KernelCBFind-x86.wdbg is a small Windbg script i use while rootkit hunting and searching for kernel callbacks. See the readme.txt for usage infos.



OfficeMalScanner v0.5 is a Ms Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. Found files are being extracted to disk. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis. The "inflate" feature extracts Ms Office 2007 documents into a directory and marks potentially malicious files. Also included in this package is a tool called MalHost-Setup, some kind of MS Office runtime emulation environment to debug shellcode in malicious documents in realtime.



This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA it adds these vtable structures to an IDB file. This will save time while reconstructing COM code.



This small IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me alot, while reversing several malwares using the COM interface, e.g. for browser or outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA



MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into its realnames. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.



VMEDetect v0.1 is a small commandline tool written in assembly, which makes use of the RDTSC trick to check for the presence of VMWare and VirtualPC.

VMEDetect v0.1.zip


This is a little proof of concept code to test, if your application-firewall alerts when bitscode.exe tries to download and execute fwbypassalert.exe from this site.


Also check out Elia Florio's blog for more information on this problem.



IDAAPIHelp is a small IDAPython script, that saves time when searching for API Information while e.g. analyzing a malware with IDA Pro. It looks at cursor position for a valid api call and if found it tries to show you the eligible API Info from the provided helpfile.

IDAAPIHelp v0.3.zip


Superkill is a is small tool to kill processes, which are normally protected from being stopped on application level. After starting Superkill it detaches its driver from the RC_DATA resource area, installs it as service and runs the driver. Communication between applevel code and driver is being handled through the DeviceIoControl() function. Full source code included.

Superkill V1.0