From 57a0928cd1c249dda3ebc62d34d612209eca68cf Mon Sep 17 00:00:00 2001
From: Amanda Rousseau <amanda@amanda-mbp.local>
Date: Mon, 20 Mar 2017 14:14:16 -0700
Subject: [PATCH] updating retools

---
 idacheatsheet.html  | 190 ++++++++++++++++++++++++++++++++++++++++++++
 images/Alt-50.png   | Bin 0 -> 995 bytes
 images/Ctrl-50.png  | Bin 0 -> 1014 bytes
 images/Enter-50.png | Bin 0 -> 1026 bytes
 images/Shift-50.png | Bin 0 -> 949 bytes
 malware.md          |  17 +++-
 retools.md          |  42 ++++++++--
 7 files changed, 242 insertions(+), 7 deletions(-)
 create mode 100644 idacheatsheet.html
 create mode 100644 images/Alt-50.png
 create mode 100644 images/Ctrl-50.png
 create mode 100644 images/Enter-50.png
 create mode 100644 images/Shift-50.png

diff --git a/idacheatsheet.html b/idacheatsheet.html
new file mode 100644
index 0000000..d486637
--- /dev/null
+++ b/idacheatsheet.html
@@ -0,0 +1,190 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="chrome=1">
+    <link rel="stylesheet" href="https://securedorg.github.io//assets/css/style.css?v=5e63b4f7f8d5ec379a428172f4517e17cf6f662e">
+</head>
+<body>
+
+
+<table>
+<tr><td>
+<h1>IDAPro</br>Cheat Sheet</h1>
+<table>
+<caption style="text-align: left;"><h3>Navigation<h3></caption>
+<tr><td>Jump to operand</td><td>Enter</td></tr>
+<tr><td>Jump in new window</td><td>Alt+Enter</td></tr>
+<tr><td>Jump to previous position</td><td>Esc</td></tr>
+<tr><td>Jump to Next position</td><td>Ctrl+Enter</td></tr>
+<tr><td>Jump to address</td><td>G</td></tr>
+<tr><td>Jump by name</td><td>Ctrl+L</td></tr>
+<tr><td>Jump to function</td><td>Ctrl+P</td></tr>
+<tr><td>Jump to segment</td><td>Ctrl+S</td></tr>
+<tr><td>Jump to segment register</td><td>Ctrl+G</td></tr>
+<tr><td>Jump to problem</td><td>Ctrl+Q</td></tr>
+<tr><td>Jump to cross reference</td><td>Ctrl+X</td></tr>
+<tr><td>Jump to xref to operand</td><td> X</td></tr>
+<tr><td>Jump to entry point</td><td>Ctrl+E</td></tr>
+<tr><td>Mark Position</td><td>Alt+M</td></tr>
+</table>
+<table>
+<caption style="text-align: left;"><h3>Search</h3></caption>
+<tr><td>Next code</td><td>Alt+C</td></tr>
+<tr><td>Next data</td><td>Ctrl+D</td></tr>
+<tr><td>Next explored</td><td>Ctrl+A</td></tr>
+<tr><td>Next unexplored</td><td>Ctrl+U</td></tr>
+<tr><td>Immediate value</td><td>Alt+I</td></tr>
+<tr><td>Next immediate value</td><td>Ctrl+I</td></tr>
+<tr><td>Text</td><td>Alt+T</td></tr>
+<tr><td>Next text</td><td>Ctrl+T</td></tr>
+<tr><td>Sequence of bytes</td><td>Alt+B</td></tr>
+<tr><td>Next sequence of bytes</td><td>Ctrl+B</td></tr>
+<tr><td>Not function</td><td>Alt+U</td></tr>
+</table>
+<table>
+<caption style="text-align: left;"><h3>Graphing</h3></caption>
+<tr><td>Flow chart</td><td>F12</td></tr>
+<tr><td>Function calls</td><td>Ctrl+F12</td></tr>
+</table>
+<table>
+<caption style="text-align: left;"><h3>Comments</h3></caption>
+<tr><td>Enter comment</td><td>Shift+; </td></tr>
