2015-05-08 20:08:28 -04:00
# Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by
[awesome-python ](https://github.com/vinta/awesome-python ) and
[awesome-php ](https://github.com/ziadoz/awesome-php ).
- [Awesome Malware Analysis ](#awesome-malware-analysis )
2015-05-08 23:40:28 -04:00
- [Malware Collection ](#malware-collection )
- [Anonymizers ](#anonymizers )
- [Honeypots ](#honeypots )
- [Malware Corpora ](#malware-corpora )
2015-05-09 14:35:06 -04:00
- [Open Source Threat Intelligence ](#open-source-threat-intelligence )
2015-05-14 21:33:30 -04:00
- [Tools ](#tools )
- [Other Resources ](#other-resources )
2015-05-09 00:28:10 -04:00
- [Detection and Classification ](#detection-and-classification )
2015-05-09 00:35:17 -04:00
- [Online Scanners and Sandboxes ](#online-scanners-and-sandboxes )
2015-05-09 00:46:55 -04:00
- [Domain Analysis ](#domain-analysis )
2015-05-09 13:19:48 -04:00
- [Browser Malware ](#browser-malware )
2015-05-09 11:25:59 -04:00
- [Documents and Shellcode ](#documents-and-shellcode )
2015-05-09 12:05:04 -04:00
- [File Carving ](#file-carving )
- [Deobfuscation ](#deobfuscation )
2015-05-09 12:41:13 -04:00
- [Debugging and Reverse Engineering ](#debugging-and-reverse-engineering )
2015-05-09 12:05:04 -04:00
- [Network ](#network )
2015-05-09 00:41:41 -04:00
- [Memory Forensics ](#memory-forensics )
2015-05-09 18:30:52 -04:00
- [Windows Artifacts ](#windows-artifacts )
2015-05-09 18:01:22 -04:00
- [Storage and Workflow ](#storage-and-workflow )
2015-05-09 00:31:31 -04:00
- [Miscellaneous ](#miscellaneous )
2015-05-08 20:08:28 -04:00
- [Resources ](#resources )
- [Books ](#books )
- [Twitter ](#twitter )
2015-05-08 23:51:11 -04:00
- [Other ](#other )
2015-05-08 20:08:28 -04:00
- [Related Awesome Lists ](#related-awesome-lists )
- [Contributing ](#contributing )
2015-05-14 22:01:44 -04:00
- [Thanks ](#thanks )
2015-05-08 20:08:28 -04:00
---
2015-05-08 23:40:28 -04:00
## Malware Collection
2015-05-08 20:08:28 -04:00
2015-05-08 23:40:28 -04:00
### Anonymizers
*Web traffic anonymizers for analysts.*
2015-05-09 00:23:12 -04:00
* [Anonymouse.org ](http://anonymouse.org/ ) - A free, web based anonymizer.
* [OpenVPN ](https://openvpn.net/ ) - VPN software and hosting solutions.
* [Privoxy ](http://www.privoxy.org/ ) - An open source proxy server with some
privacy features.
2015-05-08 23:40:28 -04:00
* [Tor ](https://www.torproject.org/ ) - The Onion Router, for browsing the web
without leaving traces of the client IP.
2015-05-08 23:51:11 -04:00
### Honeypots
2015-05-09 00:24:53 -04:00
*Trap and collect your own samples.*
2015-05-09 12:07:52 -04:00
* [Conpot ](https://github.com/glastopf/conpot ) - ICS/SCADA honeypot.
2015-05-09 12:15:29 -04:00
* [Dionaea ](http://dionaea.carnivore.it/ ) - Honeypot designed to trap
malware.
2015-05-09 12:07:52 -04:00
* [Glastopf ](http://glastopf.org/ ) - Web application honeypot.
2015-05-09 12:11:32 -04:00
* [Honeyd ](http://honeyd.org/ ) - Create a virtual honeynet.
2015-05-11 13:22:26 -04:00
* [HoneyDrive ](http://honeydrive.org/ ) - Honeypot bundle Linux distro.
2015-05-09 12:11:32 -04:00
* [Kippo ](https://github.com/desaster/kippo ) - Medium interaction SSH honeypot.
2015-05-09 17:57:21 -04:00
* [Mnemosyne ](https://github.com/johnnykv/mnemosyne ) - A normalizer for
honeypot data; supports Dionaea.
