awesome-malware-analysis/README.md
# Awesome Malware Analysis [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
A curated list of awesome malware analysis tools and resources. Inspired by
[awesome-python](https://github.com/vinta/awesome-python) and
[awesome-php](https://github.com/ziadoz/awesome-php).
- [Malware Collection](#malware-collection)
- [Anonymizers](#anonymizers)
- [Honeypots](#honeypots)
- [Malware Corpora](#malware-corpora)
- [Open Source Threat Intelligence](#open-source-threat-intelligence)
- [Tools](#tools)
- [Other Resources](#other-resources)
- [Detection and Classification](#detection-and-classification)
- [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
- [Domain Analysis](#domain-analysis)
- [Browser Malware](#browser-malware)
- [Documents and Shellcode](#documents-and-shellcode)
- [File Carving](#file-carving)
- [Deobfuscation](#deobfuscation)
- [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
- [Network](#network)
- [Memory Forensics](#memory-forensics)
- [Windows Artifacts](#windows-artifacts)
- [Storage and Workflow](#storage-and-workflow)
- [Miscellaneous](#miscellaneous)
- [Resources](#resources)
- [Books](#books)
- [Twitter](#twitter)
- [Other](#other)
- [Related Awesome Lists](#related-awesome-lists)
- [Contributing](#contributing)
- [Thanks](#thanks)
View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大合集.md).
---
## Malware Collection
### Anonymizers
*Web traffic anonymizers for analysts.*
* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
privacy features.
* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
without leaving traces of the client IP.
### Honeypots
*Trap and collect your own samples.*
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
on Kippo.
* [DemonHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction distributed honeypots.
* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
* [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
* [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots.
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
honeypot data; supports Dionaea.
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
investigating malicious websites.
### Malware Corpora
*Malware samples collected for analysis.*
* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
database of malware and malicious domains.
* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
malware samples and analyses.
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
samples.
* [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
* [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing
rapid identification and actionable context for malware investigations.
* [Malshare](https://malshare.com) - Large repository of malware actively
scraped from malicious sites.
* [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository.
* [Open Malware Project](http://openmalware.org/) - Sample information and
downloads. Formerly Offensive Computing.
* [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware
crawler with pre-analysis and reporting functionality.
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
analysts.
* [Tracker h3x](http://tracker.h3x.eu/) - Aggregator for malware corpus trackers
and malicious download sites.
* [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of
various malware files and source code.
* [VirusBay](https://beta.virusbay.io/) - Community-Based malware repository and social network.
* [ViruSign](http://www.virussign.com/) - Malware database of samples detected by
many anti-malware programs except ClamAV.
* [VirusShare](https://virusshare.com/) - Malware repository, registration
required.
* [VX Vault](http://vxvault.net) - Active collection of malware samples.
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
of malware sample sources put together by Lenny Zeltser.
* [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus
trojan leaked in 2011.
## Open Source Threat Intelligence
### Tools
*Harvest and analyze IOCs.*
* [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source
framework for receiving and redistributing abuse feeds and threat intel.
* [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and
collaborate in developing Threat Intelligence.
* [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat
Intelligence indicators from publicly available sources.
* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
* [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) -
A tool for CERTs for processing incident data using a message queue.
* [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) -
A free editor for XML IOC files.
* [iocextract](https://github.com/InQuest/python-iocextract) - Advanced Indicator
of Compromise (IOC) extractor, Python library and command-line tool.
* [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for
working with OpenIOC objects, from Mandiant.
* [MalPipe](https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and
processing engine, that enriches collected data.
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
from various lists. Curated by the
[CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
Platform curated by [The MISP Project](http://www.misp-project.org/).
* [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
share IPs and domains. (Was PassiveTotal.)
* [threataggregator](https://github.com/jpsenior/threataggregator) -
Aggregates security threats from a number of sources, including some of
those listed below in [other resources](#other-resources).
* [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats,
with graphical visualization.
* [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python
script to monitor and generate alerts based on IOCs indexed by a set of
Google Custom Search Engines.
* [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization
and statistical analysis of Threat Intelligence feeds.
### Other Resources
*Threat intelligence and IOC resources.*
* [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) -
Snort plugin and blocklist.
* [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) -
OSINT feeds based on malicious DGA algorithms.
* [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) -
Extensive malware config database (must request access).
* [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) -
Network security blocklists.
* [Critical Stack - Free Intel Market](https://intel.criticalstack.com) - Free
intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
* [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
shared publicly by FireEye.
* [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists
with a focus on attacks, malware and abuse. Evolution, Changes History,
Country Maps, Age of IPs listed, Retention Policy, Overlaps.
* [HoneyDB](https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation.
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
* [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
searchable incident database, with a web [API](https://dshield.org/api/).
([unofficial Python library](https://github.com/rshipp/python-dshield)).
* [malc0de](http://malc0de.com/database/) - Searchable incident database.
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
malicious URLs.
* [MetaDefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) -
List of the most looked up file hashes from MetaDefender Cloud.
* [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
Rulesets and more. (Formerly Emerging Threats.)
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
An overview of ransomware families with details, detection and prevention.
* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
Standardized language to represent and share cyber threat information.
Related efforts from [MITRE](https://www.mitre.org/):
- [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/)
- [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
- [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
- [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
intelligence, with search.
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
free per month.
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
* [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
blocklists.
## Detection and Classification
*Antivirus and other malware identification tools*
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
variety of tools for reporting on Windows PE files.
* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable
distributed file analysis framework.
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
AWS pipeline that scans and alerts on uploaded files based on a set of
YARA rules.
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for
determining types of files.
* [Exeinfo PE](http://exeinfo.pe.hu/) - Packer, compressor detector, unpack
info, internal exe tools.
* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
edit file metadata.
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
Modular, recursive file scanning solution.
* [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A single-library parser to extract meta information, perform static analysis and detect macros within files.
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
a variety of algorithms.
* [HashCheck](https://github.com/gurnec/HashCheck) - Windows shell extension
to compute hashes with a variety of algorithms.
* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
compare malware at a function level.
* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
executables.
* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
framework.
* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
scanning/analysis framework.
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
up hashes in NIST's National Software Reference Library database.
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
Python alternative to PEiD.
* [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE
files.
* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
files, providing feature-rich tools for proper analysis of suspicious binaries.
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
database.
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
* [virustotal-falsepositive-detector](https://github.com/uppusaikiran/virustotal-falsepositive-detector) - A tool to analyze VirusTotal reports and find potential false positives based on the similarity of detection names.
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
analysts.
* [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate
yara rules based on a set of malware samples. Also contains a good
strings DB to avoid false positives.
* [Yara Finder](https://github.com/uppusaikiran/yara-finder) - A simple tool that matches a file against various YARA rules to find indicators of suspicion.
## Online Scanners and Sandboxes
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
* [any.run](https://app.any.run/) - Online interactive sandbox.
* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
against multiple mobile antivirus apps.
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and
malware repository.
* [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents.
* [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted
sandbox and automated analysis system.
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
legal concerns by the author.
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
Python API used to control a cuckoo-modified sandbox.
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
machine-learning classification.
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
traffic analysis of Linux malware and capture IOCs.
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
system.
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
firmware package.
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
Analysis Tool for Linux ELF Files.
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
analysis tool, powered by VxSandbox.
* [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by
identifying code reuse and code similarities.
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
analysis platform for suspicious files.
* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
of malware behavior.
* [malice.io](https://github.com/maliceio/malice) - Massively scalable malware analysis framework.
* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
online malware and URL analysis services.
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
the configuration settings from common malware families.
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
instance.
* [Metadefender](https://metadefender.opswat.com/) - Scan a file, hash or IP
address for malware (free).
* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
pcap files and facilitates the quick detection of viruses, worms, trojans, and all
kinds of malware using Suricata configured with EmergingThreats Pro.
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
collect information about malware in a sandboxed environment.
* [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
script for safely uploading binaries to sandbox sites.
* [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for
building integrations with several open source and commercial malware sandboxes.
* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
is a framework for building test automation in secured Environments.
* [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
samples and URLs.
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
visualization library and command line tools for logs. (Cuckoo, Procmon, more
to come...)
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
automated sandboxes and services, compiled by Lenny Zeltser.
## Domain Analysis
*Inspect domains and IP addresses.*
* [badips.com](https://www.badips.com/) - Community based IP blacklist service.
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
for consistent and safe capture of off network web resources.
* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
search.
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
much metadata as possible for a website and to assess its good standing.
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
network tools.
* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
engine for detecting typo squatting, phishing and corporate espionage.
* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
about an IP or domain by searching online resources.
* [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for
gathering information about URLs, IPs, or hashes. Similar to Automator.
* [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language
temporary email detection library.
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
for the VirusTotal API. Allows domain/IP research, and searching for file
hashes and scan reports.
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
confirmed reverse DNS lookup over more than 300 RBLs.
* [NormShield Services](https://services.normshield.com/) - Free API Services
for detecting possible phishing domains, blacklisted ip addresses and breached
accounts.
* [PhishStats](https://phishstats.info/) - Phishing statistics with search for
IP, domain and website title.
* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
domains and IPs.
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
and Security Scanner.
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
or network owner. (Previously SenderBase.)
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
for gathering information about URLs, IPs, or hashes.
* [URLQuery](http://urlquery.net/) - Free URL Scanner.
* [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information.
* [Whois](https://whois.domaintools.com/) - DomainTools free online whois
search.
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
online tools for researching malicious websites, compiled by Lenny Zeltser.
* [Zscaler Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
## Browser Malware
*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
[documents and shellcode](#documents-and-shellcode) sections.*
* [Firebug](https://getfirebug.com/) - Firefox extension for web development.
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
IDX cache files.
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
malware analysis tool.
* [jsunpack-n](https://github.com/urule99/jsunpack-n) - A JavaScript
unpacker that emulates browser functionality.
* [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler,
assembler, and disassembler.
* [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
* [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust
ActionScript Bytecode Disassembler."
* [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) -
Static and dynamic analysis of SWF applications.
* [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash
files.
* [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
Python script for analyzing Flash files.
## Documents and Shellcode
*Analyze malicious JS and shellcode from PDFs and Office documents. See also
the [browser malware](#browser-malware) section.*
* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
analyzing PDFs and attempting to determine whether they are malicious.
* [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript
malware, featuring JScript/WScript support and ActiveX emulation.
* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
malicious shellcode.
* [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
* [JS Deobfuscator](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) -
Deobfuscate simple JavaScript that uses eval or document.write to conceal
its code.
* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
emulation.
* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
into a JSON representation.
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
malicious traces in MS Office documents.
* [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE
and OpenXML documents and extracting useful information.
* [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for
analyzing malicious PDFs, and more.
* [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
pdf-parser, and more from Didier Stevens.
* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
the backend-free version of PDF X-RAY.
* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
tool for exploring possibly malicious PDFs.
* [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework
to analyze suspected malware documents to identify exploits in streams of different
encodings and to locate and extract embedded executables.
* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
Mozilla's JavaScript engine, for debugging malicious JS.
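The tools above (pdfid in particular) work by counting the PDF keywords that matter for triage. The following is an added example written for this page, not the code of pdfid or any other listed tool: it extracts PDF name tokens, decodes the `#xx` escapes that droppers use to spell `/JavaScript` as `/Java#53cript`, counts the interesting names and the `obj`/`stream` markers, and turns the counts into the flags an analyst acts on. The keyword list, the flag wording and the sample PDF are this example's own choices; the sample document is constructed, not a real-world file.

```python
"""pdfid-style keyword triage for PDF files (added example, not pdfid itself)."""
import re

# Names that decide whether a PDF deserves a closer look (pdfid counts these).
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/ObjStm", b"/RichMedia", b"/XFA", b"/Page",
            b"/Encrypt"]

# A PDF name token: '/' followed by regular characters (no whitespace, no delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# Any byte inside a name may be written as #xx; scanners that skip this step are blind.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(token: bytes) -> bytes:
    """Decode #xx escapes so obfuscated and plain spellings compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def pdf_keyword_counts(data: bytes) -> dict:
    """Count the triage keywords and the structural markers in raw PDF bytes.
    Only cleartext names are seen: names inside compressed object streams
    (/ObjStm) or encrypted documents need decompression first."""
    counts = {k.decode(): 0 for k in KEYWORDS}
    wanted = set(KEYWORDS)
    for token in NAME_RE.findall(data):
        name = normalise_name(token)
        if name in wanted:
            counts[name.decode()] += 1
    # Structural tokens; an imbalance usually means a truncated or crafted file.
    for word in ("obj", "endobj", "stream", "endstream"):
        counts[word] = len(re.findall(rb"\b" + word.encode() + rb"\b", data))
    return counts


def triage_flags(counts: dict) -> list:
    """Turn raw counts into the reasons an analyst would act on."""
    flags = []
    if counts["/JavaScript"] or counts["/JS"]:
        flags.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        flags.append("has an automatic action (runs when the file is opened)")
    if counts["/Launch"]:
        flags.append("can launch an external program")
    if counts["/EmbeddedFile"]:
        flags.append("carries an embedded file")
    if counts["/ObjStm"]:
        flags.append("uses object streams: keywords inside compressed streams are not counted here")
    if counts["obj"] != counts["endobj"] or counts["stream"] != counts["endstream"]:
        flags.append("obj/stream markers are unbalanced (truncated or malformed)")
    return flags


# Constructed sample: a one-page PDF whose catalog runs an obfuscated
# JavaScript action on open. Not a real-world sample.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Java#53cript /J#53 (app.alert('hello')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    counts = pdf_keyword_counts(SAMPLE_PDF)
    print({k: v for k, v in counts.items() if v})
    print(triage_flags(counts))
```

Run it on a real file with `pdf_keyword_counts(open(path, "rb").read())`. A clean-looking count with a non-zero `/ObjStm` is not a clean verdict: inflate the object streams (pdf-parser and peepdf do this) and count again.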
## File Carving
*For extracting files from inside disk and memory images.*
* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
carving tool.
* [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows
Event Log files from raw binary data.
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
by the US Air Force.
* [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library
to view and edit a binary stream field by field.
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
tool.
* [SFlock](https://github.com/jbremer/sflock) - Nested archive
extraction/unpacking (used in Cuckoo Sandbox).
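Header/footer carving is what Foremost and Scalpel do; the example below is written for this page and is not code from any tool in the list. It walks a raw buffer for JPEG and PE signatures, carves a JPEG from its SOI marker to the next EOI marker, and sizes a PE (which has no footer) from its own section table so that trailing slack is not carved along with it. The 10 MiB JPEG limit, the section-count bound and the sample image are this example's assumptions; the sample PE is a constructed minimum with no optional header, which real files always carry but the carver does not need.

```python
"""Signature-driven file carving (added example, not bulk_extractor/foremost/scalpel code)."""
import struct

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
MAX_JPEG = 10 * 1024 * 1024   # assumption: stop looking for a footer after 10 MiB


def pe_size(buf: bytes, off: int):
    """On-disk size of the PE starting at buf[off], or None if the headers at
    that offset are not a consistent PE (a stray 'MZ' inside other data)."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    nsections, = struct.unpack_from("<H", buf, pe + 6)     # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, pe + 20)     # COFF SizeOfOptionalHeader
    if not 1 <= nsections <= 96:                           # the loader's own limit
        return None
    sect = pe + 24 + opt_size                 # start of the section table
    end = sect + 40 * nsections               # never shorter than the headers
    if end > len(buf):
        return None
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
        if raw_size:
            end = max(end, off + raw_ptr + raw_size)
    return min(end, len(buf)) - off           # truncated image: carve what is there


def carve(buf: bytes):
    """Return a list of (kind, offset, data) for each file recovered from buf."""
    found, pos = [], 0
    while pos < len(buf):
        hits = [h for h in (buf.find(JPEG_SOI, pos), buf.find(b"MZ", pos)) if h != -1]
        if not hits:
            break
        start = min(hits)
        if buf.startswith(JPEG_SOI, start):
            eoi = buf.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG)
            if eoi != -1:
                found.append(("jpeg", start, buf[start:eoi + 2]))
                pos = eoi + 2
                continue
        else:
            size = pe_size(buf, start)
            if size:
                found.append(("pe", start, buf[start:start + size]))
                pos = start + size
                continue
        pos = start + 1          # false positive or unterminated: keep scanning
    return found


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header, COFF header, one section whose raw
    data sits at 0x80 and is 0x20 bytes long (SizeOfOptionalHeader = 0)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 0x20, 0x1000, 0x20, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + sect + b"\xcc" * 0x20                  # 0x80 + 0x20 bytes


# Constructed image: zero filler, a tiny JPEG, filler, the PE, filler.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_EOI
FILLER = b"\x00" * 48
SAMPLE_IMAGE = FILLER + SAMPLE_JPEG + FILLER + build_sample_pe() + FILLER

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"{kind} at {offset:#x}, {len(data)} bytes")
```

On a real image replace `SAMPLE_IMAGE` with `open(path, "rb").read()` (or an `mmap`) and write each carved blob out under its hash. Sizing a PE from its section table is also the check that tells a genuine executable from an `MZ` that merely occurs in a text file.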
## Deobfuscation
*Reverse XOR and other code obfuscation methods.*
* [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware
analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
* [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and
unpacker.
* [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html)
& [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) -
Two tools from Alexander Hanel for working with single-byte XOR encoded
files.
* [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated
String Solver uses advanced static analysis techniques to automatically
deobfuscate strings from malware binaries.
* [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte
XOR key using frequency analysis.
2015-11-04 04:02:54 -05:00
* [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic
hidden code extractor for Windows malware.
2016-06-30 22:05:30 -04:00
* [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware
2016-06-10 03:11:00 -04:00
unpacker for Windows malware based on WinAppDbg.
2015-05-14 21:47:34 -04:00
* [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using
known-plaintext attacks.
2015-11-04 03:54:07 -05:00
* [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) -
Reverse engineering tool for virtualization wrappers.
2015-05-14 21:54:50 -04:00
* [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) -
A Python script for brute forcing single-byte XOR keys.
2016-04-12 11:16:09 -04:00
* [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) -
2015-05-14 21:53:06 -04:00
A couple programs from Didier Stevens for finding XORed data.
2015-05-14 21:46:08 -04:00
* [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as
well as the key itself.
2015-05-09 12:41:13 -04:00
## Debugging and Reverse Engineering
*Disassemblers, debuggers, and other static and dynamic analysis tools.*
* [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis
framework developed at UCSB's Seclab.
* [bamfdetect](https://github.com/bwall/bamfdetect) - Identifies and extracts
information from bots and other malware.
* [BAP](https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and
open source (MIT) binary analysis framework developed at CMU's Cylab.
* [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open
source Binary Analysis and Reverse engineering Framework.
* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
reverse engineering based on graph visualization.
* [Binary ninja](https://binary.ninja/) - A reverse engineering platform
that is an alternative to IDA.
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
* [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
binary analysis and reversing, with support for many architectures and
bindings in several languages.
* [codebro](https://github.com/hugsy/codebro) - Web based code browser using
clang to provide basic code analysis.
* [Cutter](https://github.com/radareorg/cutter) - GUI for Radare2.
* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF) -
A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
* [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
and debugger.
* [dotPeek](https://www.jetbrains.com/decompiler/) - Free .NET Decompiler and
Assembly Browser.
* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
modular debugger with a Qt GUI.
* [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration
and tracing of the Windows kernel.
* [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
open TCP/IP and UDP ports in a live system and maps them to the owning application.
* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
* [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
and reverse engineers.
* [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
search for strings in PE executables including imports, exports, and debug
symbols.
* [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler.
* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
disassembler and debugger, with a free evaluation version.
* [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
malware analysis and more, with a Python API.
* [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
* [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols /
data structures reverse engineering and dissection, with code generation
for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library
to parse, modify and abstract ELF, PE and MachO formats.
* [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
* [mac-a-mal](https://github.com/phdphuc/mac-a-mal) - An automated framework
for mac malware hunting.
* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
for static analysis of Linux binaries.
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
executables.
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
Dynamic Analysis.
* [PEDA](https://github.com/longld/peda) - Python Exploit Development
Assistance for GDB, an enhanced display with added commands.
* [pestudio](https://winitor.com/) - Perform static analysis of Windows
executables.
* [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
can be used to perform automated static analysis of binaries.
* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
disassembler for x86/ARM/MIPS.
* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
reversers, malware researchers and those who want to statically inspect PE
files in more detail.
* [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
Advanced task manager for Windows.
* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
system resources.
* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
Advanced monitoring tool for Windows programs.
* [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
command-line tools that help manage and investigate live systems.
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
analysis.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
engineering sandbox by the Talos team at Cisco.
* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
server for stealth debugging.
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
debugger support.
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
that diffs two registry snapshots.
* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
[online decompilation service](https://retdec.com/decompilation/) and
[API](https://retdec.com/api/) that you can use in your tools.
* [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
and decompile complex code-reuse attacks.
* [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analysis.
* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
Linux executables.
* [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
for x86 and x86_64.
* [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
malware analysis.
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - Multipurpose debugger for the Microsoft Windows operating system, used to debug user-mode applications, device drivers, and kernel-mode memory dumps.
* [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for Windows.
## Network
*Analyze network interactions.*
* [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible
scale; both file and network protocols.
* [BroYara](https://github.com/hempnall/broyara) - Use Yara rules from Bro.
* [CapTipper](https://github.com/omriher/CapTipper) - Malicious HTTP traffic
explorer.
* [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and
decoding framework.
* [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis
and malware traffic detection.
* [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed
for "web debugging."
* [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor.
* [Haka](http://www.haka-security.org/) - An open source security oriented
language for describing protocols and applying security policies on (live)
captured traffic.
* [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing
and reading out PCAP files, including TLS streams using TLS Master Secrets
(used in Cuckoo Sandbox).
* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
building a malware lab.
* [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
malware analysis and intrusion detection system.
* [Malcom](https://github.com/tomchop/malcom) - Malware Communications
Analyzer.
* [Maltrail](https://github.com/stamparm/maltrail) - A malicious traffic
detection system, utilizing publicly available (black)lists containing
malicious and/or generally suspicious trails and featuring a reporting
and analysis interface.
* [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly.
* [Moloch](https://github.com/aol/moloch) - IPv4 traffic capturing, indexing
and database system.
* [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network
forensic analysis tool, with a free version.
* [ngrep](https://github.com/jpr5/ngrep) - Search through network traffic
like grep.
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
traffic visualizer.
* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
ICAP Server with yara scanner for URL or content.
* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
designed to analyze web-based network traffic to detect command
and control (C&C) servers and malicious sites, using the Squid proxy server and
Spamhaus.
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
* [tcpick](http://tcpick.sourceforge.net/) - Track and reassemble TCP streams
from network traffic.
* [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network
traffic.
* [Wireshark](https://www.wireshark.org/) - The network traffic analysis
tool.
## Memory Forensics
*Tools for dissecting malware in memory images or running systems.*
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
forensics client supporting hiberfil, pagefile, raw memory analysis.
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
Malware in Memory, built on Volatility.
* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
Volatility Memory Forensics Framework.
* [FindAES](https://sourceforge.net/projects/findaes/) - Find AES
encryption keys in memory.
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
analysis framework developed in .NET that supports all Windows x64 versions and includes
code integrity and write support.
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
of analysis using Volatility, and create a readable report.
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
forked from Volatility in 2013.
* [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
on Volatility for automating various malware analysis tasks.
* [VolDiff](https://github.com/aim4r/VolDiff) - Run Volatility on memory
images before and after malware execution, and report changes.
* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced
memory forensics framework.
* [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for
Volatility Memory Analysis framework.
* [WDBGARK](https://github.com/swwwolf/wdbgark) -
WinDBG Anti-RootKit Extension.
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
Live memory inspection and kernel debugging for Windows systems.
## Windows Artifacts
* [AChoir](https://github.com/OMENScan/AChoir) - A live incident response
script for gathering Windows artifacts.
* [python-evt](https://github.com/williballenthin/python-evt) - Python
library for parsing Windows Event Logs.
* [python-registry](http://www.williballenthin.com/registry/) - Python
library for parsing registry files.
* [RegRipper](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/)
([GitHub](https://github.com/keydet89/RegRipper2.8)) -
Plugin-based registry analysis tool.
## Storage and Workflow
* [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis
Pipeline System.
* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
malware and threat repository.
* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
framework featuring a pipeline that can be extended with custom modules,
which can be chained and interact with each other to perform end-to-end
analysis.
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
search malware.
* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
platform designed to help analysts reverse malware collaboratively.
* [stoQ](http://stoq.punchcyber.com) - Distributed content analysis
framework with extensive plugin support, from input to output, and everything
in between.
* [Viper](http://viper.li/) - A binary management and analysis framework for
analysts and researchers.
## Miscellaneous
* [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware
with good intentions that aims to stress anti-malware systems.
* [CryptoKnight](https://github.com/AbertayMachineLearningGroup/CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.
* [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
The Defense Cyber Crime Center's Malware Configuration Parser framework.
* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable,
Windows-based, security distribution for malware analysis.
* [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database
containing exploits used by malware.
* [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of
malware programs that were distributed in the 1980s and 1990s.
* [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large sets of malicious/benign files into an organised structure.
* [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
tool that employs several techniques to detect sandboxes and analysis
environments in the same way as malware families do.
* [REMnux](https://remnux.org/) - Linux distribution and docker images for
malware reverse engineering and analysis.
* [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile
forensics, malware analysis, and security.
# Resources
## Books
*Essential malware analysis reading material.*
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
Tools and Techniques for Fighting Malicious Code.
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
Guide to Dissecting Malicious Software.
* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
Intermediate Reverse Engineering.
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
Security and Incident Response.
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
Malware and Threats in Windows, Linux, and Mac Memory.
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
to the World's Most Popular Disassembler.
* [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - Escape and Evasion
in the Dark Corners of the System.
## Twitter
*Some relevant Twitter accounts.*
* Adamb [@Hexacorn](https://twitter.com/Hexacorn)
* Andrew Case [@attrc](https://twitter.com/attrc)
* Binni Shah [@binitamshah](https://twitter.com/binitamshah)
* Claudio [@botherder](https://twitter.com/botherder)
* Dustin Webber [@mephux](https://twitter.com/mephux)
* Glenn [@hiddenillusion](https://twitter.com/hiddenillusion)
* jekil [@jekil](https://twitter.com/jekil)
* Jurriaan Bremer [@skier_t](https://twitter.com/skier_t)
* Lenny Zeltser [@lennyzeltser](https://twitter.com/lennyzeltser)
* Liam Randall [@hectaman](https://twitter.com/hectaman)
* Mark Schloesser [@repmovsb](https://twitter.com/repmovsb)
* Michael Ligh (MHL) [@iMHLv2](https://twitter.com/iMHLv2)
* Monnappa [@monnappa22](https://twitter.com/monnappa22)
* Open Malware [@OpenMalware](https://twitter.com/OpenMalware)
* Richard Bejtlich [@taosecurity](https://twitter.com/taosecurity)
* Volatility [@volatility](https://twitter.com/volatility)
## Other
* [APT Notes](https://github.com/aptnotes/data) - A collection of papers
and notes related to Advanced Persistent Threats.
* [File Formats posters](https://github.com/corkami/pics) - Nice visualizations
of commonly used file formats (including PE & ELF).
* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
other resources.
* [Kernel Mode](http://www.kernelmode.info/forum/) - An active community
devoted to malware analysis and kernel development.
* [Malicious Software](https://zeltser.com/malicious-software/) - Malware
blog and resources by Lenny Zeltser.
* [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
Custom Google search engine from [Corey Harrell](journeyintoir.blogspot.com/).
* [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
practical malware analysis.
* [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This
blog focuses on network traffic related to malware infections.
* [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) -
This package contains most of the software referenced in the Practical Malware
Analysis book.
* [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - These are the
course materials used in the Malware Analysis course at Rensselaer Polytechnic
Institute during Fall 2015.
* [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan
Carvey's page on Malware.
* [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) - Windows registry file format specification.
* [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT
tools and resources, with a
[malware analysis](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on) flair.
* [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit.
* [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) -
Reverse engineering subreddit, not limited to just malware.
* [Ember](https://github.com/endgameinc/ember) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
# Related Awesome Lists
* [Android Security](https://github.com/ashishb/android-security-awesome)
* [AppSec](https://github.com/paragonie/awesome-appsec)
* [CTFs](https://github.com/apsdehal/awesome-ctf)
* [Forensics](https://github.com/Cugu/awesome-forensics)
* ["Hacking"](https://github.com/carpedm20/awesome-hacking)
* [Honeypots](https://github.com/paralax/awesome-honeypots)
* [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security)
* [Incident-Response](https://github.com/meirwah/awesome-incident-response)
* [Infosec](https://github.com/onlurking/awesome-infosec)
* [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
* [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Security](https://github.com/sbilly/awesome-security)
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
* [YARA](https://github.com/InQuest/awesome-yara)
# [Contributing](CONTRIBUTING.md)
Pull requests and issues with suggestions are welcome! Please read the
[CONTRIBUTING](CONTRIBUTING.md) guidelines before submitting a PR.
# Thanks
This list was made possible by:
* Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;
* Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for
writing the *Malware Analyst's Cookbook*, which was a big inspiration for
creating the list;
* And everyone else who has sent pull requests or suggested links to add here!
Thanks!