Analysis Tooling
Tools I use for malware analysis and reverse engineering, with context on when and why.
Disassemblers
Ghidra
When I use it: Primary disassembler for static analysis
Why: Free, powerful decompiler, excellent for malware analysis
IDA Pro
When I use it: Complex binaries and advanced analysis
Why: Industry standard, best-in-class analysis capabilities
Radare2
When I use it: Command-line analysis and scripting
Why: Scriptable, lightweight, good for automation
Debuggers
x64dbg
When I use it: Dynamic analysis on Windows
Why: Clean interface, good plugin ecosystem
OllyDbg
When I use it: Legacy 32-bit analysis
Why: Simple, effective for older malware
WinDbg
When I use it: Kernel debugging and crash analysis
Why: Microsoft's debugger, essential for Windows internals
Dynamic Analysis Environment
VMware Workstation
When I use it: Isolated malware execution environment
Why: Reliable snapshots, good performance
Process Monitor
When I use it: File/registry/network monitoring
Why: Real-time system activity monitoring
Wireshark
When I use it: Network traffic analysis
Why: Comprehensive protocol analysis
API Monitor
When I use it: API call monitoring and hooking
Why: Detailed API call logging and modification
Utilities
HxD
When I use it: Hex editing and binary analysis
Why: Fast, reliable hex editor
PEiD
When I use it: Packer and compiler detection
Why: Quick identification of protection mechanisms
Strings
When I use it: Extract readable strings from binaries
Why: First step in static analysis
UPX
When I use it: Unpacking UPX-compressed binaries
Why: Common packer, straightforward to unpack
Environment Setup
Host OS: Windows 11 for native malware execution and tool compatibility
Analysis VMs: Isolated Windows 10/11 VMs with snapshots for safe malware execution
Network: Isolated lab network with controlled internet access for behavioral analysis
Backup: Regular snapshots before analysis, automated sample archiving