English English  Deutsch Deutsch

Solutions For Malware Analysis And Security Audit

Digital Forensics and Malware Code Analysis

Malware analysis is quickly becoming a skill that every security professional must have. Reverse engineers within the antivirus and forensics companies face the challenge of analysing a large number of malicious software appearing at an incredible rate.

Though antivirus software is continually getting better, a very significant percentage of malware escapes the automated screening process and manages to wreak havoc on networks. Unfortunately, this percentage is also growing everyday. Antivirus software does little in terms of showing what the malware is doing, and also can mostly only detect previously identified malware, not new malware.

One of the primary tools used in reverse engineering and malware analysis is, and has always been, a disassembler. Heaventools can provide you with the solutions for disassembly and inspection of executable files that will let you fulfil extensive binary security analysis and binary auditing processes. Enjoy the comfort of being able to have all the necessary tools in one simple, clean interface.

PE Explorer PE Explorer has a rich GUI that allows you to navigate through the various parts of the PE file. You can edit certain parts of the PE file, and its included resource editor is great for browsing and editing the file’s resources. It greatly reduces the time needed to understand the structure of complex malware and reveal the secrets of its design. Sometimes you have to dig into the file headers in order to determine if there is no trickery happening, especially if it's a malicious binary. If your daily work involves reverse engineering of malware, source code reviews, testing and evaluation of vulnerabilities, PE Explorer will help you accelerate and improve the quality of security audit procedures, and save you hours of time.

  PE Explorer Data SheetPE Explorer Data Sheet (PDF)

Digital Signature Viewer lets you examine a certificate-based digital signature of a particular executable file, validate the identity of the software publisher, and verify that the signature is valid, and that an application came from a particular source, and that it wasn't tampered with after it was signed.

“A great tool for detecting viruses, malware, and other executable nasties, you can use the PE Explorer's Digital Signature Viewer to review and validate the Microsoft Authenticode digital signature, if present, in the loaded executable file. This is a powerful way to verify the publisher and the integrity of the executable.”

Greg Steen,
Microsoft TechNet Magazine


Dissassembling the code makes it possible to study exactly how the program works, and even identify potential vulnerabilities. For example, if you reverse engineer spyware on a system, you could determine exactly what type of information the application was trying to snoop, as well as its other capabilities. Other uses for reverse engineering include the discovery of undocumented APIs or porting drivers, and for software patch analysis. You can also detect meaningful strings across the entire file and get hints about the functionality of an executable. And if we find extremely few numbers of strings then then it's highly likely that the code is malicious.

The PE Explorer Disassembler is designed to be easy to use compared with other disassemblers. While as powerful as the more expensive, dedicated disassemblers, PE Explorer focuses on ease of use, clarity and navigation. We just made a good disassembler at a reasonable price.

Reversing Packed Worms and Trojans

Many authors of malicious software use UPX and Upack scramblers to further reduce size of the exploit so it is more flexible and can fit in smaller places. Previously, you had to run the executable and dump the packed segments right after the executable had been completely unpacked in memory.

PE Explorer provides a better solution for the Incident Response and Computer Forensics communities. PE Explorer works on packed malware executables and can handle a file even if it has been packed with UPX and modified manually so that the standard UPX uncompressing method cannot be used directly to unpack the file.

PE Explorer supports for files modified with Upack and many UPX scramblers such as Advanced UPX Scrambler, UPoLyX, UPX Lock, and more. Now you can open these obfuscated files with PE Explorer even without knowing that: the files will be unpacked automatically.

PE Explorer exposes entire structure and all resources in suspect file in order to research and reverse engineer it. With PE Explorer, you can rapidly analyze the procedures and libraries a malware executable uses without ever activating the executable itself - a great advantage over debuggers where malicious code needs to be run to be analyzed.

Hex Editor

Flex Hex Editor Things in the world of malware are not always as they seem. A large part of the malware world evolves around fooling the user. Now that you have a piece of malware in hand, you need the power to look inside it, you need the most commonly used tool - a good hex editor.

FlexHex is specially designed to help you securely view and edit binary files, OLE compound files, logical devices, and physical drives.

Unlike other hex editors, FlexHEX provides full support for NTFS files. Specifically, FlexHEX supports sparse files and Alternate Data Streams of files on any NTFS volume. Now you can audit your files for the presence of Alternate Data Streams, and edit the hidden data.