[rnicrosoft.net]
The home of Nick Harbour's tools and techniques
- Software
  - Forensics Software
    - dcfldd - A modified version of the Unix "dd" command with hashing and many, many other custom features.
    - tcpxtract - A data carving program for extracting files directly from network traffic. Carves based on signatures from the headers of known file types. You can add your own file types as well.
    - fatback - A Unix command line tool for undeleting files from FAT filesystems. FAT12/16/32 support with long filenames.
    - FindEvil - An early alpha release of a malware discovery tool. Uses disassembly to detect packed executables.
    - pecarve
    - nstrings - My version of the "strings" command for Windows. Unlike every other strings tool on the market, this displays both Unicode and ASCII strings with one single pass through the data so that Unicode strings are displayed in their proper location relative to the ASCII strings.
    - pestat - Prints important information from PE binaries including compile time, checksum and MD5.
  - Packers
    - PE-Scrambler - Scrambles and obfuscates compiled binaries at the machine code instruction level. Also obfuscates function calls. Presented at DEFCON 16 in August 2008, "Advanced Software Armoring and Polymorphic Kung-Fu".
    - CoreDpack (coming soon) - A packer which uses process injection to infect the packed binary into a process of your choosing.
    - slickpack - A cheesy simple packer. Blasts away the import table.
    - slackpack - A version of slickpack with additional anti-reverse engineering armoring.
    - UPXFail - A mangler for UPX. Pack a binary with UPX and use this to thwart detection and static UPX unpacking.
  - Misc
    - nickisofs - A modified version of the mkisofs command that splits up the input files into multiple ISO image files of a specified size. With this you could, for example, split an entire hard drive full of files into CD-ROM images containing those logical files.
    - cl-cgi - A dynamic web page programming library for the Common Lisp programming language.
    - tcopy-linux - A Linux port of the BSD tcopy program used to duplicate tape devices.
    - FileInsight_plugins - My collection of essential plugins for the excellent FileInsight hex editor. Unpack this in your %Documents%\FileInsight\plugins directory. (Since the official FileInsight download site seems to be down I have mirrored it here: download FileInsight)
    - ClipTools - A suite of tools for interacting with Windows clipboard data from the command line with standard input and output streams. Allows you to specify datatypes and comes with a command ("showclip") to list the current contents of your clipboard with datatype values and descriptions.
- Presentations
- Other Files
- Contact
Copyright (c) 2009 Nick Harbour, All Rights Reserved