RCE: List of 64-bit tools

Update (June 4th, 2014): Added Hex-Rays Decompiler x64

The 64-bit platform is becoming a standard, and reverse engineering of PE32+ files is now daily bread for many malware analysts. Tools designed to make this easier are luckily out there, and new ones keep popping up all over the place. Unfortunately, many of them are not mature enough yet and often crash or do some funny stuff, but the area is developing really fast and hopefully the RCE arsenal will expand soon.

Here is a short list of the tools I came across; I use most of them in my research and analysis of PE32+ files. If you know any other useful tools, I’d be grateful if you let me know. Thanks!

Docs

Bypassing signature checks/disabling PageGuard

PE Viewer/Editors supporting PE32+

Disassembler

Decompiler

Debugger (they are also disassemblers)

Ollydbg 64 is still not ready, but there are a couple of tools that can be useful even if not that user-friendly:

Process / Memory Viewer

Process dumpers

Hook Detector

API Monitor

Hiding Processes

Thanks to Ange and Nanu Jogi for fixes and suggestions.

Beyond good ol’ Run key, Part 11

I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts would suffice, but to my surprise it’s already #11. For your convenience, these are links to the older posts:

You may also want to have a look at ‘A Collection of Autostart Locations’ – a very large and comprehensive list of autostart entries collected by Tony Klein.

Back to the #11.

In part #10 (Office Test) I mentioned that Microsoft products seem to be heavily integrated with various testing platforms. I also referenced various aspects of performance analysis, profiling, monitoring and debugging in parts #4 (various debuggers), #6 (VBA Monitors) and #7 (OAClient). There is one more trick that we can add to the list – legitimate, developer-friendly profiling mechanisms that can be enabled on non-developer systems and… act as a persistence mechanism.

The profiling mechanisms described further require a persistent environment variable to be set. This can be achieved by setting the respective values under HKCU or HKLM:

  • HKEY_CURRENT_USER\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

The values that need to be placed under the Environment keys depend on the profiling mechanism – these are listed below:

Example for JS_PROFILER:

Adding the following Registry entries:

[HKEY_CLASSES_ROOT\CLSID\{12345678-1234-1234-1234-123456789abc}\InprocServer32]
@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\
  73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00

[HKEY_CURRENT_USER\Environment]
"JS_PROFILER"="{12345678-1234-1234-1234-123456789abc}"

will ensure that c:\test\test.dll (added as a REG_EXPAND_SZ value using ‘@=hex(2):…’) is loaded any time Internet Explorer is executed or its control is instantiated (JS_PROFILER is read internally by the JSCRIPT*.DLLs – they handle scripting and are used by Internet Explorer).
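A defender-side check for this trick, added here as an example rather than code from the post: it parses a .reg export, resolves any profiler variable found under the two Environment keys above to its CLSID’s InprocServer32 default value, and decodes the hex(2) REG_EXPAND_SZ data back into the DLL path. The sample export is the post’s own placeholder entries, the variable list holds only JS_PROFILER because that is the one the post names, and parse_reg, decode_value and find_profiler_persistence are names chosen here.

```python
import re
# Constructed sample: the post's two .reg entries; the CLSID and DLL path are the post's placeholders, not real indicators.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{12345678-1234-1234-1234-123456789abc}\InprocServer32]
@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\
  73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00

[HKEY_CURRENT_USER\Environment]
"JS_PROFILER"="{12345678-1234-1234-1234-123456789abc}"
"""

# Only JS_PROFILER is named in the post; extend this tuple with the profiler variables your baseline covers.
PROFILER_VARS = ("JS_PROFILER",)
ENV_KEYS = (r"HKEY_CURRENT_USER\Environment",
            r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment")

def parse_reg(text):
    """Parse .reg text into {key: {value_name: raw_data}}, joining backslash continuation lines."""
    keys, current = {}, None
    for line in re.sub(r",\\\s*", ",", text).splitlines():   # hex(2) data wrapped with ',\'
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            keys.setdefault(current := line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data             # '@' stays '@' (default value)
    return keys

def decode_value(data):
    """Decode a .reg data field: a quoted string, or hex(2): (REG_EXPAND_SZ as UTF-16LE bytes)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data

def find_profiler_persistence(reg_text):
    """Return [(env_key, var, clsid, dll_path)]; dll_path is None if the CLSID has no InprocServer32."""
    keys, hits = parse_reg(reg_text), []
    for env_key in ENV_KEYS:
        for var, data in keys.get(env_key, {}).items():
            if var.upper() in PROFILER_VARS:
                clsid = decode_value(data)
                srv = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
                hits.append((env_key, var, clsid, decode_value(srv["@"]) if "@" in srv else None))
    return hits
```

Run it over a full `reg export` of HKCR, HKCU and HKLM concatenated; a hit whose DLL lives outside the usual program directories is what to look at first.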