From Collaborative RCE Tool Library

Jump to: navigation, search

Entropy Analyzers

Tool name: Ent
Rating: 5.0 (1 vote)
Author: Gynvael Coldwind                        
Current version: 0.0.3
Last updated: March 9, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Ent does two things:
1) it measures entropy of a file
2) it measures density of FPU instructions in the code section, if the file is a PE
(Why file entropy measurement is interesting is a story for another day (follow the link in 'related URLs') ;>)

The tool was made in C++, and currently it's Windows only (the next version will be portable, I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available on the end of this post.

Ent is run from the command line, and we provide him with the name of a file that we won't to measure entropy of. Then, Ent divides the file to 256-byte fragments, and calculates entropy (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally mark the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculating is not very precise - it works by finding bytes from range D8 to DF inclusive, which are used as FPU opcodes. However, excluding some false-positives in high-entropy area, this method is sufficient.

Below in the screen shot you can see a chart of a sample PE file.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: RDG Packer Detector
Rating: 3.5 (2 votes)
Author: RDGMax                        
Current version: 0.6.7
Last updated: June 26, 2011
Direct D/L link:
License type: Free
Description: RDG Packer Detector is a detector packers, Cryptors, Compilers,
Packers Scrambler,Joiners,Installers.

-Holds Fast detection system..
-Has detection system Powerful Analyzing the complete file, allowing the detection of Muli-packers in several cases.
-You can create your own Signatures detection.
-Holds Crypto-Graphic Analyzer.
-Allows you to calculate the checksum of a file.
-Allows you to calculate the Entropy, reporting if the program looked at the compressed, encrypted or not.
-OEP-Detector (Original Point of Entry) of a program.
-You can Check and download and you always signaturas.RDG Packer Detector will be updated.
-Plug-ins Loader..
-Signatures converter.
-Detector distortive Entry Point.
-De-Binder an extractor attachments.
-System Improved heuristic.

What's New! v0.6.6

-New Interface!

-Fast Mode Detection and Mode Powerful Improved!
-Super base signatures Updated!
-Heuristic detection of Binders
-Detection and Extraction Overlay!
-Check and Auto-Update of signatures!
-Super Fast Detection of MD5 Hash!
-Support for Multiple Plug-ins for both RDG Packer Detector and other detectors!
-Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc..
-Detection and removal of attachments!
Also listed in: Compiler Identifiers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: Androguard
Rating: 0.0 (0 votes)
Author: Anthony Desnos                        
Current version: 0.9
Last updated: September 25, 2011
Direct D/L link:
License type: LGPL
Description: Androguard (Android Guard) is primarily a tool written in full python to play with :
- .class (JavaVM)
- .dex (DalvikVM)
- Android's binary xml

Androguard has the following features :
- Map and manipulate (read/write) DEX/CLASS/APK/JAR files into full Python objects,
- Native support of DEX code in a c++ library,
- Access to the static analysis of your code (basic blocks, instructions, permissions (with database from ...) and create your own static analysis tool,
- Check if an android application is present in a database (malwares, goodwares ?),
- Open source database of android malwares,
- Diffing of android applications,
- Measure the efficiency of obfuscators (proguard, ...),
- Determine if your application has been pirated (rip-off indicator),
- Risk indicator of malicious application,
- Reverse engineering of applications (goodwares, malwares),
- Transform Android's binary xml (like AndroidManifest.xml) into classic xml,
- Visualize your application into cytoscape (by using xgmml format), or PNG/DOT output,
- Patch JVM classes, add native library dependencies,
- Dump the jvm process to find classes into memory,
- ...
Also listed in: Android Tools, Binary Diff Tools, Disassembler Libraries, Disassemblers, Java Disassembler Libraries, Malware Analysis Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link:
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn\'t cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS executable files MS-DOS