+<tr><td>Enter repeatable comment</td><td>; </td></tr>
+<tr><td>Enter anterior lines</td><td>Ins </td></tr>
+<tr><td>Enter posterior lines</td><td>Shift+Ins </td></tr>
+<tr><td>Insert predefined comment</td><td>Shift+F1</td></tr>
+</table>
+<table>
+<caption style="text-align: left;"><h3>Data Format Options</h3></caption>
+<tr><td>ASCII strings style</td><td>Alt+A</td></tr>
+<tr><td>Setup data types</td><td>Alt+D</td></tr>
+</table>
+</td>
+<td>
+<table>
+<caption style="text-align: left;"><h3>Open Subviews</h3></caption>
+<tr><td>Names</td><td>Shift+F4</td></tr>
+<tr><td>Functions</td><td>Shift+F3</td></tr>
+<tr><td>Strings</td><td>Shift+F12</td></tr>
+<tr><td>Segments</td><td>Shift+F7</td></tr>
+<tr><td>Segment registers</td><td>Shift+F8</td></tr>
+<tr><td>Signatures</td><td>Shift+F5</td></tr>
+<tr><td>Type libraries</td><td>Shift+F11</td></tr>
+<tr><td>Structures</td><td>Shift+F9</td></tr>
+<tr><td>Enumerations</td><td>Shift+F10</td></tr>
+</table>
+
+
+
+<table>
+<caption style="text-align: left;"><h3>File Operations</h3></caption>
+<tr><td>Parse C header file</td><td>Ctrl+F9</td></tr>
+<tr><td>Create ASM file</td><td>Alt+F10</td></tr>
+<tr><td>Save database</td><td>Ctrl+W</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Debugger</h3></caption>
+<tr><td>Star process</td><td>F9</td></tr>
+<tr><td>Terminate process</td><td>Ctrl+F2</td></tr>
+<tr><td>Step into</td><td>F7</td></tr>
+<tr><td>Step over</td><td>F8</td></tr>
+<tr><td>Run until return</td><td>Ctrl+F7</td></tr>
+<tr><td>Run to cursor</td><td>F4</td></tr>
+<tr><td>Breakpoints</td></tr>
+<tr><td>Breakpoint list</td><td>Ctrl+Alt+B</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Watches</caption>
+<tr><td>Delete watch</td><td>Del</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Tracing</caption>
+<tr><td>Stack trace</td><td>Ctrl+Alt+S</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Miscellaneous</h3></caption>
+<tr><td>Calculator</td><td>Shift+/ </td></tr>
+<tr><td>Cycle through open views</td><td>Ctrl+Tab </td></tr>
+<tr><td>Select tab</td><td>Alt + [1…N] </td></tr>
+<tr><td>Close current view</td><td>Ctrl+F4</td></tr>
+<tr><td>Exit</td><td>Alt+X </td></tr>
+<tr><td>IDC Command</td><td>Shift+F2</td></tr>
+</table>
+
+</td>
+<td>
+<table>
+<caption style="text-align: left;"><h3>Edit (Data Types – etc)</h3></caption>
+<tr><td>Copy</td><td>Ctrl+Ins</td></tr>
+<tr><td>Begin selection</td><td>Alt+L</td></tr>
+<tr><td>Manual instruction</td><td>Alt+F2</td></tr>
+<tr><td>Code</td><td>C</td></tr>
+<tr><td>Data</td><td>D</td></tr>
+<tr><td>Struct variable</td><td>Alt+Q</td></tr>
+<tr><td>ASCII string</td><td>A</td></tr>
+<tr><td>Array</td><td>Num *</td></tr>
+<tr><td>Undefine</td><td>U</td></tr>
+<tr><td>Rename</td><td>N</td></tr>
+</table>
+
+
+<table>
+<caption style="text-align: left;"><h3>Operand Type</caption>
+<tr><td>Offset (data segment)</td><td>O</td></tr>
+<tr><td>Offset (current segment)</td><td>Ctrl+O</td></tr>
