Reverse Engineering
53 tools
Instrumentation-driven fuzzer for binary formats that uses compile-time instrumentation and genetic algorithms to discover test cases triggering new internal states.
Metapackage that installs the complete Android Software Development Kit (SDK) for developing mobile applications on the Android platform. It pulls in SDK Tools, Platform-tools, and Build-tools required for Android app development and analysis.
Apktool is a tool for reverse engineering Android APK files. It decodes resources to nearly original form, rebuilds them after modifications, and enables debugging of smali code.
Binwalk is a tool for searching binary images for embedded files and executable code, particularly designed for analyzing firmware images. It uses libmagic signatures and includes custom signatures for firmware-specific content like compressed files, kernels, and filesystems.
Binwalk3 is a tool and library for analyzing binary blobs and executable code, identifying and optionally extracting embedded files and data. This Rust rewrite of Binwalk focuses on firmware analysis, with support for various file types and entropy analysis for detecting unknown compression or encryption.
bpf-linker simplifies building modern BPF programs by statically linking multiple BPF object files together and optionally performing optimizations for older kernels. It operates on LLVM bitcode from .bc, .o, or .a files.
Bytecode Viewer is an advanced lightweight Java bytecode viewer and reverse engineering suite for Java 8+ JAR files and Android APKs. It provides a comprehensive GUI toolkit including decompilers, editors, debuggers, and a plugin system for custom analysis.
Capstone is a lightweight multi-platform, multi-architecture disassembly framework. It provides a command-line tool cstool to disassemble hexadecimal strings.
code-oss is an open source package of VSCode, providing a code editor with comprehensive editing, navigation, understanding support, lightweight debugging, rich extensibility, and integration with existing tools.
Detect It Easy (DiE) is a program for determining the type of a file, popular among malware analysts, cybersecurity experts, and reverse engineers. It supports both signature-based and heuristic analysis for efficient file inspection across Windows, Linux, and macOS.
dex2jar converts Android Dalvik Executable (.dex) and APK files to Java .class JAR files for analysis. It provides tools for deobfuscation, disassembly, signing, and manipulation of Android binaries.
diStorm3 is a powerful disassembler library for x86/AMD64 binary streams that decomposes instructions into binary structures for advanced analysis. It provides Python bindings and supports 16-bit, 32-bit, and 64-bit decoding.
edb is a graphical cross-platform x86/x86-64 debugger and disassembler for ELF binaries. It supports debugging on Linux with additional ports in development for other operating systems.
A Python script to convert a Windows PE executable file to a batch file and vice versa. It supports output methods like DEBUG.exe for x86 and PowerShell for x86/x64.
The Firmware Mod Kit allows for easy deconstruction and reconstruction of firmware images for various embedded devices. It primarily targets Linux-based routers and supports common formats like TRX/uImage and SquashFS/CramFS.
flashrom identifies, reads, writes, verifies, and erases BIOS/ROM/flash chips. It supports in-system flashing on mainboards and external devices like network cards and programmers.
gdb-peda is a Python GDB script that provides handy commands to speed up exploit development on Linux/Unix systems. It also serves as a framework for writing custom interactive Python GDB commands.
GEF provides a modern experience for GDB with advanced debugging capabilities for x86/64, ARM, MIPS, PowerPC, and SPARC architectures. It enhances GDB using the Python API to assist exploit developers, reverse-engineers, and application developers during dynamic analysis and exploit development.
Ghidra is a software reverse engineering framework developed by the NSA that provides tools for analyzing compiled code across Windows, macOS, and Linux platforms. It supports disassembly, decompilation, graphing, scripting, and more for interactive and automated analysis.
GDB is a source-level debugger capable of breaking programs at any specific line, displaying variable values, and determining where errors occurred. It supports multiple languages including C, C++, Fortran, Java, and assembly.
Google Nexus Tools provides ADB (Android Debug Bridge) and Fastboot command-line tools for Nexus devices. It enables debugging, file transfer, shell access, and flashing on Android devices via USB or TCP/IP.
HexWalk is a cross-platform hex editor, viewer, and analyzer for binary files. It integrates features like advanced pattern searching, binwalk support, entropy analysis, and more.
Hyperion is a runtime encrypter for 32-bit portable executables that uses AES-128 encryption. The encrypted executable self-decrypts on startup by bruteforcing the AES key.
Heterogeneous set of I2C tools for Linux including bus probing, chip dumping, register access, and EEPROM decoding. Provides userspace access to I2C devices and related protocols.
ImHex is a hex editor designed for reverse engineers, programmers, and users who need a retina-friendly interface for late-night work. It provides tools for analyzing and editing binary data.
jadx is a Dex to Java decompiler that produces Java source code from Android Dex and APK files. It includes both command-line and GUI tools with features like resource decoding and deobfuscation.
JavaSnoop intercepts Java applications locally by attaching to existing processes, allowing tampering with method calls, running custom code, or monitoring system activity without needing original source code.