• PE executable files Windows

• ELF executable files Linux

• MACH executable files Mac OS

• Text files

• Binary all other files
Also listed in: .NET Packers, Compiler Identifiers, Exe Analyzers, Linux Tools, Mac OS Tools, PE EXE Signature Tools, PE Executable Editors, Packer Identifiers, Tool Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: Entyzer
Rating: 0.0 (0 votes)
Author: Mohamad Fadel Mokbel                        
Current version: 0.6
Last updated: February 23, 2014
Direct D/L link:
License type: Free
Description: Entyzer+ - Revision History

Version 0.6 {Orezmus Build:220214}

[?] Released on (February 23, 2014).
[+] Added four new features
[+] Decoder for the multiplication operation in case of an overflow.
(Available under -h:hex)
[+] Compute Signal to Noise Ratio option (Available under -h:stat
help option; Entyzer -f <file name> -snr)
[+] Added xrand option (Available under -h:hex). Please Consult
Help.html file for more info about it (lengthy description)
[+] Added xorkeybf (Available under -h:hex). A brute forcer for data
XORed/encrypted with 1-byte key.
[!] Fixed a bug in the parsing of the option keyword "xorxv". It was
set to a wrong keyword 'xorexv'.
[!] Fixed a bug in the 'rxor' implementation. It was missing the key length
by one with respect to the file size.
[!] Fixed a bug in the CPP array dump feature (Type conversion problem).
[*] Some other minor and major architectural improvements.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: Hexer Plugin - Calculating the entropy of a file
Rating: 0.0 (0 votes)
Author: Sebastian Porst                        
Current version: 1.4.0
Last updated: July 1, 2008
Direct D/L link:
License type: Free / Open Source
Description: I finally got around to write an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe.

You can download the source file of the plugin here. The archive contains the source file as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation.

At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer.

Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button.

That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle.

If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked.
Also listed in: Hexer Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Current version: 1.12
Last updated: August 17, 2018
Direct D/L link:
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
Two companion plugins are also provided. FileInfo, to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on. YaraPlugin, to test Yara rules against opened file.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!


Both PE32 and PE64 support
Examine YARA rules against opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze windows native and .Net executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Parse Rich Header
Edit almost every data structure
Easily dump sections, resources and .Net assembly directories
Entropy and MD5 calculation of the sections and resource items
View strings including URL, Registry, Suspicious, ... embedded in files
Resolve ordinal to name in imported APIs
Detect common resource types
Extract artifacts remained in PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Built in hex editor
Explorer context menu integration
Descriptive information for data members
Refresh, Save and Save as menu commands
Drag and drop support
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled

Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name: pev
Rating: 0.0 (0 votes)
Author: Fernando Mercês, Jardel Weyrich                        
Current version: 0.70
Last updated: December 27, 2013
Direct D/L link:
License type: Open Source (GPLv3)
Description: pev is a free and open source multi-platform PE file analysis toolkit,
that provide the following tools:

* pehash - calculate PE file hashes
* pedis - PE disassembler
* pepack - packer detector
* peres - view and extract PE file resources
* pescan - search for suspicious things in PE files, including TLS callbacks
* pesec - check security features and certificates in PE files
* pestr - search for unicode and ascii strings in PE files
* readpe - show PE file headers, sections and more
* rva2ofs - convert RVA to raw file offsets
* ofs2rva - convert raw file offsets to RVA

Features include:

* Based on own PE library, called libpe
* Support for PE32 and PE32+ (64-bit) files
* Formatted output in text and CSV (other formats in development)
* pesec: check security features in PE files, extract certificates and more
* readpe: parse PE headers, sections, imports and exports
* pescan: detect TLS callback functions, DOS stub modification,
suspicious sections and more
* pedis: disassembly a PE file section or function with support for
Intel and AT&T syntax
* Include tools to convert RVA from file offset and vice-versa
* pehash: calculate PE file hashes
* pepack: detect if an executable is packed or not
* pestr: search for hardcoded Unicode and ASCII strings simultaneously
in PE files
* peres: show and extract PE file resources
Also listed in: Disassemblers, Exe Analyzers, Malware Analysis Tools, Packer Identifiers, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.

Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (23)
   Needs New Category  (3)