Tools
Taken From here: http://www.kahusecurity.com/tools/Disclaimer: All tools have been tested on 32-bit/64-bit Windows 7 but work on Windows 8.1 as well. They are available free for personal or business use. These tools have been compressed with UPX or Confuser and used to analyze malicious content so anti-virus software may falsely identify them as infected or suspicious. No warranties expressed or implied; use at your own risk!
If you find these tools helpful, please consider donating: 1D2149DqK33asrbwTvSLgQLbk1kXjJCui (BTC)
All files are compressed using 7-Zip with the password: kahusecurity
Binary File Converter
Version: 0.1
Download: Link
MD5: 4E3154C6F96DE47D068686DEC35AF565
Description: Converts small binary files into text and vice versa which enables you to move content into and out of locked-down, remote hosts via VPN, RDC, SecureDesktop, etc as long as access to the clipboard is allowed.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 07/27/13
Converter
Version: 0.13
Download: Link
MD5: B326787307445797EBDE4F3B81D7DB97
Description: Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts so it wasn’t designed to handle large datasets.
Credits: Sebatian L. (XOR), James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64, MD5), Karim Wafi (Hash class), Shawn Stugart (VBS encoder), Jean-Luc Antoine (VBS decoder), David Zimmer of Sandsprite (sc2exe, Beautify), Einar Lielmanis (JSBeautifier), Paul Mather (splitter), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 06/20/15
Cover Fire
Version: 0.1
Download: Link
MD5: 1ED40D3D1F799D0BF33555050AAB5803
Description: Generates web requests to fill up log files with misleading information. This tool requires .NET Framework 4.5.
Last Update: 10/03/15
Data Converter
Version: 0.10
Download: Link
MD5: C7AD8E5CE78D8D93A1ED4766554BD170
Description: Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
Credits: Sebatian L. (XOR), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
File Converter
Version: 0.7
Download: Link
MD5: FC9A55F0532CE086AB58D670955F2E7D
Description: Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
Credits: Sebatian L. (XOR), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/17/14
Javascript Deobfuscator
Version: 0.3
Download: Link
MD5: A8DA1D3596BAC763C29518851813C290
Description: Deobfuscate simple Javascript quickly and easily. Includes text highlighting and script beautification. This tool requires .NET Framework 4.5.
Credits: David Zimmer (MSScriptControl), Einar Lielmanis (JSBeautifier)
Last Update: 01/09/16
JS Packer
Version: 0.1
Download: Link
MD5: 8A15DFA39AE7CEE1056538950D9AE251
Description: Pack and unpack Javascript from DOS using Dean Edwards Packer and PhantomJS. This script requires PhantomJS.
Credits: Dean Edwards (Packer), Ariya Hidayat (PhantomJS)
Last Update: 02/06/16
PHP Converter
Version: 0.3
Download: Link
MD5: 0AF4562D8A8BDBB2F615AF17F00B47BF
Description: Deobfuscates/obfuscates PHP scripts.
Credits: James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 07/11/14
PHP Script Decoder
Version: 0.1
Download: Link
MD5: A597D34D3B5D44EE96127B48F7B6C3BE
Description: Provides functionality to perform custom search/replace methods to deobfuscate PHP scripts.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 06/01/14
Pinpoint
Version: 0.2
Download: Link
MD5: F8467093A63A89DC419795196F41A0DF
Description: Fetches a webpage and then enumerates and analyzes its components to help identify any infected files. Pinpoint gives you various options when making an HTTP request including spoofing the user-agent string and referer. Pinpoint will not render any of the content.
Last Update: 02/08/14
Registry Dumper
Version: 0.1
Download: Link
MD5: 2B60FB450C217E114226752A1D6D9D25
Description: With Registry Dumper, you can scan for null characters in registry keys and dump them to a text file. You can also create and delete hidden keys by inserting the word “[null]” into the keyname. This tool requires .NET Framework 4.5.