+<tr><td>Offset by (any segment)</td><td>Alt+R</td></tr>
+<tr><td>Offset (user-defined)</td><td>Ctrl+R</td></tr>
+<tr><td>Offset (struct)</td><td>T</td></tr>
+<tr><td>Number (default)</td><td>Shift+3</td></tr>
+<tr><td>Hexadecimal</td><td>Q</td></tr>
+<tr><td>Decimal</td><td>H</td></tr>
+<tr><td>Binary</td><td>B</td></tr>
+<tr><td>Character</td><td>R </td></tr>
+<tr><td>Segment</td><td>S</td></tr>
+<tr><td>Enum member</td><td>M </td></tr>
+<tr><td>Stack variable</td><td>K</td></tr>
+<tr><td>Change sign</td><td>Shift+-</td></tr>
+<tr><td>Bitwise negate</td><td> Shift+`</td></tr>
+<tr><td>Manual</td><td>Alt+F1</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Segments</caption>
+<tr><td>Edit segment</td><td>Alt+S</td>
+<tr><td>Change segment register value</td><td>Alt+G</td></tr>
+</table>
+
+<table>
+<caption style="text-align: left;"><h3>Structs</caption>
+<tr><td>Struct var</td><td>Alt+Q</td><tr>
+<tr><td>Force zero offset field</td><td>Ctrl+Z</td></tr>
+<tr><td>Select union member</td><td>Alt+Y</td></tr>
+</table>
+
+
+<table>
+<caption style="text-align: left;"><h3>Functions</caption>
+<tr><td>Create function</td><td>P</td></tr>
+<tr><td>Edit function</td><td>Alt+P </td></tr>
+<tr><td>Set function end</td><td>E </td></tr>
+<tr><td>Stack variables</td><td>Ctrl+K </td></tr>
+<tr><td>Change stack pointer</td><td>Alt+K</td></tr>
+<tr><td>Rename register</td><td>V</td></tr>
+<tr><td>Set function type</td><td>Y</td></tr>
+</table>
+</td>
+
+</tr>
+
+</table>
+
+
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/images/Alt-50.png b/images/Alt-50.png
new file mode 100644
index 0000000000000000000000000000000000000000..78f6b07c676adca6f5cf1bde9db91493cf3fad82
GIT binary patch
literal 995
zcmeAS@N?(olHy`uVBq!ia0vp^k|4~%1|*NXY)uAIjKx9jP7LeL$-D$|I14-?iy0WW
zg+Z8+Vb&Z8pn}NEkcg59UmvUF{9L`nl>DSry^7odplSvNn+hu+GdHy)QK2F?C$HG5
z!d3~a!V1U+3F|8<fR&VF+bTu)1}He^7o{qg>Y3;nDA{o-C@9zzrKDK}xwt{K19`Se
z86_nJR{Hwo<>h+i#(Mch>H3D2mX`VkM*2oZx<D1W#g%y_i50qe#mW#vVCJ}_7AF^F
z7L;V>=P7{9O-#x!EwNQn0$BtH5O<bjrXg&~D~5Ut=s|sujJ~0sfj-=9pjI1@sFi<F
zW-8ETkok6oHei(~Vo-Z*^g)&*IR@fWuqe>0c3d|4@L;p!@;Rg)$-uy*?CIhd;=#Li
z+F36dM}dax`)91+>}Zs!X?Sq3q5TKLO@X}?AD$RL(WnqOYZ_<EY3Cu(qEpEz$ip(p
zd6Id@IysS}^WRG^zjO2CoB7tP_shyl%R@`U%g={teK&G2oO127)|TaWpQKOtbd1f2
z>HOrVdi!*r{a(I2YV$H|TF-A_&{y~pQavp?ZO$RPoI|b0+#YJjG@Y9N;FX;AyHnXW
zn$$nUsoyrpW<E7difw=P7xOcbj%Paie!E(qivE%Oltt;Ll)m$!b1cXF?)>i9HTUD6
z8F~HHN&9EBygneTEcmcgD)3(Asysa_OHTI5KC{~jzV!Xtyk+gW#aARB-VIQ?^gHaa
z=ncn@=2ND`KM-AWNJ-;n!{NTN*Ejo8Ql1@e%scHpqltM%)1$<XH`X6iH*mk#Z{W98
z@$DR!`|NGjHy7`i<R`n>rp5LKYxBjxhu2yafBm04V}r|iiydDo4eYJH=1Q^6U$X7e
zsZO_;eQdhZA1c={%l>6({$N>D8fO<Cyd(C7c4@}cisl08IWj-wTKlq!PJKGqwprz)
z-uAgWx&+jv_VQ<T?E0LsMeDPmNN@KFCHI?#uNK*_&R_NVNaM|p*=$SxR>p3NePZ)#
zYxU~M^#+r(?%FB8p6=0H)^Gak`xD-fg*ht|KX|C$)PKzOHvWR|I*BliyucdC*uYTr
zF7Z?6mu|nEEMB$Bw%f8R|BuyI?Ow@Jm3!Wz@&>E=r!A}3PIOI=+hFwc;h}qssTrYj
TCpLvMgL0mytDnm{r-UW|NScj3