2015-05-09 12:06:09 -04:00
* [Thug ](https://github.com/buffer/thug ) - Low interaction honeyclient, for
investigating malicious websites.
2015-05-08 23:51:11 -04:00
### Malware Corpora
2015-05-09 00:24:53 -04:00
*Malware samples collected for analysis.*
2015-05-09 11:17:07 -04:00
* [Clean MX ](http://support.clean-mx.de/clean-mx/viruses.php ) - Realtime
database of malware and malicious domains.
2015-05-08 23:51:11 -04:00
* [Contagio ](http://contagiodump.blogspot.com/ ) - A collection of recent
malware samples and analyses.
2015-05-09 11:34:23 -04:00
* [Exploit Database ](https://www.exploit-db.com/ ) - Exploit and shellcode
samples.
2015-05-09 17:58:14 -04:00
* [theZoo ](https://github.com/ytisf/theZoo ) - Live malware samples for
analysts.
2015-05-09 17:59:14 -04:00
* [maltrieve ](https://github.com/krmaxwell/maltrieve ) - Retrieve malware
samples directly from a number of online sources.
2015-05-09 11:17:07 -04:00
* [Zeltser's Sources ](https://zeltser.com/malware-sample-sources/ ) - A list
of malware sample sources put together by Lenny Zeltser.
2015-05-15 09:31:44 -04:00
* [Zeus Source Code ](https://github.com/Visgean/Zeus ) - Source for the Zeus
trojan leaked in 2011.
2015-05-18 10:29:13 -04:00
* [Malshare ](http://malshare.com ) - Large repository of malware actively
scrapped from malicious sites.
2015-05-08 23:51:11 -04:00
2015-05-09 14:35:06 -04:00
## Open Source Threat Intelligence
2015-05-14 21:33:30 -04:00
### Tools
*Harvest and analyze IOCs.*
2015-05-11 23:01:53 -04:00
2015-05-17 15:25:47 -04:00
* [Combine ](https://github.com/mlsecproject/combine ) - Tool to gather Threat
2015-05-11 23:01:53 -04:00
Intelligence indicators from publicly available sources.
2015-05-15 11:35:08 -04:00
* [IOC Editor ](https://www.mandiant.com/resources/download/ioc-editor/ ) -
A free editor for XML IOC files, from Mandiant.
* [ioc_writer ](https://github.com/mandiant/ioc_writer ) - Python library for
working with OpenIOC objects, from Mandiant.
2015-05-18 10:30:45 -04:00
* [MISP ](https://github.com/MISP/MISP ) - Malware Information Sharing
Platform.
2015-05-14 21:33:30 -04:00
* [threataggregator ](https://github.com/jpsenior/threataggregator ) -
Aggregates security threats from a number of sources, including some of
those listed below in [other resources ](#other-resources ).
2015-05-17 15:25:47 -04:00
* [TIQ-test ](https://github.com/mlsecproject/tiq-test ) - Data visualization
2015-05-14 22:21:35 -04:00
and statistical analysis of Threat Intelligence feeds.
2015-05-14 21:33:30 -04:00
### Other Resources
2015-05-11 23:01:53 -04:00
2015-05-09 14:35:06 -04:00
*Threat intelligence and IOC resources.*
2015-05-09 15:04:59 -04:00
* [Autoshun ](http://autoshun.org/ ) ([list](http://autoshun.org/)) - Snort
plugin and blocklist.
2015-05-09 15:53:55 -04:00
* [CI Army ](http://www.ciarmy.com/ ) ([list](http://www.ciarmy.com/list/ci-badguys.txt)) -
Network security blocklists.
2015-05-09 14:48:40 -04:00
* [Emerging Threats ](http://www.emergingthreats.net/ ) - Rulesets and more.
2015-05-15 11:30:26 -04:00
* [FireEye IOCs ](https://github.com/fireeye/iocs ) - Indicators of Compromise
shared publicly by FireEye.
2015-05-09 15:49:07 -04:00
* [hpfeeds ](https://github.com/rep/hpfeeds ) - Honeypot feed protocol.
2015-05-09 15:09:30 -04:00
* [Internet Storm Center (DShield) ](https://isc.sans.edu/ ) - Diary and
searchable incident database, with a web [API ](https://dshield.org/api/ )
([unofficial Python library](https://github.com/rshipp/python-dshield)).
