These tools were originally designed as part of a research project on industrial control systems (ICS), the Internet of Things (IoT) and Operational Technology (OT). A drop-in replacement for readelf, objcopy, and objdump that utilises the Capstone disassembly framework. The project then grew into a collection of tools for malware and binary analysis supporting x86, x86-64, ARM, ARM Thumb, AARCH64, MIPS and RISC-V architectures.
This suite of tools was inspired by a problem I encountered while comparing two subtly different executables that were compiled from the same source code. Also, having binaries built with different cross-compilers raises the question of which flavour of readelf or objdump to use? After I reached 12 and started thinking about a simple solution that could be automated and didn't require a $ 7,000-a-year software license.
This problem is solved by the Heuristic Assembly Language Analysis Engine (HALAE), which converts x86-64, ARM, MIPS or RISC-V assembly language into an Intermediate Language (IL) for the comparison and analysis.
convert-ng is a Swiss Army Knife for manipulating data in complex ways using operations, xor, addition, subtraction, logical shifts and rotations, base32, base58, base64, base85 and vigeneree cipher. READ MORE...
detect-ng is a tool for file and compiler identification supporting signature-based and heuristic analysis. READ MORE...
enumerate-ng.py is a script inspired by rebootuser’s LinEnum for enumeration and privilege escalation, and enhanced to be used with both devices and firmware images. This information is useful for hardening devices or for understanding how an adversary obtained persistence, privilege escalation, or lateral movement. READ MORE...
objcopy-ng copies the contents of an object file to another using the GNU BFD Library to readand write the object files. It can write the destination object file in a format different from the source object files.
objdump-ng displays information about one or more object files. This information is useful to malware researchers and binary analysis, as this utility is lightweight compared to many commercial applications (x86, ARM, AARCH64, MIPS and RISC-V). READ MORE...
objdwarf-ng displays the dwarf information about one or more ELF format object files in standard and enhanced formats. READ MORE...
objhash-ng generates hashes of ELF format object files for malware detection and digital forensics. The utility is supports fuzz-hashing and context-triggered piecewise hashing. READ MORE...
readelf-ng displays information about one or more ELF format object files. READ MORE...
readpe-ng displays information about one or more PE format object files. READ MORE...
strings-ng is a script that is used to print the sequences of printable characters in files. To search for possible privilege escalation, lateral movement, binary execution and data exfiltration methods.
yara-rules-ng is a bash script that was inspired by the REMnux yara-rules script. This script can be used to scan against a collection of open-source YARA rules, including Yara-Rules Project, Yara-Forge and my collection of YARA rules. READ MORE...
Download the latest release.
See the BUILD.md for detailed instructions.
If you find this project useful and would like to keep it maintained, with new features and a regular release cycle or want to support my research. Then, you can sponsor me at PayPal, or you can buy me a coffee at PayPal. I will be really thankful for anything, even if it is a coffee, because that helps me a lot to know that you care:)
If you require a service contract that includes: email support, technical help, support tickets, prioritised bug fixes with immediate release. Drop me an email: enquiries@uber-techie.co.uk
https://github.com/capstone-engine/capstone - BSD license
https://github.com/ssdeep-project/ssdeep - GPL-2.0 license
https://github.com/davea42/libdwarf-code - LGPL license
https://github.com/packing-box/peid - GPL-3.0 license
objtools-ng is published under the MIT license.