literal 0
HcmV?d00001

diff --git a/images/Ctrl-50.png b/images/Ctrl-50.png
new file mode 100644
index 0000000000000000000000000000000000000000..0e0d8e45952c6ed08283003e63fdef9280533109
GIT binary patch
literal 1014
zcmeAS@N?(olHy`uVBq!ia0vp^k|4~%1|*NXY)uAIjKx9jP7LeL$-D$|I14-?iy0WW
zg+Z8+Vb&Z8pn}NEkcg59UmvUF{9L`nl>DSry^7odplSvNn+hu+GdHy)QK2F?C$HG5
z!d3~a!V1U+3F|8<fR&VF+bTu)1}He^7o{qg>Y3;nDA{o-C@9zzrKDK}xwt{K19`Se
z86_nJR{Hwo<>h+i#(Mch>H3D2mX`VkM*2oZx<D1W#g%y_i50qe#mW#vVCJ}_7AF^F
z7L;V>=P7{9O-#x!EwNQn0$BtH5O<bjrXg&~D~5Ut=s|sujJ~0sfj-=9pjI1@sFi<F
zW-8ETkok6oHei(~Vo-Z*^g)&*IR@fWuqe>0c3d|4@L;p!@;Rg)$-uy5=IP=X;=#Li
zs;{?LphVk!oy`i$zu22nbcLK^RC9Y`b`&PRu5%R3TeR(^nNq>?`hWuEC)<1luB>7?
z+UqEN*+n@1%DUGU{k@ORXum(sd;LuDxjDu5#?P~}whG5SDzogiF1_r3zvShkx)jDz
z=lrf)yWd>cJ1??isgKCIgC;!(eLJcSEi3iux8J~$pAf%U?gs~Z!qf5(ucM|eHexU?
z5S5$#ME1^hhPl^_+U}dgwz9LGurw^({bF%j;@Jf5q)n#pTMj*EON;KS-BUVsXRh9?
z#UC`Qmi%&?`#5)wN9VRc`L=7n?}UcdOuOZBJmf@dPLBFlff!w>l`G7*&Hd_pfq!Y|
zsYxzO>iKf>4$JIm(f%No*Id-OYPrFrMgQaHi27U26)WoH>zv<Mox$|(fQ3&}^-J+L
zhq-68?hj}W3a#zz{r#Z$T6XL1-zR-{Gsr*Ct6`jcWRj}Q`b{c^&*o>?vGJW$uHdg0
zIDL2LhmwG8g&N+W-wrG+iW57?8OzpwOl9{5zTgdva;~q`bC$h$bLhmXtgX39{H{wY
z1Glfx*mtJ%mCdQg-yhi8Ydu{2zHFm$X?lvgKTE32=^LHrPOo2o#nscKcY7Dh)U;53
zpGPj{MjfpIPcN>ByPw>CfOGfsttKn;@97yj{rY$9%vXDk#TPPn8ttETBv!Wm*!3g!
z3j2dJ%v9Sm7}5^tOPO|llFxrCTyWFXHt}*1-(&gzT|3rA)@4@N9O+ZbiM0OGv-wR)
mh>w``>eS~>?td?J{9$hEh+ogbf6@n(89iP7T-G@yGywprgOV)(

