Tools
Disclaimer: All tools have been tested on 32-bit/64-bit Windows 7 and Windows 10. They are available free for personal or business use. Many of these tools have been packed to combine DLLs and make them portable; because of this, anti-virus software may falsely flag them as infected or suspicious. Verify the MD5 listed for each download before running it. No warranties, expressed or implied; use at your own risk!
If you find these tools helpful, please consider donating: 3Mop83Vmwea1PfVgaFsxuy8gYAAYaqbf2p (BTC)
All files are compressed using 7-Zip with the password: kahusecurity
API Dumper
Version: 0.1
Download: Link
MD5: F9D81CEF38CA2D3BFAB250A4A86D9721
Description: Dumps strings from various API calls to reveal what VBA/XLM macros are doing. Works best in a Windows 7 environment. Requires .NET Framework 4.5.
Credits: Justin Stenning (EasyHook)
Last Update: 04/17/20
Binary File Converter
Version: 0.1
Download: Link
MD5: 4E3154C6F96DE47D068686DEC35AF565
Description: Converts small binary files into text and vice versa, which lets you move content into and out of locked-down remote hosts via VPN, RDC, SecureDesktop, etc., as long as access to the clipboard is allowed.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 07/27/13
CMD Watcher
Version: 0.4
Download: Link
MD5: 477266EC255352F3E1D183A628E48073
Description: Watches for cmd.exe, PowerShell and other processes, suspends each one as it starts, extracts its command line, then optionally kills it. There is also an interactive mode to handle any LOLBin. This lets you quickly obtain deobfuscated output from VBA macros, since the macro's final command line is captured before it runs. This is a single, portable executable (32 and 64-bit versions) that requires .NET Framework 2.0.
Credits: Atif Aziz (LINQBridge), Andy (GetProcCmdLine), Magnus Johansson (SuspendProcess), Daniel Belz (ProcessWatcher), Bruno Zell (GetMainModule)
Last Update: 12/11/21
Converter
Version: 0.14
Download: Link
MD5: B8F5BD1766ECCC344006ABBBD1831CB6
Description: Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts so it wasn’t designed to handle large datasets. Development discontinued; replaced with ConverterNET.
Credits: Sebatian L. (XOR), James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd
Last Update: 09/30/16
ConverterNET
Version: 0.1
Download: Link
MD5: D59CD55B31575FCB656747CF0DFCF660
Description: Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/SFT keys, import/export/convert files, and more. 32-bit and 64-bit binaries are included.
Credits: Sam Allen (AlphanumComparatorFast), kadzus (CRC32HashAlgorithm), Rob Tillaart (convert radix), Einar Lielmanis (js-beautify), David Zimmer (sc2exe), Simone Spagna (RC4), DotNetZip (zlib), Rohit Gupta (convert IP), Don Rollings (tags regex), Timwi (comments regex)
Last Update: 06/24/17
Cover Fire
Version: 0.1
Download: Link
MD5: 1ED40D3D1F799D0BF33555050AAB5803
Description: Generates web requests to fill up log files with misleading information. This tool requires .NET Framework 4.5.
Last Update: 10/03/15
Data Converter
Version: 0.10
Download: Link
MD5: C7AD8E5CE78D8D93A1ED4766554BD170
Description: Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
Credits: Sebatian L. (XOR), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
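The key-finding features described for Data Converter (and the XOR/ROT/SFT key search in Converter above) come down to enumerating every single-byte key for each transform and checking the output for a keyword. The following is an added example in Python, not Kahu Security's code; the meaning of the three methods is assumed (XOR = byte ^ key, ROT = rotate each byte's bits left, SFT = add a constant to each byte modulo 256), and the sample URL is constructed.

```python
"""Single-byte XOR / ROT / SFT key search with keyword matching.

Added example (not Kahu Security's code). Interpretation of the three methods
is assumed: XOR = byte ^ key, ROT = rotate each byte's bits left by key
positions, SFT = add key to each byte modulo 256.
"""
from typing import Callable, Dict, Iterator, List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rot_bytes(data: bytes, bits: int) -> bytes:
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def sft_bytes(data: bytes, delta: int) -> bytes:
    return bytes((b + delta) & 0xFF for b in data)


# method name -> (transform, key space worth enumerating)
METHODS: Dict[str, Tuple[Callable[[bytes, int], bytes], range]] = {
    "XOR": (xor_bytes, range(1, 256)),
    "ROT": (rot_bytes, range(1, 8)),
    "SFT": (sft_bytes, range(1, 256)),
}


def enumerate_keys(data: bytes, method: str) -> Iterator[Tuple[int, bytes]]:
    """Yield (key, transformed data) for every key of one method."""
    fn, keys = METHODS[method]
    for k in keys:
        yield k, fn(data, k)


def keyword_search(data: bytes, keyword: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (method, key, plaintext) for every single-byte key under which
    the keyword appears. The key reported is the decoding transform, i.e. the
    inverse of what the encoder applied (SFT: 256 - encoder delta; ROT: 8 -
    encoder rotation; XOR is its own inverse)."""
    hits = []
    for method in METHODS:
        for k, out in enumerate_keys(data, method):
            if keyword in out:
                hits.append((method, k, out))
    return hits


def dump_all_keys(data: bytes, method: str, path: str) -> int:
    """Write every candidate decoding to a text file, one per line, and return
    the number of lines written ("enumerate all keys to a file")."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for k, out in enumerate_keys(data, method):
            fh.write(f"{method} {k:3d}: {out!r}\n")
            n += 1
    return n


# Constructed sample: a C2 URL as a dropper might embed it, XORed with 0x5A.
SAMPLE_PLAIN = b"http://198.51.100.23/gate.php"
SAMPLE_ENC = xor_bytes(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    for method, key, out in keyword_search(SAMPLE_ENC, b"http://"):
        print(f"{method} key=0x{key:02X}: {out!r}")
```

A keyword search over all three methods is 269 decodings of the buffer, so it is cheap even on a few hundred kilobytes; run it with several keywords (http, .exe, This program) and expect occasional false positives on short keywords, which is why the hit list carries the whole decoded buffer for inspection.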
Difference Calculator
Version: 0.1
Download: Link
MD5: FD9D901E7FB772B8E0A7DBF413F4D605
Description: Calculates the difference between two sets of strings based on the user-defined method (e.g. subtraction, addition, etc). Right-clicking in each text box brings up a context menu and offers the ability to read/save files (binary file reads are limited to 1KB to save time).
Last Update: 10/22/16
File Converter
Version: 0.7
Download: Link
MD5: FC9A55F0532CE086AB58D670955F2E7D
Description: Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
Credits: Sebatian L. (XOR), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/17/14
Javascript Deobfuscator
Version: 0.3
Download: Link
MD5: A8DA1D3596BAC763C29518851813C290
Description: Deobfuscate simple Javascript quickly and easily. Includes text highlighting and script beautification. This tool requires .NET Framework 4.5.
Credits: David Zimmer (MSScriptControl), Einar Lielmanis (JSBeautifier)
Last Update: 01/09/16
JS Packer
Version: 0.1
Download: Link
MD5: 8A15DFA39AE7CEE1056538950D9AE251
Description: Pack and unpack Javascript from the command line using Dean Edwards' Packer and PhantomJS. This script requires PhantomJS.
Credits: Dean Edwards (Packer), Ariya Hidayat (PhantomJS)
Last Update: 02/06/16
PHP Converter
Version: 0.3
Download: Link
MD5: 0AF4562D8A8BDBB2F615AF17F00B47BF
Description: Deobfuscates/obfuscates PHP scripts.
Credits: James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd
Last Update: 07/11/14
PHP Script Decoder
Version: 0.1
Download: Link
MD5: A597D34D3B5D44EE96127B48F7B6C3BE
Description: Provides functionality to perform custom search/replace methods to deobfuscate PHP scripts.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 06/01/14
Pinpoint
Version: 0.2
Download: Link
MD5: F8467093A63A89DC419795196F41A0DF
Description: Fetches a webpage and then enumerates and analyzes its components to help identify any infected files. Pinpoint gives you various options when making an HTTP request, including spoofing the user-agent string and referer. Pinpoint will not render any of the content.
Last Update: 02/08/14
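The component enumeration Pinpoint performs, as an added Python example that is not Pinpoint's own code: it parses the HTML without rendering it, resolves every script, iframe, object, image and stylesheet reference against the page URL, and flags off-site includes, hidden iframes and inline scripts that use the usual obfuscation primitives. The fetch helper sends a spoofed User-Agent and Referer but is not exercised offline; the page URL, hostnames and HTML below are constructed for the demo.

```python
"""Enumerate the components of a web page and flag the suspicious ones.

Added example, not Pinpoint's own code. Nothing is rendered: the HTML is
parsed, each referenced URL is resolved against the page URL, and hidden
iframes, off-site includes and inline scripts that call eval/unescape/
fromCharCode/document.write are flagged. Sample HTML is constructed.
"""
import re
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit

OBFUSCATION_API = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|fromCharCode|document\.write\s*\(", re.I)


def fetch(url: str, user_agent: str, referer: str, timeout: int = 15) -> bytes:
    """Fetch the raw body with a spoofed User-Agent and Referer (no rendering)."""
    req = urllib.request.Request(
        url, headers={"User-Agent": user_agent, "Referer": referer})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    """True for the 0x0 / display:none / off-screen framing exploit kits use."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        attr = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if attr.isdigit() and int(attr) <= 1:
            return True
        m = re.search(dim + r":(-?\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return bool(re.search(r"(left|top):-\d{3,}", style))


class ComponentParser(HTMLParser):
    # tag -> attribute that references an external component
    SRC_ATTR = {"script": "src", "iframe": "src", "frame": "src", "img": "src",
                "embed": "src", "object": "data", "link": "href", "applet": "code"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base = base_url
        self.host = urlsplit(base_url).hostname or ""
        self.components: List[dict] = []
        self._script: Optional[List[str]] = None   # buffer for inline script text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
        if tag not in self.SRC_ATTR:
            return
        src = a.get(self.SRC_ATTR[tag])
        if not src:
            return
        url = urljoin(self.base, src)
        flags = []
        if (urlsplit(url).hostname or self.host) != self.host:
            flags.append("external")
        if tag in ("iframe", "frame") and is_hidden(a):
            flags.append("hidden")
        self.components.append({"tag": tag, "url": url, "flags": flags})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            self._script = None
            if body:
                flags = ["obfuscation-api"] if OBFUSCATION_API.search(body) else []
                self.components.append({"tag": "inline-script", "url": None,
                                        "flags": flags, "size": len(body)})


def enumerate_components(html: str, page_url: str) -> List[dict]:
    p = ComponentParser(page_url)
    p.feed(html)
    p.close()
    return p.components


def suspicious(components: List[dict]) -> List[dict]:
    return [c for c in components if c["flags"]]


# Constructed page: a legitimate site with an injected hidden iframe and script.
SAMPLE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<link rel="stylesheet" href="style.css">
</head><body>
<img src="logo.png">
<iframe src="http://example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var s="%65%76%61%6c";eval(unescape(s));</script>
</body></html>"""

if __name__ == "__main__":
    for c in suspicious(enumerate_components(SAMPLE_HTML, SAMPLE_URL)):
        print(c)
```

The flagged entries are the ones to fetch next, with the same spoofed headers, since many exploit-kit landing pages serve different content depending on the User-Agent and Referer of the request.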
PSUnveil
Version: 0.3
Download: Link
MD5: 7ED89B1F0CB117954C9B2AFB4DFC5D41
Description: Deobfuscate PowerShell scripts in manual, semi-auto, and auto mode. You can also clean-up, beautify, and decompress PowerShell scripts as well. This is a single, portable executable (32 and 64-bit versions) that requires .NET Framework 2.0.
Credits: R3MRUM (PSDecode), ICSharpCode (SharpZipLib), DotNetZip (Zlib)
Last Update: 12/11/21
Registry Dumper
Version: 0.2
Download: Link
MD5: E17377257421F2A94BFC4F85B0E175BB
Description: With Registry Dumper, you can scan for null characters in registry key names and dump the affected keys to a text file. You can also create and delete hidden keys by inserting the word “[null]” into the keyname. Keys with an embedded null are invisible to regedit and the Win32 registry APIs, which treat the null as a string terminator, while the native NT API (which uses counted strings) handles them normally; this is why malware uses them for persistence. This tool requires .NET Framework 4.5.
Credits: Hoang Khanh Nguyen (NTRegistry.DLL)
Last Update: 09/30/16
Reneo
Version: 0.4
Download: Link
MD5: CAFB676075465B66DD237BAD29BAAAED
Description: Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. This is a single, portable executable that requires .NET Framework 2.0.
Credits: 7-Zip (LZMA), David Zimmer (JSEval), DotNetZip (Zlib), Einar Lielmanis (JSBeautify), Eric Domke (Compressed RTF, UTF-7, Qdecode), ghundal (Ionic.Zlib), jimplode (SplitCSV), Jorgen Ibsen (aPLib), kadzus (CRC32), Legion of the Bouncy Castle Inc. (BouncyCastle), luanpeng825485697 (LZNT1), Marc Climent (Base58), Microsoft TechNet (LZNT1, MSScriptEncoder), Mark Kruger (SharpZipLib), Oleg Ingat (Base32), Ramon Smits (Base62), Rekna Anker (Beautify Script), Sam Allen (AlphanumComparatorFast), Szymon Kobalczyk (uuencode), user2748365 (SecureString), R3MRUM (PSDecode)
Last Update: 12/11/21
Revelo
Version: 0.6
Download: Link
MD5: 78311BC107613ADF3C9A32EC8A242C26
Description: Deobfuscate Javascript using a variety of different methods; includes a built-in JS beautifier, DOM walker, firewall, packet sniffer, and proxy. Note: If analyzing malicious content, please use in a virtual machine. If the script calls Java, Acrobat, or some other plug-in, Revelo won’t protect you.
Credits: Eric Wolcott (firewall), Michael D. (proxy), Einar Lielmanis (JSBeautifier), David Zimmer (Beautify), James Crowley (cookies), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/15/15
Sandbox Tester
Version: 0.1
Download: Link
MD5: 3FE44D098469DD06BD2C79671DDCD0DF
Description: Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an EICAR test file and pops up a message upon execution, so you can tell whether a sandbox actually ran it to completion.
Last Update: 08/16/12
Scout
Version: 0.2
Download: Link
MD5: 6AE5AF75365B58AB2CD9A21A8B87E29B
Description: Uses the Pinpoint engine to download and analyze webpage components to identify infected files. This function works fine in 32-bit Windows. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.
Credits: Michael D. (proxy), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
Script Decoder
Version: 0.1
Download: Link
MD5: 6035692452FC88B90CF71AA6FBD357D6
Description: Decodes data that has been encoded using Microsoft Script Encoder (ScrEnc).
Credits: Lewis E. Moten III (Script Decoder Program)
Last Update: 12/06/14
Script Deobfuscator
Version: 0.2
Download: Link
MD5: A3F20818F64FC67FDE046A7AECDD970C
Description: Helps you conduct static analysis by performing a series of search/replaces to deobfuscate PHP, Javascript, VBA, and VBS scripts. This tool requires .NET Framework 4.5.
Credits: David Zimmer (MSScriptControl)
Last Update: 02/22/16
Secret Decoder Ring
Version: 0.1
Download: Link
MD5: 5646D0EC95CFE15BF7412F549439BBC2
Description: Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Use it to analyze, decode, and encode such URLs.
Last Update: 11/17/12
Sounder
Version: 0.2
Download: Link
MD5: 5473C6A96F8525BC9D3EF077E03BAAC2
Description: Analyzes web server logs to find possible phishing sites via URLs left behind in referers. It also checks the potential websites for phishing keywords and takes screenshots. Sounder requires PhantomJS if you wish to take screenshots (download PhantomJS and copy the .exe to the same folder as Sounder).
Credits: Rocky Mountain Computer Consulting (ctrl-a select, ini read/write)
Last Update: 10/05/14
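The log analysis Sounder performs rests on one observation: a phishing kit that copies a brand's login page usually keeps hotlinking the real site's images and stylesheets, so every victim's browser sends the phishing page's URL as the Referer to the real server. The following added Python example (not Sounder's own code) scans combined-format log lines for exactly that, keeps referers that are not the site itself, and scores them with phishing keywords, IP-literal hosts and the brand name appearing in a foreign hostname. The PhantomJS screenshot step is omitted. The hostnames and log lines are constructed.

```python
"""Find phishing pages from the referers they leave in a web server's logs.

Added example, not Sounder's own code. Combined log format is assumed;
log lines, hostnames and the keyword list are constructed for the demo.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

PHISH_WORDS = ("login", "signin", "secure", "verify", "account", "update",
               "confirm", "webscr", "billing", "wallet", "bank")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def brand_labels(own_hosts: Iterable[str]) -> Set[str]:
    """'www.example.com' -> {'example'}: the label a look-alike domain reuses."""
    labels = set()
    for h in own_hosts:
        parts = h.lower().split(".")
        if len(parts) >= 2:
            labels.add(parts[-2])
    return labels


def find_phishing_referers(lines: Iterable[str], own_hosts: Set[str]) -> List[dict]:
    own = {h.lower() for h in own_hosts}
    brands = brand_labels(own)
    seen: Dict[str, dict] = defaultdict(lambda: {"hits": 0, "resources": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["referer"] in ("", "-"):
            continue
        host = (urlsplit(rec["referer"]).hostname or "").lower()
        # the site referring to itself is normal traffic, not a lead
        if not host or host in own or any(host.endswith("." + o) for o in own):
            continue
        seen[rec["referer"]]["hits"] += 1
        seen[rec["referer"]]["resources"].add(rec["path"])
    results = []
    for ref, info in seen.items():
        host = (urlsplit(ref).hostname or "").lower()
        reasons = [w for w in PHISH_WORDS if w in ref.lower()]
        if IP_LITERAL.match(host):
            reasons.append("ip-literal-host")
        if any(b in host for b in brands):
            reasons.append("brand-in-host")
        results.append({"referer": ref, "hits": info["hits"],
                        "resources": sorted(info["resources"]),
                        "score": len(reasons), "reasons": reasons})
    results.sort(key=lambda r: (-r["score"], -r["hits"]))
    return results


# Constructed log excerpt for www.example.com (TEST-NET addresses throughout).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 -0700] "GET /images/logo.png HTTP/1.1" 200 2326 "http://203.0.113.7/~jsmith/secure/login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:13:56:01 -0700] "GET /images/logo.png HTTP/1.1" 200 2326 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:13:57:12 -0700] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2014:13:58:40 -0700] "GET /images/logo.png HTTP/1.1" 200 2326 "http://example-verify-account.test/update/index.html" "Mozilla/5.0"
192.0.2.56 - - [10/Oct/2014:13:59:02 -0700] "GET /css/site.css HTTP/1.1" 200 812 "http://example-verify-account.test/update/index.html" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for r in find_phishing_referers(SAMPLE_LOG.splitlines(), {"www.example.com", "example.com"}):
        print(r["score"], r["hits"], r["referer"], r["reasons"])
```

Treat the output as leads, not verdicts: search-engine caches, translation proxies and legitimate partners also produce foreign referers, so the next step is to fetch each candidate (from a VM, with a non-attributable address) and confirm it is a cloned login page before reporting it for takedown.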
SpiderMonkey for Windows
Version: 1.8.5
Download: Link
MD5: 8AFCEDFC1ABFD225CA6CF21A17F8EAB8
Description: The source code was downloaded from Mozilla's Mercurial repository on 2010-11-24 and built with Microsoft Visual Studio C++ 2008 Express Edition with the Microsoft Platform SDK for Windows Server 2003 R2. It has been tested to run on Windows XP Service Pack 2.
Last Update: 11/26/10
Text Decoder Toolkit
Version: 0.2
Download: Link
MD5: B703C0BB8F54BB4747D8A4EBD285F160
Description: Convert, transform, and decode text in a number of ways. Provides three different methods to help you determine what the XOR/shift value is. This tool requires .NET Framework 4.5.
Credits: Sam Allen (AlphanumComparatorFast class), ProgramFOX (arithmetic functions), Hans Passant (sync scrollbar class)
Last Update: 09/30/16
URL Monitor
Version: 0.1
Download: Link
MD5: BCBBB289A835B23EA7FCF135914D49D3
Description: This is a web proxy that collects and displays the URLs from downloaders. You can automatically allow, drop, or interactively allow/drop HTTP/HTTPS requests. This tool requires .NET Framework 4.5.
Credits: Az3r (HttpsProxy)
Last Update: 05/24/20
URL Revealer
Version: 0.2
Download: Link
MD5: E317D668710967D6C2591C98001DE8EF
Description: This is a web proxy that collects and displays the URLs from downloaders then drops the request automatically. This tool requires .NET Framework 2.0.
Credits: matt-dot-net (proxy class)
Last Update: 09/30/16
Welcome Mat
Version: 0.1
Download: Link
MD5: 1099C8F48637DEAE306140B336003F8E
Description: Opens listening ports on the host to spoof running services. This tool requires .NET Framework 4.5.
Last Update: 10/03/15
Word to Decimal
Version: 0.1
Download: Link
MD5: 204253B6D3D9515F444AE76B78595BED
Description: Converts Qword, Dword, and Word values to decimal. It can also perform basic XOR decoding.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 05/23/14
ZeuS ENC Decrypter
Version: 0.1
Download: Link
MD5: 35821DB452F71F1731A82264039B6DAE
Description: Automatically finds the four-byte XOR key then XOR-decrypts and LZNT1-decompresses GameOver ZeuS’ .enc files into PE files.
Credits: Alex Ionescu (LZNT1), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/11/14
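The two-stage unpacking the ZeuS ENC Decrypter describes, as an added Python example that is not the tool's own code. The page does not say how the tool locates the four-byte key, so the recovery here is a known-plaintext assumption: the plaintext is an LZNT1 stream whose first chunk begins with the DOS header as literal bytes. The standard "MZ\x90\x00\x03\x00\x00\x00" prefix contains no three-byte repeat, so an LZNT1 compressor emits a zero flag byte followed by those eight literals, which gives a nine-byte crib at stream offset 2 that pins every byte of a four-byte repeating key. The LZNT1 decoder follows the public chunk/token format; the sample stream and key are hand-built, not real malware.

```python
"""Recover the 4-byte XOR key of a GameOver ZeuS .enc file, then XOR-decrypt
and LZNT1-decompress it back into a PE.

Added example, not the ZeuS ENC Decrypter's code. Key recovery assumes the
LZNT1 stream starts with the DOS header stored as literals (see recover_key);
the sample stream is hand-built.
"""
import struct
from typing import Optional, Tuple


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress_chunk(chunk: bytes) -> bytes:
    """Decode one compressed chunk: flag byte, then 8 tokens, a token being a
    literal byte (bit clear) or a 16-bit (displacement, length) pair (bit set)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # the split between displacement and length bits grows with the
            # amount of the chunk already produced (4-bit offset for the first
            # 16 bytes, 5-bit up to 32, ...)
            pos = len(out) - 1
            len_mask, off_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):          # byte-wise copy handles overlap
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers: low 12 bits = size-1, bit 15 = compressed."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:                      # end-of-stream marker
            break
        size = (header & 0xFFF) + 1
        chunk = buf[i:i + size]
        i += size
        out += lznt1_decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


# crib = zero flag byte + first 8 DOS-header bytes as literals, located right
# after the 2-byte header of the first chunk (assumption, see module docstring)
DOS_HEADER_CRIB = b"\x00" + b"MZ\x90\x00\x03\x00\x00\x00"
CRIB_OFFSET = 2


def recover_key(enc: bytes, crib: bytes = DOS_HEADER_CRIB,
                offset: int = CRIB_OFFSET, key_len: int = 4) -> Optional[bytes]:
    """Derive each key byte from the crib; None if overlapping crib positions
    disagree (wrong crib, stored chunk, or not a repeating-XOR cipher)."""
    key = [None] * key_len
    for i, p in enumerate(crib):
        pos = offset + i
        if pos >= len(enc):
            return None
        k, slot = enc[pos] ^ p, pos % key_len
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None
    return None if None in key else bytes(key)


def decrypt_enc(enc: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    key = key or recover_key(enc)
    if key is None:
        raise ValueError("could not recover XOR key from DOS-header crib")
    pe = lznt1_decompress(xor_repeat(enc, key))
    if not pe.startswith(b"MZ"):
        raise ValueError("decrypted data is not a PE; key or crib is wrong")
    return key, pe


# Hand-built LZNT1 stream: compressed chunk (8 literals, then an 8-byte
# back-reference to them) followed by a stored chunk "PE\0"; then XOR-encrypted.
SAMPLE_PLAIN = bytes.fromhex("0bb0" "004d5a900003000000" "010570" "0230" "504500")
SAMPLE_KEY = b"\x13\x37\xc0\xde"
SAMPLE_ENC = xor_repeat(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, pe = decrypt_enc(SAMPLE_ENC)
    print("key:", key.hex(), "pe:", pe)
```

If recover_key returns None the crib did not fit: the compressor may have emitted the first 4 KB as a stored chunk (no flag byte), or the sample's DOS stub may differ, in which case crib-drag another fixed PE fragment at the right stream offset and let the MZ check in decrypt_enc confirm the result.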