
Top picks: de4dot, Binwalk, GrammaTech DDisasm — plus 45 more compared.
xortool.py is a free tool. Security professionals most commonly compare it with . All 48 alternatives are matched by shared capabilities, tags, and NIST CSF 2.0 coverage.
A closer look at the 8 most relevant alternatives and competitors to xortool.py, including their key features and shared capabilities.
An open source .NET deobfuscator and unpacker that restores packed and obfuscated assemblies by reversing various obfuscation techniques.
Binwalk is a firmware analysis tool that enables reverse engineering and extraction of embedded file systems and archives from firmware images.
Fast disassembler producing reassemblable assembly code using Datalog.
A Yara ruleset designed to detect PHP shells and other webserver malware for malware analysis and threat detection.
Ghidra is an NSA-developed software reverse engineering framework that provides disassembly, decompilation, and analysis tools for examining compiled code across multiple platforms and processor architectures.
An OCaml Ctypes wrapper for the YARA matching engine that enables malware identification capabilities in OCaml applications.
FLARE-VM is a Windows virtual machine setup tool that automates the installation and configuration of reverse engineering and malware analysis software using Chocolatey and Boxstarter technologies.
PINT is a PIN tool that enables Lua scripting for Intel's PIN dynamic instrumentation framework, allowing researchers to inject custom code during binary analysis processes.
A declarative language for describing binary data structures that compiles into parsers for multiple programming languages.
Binkit is a binary analysis tool that merged with DarunGrim and incorporates its analysis algorithms, currently in internal testing before official release.
Interactive incremental disassembler with data/control flow analysis capabilities.
A Vim syntax-highlighting plugin for YARA rules that supports versions up to v4.3 and provides enhanced code readability for malware analysts.
Plugin that decompiles malware PE files into readable C code using hybrid analysis.
Agentic AI tool for automated malware reverse engineering & phishing analysis.
AI-powered malware analysis & threat research platform with chat interface.
AI-powered binary analysis platform for reverse engineering & malware analysis.
A reverse engineering tool that extracts and organizes Samsung ODIN3 protocol messages from USB packet captures into human-readable files.
A read-only FUSE driver that enables Linux systems to mount and access Apple File System (APFS) volumes, including encrypted and fusion drives.
An open-source incident response case management tool.
HexPrism is a fast, privacy-first hex editor built for CTFs and digital forensics.
libevt is a library to access and parse Windows Event Log (EVT) files.
Unfurl is a URL analysis tool that extracts and visualizes data from URLs, breaking them down into components and presenting the information visually.
A library to access and manipulate RAW image files.
Free software for extracting Microsoft cabinet files, supporting all features and formats of Microsoft cabinet files and Windows CE installation files.
A library for accessing and parsing Windows NT Registry File (REGF) format files, designed for digital forensics and registry analysis applications.
A library for accessing and parsing OLE 2 Compound File (OLECF) format files, including Microsoft Office documents and thumbs.db files.
A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.
edb is a powerful debugger for Linux binaries, enhancing reverse engineering efforts with a user-friendly interface and extensible plugins.
A .NET assembly debugger and editor that enables reverse engineering and dynamic analysis of compiled .NET applications without source code access.
An open source tool that generates YARA rules from installed software on running operating systems for efficient software identification in digital forensic investigations.
wxHexEditor is a free cross-platform hex editor and disk editor for editing binary files, disk devices, and logical drives with data manipulation and checksum calculation features.
FSF is a modular, recursive file scanning solution that enables analysts to extend the utility of Yara signatures and define actionable intelligence within a file.
Dynamic binary analysis library with various analysis and emulation capabilities.
DMG2IMG converts Apple compressed DMG archives to standard HFS+ image files supporting zlib, bzip2, and LZFSE compression formats.
Fnord is a pattern extraction tool that analyzes obfuscated code using sliding window techniques to identify frequent byte sequences and generate experimental YARA rules for malware analysis.
A script for extracting common Windows artifacts from source images and VSCs with detailed dependencies and usage instructions.
UDcide is an Android malware analysis tool that detects and removes specific malicious behaviors from malware samples while preserving the binary for investigation purposes.
BinaryAlert is an open-source serverless AWS pipeline that automatically scans files uploaded to S3 buckets with YARA rules and generates immediate alerts when malware is detected.
A disassembly framework with support for multiple hardware architectures and clean API.
RetDec is an LLVM-based decompiler that converts machine code from various architectures and file formats back into readable C-like source code for reverse engineering and malware analysis.
AfterGlow Cloud is a Django-based web application that allows users to upload data and generate graph visualizations through a browser interface.
A GNU Emacs editor mode that provides syntax highlighting, indentation, and language server integration for editing YARA rule files.
A Python wrapper for the Libemu library that enables shellcode analysis and malicious code examination through programmatic interfaces.
FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.
COPS is a YAML-based schema standard for creating collaborative DFIR playbooks that provide structured guidance for incident response processes.
A C library that enables cross-platform execution of functions from stripped binaries using file names, offsets, and function signatures.
OCaml bindings to the YARA scanning engine for integrating YARA scanning capabilities into OCaml projects.
StringSifter is a machine learning tool that automatically ranks strings extracted from malware samples based on their relevance for analysis.
Common questions security professionals ask when evaluating alternatives and competitors to xortool.py.
The most popular alternatives to xortool.py include de4dot, Binwalk, GrammaTech DDisasm, lw-yara, and Ghidra Software Reverse Engineering Framework. These Digital Forensics and Incident Response tools offer similar capabilities and are frequently compared by security professionals evaluating their options.