literal 0
HcmV?d00001

diff --git a/images/Enter-50.png b/images/Enter-50.png
new file mode 100644
index 0000000000000000000000000000000000000000..e88513e75f8113a912db0b642749f0a2f3ec1e36
GIT binary patch
literal 1026
zcmeAS@N?(olHy`uVBq!ia0vp^k|4~%1|*NXY)uAIjKx9jP7LeL$-D$|I14-?iy0WW
zg+Z8+Vb&Z8pn}NEkcg59UmvUF{9L`nl>DSry^7odplSvNn+hu+GdHy)QK2F?C$HG5
z!d3~a!V1U+3F|8<fR&VF+bTu)1}He^7o{qg>Y3;nDA{o-C@9zzrKDK}xwt{K19`Se
z86_nJR{Hwo<>h+i#(Mch>H3D2mX`VkM*2oZx<D1W#g%y_i50qe#mW#vVCJ}_7AF^F
z7L;V>=P7{9O-#x!EwNQn0$BtH5O<bjrXg&~D~5Ut=s|sujJ~0sfj-=9pjI1@sFi<F
zW-8ETkok6oHei(~Vo-Z*^g)&*IR@fWuqe>0c3d|4@L;p!@;Rg)$-uzm<muuV;=#Li
znr**tph(+U*N3YmFG{l>te+4dVAA!nHQ*=nABI*J<%^nb{wqXPRI0cZPRdyEV#1HQ
zdB(qOH^1Ncd`@+KlIr<6d#}f3uity^-;T|jat&uDd|N)_-Sgk&jNA2(rfu5PP{_0<
zaW|v;19hICyBcIah^;&HThaMg+7ruJ;RVcP2LsH`{gll+SZKkzc#><xBL5B5SE{NC
z;y*@i73uC+z0D<U!HefizfR1tmb|`v<=p$OM>vC(_GhMFlIf{hw@k=z1^cwj*YBSg
zSxjHPV47Od(i5+CSNRG(aM@TNSaNd1itVRF+t)e%vj6a6T5|QpSe?z1E_c^o%C}FO
z#GtiX{45Vo0mC<kc(?eA{aubR52bP(?z<M>VbE9HJ|j(AuP9`b`uB~W7R_yb=jt8F
zlkoG5TIv$Zc%GzAzQd6}!X6lF++`?kp0&#FtLx>HSGD6-WKZy3u}*t`V9zw2=C4^-
zUaqidEd8Ksl;A7&=(FLjpErfyM0qx_XV@KBYIMm)aP8H!Z^vKk?qA+*w{PmrYqm3k
zE>-e~KhV3wXnexfFkAgLclrahJ#5+wdLIX0n%>D~+%|Q3^@{uH7X0&0u`ICEc6L1T
zNU_3R@BA*`OgH9?m5$+?7UunMtO(<I<?COa$51PLL}-c2HPgm5Kb1dl?EbjV+w|k*
z?QMC=ede1^-S6LUX8pZo&wt$iHr;S_eb-;<9eiImKiYBgo1E{L+C}}}Uzy3YPUbA?
zIJbAv7MY8eW1@<F-FsNcI_rPftFxO+{(FB)^8d$pji-pGlcy7ye;F7&UHx3vIVCg!
E0C<<A)c^nh

literal 0
HcmV?d00001

diff --git a/images/Shift-50.png b/images/Shift-50.png
new file mode 100644
index 0000000000000000000000000000000000000000..1fbb5d84d58faf1a934c961a05264cd99494dd89
GIT binary patch
literal 949
zcmeAS@N?(olHy`uVBq!ia0vp^k|4~%1|*NXY)uAIjKx9jP7LeL$-D$|I14-?iy0WW
zg+Z8+Vb&Z8pn}NEkcg59UmvUF{9L`nl>DSry^7odplSvNn+hu+GdHy)QK2F?C$HG5
z!d3~a!V1U+3F|8<fR&VF+bTu)1}He^7o{qg>Y3;nDA{o-C@9zzrKDK}xwt{K19`Se
z86_nJR{Hwo<>h+i#(Mch>H3D2mX`VkM*2oZx<D1W#g%y_i50qe#mW#vVCJ}_7AF^F
z7L;V>=P7{9O-#x!EwNQn0$BtH5O<bjrXg&~D~5Ut=s|sujJ~0sfj-=9pjI1@sFi<F
zW-8ETkok6oHei(~Vo-Z*^g)&*IR@fWuqe>0c3d|4@L;p!@;Rg)2@K?~o-U3d9=v;}
z?Dk@I6luG@!Z51C?4Fh4`h@hytlHesTSXlOzIfL3B&4P%u5Vo`7N*JK_~Fu$iz4^_
z<<AjLYnQ##dPM%;oY!-TpS?-j{6^kD<cov6m~*_qx+Qhmzk^-AIec_Ha5eSStRJf9
zx~!9e&-g0r=2~%6Ec(&ph|O%fjq;9$PRw2w)>i+d-{Sd7XWLgrjXAM3qSFn3alG2w
zapk<;QD>2bdVOvwp9}>}jxg(Q{3zUiK7d`OGhE|ME}N@Hl(4qx9M6Z9ioA(;YQox|
z|M5Ar<44{_5214FsW#%`N38WXGJag-cI4g>Hb=G1=Ypy^q+?Ea-<x&f)Px&999K<T
zJ%3iiGMSY7B8TpM`PMT1#*fa)?sYag%_{3N>(ABJ7c{3dvj2IgYF5WJnf=Y3^`d{u
zmiSj$&uh8bGGp3D1tsSrm0|6>=3d#g#^Jj5wDfl0S@%D^iSdgHIv1I+<8Ii8=Rs>b
zeW!7MJ6KSf*>q@jpjgf9Q-}5znk3HOGcEOiLvYf~*}>aSYj1zbAM1V1Rq8Q+runiT
ziz}3i78|Hv>wMq&dC_mLPg`ZKgjXD0ceeb$%M-KjO2MLg1D^;dp9-0CW6=&3x$fmM
zNuo9jEDNJ^x?EYG=&@#PJ38%z_`HQORb7_9RAOUyNnI#xv+E9>nxnM!(yFbep8jW8
X;S_wFW0TejP+szM^>bP0l+XkKTSj*)

