Checking a program's entropy
PEStudio: shows whether a binary is encrypted, packed or obfuscated (I can't find the download link any more; if anyone has it, please add it)
XML-format Office documents
1. oletools: Release oletools v0.60.1 · decalage2/oletools · GitHub https://github.com/decalage2/oletools/releases/tag/v0.60.1
2. rtfdump: https://blog.didierstevens.com/2016/08/29/update-rtfdump-version-0-0-4/ (remember to run it in a Python 2 environment)
Extracting files from packet captures
1. NetworkMiner: https://www.netresec.com/?page=NetworkMiner
Working with extracted shellcode
1. xorsearch: for shellcode injected into the Equation process, locates the offset at which to start handling the shellcode so that instructions are not misaligned https://blog.didierstevens.com/programs/xorsearch/
2. scDBG: finds the shellcode's start address, decrypts the shellcode and dumps it
.NET program reverse engineering
1. dnSpy - https://github.com/dnSpy/dnSpy
2. CFF Explorer (PE viewer) - https://ntcore.com/?page_id=388
3. Cerbero Suite - https://cerbero.io/
4. de4dot - https://github.com/de4dot/de4dot
5. ILSpy - https://github.com/icsharpcode/ILSpy