Tools

Welcome to the Tools page. Below you’ll find information and links to recommended tools, scripts and commands to help you test your antivirus.

Virtualisation Tools

Virtualising your test environment is ideal – bordering on necessary – and provides several advantages.

1. You can easily snapshot a baseline (uninfected) image. This makes restoring a compromised machine to a clean state quick, which reduces downtime between tests.
2. You can set up multiple operating systems on one machine. Several test environments, each running a different operating system (e.g. Windows 7, Windows 8, OS X), can live on one physical host instead of requiring several physical machines.

Windows Hosts

VMware Workstation Pro – Commercial virtualisation product

Linux Hosts

VMware Workstation Pro – Commercial virtualisation product

Apple OS X Hosts

Parallels – The big competitor to VMware on Macs.

VMware Fusion Pro – Mac version of VMware Workstation Pro

Process / System Monitoring Tools

Monitoring tools allow you to discover whether your machine has been infected and give you a glimpse into how the malware is affecting your test machine.

Windows Monitoring Tools

DiskMon is an application that logs and displays all hard disk activity on a Windows system.

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Portmon for Windows: Portmon is a utility that monitors and displays all serial and parallel port activity on a system.

Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that combines the functionality of previous stand-alone tools including Performance Logs and Alerts, Server Performance Advisor and System Monitor. It provides a graphical interface for customizing Data Collector Sets and Event Trace Sessions.

Process Hacker – A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Supports Windows XP (SP2)/Vista/7/8/10, 32-bit or 64-bit.

Regshot is an open-source (LGPL) registry compare utility that lets you quickly take a snapshot of your registry and then compare it with a second snapshot taken after making system changes or installing new software.

Apple OS X monitoring tools

Activity Monitor: Apple’s description “shows the processes that are running on your Mac, so you can see how they affect your Mac’s activity and performance”.

Network Monitoring Tools

Malware can be pretty noisy and almost always generates some kind of network traffic which you can monitor and analyse with these tools.

All Systems

Wireshark – Wireshark is the world’s foremost network protocol analyser. It lets you see what’s happening on your network at a microscopic level. It is the de facto standard across many industries and educational institutions.

Automation Tools

When you’re working with lots of files and repetitive tasks you’ll appreciate these tools and scripts to automate the process for you.

Windows Hosts

Rename and run all files:

  • Rename * *.exe && for %i in (*.exe) do start %i
  • (Renames every file in the current directory to *.exe, then runs each .exe in turn)

Compression Tools

Compression tools allow you to open ZIP, RAR, TAR and other archive formats; you’ll need one of these to open the malware zip files we supply on this website.

Windows Hosts

7-Zip: Free open source file archive tool which allows password protection and encryption.

Apple OS X Hosts

iZip: a free tool to manage ZIP, ZIPX, RAR, TAR, 7ZIP and other compressed files on your Mac.

Mutation Tools

Evade antivirus detection by modifying and crafting malware yourself, just like the malware authors do.

Windows Hosts

Hash Modifier (Powershell Script) – Cycles through the executables in a directory, adds a null byte to the file, calculates a new sha256 hash and then renames the file to its new hash value.

Aegis Crypter – Crypter Software

Armadillo v1.83 – Location to be provided

PELock v2.05 – PELock is a software security solution designed to protect any 32-bit Windows application against cracking, tampering and reverse-engineering analysis.

PESpin v1.33 32-bit & dotNetSpin v0.2 – PESpin is a protector and compressor for Windows executable files (EXE, DLL), coded in pure assembly using MASM. It compresses the whole executable – code, data and resources – while leaving it runnable, and protects against patching and disassembly.

Windows and Mac

Mpress – free, high-performance executable packer for PE32 / PE32+ / .NET / MAC-DARWIN executable formats.

VMProtect Pro – [COMMERCIAL PRODUCT] Protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyse and crack the software. Note: The free trial version of the software utilises a much more easily detectable packer than the paid product.

All Systems

Hyperion v1.2 – As an innovative AV evasion technique, this crypter encrypts the payload with a weak key that isn’t saved, then brute-forces it at runtime. To compile on Windows, install MinGW and choose the GNU C++ compiler package. Note: you’ll need to run the compiled crypter from the root of the Hyperion directory for its dependencies to load correctly.

Lab Components

Useful tools for building your antivirus testing lab.

Windows Hosts

ApateDNS™ is a tool for controlling DNS responses through an easy-to-use GUI. Acting as a fake DNS server, ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. ApateDNS also automatically sets the local DNS server to localhost and restores the original DNS settings when you exit the tool. Supported Operating Systems: Windows 2000, Windows 2003, Windows XP, Windows 2008, Windows Vista, Windows 7 (32-bit and 64-bit)

All Systems

Various VPN providers to hide your organisation’s public IP address from Command and Control servers your malware will call back to.

CLI Commands

Windows Hosts

Hash Modifier (Powershell Script) – Cycles through the executables in a directory, adds a null byte to the file, calculates a new sha256 hash and then renames the file to its new hash value.

Apple OS X Terminal Commands

top: Display and update sorted information about processes.

iotop: Display top disk I/O events by process.

nettop: Displays a list of sockets or routes.