literal 0
HcmV?d00001

diff --git a/malware.md b/malware.md
index 58b269a..efc1946 100644
--- a/malware.md
+++ b/malware.md
@@ -43,7 +43,7 @@ title: Malware Techniques
   * [Enigma Protector](http://www.enigmaprotector.com)
   * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm)
   * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm)
-  * [eXPressor(http://www.cgsoftlabs.ro/express.html)
+  * [eXPressor](http://www.cgsoftlabs.ro/express.html)
   * [FSG](http://xtreeme.prv.pl/)
   * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/)
   * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&amp;id=dev)
@@ -58,6 +58,8 @@ title: Malware Techniques
   * [VMProtect](http://vmpsoft.com/products/vmprotect)
   * [XComp/XPack](http://soft-lab.de/JoKo)
   
+  <center>[Top^](#techniques-overview)</center>
+  
 ## Obfuscation
 
 * Deliberate act of creating obfuscated code that is difficult for humans to understand
@@ -116,15 +118,26 @@ Example: Mimikatz credential theft
 
 * Gain knowledge about the system and internal network.
 
-## Lateral Movement     
+## Lateral Movement   
+
+* Enable an adversary to access and control remote systems on a network and could  
 
 ## Execution
 
+* Techniques that result in execution of adversary-controlled code on a local or remote system
+* scripts
+* post-exploitation
+
 ## Collection
 
+* Identify and gather information, such as sensitive files, from a target network prior to exfiltration
+
 ## Exfiltration
 
+* Removing files and information
+
 ## Command and Control
 
+* Communicate with systems under their control 
 
 [x86 Assembly <- Back](https://securedorg.github.io/RE101/section1.3) | [Next -> Section 3](https://securedorg.github.io/RE101/section3)
diff --git a/retools.md b/retools.md
index 51b4ded..61e6a53 100644
--- a/retools.md
+++ b/retools.md
@@ -7,10 +7,42 @@ title: RE Tools
 
 # Section 3: Reverse Engineering (RE) Tools #
 
-* Disassembler
-* Decompilers
-* Debugger
-* Information Gathering
-* Support
+
+## Disassembler
+
+* [Ida](https://www.hex-rays.com/products/ida/)
+  * Free (Used in this worksop)
+  * Pro
+* [Radare](https://www.radare.org)
+* [Capstone](http://www.capstone-engine.org/)
+
+## Decompilers
+
+* [Snowman](https://derevenets.com/)
+* [dotPeek](https://www.jetbrains.com/decompiler/) .NET decompiler
+
+## Debuggers
+
+* [x64dbg](http://x64dbg.com/) (Used in this worksop)
+* [Immunity](https://www.immunityinc.com/products/debugger/)
+* [OllyDbg](http://www.ollydbg.de/)  (Most Popular)
+* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit)
+
+## Information Gathering
+
+* [CFF Explorer](http://www.ntcore.com/exsuite.php)
+* [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)
+  * procmon
+  * procexplorer
+* [InetSim: Internet Services Simulation Suite](http://www.inetsim.org/downloads.html)
+* [Yara: pattern matching rule engine](https://virustotal.github.io/yara/)
+* [Wireshark](https://www.wireshark.org/download.html) - network sniffing
+* [API Monitor](http://www.rohitab.com/downloads)
+  
+## Support
+
+* [HxD Hex Editor](https://mh-nexus.de/en/hxd/)
+* [Python](https://www.python.org/downloads/) - used for automating tasks
+
 
 [Section 2 <- Back](https://securedorg.github.io/RE101/section2) | [Next -> Section 4](https://securedorg.github.io/RE101/section4)