Credits: Hoang Khanh Nguyen (NTRegistry.DLL)
Last Update: 12/06/14
Revelo
Version: 0.6
Download: Link
MD5: 78311BC107613ADF3C9A32EC8A242C26
Description: Deobfuscate Javascript using a variety of different methods; includes a built-in JS beautifier, DOM walker, firewall, packet sniffer, and proxy. Note: If analyzing malicious content, please use in a virtual machine. If the script calls Java, Acrobat, or some other plug-in, Revelo won’t protect you.
Credits: Eric Wolcott (firewall), Michael D. (proxy), Einar Lielmanis (JSBeautifier), David Zimmer (Beautify), James Crowley (cookies), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/15/15
Sandbox Tester
Version: 0.1
Download: Link
MD5: 3FE44D098469DD06BD2C79671DDCD0DF
Description: Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
Last Update: 08/16/12
Scout
Version: 0.2
Download: Link
MD5: 6AE5AF75365B58AB2CD9A21A8B87E29B
Description: Uses the Pinpoint engine to download and analyze webpage components to identify infected files. This function works fine in 32-bit Windows. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.
Credits: Michael D. (proxy), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
Script Decoder
Version: 0.1
Download: Link
MD5: 6035692452FC88B90CF71AA6FBD357D6
Description: Decodes data that has been encoded using Microsoft Script Encoder (ScrEnc).
Credits: Lewis E. Moten III (Script Decoder Program)
Last Update: 12/06/14
Script Deobfuscator
Version: 0.1
Download: Link
MD5: DBE68F5281326EB542E129F9CF642FB3
Description: Helps you conduct static analysis by performing a series of search/replaces to deobfuscate PHP, Javascript, VBA, and VBS scripts. This tool requires .NET Framework 4.5.
Credits: David Zimmer (MSScriptControl)
Last Update: 02/15/16
Secret Decoder Ring
Version: 0.1
Download: Link
MD5: 5646D0EC95CFE15BF7412F549439BBC2
Description: Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.
Last Update: 11/17/12
Sounder
Version: 0.2
Download: Link
MD5: 5473C6A96F8525BC9D3EF077E03BAAC2
Description: Analyzes web server logs to find possible phishing sites via URLs left behind in referers. It also checks the potential websites for phishing keywords and takes screenshots. Sounder requires PhantomJS if you wish to take screenshots (download PhantomJS and copy the .exe to the same folder as Sounder).
Credits: Rocky Mountain Computer Consulting (ctrl-a select), Rocky Mountain Computer Consulting (ini read/write)
Last Update: 10/05/14
Text Decoder Toolkit
Version: 0.1
Download: Link
MD5: 391035278FFF43A7E1B1308CF978257D
Description: Decode text using XOR and character shift methods. Provides three different ways to help you determine what the XOR/shift value is. This tool requires .NET Framework 4.5.
Credits: Sam Allen (AlphanumComparatorFast class), ProgramFOX (arithmetic functions), Hans Passant (sync scrollbar class)
Last Update: 11/17/15
Welcome Mat
Version: 0.1
Download: Link
MD5: 1099C8F48637DEAE306140B336003F8E
Description: Opens listening ports on the host to spoof running services. This tool
requires .NET Framework 4.5.
Last Update: 10/03/15
Word to Decimal
Version: 0.1
Download: Link
MD5: 204253B6D3D9515F444AE76B78595BED
Description: Converts Qword, Dword, and Word values to decimal. It can also perform basic XOR decoding.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 05/23/14
ZeuS ENC Decrypter
Version: 0.1
Download: Link
MD5: 35821DB452F71F1731A82264039B6DAE
Description: Automatically finds the four-byte XOR key then XOR-decrypts and LZNT1-decompresses GameOver ZeuS’ .enc files into PE files.
Credits: ALex Ionescu (NZNT1), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/11/14
