Friday, January 7, 2022

Malware analysis tools (static analysis / behavioral analysis)

 
    PeStudio
    Process Hacker
    Process Monitor (ProcMon)
    ProcDot
    Autoruns
    Fiddler
    Wireshark
    x64dbg
    Ghidra
    Radare2/Cutter
    Cuckoo Sandbox
    Process Explorer
https://github.com/x64dbg/x64dbg
https://www.immunityinc.com/products/debugger/
http://www.ollydbg.de/
https://www.telerik.com/fiddler
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools


hacking-resources/tools
https://github.com/Lifka/hacking-resources/blob/main/tools.md
https://www.hackerone.com/ethical-hacker/100-hacking-tools-and-resources


Automated Online Sandbox Services To Analyze Suspicious
    ThreatExpert
    Malwr
    IObit Cloud
    ViCheck
    CWSandbox
    Comodo Instant
    Anubis
    GFI ThreatTrack
    Joe Sandbox Web
(Older list: ThreatExpert, Malwr and Anubis have since shut down; use the list below for services that are still running.)


A more comprehensive listing of hosted services that perform automated malware analysis:

    AMAaaS (Android files)
    Any.run (Community Edition)
    Binary Guard True Bare Metal
    Intezer Analyze (Community Edition)
    IRIS-H (focuses on document files)
    CAPE Sandbox
    Comodo Valkyrie
    Detux Sandbox (Linux binaries)
    FileScan.IO (static analysis)
    Gatewatcher Intelligence
    Hatching Triage (Individual and researcher licenses)
    Hybrid Analysis
    InQuest Labs Deep File Inspection
    Joe Sandbox Cloud (Community Edition)
    Manalyzer (static analysis)
    sandbox.pikker.ee
    SandBlast Analysis
    SecondWrite (free version)
    SNDBOX
    ThreatConnect
    ThreatTrack
    ViCheck
    VirusTotal
    Yomi

SysWOW64 / WoW64 process information

https://en.wikipedia.org/wiki/WoW64
NTSystem/Commons/ProcessAPI.pas and NTSystem/NTLauncher 3.0/ (https://github.com/wyrover/NTSystem/find/master)
delphi-code-coverage/JwaWinternl.pas at master - GitHub
freepascal/jwanative.pas at master - GitHub
Process API pas jedi NtQueryInformationProcess (Delphi/JEDI declarations of NtQueryInformationProcess)
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessid
https://docs.microsoft.com/en-us/dotnet/api/system.management?redirectedfrom=MSDN&view=dotnet-plat-ext-6.0
https://docs.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process

WoW64 file-system redirection: in a 32-bit process, paths under %windir%\System32 are silently redirected to %windir%\SysWOW64; the real System32 is reachable through the %windir%\Sysnative alias or by calling Wow64DisableWow64FsRedirection for the current thread.
https://docs.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector
https://stackoverflow.com/questions/3540930/getting-syswow64-directory-using-32-bit-application
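Added example (my own code, not from the page or any project it links): a 32-bit (x86) build run on 64-bit Windows opens cmd.exe three ways, via the redirected System32 path, via the Sysnative alias, and via System32 with redirection disabled for the thread, and reads the PE Machine field of whatever file it actually got. The file name cmd.exe and the %windir% lookup are my choices; any file that exists in both System32 and SysWOW64 works.

```csharp
// Added example (not from the page). Build as x86 and run on 64-bit Windows.
// Shows the WoW64 file-system redirector: the same System32 path resolves to
// SysWOW64 (32-bit binaries) unless redirection is disabled or Sysnative is used.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class RedirectorDemo
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr process, out bool isWow64);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();

    // Reads IMAGE_FILE_HEADER.Machine from a PE file: 0x014C = x86, 0x8664 = x64.
    public static ushort PeMachine(string path)
    {
        using (var f = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var r = new BinaryReader(f))
        {
            if (r.ReadUInt16() != 0x5A4D) throw new InvalidDataException("no MZ header");
            f.Seek(0x3C, SeekOrigin.Begin);
            uint peOffset = r.ReadUInt32();                 // IMAGE_DOS_HEADER.e_lfanew
            f.Seek(peOffset, SeekOrigin.Begin);
            if (r.ReadUInt32() != 0x00004550) throw new InvalidDataException("no PE signature");
            return r.ReadUInt16();                          // IMAGE_FILE_HEADER.Machine
        }
    }

    public static string Describe(ushort machine) =>
        machine == 0x8664 ? "x64" : machine == 0x014C ? "x86" : $"0x{machine:X4}";

    static void Main()
    {
        IsWow64Process(GetCurrentProcess(), out bool wow64);
        if (!wow64) { Console.WriteLine("Run the x86 build: redirection only applies to WoW64 processes."); return; }

        string windir = Environment.GetEnvironmentVariable("windir");
        string sys32 = Path.Combine(windir, "System32", "cmd.exe");      // redirected to SysWOW64
        string sysnative = Path.Combine(windir, "Sysnative", "cmd.exe"); // alias to the real System32, visible only to WoW64

        Console.WriteLine($"{sys32} -> {Describe(PeMachine(sys32))} (redirected)");
        Console.WriteLine($"{sysnative} -> {Describe(PeMachine(sysnative))}");

        // Turn redirection off for this thread only; always revert, even on exceptions,
        // because the CRT/loader may otherwise open 64-bit DLLs it cannot load.
        if (!Wow64DisableWow64FsRedirection(out IntPtr old)) throw new Win32Exception();
        try
        {
            Console.WriteLine($"{sys32} -> {Describe(PeMachine(sys32))} (redirection disabled)");
        }
        finally
        {
            Wow64RevertWow64FsRedirection(old);
        }
    }
}
```

Expected on a 64-bit host: the first line reports x86, the other two report x64. Keep the disable/revert window as short as possible; while it is open, LoadLibrary and CreateProcess from the same thread also see the 64-bit System32.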


https://blog.30cm.tw/2021/06/32-wow64.html (how a 32-bit system call leaves WoW64)
On Windows 10 the system-call stubs in the 32-bit ntdll do not execute the syscall instruction themselves. They transfer into wow64cpu.dll, which switches the CPU to 64-bit mode and lands in CpupReturnFromSimulatedCode. The call is then dispatched through the TurboThunkDispatch table (bracketed by TurboDispatchJumpAddressStart and TurboDispatchJumpAddressEnd) to wow64.dll!Wow64SystemServiceEx, which converts the 32-bit arguments and invokes the matching service in the 64-bit ntdll; the return path switches back to 32-bit mode.

dumpbin /exports %windir%\SysWOW64\ntdll.dll
(32-bit ntdll; the NtWow64* exports below exist only in this copy and take 64-bit addresses, which is how a WoW64 process reaches the 64-bit address space of another process)

        663  288 0006A8C0 NtWorkerFactoryWorkerReady
        664  289 0006C690 NtWow64AllocateVirtualMemory64
        665  28A 0006C6C0 NtWow64CallFunction64
        666  28B 0006C5E0 NtWow64CsrAllocateCaptureBuffer
        667  28C 0006C600 NtWow64CsrAllocateMessagePointer
        668  28D 0006C610 NtWow64CsrCaptureMessageBuffer
        669  28E 0006C620 NtWow64CsrCaptureMessageString
        670  28F 0006C5D0 NtWow64CsrClientCallServer
        671  290 0006C5B0 NtWow64CsrClientConnectToServer
        672  291 0006C5F0 NtWow64CsrFreeCaptureBuffer
        673  292 0006C630 NtWow64CsrGetProcessId
        674  293 0006C5C0 NtWow64CsrIdentifyAlertableThread
        675  294 0006C640 NtWow64CsrVerifyRegion
        676  295 0006C650 NtWow64DebuggerCall
        677  296 0006C660 NtWow64GetCurrentProcessorNumberEx
        678  297 0006C670 NtWow64GetNativeSystemInformation
        679  298 0006C6D0 NtWow64IsProcessorFeaturePresent
        680  299 0006C680 NtWow64QueryInformationProcess64
        681  29A 0006C6A0 NtWow64ReadVirtualMemory64
        682  29B 0006C6B0 NtWow64WriteVirtualMemory64
        683  29C 0006A930 NtWriteFile

    // NTSTATUS NtWow64ReadVirtualMemory64(HANDLE ProcessHandle, ULONG64 BaseAddress, PVOID Buffer, ULONG64 Size, PULONG64 NumberOfBytesRead)
    // Returns an NTSTATUS (negative on failure); SetLastError/CharSet have no effect on Nt* calls.
    [DllImport("ntdll.dll")]
    public static extern int NtWow64ReadVirtualMemory64(IntPtr ProcessHandle, UInt64 BaseAddress, IntPtr Buffer, UInt64 Size, out UInt64 NumberOfBytesRead);
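Added example (my own code, not from the page or the NTSystem/JEDI projects it links): an x86 build that takes the PID of a 64-bit process, asks NtWow64QueryInformationProcess64 for its PROCESS_BASIC_INFORMATION (to get the 64-bit PEB address) and then uses NtWow64ReadVirtualMemory64, the export declared above, to read the first 0x28 bytes of that PEB. The PEB field offsets (+0x02 BeingDebugged, +0x10 ImageBaseAddress, +0x18 Ldr, +0x20 ProcessParameters) are those of the 64-bit PEB; the class and method names are mine.

```csharp
// Added example (not from the page). Build as x86 and run on 64-bit Windows.
// A WoW64 process cannot ReadProcessMemory() above 4 GB in a 64-bit target, but the
// NtWow64* exports of the 32-bit ntdll listed above take 64-bit addresses. Here they are
// used to locate a 64-bit target's PEB and read a few fields from it.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class Wow64PebReader
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;
    const int ProcessBasicInformation = 0;

    // PROCESS_BASIC_INFORMATION as laid out for a 64-bit caller (48 bytes): every member
    // occupies an 8-byte slot once natural alignment padding is included.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION64
    {
        public ulong ExitStatus;      // NTSTATUS + padding
        public ulong PebBaseAddress;  // 64-bit pointer to the target's PEB
        public ulong AffinityMask;
        public ulong BasePriority;    // KPRIORITY + padding
        public ulong UniqueProcessId;
        public ulong InheritedFromUniqueProcessId;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr process, out bool isWow64);

    // Both exist only in %windir%\SysWOW64\ntdll.dll and return NTSTATUS (negative = failure).
    [DllImport("ntdll.dll")]
    static extern int NtWow64QueryInformationProcess64(IntPtr process, int infoClass, IntPtr info, uint infoLength, out uint returnLength);
    [DllImport("ntdll.dll")]
    static extern int NtWow64ReadVirtualMemory64(IntPtr process, ulong baseAddress, IntPtr buffer, ulong size, out ulong bytesRead);

    public static byte[] ReadRemote(IntPtr process, ulong address, int length)
    {
        IntPtr buf = Marshal.AllocHGlobal(length);
        try
        {
            int status = NtWow64ReadVirtualMemory64(process, address, buf, (ulong)length, out ulong read);
            if (status < 0 || read != (ulong)length)
                throw new InvalidOperationException($"NtWow64ReadVirtualMemory64 at 0x{address:X16} failed: 0x{status:X8}");
            var data = new byte[length];
            Marshal.Copy(buf, data, 0, length);
            return data;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    public static ulong GetPeb64(IntPtr process)
    {
        int size = Marshal.SizeOf<PROCESS_BASIC_INFORMATION64>();   // 48
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            int status = NtWow64QueryInformationProcess64(process, ProcessBasicInformation, buf, (uint)size, out _);
            if (status < 0) throw new InvalidOperationException($"NtWow64QueryInformationProcess64 failed: 0x{status:X8}");
            return Marshal.PtrToStructure<PROCESS_BASIC_INFORMATION64>(buf).PebBaseAddress;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    static void Main(string[] args)
    {
        if (IntPtr.Size != 4) { Console.WriteLine("Run the x86 build; the native 64-bit ntdll has no NtWow64* exports."); return; }
        int pid = int.Parse(args[0]);   // PID of a 64-bit process, e.g. explorer.exe
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) throw new Win32Exception();
        try
        {
            IsWow64Process(h, out bool targetIsWow64);
            ulong peb = GetPeb64(h);
            // 64-bit PEB: BeingDebugged +0x02, ImageBaseAddress +0x10, Ldr +0x18, ProcessParameters +0x20.
            byte[] p = ReadRemote(h, peb, 0x28);
            Console.WriteLine($"target {pid}: {(targetIsWow64 ? "WoW64" : "native x64")}, PEB64 = 0x{peb:X16}");
            Console.WriteLine($"  BeingDebugged     = {p[2]}");
            Console.WriteLine($"  ImageBaseAddress  = 0x{BitConverter.ToUInt64(p, 0x10):X16}");
            Console.WriteLine($"  Ldr               = 0x{BitConverter.ToUInt64(p, 0x18):X16}");
            Console.WriteLine($"  ProcessParameters = 0x{BitConverter.ToUInt64(p, 0x20):X16}");
        }
        finally { CloseHandle(h); }
    }
}
```

The target needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; reading a protected or higher-integrity process fails at OpenProcess, not in the Nt* calls. For a WoW64 target the same query still returns the 64-bit PEB (WoW64 processes have both), so the code works either way.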


https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684
Why a freshly started Win32 console application already has extra threads: since Windows 10 the loader maps and snaps DLL dependencies in parallel on thread-pool worker threads (TppWorkerThread). The worker count comes from Peb->ProcessParameters->LoaderThreads, a field of _RTL_USER_PROCESS_PARAMETERS that is filled in when the process is created (CreateProcess -> ZwCreateUserProcess) and can be limited per image through
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<app name>
    MaxLoaderThreads=dword:xxxx
Parallel loading is gated by ntdll!LdrpEnableParallelLoading; pending map-and-snap work items sit on LdrpWorkQueue.

Functions involved (ntdll):
    LdrpMapAndSnapDependency
    LdrpWorkCallback
    LdrpProcessWork
    LdrpDrainWorkQueue

Data structures (ntdll):
    ntdll!LdrpWorkQueue (LIST_ENTRY)
    ntdll!LdrpWorkQueueTail (LIST_ENTRY)
    ntdll!LdrpWorkQueueLock (CRITICAL_SECTION)
    ntdll!LdrpRetryQueue (LIST_ENTRY)
    ntdll!LdrpRetryQueueTail (LIST_ENTRY)
    ntdll!LdrpLoadCompleteEvent (HANDLE)
    ntdll!LdrpWorkCompleteEvent (HANDLE)

Related symbols on the thread-exit / DLL-attach paths: NtTerminateThread, LdrShutdownThread, LdrpDrainWorkQueue, LdrpLoadCompleteEvent, msvcrt!CrtLock_Exit, DLL_PROCESS_ATTACH


  https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf

Comparing memory allocation methods (VirtualAlloc, HeapAlloc, GlobalAlloc, LocalAlloc, _malloca, CoTaskMemAlloc). In a SysWOW64 process the 32-bit VirtualAlloc still ends in ntdll!NtAllocateVirtualMemory, reached through the WoW64 transition; the heap-based APIs (HeapAlloc, GlobalAlloc, LocalAlloc, CoTaskMemAlloc) sit above that.
https://docs.microsoft.com/zh-tw/windows/win32/memory/comparing-memory-allocation-methods

https://blogs.blackberry.com/en/2018/03/windows-maps-64-bit-ntdll-to-wow64-process

 

DynamoRIO / dynamic program analysis for reverse engineering (including validation and tracking of scatter-gather patterns)

 https://github.com/DynamoRIO/dynamorio

DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64/ARM/AArch64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows, Linux, or Android) and commodity IA-32, AMD64, ARM, and AArch64 hardware. Mac OSX support is in progress.


 https://en.wikipedia.org/wiki/Dynamic_program_analysis

 https://en.wikipedia.org/wiki/DynamoRIO

https://medium.com/syncedreview/imhex-tops-github-trending-repos-with-1600-stars-in-24-hours-9d67e81c668b

https://github.com/topics/reverse-engineering


https://fossies.org/linux/fpcbuild/fpcsrc/packages/winunits-jedi/src/jwanative.pas

https://www.codeproject.com/Articles/19685/Get-Process-Info-with-NtQueryInformationProcess