2015-05-09 14:48:40 -04:00
* [malc0de ](http://malc0de.com/database/ ) - Searchable incident database.
* [Malware Domain List ](http://www.malwaredomainlist.com/ ) - Search and share
malicious URLs.
2015-05-09 14:35:06 -04:00
* [OpenIOC ](http://openioc.org/ ) - Framework for sharing threat intelligence.
2015-05-09 14:48:40 -04:00
* [Palevo Blocklists ](https://palevotracker.abuse.ch/blocklists.php ) - Botnet
C& C blocklists.
* [ZeuS Tracker ](https://zeustracker.abuse.ch/blocklist.php ) - ZeuS
blocklists.
2015-05-15 16:05:16 -04:00
* [Critical Stack- Free Intel Market ](https://intel.CriticalStack.com ) - Free
intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
2015-05-20 05:44:56 -04:00
* [CRDF ThreatCenter ](http://threatcenter.crdf.fr/ ) - List of new threats detected by CRDF anti-malware.
2015-05-20 05:53:45 -04:00
* [Yara rules ](https://github.com/Yara-Rules/rules ) - Yara rules repository.
2015-05-09 14:35:06 -04:00
2015-05-09 00:28:10 -04:00
## Detection and Classification
*Antivirus and other malware identification tools*
2015-05-09 11:36:04 -04:00
* [AnalyzePE ](https://github.com/hiddenillusion/AnalyzePE ) - Wrapper for a
variety of tools for reporting on Windows PE files.
2015-05-09 13:35:33 -04:00
* [chkrootkit ](http://www.chkrootkit.org/ ) - Local Linux rootkit detection.
2015-05-09 00:28:10 -04:00
* [ClamAV ](http://www.clamav.net/index.html ) - Open source antivirus engine.
2015-05-09 12:38:12 -04:00
* [ExifTool ](http://www.sno.phy.queensu.ca/~phil/exiftool/ ) - Read, write and
edit file metadata.
2015-05-09 13:11:57 -04:00
* [hashdeep ](https://github.com/jessek/hashdeep ) - Compute digest hashes with
a variety of algorithms.
2015-05-15 15:55:38 -04:00
* [MASTIFF ](https://github.com/KoreLogicSecurity/mastiff ) - Static analysis
framework.
2015-05-09 13:14:18 -04:00
* [nsrllookup ](https://github.com/rjhansen/nsrllookup ) - A tool for looking
up hashes in NIST's National Software Reference Library database.
2015-05-09 12:48:29 -04:00
* [packerid ](http://handlers.sans.org/jclausing/packerid.py ) - A cross-platform
Python alternative to PEiD.
2015-05-09 14:01:36 -04:00
* [PEiD ](http://woodmann.com/BobSoft/Pages/Programs/PEiD ) - Packer identifier
for Windows binaries.
2015-05-17 15:00:43 -04:00
* [PEV ](http://pev.sourceforge.net/ ) - A multiplatform toolkit to work with PE
files, providing feature-rich tools for proper analysis of suspicious binaries.
2015-05-09 13:35:33 -04:00
* [Rootkit Hunter ](http://rkhunter.sourceforge.net/ ) - Detect Linux rootkits.
2015-05-09 13:11:57 -04:00
* [ssdeep ](http://ssdeep.sourceforge.net/ ) - Compute fuzzy hashes.
2015-05-09 13:23:18 -04:00
* [totalhash.py ](https://gist.github.com/malc0de/10270150 ) - Python script
for easy searching of the [TotalHash.com ](http://totalhash.com/ ) database.
2015-05-09 12:38:12 -04:00
* [TrID ](http://mark0.net/soft-trid-e.html ) - File identifier.
2015-05-09 00:28:10 -04:00
* [YARA ](https://plusvic.github.io/yara/ ) - Pattern matching tool for
analysts.
2015-05-20 05:38:06 -04:00
* [Loki ](https://github.com/Neo23x0/Loki ) - Host based scanner for IOCs.
2015-05-20 05:41:29 -04:00
* [Yara rules generator ](https://github.com/Neo23x0/yarGen ) - Generate yara rules based on a set of malware samples. Also contains a good_strings DB to avoid false positives.
2015-05-09 00:28:10 -04:00
2015-05-09 00:35:17 -04:00
## Online Scanners and Sandboxes
2015-05-09 12:29:41 -04:00
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
2015-05-18 10:47:05 -04:00
* [AVCaesar ](https://avcaesar.malware.lu/ ) - Malware.lu online scanner and
malware repository.
