Windows Malware Analysis Tools
Static Analysis

HxD – Hex viewer and editor.

010 Editor – Advanced hex viewer and editor.

strings (Sysinternals Suite) – Extracts strings from a file.

HashMyFiles –¬†Calculate MD5/SHA1/CRC32 hashes of your files.

DiE (Detect it Easy) – Packer identifier (recommended).

PEiD – Packer identifier.

PeStudio – Advanced PE viewer and more (recommended).

PEBear – PE viewer.

CFF Explorer – PE editor.

Resource Hacker – Resource editor. – OLE files analyzer.

OfficeMalScanner – Office files malware scanner.

PDFiD – PDF string scanner and identifier.

PDFStreamDumper – PDF malicious file scanner.

PDFParser – PDF file data extractor.

Malwoverview.pyIncident response tool to perform an initial and quick triage in a directory containing malware samples and more.

YARA – The pattern matching swiss knife for malware researchers.

Dynamic Analysis

Process Explorer (ProcExp, Sysinternals Suite) – Advanced Task Manager.

Process Hacker – Advanced Task Manager.

Process Monitor (ProcMon, Sysinternals Suite) – Monitors for system processes events (File System, Registry, Network).

Regshot – Registry compare utility.

API Monitor – Monitors for Windows API functions.

tiny_tracer – API tracing tool.

APIMiner – Logs Windows API functions of an executed program.

Pinitor – An API Monitor based on instrumentation.

PE-SieveScans for malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

TCPView (Sysinternals Suite) – Displays network connections.

Fiddler – The free web debugging proxy for any browser, system or platform.

FakeNet-NG – Emulates services/open ports for malware behavior analysis purposes.

INetSim – Emulates services/open ports for malware behavior analysis purposes.

ApateDNS – Control DNS responses.

Wireshark – Network Sniffer and Protocol Analyzer.

MiTMProxyAn interactive SSL/TLS-capable intercepting HTTP proxy (great for HTTPS inspection).

NetworkMiner – Sniffer and PCAP parser.

ProcDot – A new way of visual malware analysis.

WinJa – A lightweight but powerful tool for discovering malware hiding on your system.

CMD Watcher – Watches for the CMD, PowerShell, and other processes, suspends it, extracts the command line data, then optionally kills it.

Reverse Engineering

IDA Free/Pro – Disassembler and debugger.

radare2 – Free and open source disassembler and debugger.

Cutter – GUI for radare2.

x64dbg – User-Mode debugger.

OllyDbg – User-Mode debugger.

WinDbg – Kernel-Mode debugger.

WinDBG2IDA (IDA Plugin) – Shows WinDBG steps in IDA.

dnSpy.NET debugger and assembly editor.

ILSpy – .NET Decompiler.

de4dotNET deobfuscator and unpacker.

RetDec – Retargetable machine-code decompiler based on LLVM.

IDR (Interactive Delphi Reconstructor) – Delphi decompiler.

Ghidra – NSA software reverse engineering framework.

Binary Ninja – A New Type of Reversing Platform.

Unpacking & Deobfuscation

ViperMonkey – VBA Emulation and Deobuscation.

FLOSSAutomatically extract obfuscated strings from malware.

NoMoreXor – Tool to help guess files 256 byte XOR key by using frequency analysis.

PackerAttacker – C++ application that uses memory and code hooks to detect packers.

UniPacker – Automatic and platform-independent unpacker for Windows binaries based on emulation.

unpacker – WinAppDbg script to automate malware unpacking.

XorSearch -XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file.


aPLib (Ibsen Software) – Compression library based on the algorithm used in aPACK.

UPX (Ultimate Packer eXecutables) – Windows PE Packer.

Alternate EXE Packer – based on the UPX packer.

ASProtect – PE Packer (great for .NET based PE executables).

Enigma Protector – A professional system for licensing and protecting
executable files for Windows.

MPRESS – .NET-based PE packer.

ExeStealth – Delphi, Visual Basic, and C++ PE packer.

Themida -Advanced Windows software protection system.

MEW – LZMA algorithm-based PE packer.

VMProtect – VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software.

Obsidium – Windows PE Packer.


WinDD – Hard drive forensics acquisition tool.

WinPmem – Memory forensics acquisition tool.

DumpIt – Memory forensics acquisition tool.

FTK Imager – Hard drive and memory forensics acquisition tool.

Autopsy – Hard drive forensics analysis tool.

Event Log Explorer – Windows event log analysis tool.

Volatility – Memory forensics analysis framework.

Memoryze – Find evil in live memory.

Rekall – Memory forensic framework.

Redline – Memory forensics accelerated live response.

FOG Project – A free open-source network computer cloning and management solution.


Sysinternals Suite – Microsoft’s tool to analyze Windows system internals.

Cuckoo Sandbox – Free and open-source automated malware analysis sandbox.

Flare-VM – Windows-based Malware analysis security distribution.