Binary Analysis Tools.md

• Executables
  • Linux Native
    • Static Analysis
      • strings: For listing down displayable text
      • objdump: For parsing binaries
      • file: For checking architecture of executable
      • readelf: For parsing ELF Headers
      • checksec: Checks active protection mechanisms for executables
        • https://tk-blog.blogspot.com/search/label/checksec.sh
        • https://github.com/kholia/checksec
    • Dynamic Analysis
      • gdb: Step through a program
      • netstat: Identifies list of connections between local and remore sockets
      • strace: Track system calls invoked by program
      • ftrace: Track function calls invoked by the program
      • ltrace: Trace calls to shared libraries
      • lsof: List files opened by processes
      • tcpdump: Sniff packets from port (and process if you know the port)
      • fuser: Identifies users of files and sockets
      • dmesg | tail: Identify instruction pointer and stack pointer of the last program that crashed
      • r2: Radare2, debugger
  • Windows Native
    • API Monitor: Track system calls invoked by a program
    • Process Monitor: Get an overview of system processes
    • HxD: View the memory contents of a process in memory
  • Java
    • Decompilers (http://www.javadecompilers.com/)
      • jdcore
      • cfr: http://www.benf.org/other/cfr/
      • jadx:
      • procyon: https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
      • fernflower: https://github.com/fesh0r/fernflower
      • jad
• Data
  • Binaries
    • strings: For listing down displayable text
    • file: For detecting file types
    • binwalk: For finding and extracting embedded files
  • Images
    • stegsolve: For detecting if stegonography was used
    • exiftool: For inspecting the metadata information of PDF/Image files
      • GPS Location => Might be a clue in CTFs
  • PDFs
    • peepdf: For inspecting suspicious elements in a PDF file
    • exiftool: For inspecting the metadata information of PDF/Image files
      • GPS Location => Might be a clue in CTFs
  • MemDumps
    • volatility: For inspecting memory dumps
  • Packers
    • packerid: For detecting packers
      • https://github.com/sooshie/packerid
    • peid: For detecting packers as well
      • https://www.aldeid.com/wiki/PEiD
    • https://security.stackexchange.com/questions/43528/possible-to-detect-packed-executable#43534