2015-05-09 11:24:09 -04:00
* [Cuckoo Sandbox ](http://cuckoosandbox.org/ ) - Open source, self hosted
sandbox and automated analysis system.
2015-05-15 15:51:46 -04:00
* [DRAKVUF ](https://github.com/tklengyel/drakvuf ) - Dynamic malware analysis
system.
2015-05-17 11:05:09 -04:00
* [Hybrid Analysis ](https://www.hybrid-analysis.com/ ) - Online malware
analysis tool, powered by VxSandbox.
2015-05-15 15:50:47 -04:00
* [Jotti ](http://virusscan.jotti.org/en ) - Free online multi-AV scanner.
2015-05-15 16:16:58 -04:00
* [Malheur ](https://github.com/rieck/malheur ) - Automatic sandboxed analysis
of malware behavior.
2015-05-15 15:50:47 -04:00
* [Malwr ](https://malwr.com/ ) - Free analysis with an online Cuckoo Sandbox
instance.
2015-05-15 15:55:38 -04:00
* [MASTIFF Online ](https://mastiff-online.korelogic.com/ ) - Online static
analysis of malware.
2015-05-15 15:57:58 -04:00
* [Noriben ](https://github.com/Rurik/Noriben ) - Uses Sysinternals Procmon to
collect information about malware in a sandboxed environment.
2015-05-09 18:46:02 -04:00
* [Recomposer ](https://github.com/secretsquirrel/recomposer ) - A helper
script for safely uploading binaries to sandbox sites.
2015-05-09 00:35:53 -04:00
* [VirusTotal ](https://www.virustotal.com/ ) - Free online analysis of malware
samples and URLs
2015-05-09 11:24:09 -04:00
* [Zeltser's List ](https://zeltser.com/automated-malware-analysis/ ) - Free
automated sandboxes and services, compiled by Lenny Zeltser.
2015-05-09 00:35:17 -04:00
2015-05-09 11:26:12 -04:00
## Domain Analysis
*Inspect domains and IP addresses.*
* [Dig ](http://networking.ringofsaturn.com/ ) - Free online dig and other
network tools.
2015-05-09 11:36:04 -04:00
* [IPinfo ](https://github.com/hiddenillusion/IPinfo ) - Gather information
about an IP or domain by searching online resources.
2015-05-09 13:17:09 -04:00
* [TekDefense Automator ](http://www.tekdefense.com/automater/ ) - OSINT tool
for gatherig information about URLs, IPs, or hashes.
2015-05-09 11:26:12 -04:00
* [Whois ](http://whois.domaintools.com/ ) - DomainTools free online whois
search.
* [Zeltser's List ](https://zeltser.com/lookup-malicious-websites/ ) - Free
online tools for researching malicious websites, compiled by Lenny Zeltser.
2015-05-09 13:19:48 -04:00
## Browser Malware
2015-05-09 13:20:38 -04:00
*Analyze malicious URLs. See also the [domain analysis ](#domain-analysis ) and
[documents and shellcode ](#documents-and-shellcode ) sections.*
2015-05-09 13:19:48 -04:00
2015-05-09 13:59:46 -04:00
* [Firebug ](http://getfirebug.com/ ) - Firefox extension for web development.
2015-05-09 13:44:40 -04:00
* [Java Decompiler ](http://jd.benow.ca/ ) - Decompile and inspect Java apps.
* [Java IDX Parser ](https://github.com/Rurik/Java_IDX_Parser/ ) - Parses Java
IDX cache files.
2015-05-09 14:50:43 -04:00
* [JSDetox ](http://www.relentless-coding.com/projects/jsdetox/ ) - JavaScript
malware analysis tool.
* [jsunpack-n ](https://code.google.com/p/jsunpack-n/ ) - A javascript
unpacker that emulates browser functionality.
2015-05-09 13:44:40 -04:00
* [Malzilla ](http://malzilla.sourceforge.net/ ) - Analyze malicious web pages.
2015-05-09 13:41:24 -04:00
* [RABCDAsm ](https://github.com/CyberShadow/RABCDAsm ) - A "Robust
ActionScript Bytecode Disassembler."
2015-05-09 13:39:46 -04:00
* [swftools ](http://www.swftools.org/ ) - Tools for working with Adobe Flash
files.
