), system forensics and related areas.

Two technical research papers have been published that use Entyzer+ as the main framework for implementing the algorithms they propose; readers interested in the internals of those features are advised to consult the papers. The other features are self-explanatory.

For more information about the tool, please refer to the following online “help” file:
Entyzer – Help
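
Example (added here, not Entyzer+'s code): the most basic entropy-analysis pass such a tool performs, Shannon entropy in bits per byte over a whole buffer and over fixed-size windows, with adjacent high-entropy windows merged into byte ranges. This is the usual first step when hunting for packed, compressed or encrypted regions inside a sample. The input is a constructed buffer (zeros, then ASCII text, then bytes from a fixed-seed pseudo-random generator); the threshold and window size are tunables, and note that small windows score below the theoretical 8.0 even for truly random data because of sampling.

```python
"""Sliding-window Shannon entropy over a byte buffer.

Added example, not Entyzer+'s code. Input is a constructed buffer built by
make_sample(); function names and the threshold are this example's own.
"""
from __future__ import annotations
import math
import random
from collections import Counter
from typing import List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 to 8.0; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropy(data: bytes, window: int, step: Optional[int] = None) -> List[Tuple[int, float]]:
    """(offset, entropy) per window; a trailing partial window is included."""
    step = step or window
    out = []
    for off in range(0, len(data), step):
        out.append((off, shannon_entropy(data[off:off + window])))
        if off + window >= len(data):
            break
    return out


def high_entropy_regions(data: bytes, window: int, threshold: float = 6.5) -> List[Tuple[int, int]]:
    """Merge adjacent windows scoring >= threshold into (start, end) byte ranges."""
    regions: List[Tuple[int, int]] = []
    for off, h in window_entropy(data, window):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)  # extend the previous region
        else:
            regions.append((off, end))
    return regions


def make_sample() -> bytes:
    """Constructed buffer: 256 zero bytes, 256 bytes of text, 512 random bytes."""
    rng = random.Random(1337)  # fixed seed keeps the output reproducible
    text = (b"The quick brown fox jumps over the lazy dog. " * 6)[:256]
    return bytes(256) + text + bytes(rng.getrandbits(8) for _ in range(512))


if __name__ == "__main__":
    sample = make_sample()
    for off, h in window_entropy(sample, 256):
        print(f"{off:#06x}  {h:.3f}")
    print("high-entropy regions:", high_entropy_regions(sample, 256))
```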

| Solution: KeyGenerator for KGM #2 by Sharpe

Download – Size: 47.7 KB
SHA-256: 2ac8cd3aa76d696fca544288db1385b05105c3f006dc2659f4cdb3afdf456170

Description: This is a key generator solution for the KeyGenMe #2 challenge by Sharpe.

| STiGmaTaMe [!Alpha.Zeta] }: Proof of Concept

Download – Size: 53.5 KB
SHA-256: 5410058e08e70f7319f993b33a6065c15a7a1e7e9504defd2a313a7382d15551

Description: A keygenme challenge I wrote a while back.

Solutions: [-j00ru//vx-] and [ – anhsirk – ]