
What are the Windows security tools?

2025-02-22 Update. From: SLTechnology News&Howtos (shulou), Servers.

Shulou (Shulou.com) 06/01 Report

The editor would like to share with you an overview of the available Windows security tools. I hope you gain something from reading this article; let's discuss it together!

PEiD

A well-known PE packer ("shell") detection tool that recognizes common packers used on PE files; it is no longer available from the official website:

EXEInfoPE

A PE packer detection tool, essentially an enhanced PEiD: it shows an EXE/DLL's compiler, whether it is packed, the entry point address, the export/import tables and other PE information:

Download address: http://www.exeinfo.xn.pl/

Detect It Easy

An open source, cross-platform PE packer detection tool with builds for Windows, Linux and Mac OS:

Download address: http://ntinfo.biz/index.html

CFF Explorer

An excellent PE32 and PE64 editing tool that makes it easy to view and edit PE files; the .NET file format is fully supported:

Download address: https://ntcore.com/?page_id=388

StudyPE

An integrated PE32/PE64 viewing and analysis tool with strong PE structure processing and analysis features, though somewhat weak at packer detection:

Download address: https://bbs.pediy.com/thread-246459-1.htm

Debugging / decompilation tools

OllyDbg

A Ring3 (user-mode) debugger with plug-in support; its one drawback is that OD is a 32-bit debugger and cannot debug 64-bit programs. The official original build ships without plug-ins; those who need plug-in bundles can search for them on the 吾爱破解 (52pojie) forum:

Download address: http://www.ollydbg.de/

WinDbg

A user-mode and kernel-mode debugger for the Windows platform, with both a graphical interface and a command-line debugging mode. Its powerful kernel debugging capabilities have earned it a large following:

Download address: https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/debugger-download-tools

x32dbg/x64dbg

An open source debugger, similar to OD in interface and operation, that supports debugging both 32-bit and 64-bit applications, which solves OD's inability to debug 64-bit programs:

Download address: https://x64dbg.com/#start

dnSpy

An open source reverse engineering tool for .NET programs. It includes components such as a disassembler, a debugger and an assembly editor, and supports plug-ins:

Download address: https://github.com/0xd4d/dnSpy

IDA Pro

Full name: Interactive Disassembler Professional. Currently the best static decompilation tool and the first choice of many security practitioners:

Download address: https://www.hex-rays.com/products/ida/

VB Decompiler

A decompiler for programs written in Visual Basic 5.0 / 6.0:

Download address: https://www.vb-decompiler.org/products/cn.htm

Emergency response tools

Log related

Sysmon

A tool from the Windows Sysinternals suite. It is installed as a system service and device driver and remains resident, monitoring system activity and logging it to the Windows event log, with detailed information on process creation, network connections and changes to file creation times:

Download address: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

LastActivityView

A computer activity viewer that reads the system's own logs to display software installations, system startups and shutdowns, network connections, and the time and path of each EXE execution:

Download address: http://www.nirsoft.net/utils/computer_activity_view.html

Registry related

Regshot

A registry comparison tool: take two registry snapshots and quickly compare them to find the differences between them:

Download address: https://sourceforge.net/projects/regshot/

Autoruns

A startup-program management tool for the Windows platform. It lets you control start-up items across many parts of Windows, such as logon items, driver loading, service startup and scheduled tasks:

Download address: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Process related

Process Hacker

A feature-rich open source process tool that makes it easy to view a process's running state, memory and module information, and to manage processes:

Download address: https://processhacker.sourceforge.io/

PowerTool

A free process manager that can unlock processes holding files open, show which files or folders a process has open, view and manage kernel modules and drivers, dump the memory of process modules, and more:

Download address: https://www.portablesoft.org/

Process Lasso

A process-level system optimization tool; its main function is to dynamically adjust each process's priority using its own algorithm in order to reduce the load on the system. It can also be used to monitor process actions:

Download address: https://bitsum.com/

File related

HashTab

A file verification tool available in a free personal edition and a paid edition. After installation, a file's hash values can be read quickly from the HashTab tab in the file's Properties dialog; a variety of hash algorithms are supported:

Download address: http://implbits.com/products/hashtab/

HashCheck

An open source file verification tool; after installation, a file's hash values can be read quickly from the checksum tab in the file's Properties dialog. It also supports creating checksum files from the right-click menu and batch verification:

Download address: http://code.kliu.org/hashcheck/

Unlocker

A right-click shell extension that releases a locked file by breaking the association between the file and the program holding it; the process holding the file is not forcibly closed when the file is released:

Download address: http://emptyloop.com/unlocker/

Everything

A powerful Windows desktop search engine that quickly finds files and directories by name on NTFS volumes:

Download address: https://www.voidtools.com/zh-cn/

WinHex

An excellent hex editor that is useful in computer forensics, data recovery, low-level data processing and IT security:

