Tools

While I was looking over my tools list, I noticed that I have not included a couple of tools that I use on a daily basis for reverse engineering malware.

The first one is Frank Boldewin’s OfficeMalScanner, an MS Office forensic tool that scans a document for malicious traces such as shellcode heuristics, embedded PE files and embedded OLE streams. It supports disassembly and a hex view, and it has an easy brute-force mode for detecting encrypted (encoded) payloads that a plain scan would miss.
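To show what that kind of scan actually does, here is an added example (my own code, not OfficeMalScanner's) that checks a buffer for an embedded PE header, applies two illustrative x86 shellcode heuristics (the call $+5 / pop reg "GetEIP" trick and PEB access via FS:[30h]; my selection, not OfficeMalScanner's exact signature set), and brute-forces single-byte XOR and ADD keys until the PE check fires. The "document" is constructed inline, and the XOR key 0x5A is an assumption for the demo:

```python
import struct

# Constructed sample only: a fake "document" made of the OLE2 magic, padding,
# a short shellcode-like stub and an XOR-encoded PE header. Not real malware;
# the encoding key (0x5A) is an assumption for this demo.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
XOR_KEY = 0x5A


def build_fake_pe() -> bytes:
    """Minimal 'MZ' header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after it
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"  # Machine = i386


def find_pe(data: bytes) -> list:
    """Return offsets of 'MZ' headers whose e_lfanew really lands on 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Bounding e_lfanew avoids chasing every random 'MZ' byte pair.
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


# Illustrative x86 shellcode heuristics (my selection, not OfficeMalScanner's
# exact signature set).
SHELLCODE_PATTERNS = {
    "GetEIP: call $+5 / pop reg": [bytes([0xE8, 0, 0, 0, 0, 0x58 + r]) for r in range(8)],
    "PEB access: mov reg, fs:[30h]": [
        b"\x64\xa1\x30\x00\x00\x00",       # mov eax, fs:[0x30]
        b"\x64\x8b\x1d\x30\x00\x00\x00",   # mov ebx, fs:[0x30]
        b"\x64\x8b\x0d\x30\x00\x00\x00",   # mov ecx, fs:[0x30]
    ],
}


def scan_shellcode(data: bytes) -> list:
    """Return (heuristic name, offset) for every pattern occurrence."""
    found = []
    for name, patterns in SHELLCODE_PATTERNS.items():
        for pat in patterns:
            off = data.find(pat)
            while off != -1:
                found.append((name, off))
                off = data.find(pat, off + 1)
    return found


def brute_force_pe(data: bytes) -> list:
    """Try every single-byte XOR and ADD key; report (mode, key, offset) of PE hits."""
    results = []
    for key in range(1, 256):
        xored = bytes(b ^ key for b in data)
        results += [("xor", key, off) for off in find_pe(xored)]
        added = bytes((b - key) & 0xFF for b in data)   # undo an ADD-key encoding
        results += [("add", key, off) for off in find_pe(added)]
    return results


# Sample layout: magic, padding, shellcode stub, padding, XOR-encoded PE, padding.
STUB = bytes([0xE8, 0, 0, 0, 0, 0x5B])               # call $+5 ; pop ebx
STUB_OFFSET = len(OLE2_MAGIC) + 24
PE_OFFSET = STUB_OFFSET + len(STUB) + 32
SAMPLE_DOC = (OLE2_MAGIC + b"\x00" * 24 + STUB + b"\x00" * 32
              + bytes(b ^ XOR_KEY for b in build_fake_pe()) + b"\x00" * 16)

if __name__ == "__main__":
    print("plain PE hits   :", find_pe(SAMPLE_DOC))        # empty: header is encoded
    print("shellcode hits  :", scan_shellcode(SAMPLE_DOC))
    print("brute-force hits:", brute_force_pe(SAMPLE_DOC))
```

The plain scan finds nothing because the PE header is encoded; the brute-force pass recovers both the key and the offset, which is exactly why a brute mode belongs in a document scanner. Bounding e_lfanew and requiring the PE signature keeps the 510 candidate decodings from producing false positives on random "MZ" byte pairs.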

The second is Didier Stevens’ PDF Tools, which include pdf-parser.py, make-pdf-javascript.py and pdfid.py. Pdf-parser and pdfid are the most widely used of the three in the reverse engineering community. pdf-parser.py parses a PDF document to identify the fundamental elements used in the analyzed file. pdfid.py is not a PDF parser: it scans a file for certain PDF keywords, letting you identify documents that contain (for example) JavaScript or that execute an action when they are opened.
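The following is an added example (my own code, not Didier Stevens' pdfid.py) of the keyword-scan idea described above: it pulls every PDF name out of the raw bytes, resolves #xx hex escapes so that /J#61vaScript is counted as /JavaScript, counts a pdfid-style set of interesting names (my selection, not pdfid's exact list), and draws the "JavaScript that runs on open" conclusion from the combination of /JS or /JavaScript with /OpenAction or /AA. The PDF is constructed inline:

```python
import re
from collections import Counter

# Names worth counting in triage (my selection, modelled on the kind of
# keywords pdfid reports; not pdfid's exact list).
KEYWORDS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
            b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm", b"/Encrypt")

# A PDF name runs from '/' to the next delimiter or whitespace (PDF 1.7, 7.3.5).
NAME_RE = re.compile(rb"/[^\s/<>\[\]{}()%]*")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes: /J#61vaScript -> /JavaScript."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count interesting names; value is (total, how many were hex-obfuscated)."""
    plain, obfuscated = Counter(), Counter()
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw)
        if name in KEYWORDS:
            plain[name] += 1
            if raw != name:            # only matched because of #xx escapes
                obfuscated[name] += 1
    return {k.decode(): (plain[k], obfuscated[k]) for k in KEYWORDS if plain[k]}


def triage(counts: dict) -> list:
    """pdfid-style conclusions drawn from the keyword counts."""
    notes = []
    has_js = "/JS" in counts or "/JavaScript" in counts
    auto = "/OpenAction" in counts or "/AA" in counts
    if has_js and auto:
        notes.append("JavaScript plus OpenAction/AA: script runs when the document opens")
    elif has_js:
        notes.append("JavaScript present")
    if "/Launch" in counts:
        notes.append("Launch action present: may start an external program")
    obf = sum(o for _, o in counts.values())
    if obf:
        notes.append(f"{obf} keyword(s) hex-obfuscated with #xx escapes")
    return notes


# Constructed sample: a minimal PDF whose catalog fires a JavaScript action on
# open, with the action type name hex-obfuscated the way evasive samples do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /J#61vaScript /JS (app.alert('constructed sample')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    counts = scan_pdf(SAMPLE_PDF)
    for name, (total, obf) in counts.items():
        print(f"{name:<14} {total} ({obf} obfuscated)")
    for note in triage(counts):
        print("->", note)
```

Like pdfid, this is a byte scan and not a parser: names inside compressed or object streams are invisible to it, which is why /ObjStm is worth counting and why pdf-parser.py is the next step once pdfid says a file deserves a closer look.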

And speaking of the PDF Tools, a friend of mine put together an Ubuntu PPA repository so the PDF Tools can be added to an Ubuntu workstation with a few commands. To install them from his PPA, do the following:

sudo apt-add-repository ppa:pi-rho/security
sudo apt-get update
sudo apt-get install pdf-tools

In addition to the PDF Tools, the same PPA includes nmap 5.35DC1, kismet-newcore, tshark 1.4.3 and wireshark 1.4.3.