JD-GUI is a standalone graphical utility that displays the Java source code of .class files. It allows browsing the reconstructed source code for instant access to methods and fields.
libsmali-java provides libraries for smali/baksmali, an assembler and disassembler for Android's dex format used by Dalvik, Android's Java VM. It supports full dex format functionality including annotations, debug info, and line info.
llvm-defaults is a metapackage that installs the default LLVM toolchain on Kali Linux, including clang, clang++, and clang-format. Used in reverse engineering and exploit development for compiling, sanitizing, and analyzing C/C++ code with LLVM-based tooling.
msitools provides utilities to create, inspect, extract, and manipulate Windows Installer (.msi) files. It includes tools like msiinfo, msibuild, msidiff, msidump, and msiextract for handling MSI package contents and databases.
NASM is a general-purpose x86 assembler that outputs various object file formats including flat binary, a.out, COFF, ELF, and Microsoft DOS/Win32 files. It includes NDISASM, a prototype x86 binary-file disassembler using the same instruction table.
OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft Windows. It emphasizes binary code analysis, making it useful when source code is unavailable.
OpenOCD is an open on-chip JTAG/SWD debug solution for embedded target devices. It provides debugging, in-system programming, and boundary-scan testing for ARM, MIPS, and other microcontroller systems.
Utility to bundle a Python application into a single package or executable file. Analyzes Python scripts to discover and include all required modules and libraries.
PyInstaller Extractor is a Python script that extracts the contents of executable files generated by PyInstaller. It enables analysis of packed Python applications.
Provides dependency packages and tools for all supported Python 2 versions in Kali Linux, covering runtime, development, and debugging support. Includes utilities such as debuggers, documentation tools, and source code scanners for internationalization.
virtualenv creates isolated Python environments, each with its own Python executable and independent set of modules installable via pip. Virtual environments can be created without root access.
QEMU is a fast processor emulator supporting multiple architectures including ARM, x86-64, RISC-V, and others. It provides full system emulation for testing, debugging, and virtual hosting.
Quark-Engine is a rule-based Android malware analysis framework for scoring threats in APK and DEX files. It provides detailed reports, call graphs, and summaries to identify high-risk behaviors quickly.
radare2 is a free and advanced command-line hexadecimal editor, disassembler, and debugger for reverse engineering. It provides a complete, portable, multi-architecture Unix-like toolchain including various utilities for binary analysis and manipulation.
Rake is a Ruby make-like utility for defining and executing build tasks. It uses standard Ruby syntax for Rakefiles, avoiding traditional Makefile complexities.
readpe is a toolkit to analyze Microsoft Windows PE binary files, parsing and comparing PE32/PE32+ executables like EXE, DLL, OCX. It provides multiple command-line tools to inspect headers, sections, resources, dependencies, packers, and suspicious characteristics.
Rfcat is a Swiss army knife for sub-GHz radio analysis. It aids security researchers in reverse-engineering hardware by reducing the time needed to create custom tools for unknown targets.
Rizin is a fork of the radare2 reverse engineering framework focused on usability, working features, and code cleanliness. It is a portable tool for analyzing binaries, disassembling code, debugging programs, forensics, and scriptable hexadecimal editing.
Cutter is a free and open-source reverse engineering platform powered by rizin. It provides an advanced and customizable interface designed for reverse engineers.
ruby-pedump is a pure Ruby tool for dumping headers, sections, and extracting resources from Win32 PE executable files like EXEs and DLLs. It provides flexible output formats and extraction options for analyzing PE structures.
rz-ghidra integrates the Ghidra decompiler and Sleigh disassembler into rizin for binary analysis. It uses only the C++ decompiler part of Ghidra, making it self-contained without requiring the full Ghidra application.
Shellnoob is a shellcode writing toolkit that converts shellcode between various formats including asm, bin, hex, obj, exe, C, Python, Ruby, and more. It offers an interactive mode for asm-to-opcode conversion, supports 32/64-bit architectures, and includes utilities for syscall resolution and binary patching.
UPX-UCL is an efficient live-compressor for executable files that reduces program and DLL sizes by 50%-70%. It supports executables for DOS, Linux/ELF (i386, amd64, ppc32) and other OS formats.
vboot-utils provides Chrome OS verified boot utilities for manipulating GPT partitions, signing kernels and firmware, and handling Chromebook internals including verified u-boot. It includes tools like cgpt for GPT manipulation, vboot-kernel-utils for kernel signing, and various firmware utilities.
Vim is an enhanced Vi editor with advanced features like multi-level undo, syntax highlighting, and Unicode support. It includes various packages for terminal, GUI, and utility tools like hex dumping with xxd.
YARA is a pattern matching tool for malware researchers to identify and classify malware samples using textual or binary patterns. It allows creation of descriptions based on strings and Boolean expressions with advanced features like wildcards and regular expressions.