Download address: https://www.x-ways.net/winhex/

BinDiff

An open source binary comparison tool that helps security personnel quickly find differences and similarities in disassembled code. It supports comparing binaries for x86, MIPS, ARM/AArch64, PowerPC and other architectures:

Download address: https://www.zynamics.com/software.html

Beyond Compare

A file comparison tool from Scooter Software. It is mainly used to compare two folders or files and highlight the differences in color; the comparison covers directories, file contents and so on:

Download address: http://www.beyondcompare.cc/xiazai.html

Memory related

SfAntiBotPro

A memory search tool that quickly searches the computer's memory for an input string and outputs the information of the processes containing it, which makes detecting malicious domain names much more efficient:

Download address:

(32-bit) http://edr.sangfor.com.cn/tool/SfabAntiBot_X86.7z

(64-bit) http://edr.sangfor.com.cn/tool/SfabAntiBot_X64.7z

DumpIt

An installation-free Windows memory imaging forensics tool that can easily capture a complete memory image of a system for subsequent investigation and forensics work:

Download address: https://my.comae.com/tools

Device monitoring

USBLogView

A USB device monitoring program that runs in the background and records the details of any USB device plugged into or unplugged from the system:

Download address: https://www.nirsoft.net/utils/usb_log_view.html

Integrated tools

PC Hunter

A driver-level system maintenance tool that can view all kinds of low-level system information on various Windows versions, including processes, driver modules, kernel hooks, application-layer hooks, network, registry, files, startup items, system miscellany, a system check-up, and so on:

Download address: http://www.xuetr.com/

Malware Defender

A HIPS (host intrusion prevention system) in which users can write their own rules to block viruses and Trojans. Malware Defender also provides a number of effective tools for detecting and removing malware already installed on the system:

Download address: https://labs.360.cn/malwaredefender/

Huorong Sword (火绒剑, HRSword)

A security tool for analyzing and dealing with malicious programs. It provides seven functions: program behavior monitoring, process management, file management, registry management, system startup item management, kernel program management and code hook scanning:

Download address:

(standalone version of Huorong Sword; does not support Windows 8.1 and above) down4.huorong.cn/hrsword.exe

Traffic analysis tools

Wireshark

A network packet analysis tool that helps users analyze network protocols in depth, covering hundreds of protocols and all major platforms. Captured data can be browsed through the GUI or in TTY mode:

Download address: wireshark.org/download.html

Fiddler

An HTTP capture and modification tool written in C#. It is lighter than Wireshark and more specialized in capturing HTTP and HTTPS traffic; it can also set breakpoints, modify request and response data, and simulate a weak network environment. Plug-in extensions are supported:

Download address: https://www.telerik.com/download/fiddler

Microsoft Network Monitor

A network data analysis tool for the Windows platform only; it provides a professional graphical interface for real-time network traffic and can identify and monitor more than 300 network protocols:

Download address: https://www.microsoft.com/en-us/download/details.aspx?id=4865

Capsa Packet Sniffer

A network analysis tool for network monitoring, troubleshooting and diagnostics:

Download address: https://www.colasoft.com/capsa-free/

NetworkMiner

A network forensics analysis tool for the Windows platform that can identify hosts' operating systems, hostnames and open network ports by sniffing live traffic or parsing PCAP files:

Download address: https://sourceforge.net/projects/networkminer/files/networkminer/

Angry IP Scanner

An open source network scanner for the Linux, Windows and Mac OS X platforms. It scans remote hosts very quickly and reports information such as the hostname and currently open ports:

Download address: https://angryip.org

WebShell scanning tools

D Shield

D Shield is an active defense software designed for IIS. Its features include immunization, active backdoor interception, SESSION protection, anti-web-sniffing, anti-CC, anti-tampering, injection defense, anti-XSS, anti-privilege-escalation, upload defense, unknown 0day defense and foreign-script defense, protecting websites and servers from intrusion from both inside and outside:

Download address: http://www.d99net.net/

WebShellKiller

WebShellKiller is a web backdoor scanning tool that supports not only webshell scanning but also hidden-link scanning. It combines traditional techniques with artificial intelligence, and static scanning with dynamic analysis, to detect known and unknown backdoor files on websites more accurately:

Download address:

(Windows platform) https://edr.sangfor.com.cn/tool/WebShellKillerTool.zip

(Linux platform) http://edr.sangfor.com.cn/api/download/WebShellKillerForLinux.tar.gz

WEBDIR+

Online WebShell scanner:

Link address: https://scanner.baidu.com/#/pages/intro

WebShellDetector

Online WebShell scanner:

Link address: http://www.shelldetector.com

WEBSHELL.PUB

Online WebShell scanner:

Link address: http://www.shellpub.com

After reading this article, you should have a basic understanding of what Windows security tools there are. If you want to know more, you are welcome to follow the industry information channel. Thank you for reading!
