top of page



Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.



This is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.



SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

  • Running Processes

  • Open Ports

  • Loaded Drivers

  • Injected Libraries

  • Key Registry Changes

  • APIs called by a target process

  • File Modifications

  • HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

  • Create a memory dump of target process

  • parse memory dump for strings

  • parse strings output for exe, reg, and url references

  • scan memory dump for known exploit signatures



A free, powerful, multi-purpose tool that helps you monitor system resources, debug software, and detect malware.


Many of you have probably used Process Explorer in the past. Process Hacker has several advantages:

  • Process Hacker allows you to copy data by simply pressing Ctrl+C.

  • Process Hacker is open source and can be modified or redistributed.

  • Process Hacker does not have several year old bugs that still remain unfixed.

  • Process Hacker is more customizable.

  • Process Hacker shows symbolic access masks (e.g. Read, Write), rather than just numbers (e.g. 0x12019f).



GMER is an application that detects and removes rootkits .

It scans for:

  • hidden processes

  • hidden threads

  • hidden modules

  • hidden services

  • hidden files

  • hidden disk sectors (MBR)

  • hidden Alternate Data Streams

  • hidden registry keys

  • drivers hooking SSDT

  • drivers hooking IDT

  • drivers hooking IRP calls

  • inline hooks



There are plenty of tools for behavioral malware analysis. The defacto standard ones, though, are Sysinternals’s Process Monitor (also known as Procmon) and PCAP generating network sniffers like Windump, Tcpdump, Wireshark, and the like. These “two” tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis. 


But there’s a major problem with these tools. Any of them works in a so to say separated or isolated way, not knowing anything from each other. Hence it’s kinda hard to get accordingly recorded activities together in one piece or picture. That’s where ProcDOT enters the stage. It fills this actual gap by merging those records together.But ProcDOT does much more. It turns those thousands of monitored activities into a big behavioral picture - actually a graph - which can be interactively explored making behavioral malware analysis as efficient as you it never was before.


In this terms ProcDOT enables you to ...

• Get an overall guts feeling for an entire situation within a glance,

• Spot relevant parts and understand the correlation between them in minutes



Radiography is a forensic tool which grabs as much information as possible from a Windows system.

Its checks:

  • Registry keys related to startup process

  • Registry keys with Internet Explorer settings

  • System Accounts and properties

  • Startup files

  • System services

  • Hosts file contents

  • TaskScheduler tasks

  • Loaded System Drivers

  • NetBios Shares

  • Hidden Windows

  • System processes running (and their location if possible)

  • Network information (Open connections, listening ports ...) 



RunScanner is a freeware windows system utility which scans your system for all running programs, autostart locations, drivers, services and hijack points. You can use Runscanner to detect changes and misconfigurations in your system caused by spyware, virusses or human errors.


Runscanner website has a database of over 900.000 different windows system files.
Users can find more information about .exe .dll .sys files and learn more about the technical details of these windows startup files.



Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.

Noriben allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options. Or, watch the system as you step through malware in a debugger.

Noriben only requires Sysinternals procmon.exe to operate. It requires no pre-filtering (though it may help) as it contains numerous black list items to reduce unwanted noise from system activity (particular to Windows XP).



API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.


API Monitor supports monitoring of 64-bit applications and services. The 64-bit version can only be used to monitor 64-bit applications and the 32-bit version can be only be used to monitor 32-bit applications. To monitor a 32-bit application on 64-bit Windows, you must use the 32-bit version. Note that the 64-bit installer for API Monitor includes both 64-bit and 32-bit versions.



The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications

  • Autoruns – See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

  • Diskmon – This utility captures all hard disk activity or acts like a software disk activity light in your system tray.

  • ListDLLs - List all the DLLs that are currently loaded, including where they are loaded and their version numbers.

  • Process Explorer – Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.

  • Process Monitor – Monitor file system, Registry, process, thread and DLL activity in real-time.

  • PsFile -See what files are opened remotely.

  • PsInfo - Obtain information about a system.

  • PsList - Show information about processes and threads.

  • RootkitRevealer- Scan your system for rootkit-based malware.

  • Strings - Search for ANSI and UNICODE strings in binary images.

  • TCPView - Active socket command-line viewer.

Anchor 33
Anchor 34
Anchor 35
Anchor 4
Anchor 5
Anchor 6
Anchor 7
Anchor 8
Anchor 9
Anchor 10
Anchor 11

Subscribe for Updates

Congrats! You’re subscribed

bottom of page