1
0
Fork
You've already forked ThreatRazor
0
Program to help dissect binaries to search for malware.
  • Rust 100%
Find a file
2026年07月13日 09:20:18 -04:00
LICENSES Added license info and a README. 2026年07月10日 13:38:04 -04:00
src Added license info and a README. 2026年07月10日 13:38:04 -04:00
.gitignore Updated license info. 2026年07月13日 08:46:18 -04:00
build.rs Added license info and a README. 2026年07月10日 13:38:04 -04:00
Cargo.lock Updated crates to new versions. 2026年07月10日 13:47:16 -04:00
Cargo.lock.license Updated license info. 2026年07月13日 08:46:18 -04:00
Cargo.toml Updated license info. 2026年07月13日 08:46:18 -04:00
README.md Small README Update. 2026年07月13日 09:20:18 -04:00
threatrazor.ico Renamed repo and updated some filenames to match. 2026年04月03日 09:07:07 -04:00
threatrazor.ico.license Updated license info. 2026年07月13日 08:46:18 -04:00

Threat Razor

This tool was inspired by ThreatCheck. The difference here is I had a need for a tool that could test other, non-Defender AV solutions so I needed an agnostic tool. This came with the tradeoff that automated scanning isn't guaranteed since the AV isn't known. The tool relies on the user manually checking for scan results and giving the answers back to the tool.

If you are just testing the binary against Defender, use ThreatCheck. Although Threat Razor can test against Defender, ThreatCheck is designed with Defender in mind so scanning is significantly faster.


Usage

Use -h for the small help menu.

./threatrazor -s [source] -d [destination]

-or-

.\threatrazor.exe -s [source] -d [destionation]

Explanation

This tool helps dissect binaries on a byte level and places the slices in a directory of the users choosing.

The user then checks to see if that slice is flagged by whatever AV tool they are wanting to test against either by automatic scanning, real time scanning, or by manually initiating a targetted scan, whatever is appropriate for the tool.

The source binary needs to be placed in an excluded directory to prevent conflicts when scanning.

Phase 1: Slicing

When the tool is intially kicked off, it will cut the target binary in half and begin testing halves. It'll ask the user if the section was flagged by whatever AV tool they have chosen. If the half was not flagged, the tool will flip to the other half and test again. If the current half was flagged, the tool will cut the current slice in half again and retest.

After the user answers no twice, meaning neither of the two current halves have been caught, the tool will take the last caught total slice and move into Phase 2.

Phase 2: Refinement

This phase takes a bit longer. It will continue to ask the user if different slices are caught but instead of cutting in half, it will now start cutting smaller and smaller increments of bytes off the end of slice. Refining down until, ideally, the exact byte that ends the signature is flagged.

Complete

Once the last byte is identified from the refinement phase, a hexdump is produced of the flagged section including the preceding 256 bytes. The hex and offset can be used in a decompiler like Ghidra to find the section of source code that caused the alert.

Notes

The tool will only flag one alert at a time so this process must be repeated after modifying the source code.


Non-AI Disclosure

No AI was used in any way shape or form during the creation of this software with the caveat that I cannot speak for any of the third party crates this project uses. I guarantee that I did not use any AI for any of the code I wrote.