
retoolkit's Issues

Add tools to context menu

I've been trying to add a few tools to the right-click menu on Windows but without success. It works for single entries, but I wanted to have them under a retoolkit sub-menu. The latter only worked with admin rights. 😢

Remove ASLR Removal plugin

Recent x64dbg versions provide a way to disable memory randomization at Options -> Preferences -> Engine -> Disable ASLR, thus the ASLR Removal plugin can be removed.

"Reproducible builds"

Hello, Mercês. Thank you for the package made available in this repository.

Just a suggestion to make "reproducible builds" possible:
Since we have your installer source, ideally you would also publish the origin, or at least the hash, of the tools you use in each retoolkit release, so that we could be fully certain the installer matches its sources.

Given the warning you posted, I understand there is no way to state the exact origin of some of the tools you include. But what I am suggesting is that in those extreme cases the hash serves anyone who wants to do the verification (or the "reproducible build").

Who guarantees me that one day you (consciously or not) won't decide to put spyware in the middle of a release? =) Precisely to avoid blind trust, I suggest this change. In my opinion you have an excellent reputation and I trust you would not do something like that. But what if? What if one day your GitHub account here gets compromised and someone sneakily publishes a new release with malware?

Once again, I know you warned that it may not be safe to use these tools even in a temporary VM. But what I am suggesting is a way for us to take your sources + the tools' files = a "clean" installer built by the user, taking trust in a single person out of the equation.

Thanks
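One way the hash list suggested above could be consumed on the user's side, as an added example that is not retoolkit's own code: it assumes a sha256sum-style manifest (one `<digest>  <file>` line per tool) and checks a download directory against it, reporting intact, tampered and missing files; the sample files and digests it builds are constructed stand-ins, not real tool binaries.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Return {relative_path: sha256hex} from sha256sum-style lines
    ("<digest>  <file>" or "<digest> *<file>"); blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"bad digest in manifest line: {line!r}")
        expected[name.lstrip(" *")] = digest.lower()
    return expected

def sha256_of_file(path):
    with open(path, "rb") as f:  # whole-file read is fine for individual tool binaries
        return hashlib.sha256(f.read()).hexdigest()

def verify_tree(root, manifest_text):
    """Check every manifest entry under root; returns (ok, mismatched, missing)."""
    ok, mismatched, missing = [], [], []
    for rel, digest in parse_manifest(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_of_file(full) == digest:
            ok.append(rel)
        else:
            mismatched.append(rel)
    return ok, mismatched, missing

def demo():
    """Constructed sample: one intact file, one tampered, one listed but absent."""
    root = tempfile.mkdtemp()
    intact = b"stand-in for an intact tool binary\n"
    with open(os.path.join(root, "tool_a.exe"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "tool_b.exe"), "wb") as f:
        f.write(b"contents changed after the manifest was published\n")
    manifest = "\n".join([
        f"{hashlib.sha256(intact).hexdigest()}  tool_a.exe",
        f"{hashlib.sha256(b'tool_b as published').hexdigest()} *tool_b.exe",
        f"{'0' * 64}  tool_c.exe",
    ])
    return verify_tree(root, manifest)  # (['tool_a.exe'], ['tool_b.exe'], ['tool_c.exe'])
```

A real manifest would be published alongside each release and fetched over a separate channel from the binaries, so a compromised release cannot simply ship matching hashes for tampered files.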

Add ExtremeDumper

It would be nice to see ExtremeDumper as part of the toolkit. By far the easiest way to dump .NET assemblies from memory while they are running. As far as I know, none of the current tools are capable of doing that.

Add Immunity Debugger, OllyDbg

Debugger

- Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. https://www.immunityinc.com/products/debugger/

- OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. https://www.ollydbg.de/

Network

- Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.

- nmap is a free and open source utility for network discovery and security auditing. https://nmap.org/

PE analyser

Disassembler (missing)

- IDA Freeware: https://hex-rays.com/ida-free/

Add Wireshark

Wireshark (network analysis and capture tool + USB capture) is GPL2. There should be no barrier to redistribution. The protocol analyzers are quite nice. Blah blah blah, everyone knows about Wireshark.

Rohitab API Monitor

This is a tentative suggestion for a tool addition, because I do not know whether it fits the scope.

However, I can firmly recommend the Rohitab API Monitor as one of the best Windows API tracing tools I have ever used:

http://www.rohitab.com/apimonitor

Add Python into user PATH [Feature request]

The current version does not add Python to the PATH variable. Also, if one types only python.exe, an MS Store pop-up opens, so it is good to remove the python.exe wrapper that MS uses to open the store.

del %localappdata%\Microsoft\WindowsApps\python.exe

The same also happens if you type python3.exe or python3.7.

Add 4n4lDetector

4n4lDetector is an analysis tool for Microsoft Windows executable files, libraries, drivers and mdumps for x86 and x64. As of v1.8 an extended use for analyzing anomalies in Linux ELF executables was also included. Its main objective is to collect the necessary information to facilitate the identification of malicious code inside the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

https://www.enelpc.com/p/4n4ldetector.html
https://github.com/4n0nym0us/4n4lDetector

Add CodeCrackers Tools

Some of these are not open source but he is okay with sharing them and you can see the code with dnspy, they are not obfuscated.
https://github.com/CodeCracker-Tools
https://github.com/CodeCrackerSND
https://gitlab.com/CodeCracker

And here is a list of a lot of .NET tools for reverse engineering:
https://github.com/NotPrab/.NET-Deobfuscator

I also have more tools on my repo, which can be found here; however, I don't have the source code: https://github.com/InstinctEx/deobfuscatetools/
I'm not asking for every single bit of those tools to get added but some of them are really useful.
Making this issue so you can check them out.

How can I build by myself?

I want to add some other tools in retoolkit and build my own version. But I don't know how to. Where can I download the programs so that I can build retoolkit.exe by myself? Thanks.

Slow to press "Send to"

Wouldn't it be better to just add retoolkit to the first context menu? It's annoying to have to right-click and then click "Send to" every time.

Update x64dbg

Since 2022-10-10 the minidump command was added so you can remove that plugin as well.

Uninstaller does not uninstall 7-zip

After installing, it installs a bunch of applications, including 7-Zip I believe. But after uninstalling, the applications go away except 7-Zip.

README.md Translation

Why?
Because the current README.md is written in English, this translation was done to make it easier for non-English users to understand the retoolkit tool set. I hope it can be adopted and improved.
中文简体 (Chinese Simplified):
Please see the uploaded attachment: README_zh_CN.md

Add gftrace

gftrace is a tool I created some time ago. It's a Windows API tracing tool for Golang programs that abuses the Golang runtime to perform the tracing and ignores most of the Golang runtime noise. It's useful for dynamic analysis of obfuscated and/or trojanized Golang samples:

https://github.com/leandrofroes/gftrace

PEiD

Tool Request

Can you add PEiD, please?

For malware analysis, PEiD and its plugin KANAL are very useful.

Thanks in advance!

Missing the issue templates

The project is currently missing the issue templates which might help the users to submit category-based issues. If you would like to add them, then I would like to submit a Pull Request with some relevant issue templates.

Thanks.

Bringing HyperDbg Debugger back to the RE Toolkit

Hi,
Thanks for your great work of gathering these amazing tools together!

Yesterday, we released the first version (v0.1) of the HyperDbg debugger along with its compiled binaries. It would be a pleasure to be in RE Toolkit again.

Thanks,