* [xxxswf ](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html ) - A
Python script for analyzing Flash files.
2015-05-09 11:34:23 -04:00
## Documents and Shellcode
2015-05-09 14:53:33 -04:00
*Analyze malicious JS and shellcode from PDFs and Office documents. See also
the [browser malware ](#browser-malware ) section.*
2015-05-09 12:29:41 -04:00
2015-05-09 11:36:04 -04:00
* [AnalyzePDF ](https://github.com/hiddenillusion/AnalyzePDF ) - A tool for
analyzing PDFs and attempting to determine whether they are malicious.
2015-05-09 11:50:57 -04:00
* [diStorm ](http://www.ragestorm.net/distorm/ ) - Disassembler for analyzing
malicious shellcode.
2015-05-09 12:34:53 -04:00
* [JS Beautifier ](http://jsbeautifier.org/ ) - JavaScript unpacking and deobfuscation.
2015-05-09 11:50:57 -04:00
* [libemu ](http://libemu.carnivore.it/ ) - Library and tools for x86 shellcode
emulation.
2015-05-09 11:52:49 -04:00
* [malpdfobj ](https://github.com/9b/malpdfobj ) - Deconstruct malicious PDFs
into a JSON representation.
2015-05-09 11:50:57 -04:00
* [OfficeMalScanner ](http://www.reconstructer.org/code.html ) - Scan for
malicious traces in MS Office documents.
2015-05-09 17:03:32 -04:00
* [olevba ](http://www.decalage.info/python/olevba ) - A script for parsing OLE
and OpenXML documents and extracting useful information.
2015-05-09 11:57:05 -04:00
* [Origami PDF ](https://code.google.com/p/origami-pdf/ ) - A tool for
analyzing malicious PDFs, and more.
2015-05-09 11:46:37 -04:00
* [PDF Tools ](http://blog.didierstevens.com/programs/pdf-tools/ ) - pdfid,
pdf-parser, and more from Didier Stevens.
2015-05-09 11:57:26 -04:00
* [PDF X-Ray Lite ](https://github.com/9b/pdfxray_lite ) - A PDF analysis tool,
2015-05-09 11:52:49 -04:00
the backend-free version of PDF X-RAY.
2015-05-09 11:58:39 -04:00
* [peepdf ](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool ) - Python
tool for exploring possibly malicious PDFs.
2015-05-09 11:34:23 -04:00
* [Spidermonkey ](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey ) -
Mozilla's JavaScript engine, for debugging malicious JS.
2015-05-09 13:05:07 -04:00
## File Carving
*For extracting files from inside disk and memory images.*
* [bulk_extractor ](https://github.com/simsong/bulk_extractor ) - Fast file
carving tool.
2015-05-09 18:35:00 -04:00
* [EVTXtract ](https://github.com/williballenthin/EVTXtract ) - Carve Windows
Event Log files from raw binary data.
2015-05-09 13:05:07 -04:00
* [Foremost ](http://foremost.sourceforge.net/ ) - File carving tool designed
by the US Air Force.
* [Hachoir ](https://bitbucket.org/haypo/hachoir ) - A collection of Python
libraries for dealing with binary files.
* [Scalpel ](https://github.com/sleuthkit/scalpel ) - Another data carving
tool.
2015-05-09 13:07:39 -04:00
## Deobfuscation
2015-05-14 21:37:48 -04:00
*Reverse XOR and other code obfuscation methods.*
2015-05-09 13:07:39 -04:00
2015-05-14 21:55:57 -04:00
* [Balbuzard ](https://bitbucket.org/decalage/balbuzard/wiki/Home ) - A malware
analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
2015-05-14 21:53:06 -04:00
* [ex_pe_xor ](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html )
& [iheartxor ](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html ) -
Two tools from Alexander Hanel for working with single-byte XOR encoded
files.
2015-05-14 21:44:14 -04:00
* [NoMoreXOR ](https://github.com/hiddenillusion/NoMoreXOR ) - Guess a 256 byte
XOR key using frequency analysis.
2015-05-14 21:47:34 -04:00
* [unxor ](https://github.com/tomchop/unxor/ ) - Guess XOR keys using
known-plaintext attacks.
2015-05-14 21:54:50 -04:00
* [XORBruteForcer ](http://eternal-todo.com/var/scripts/xorbruteforcer ) -
A Python script for brute forcing single-byte XOR keys.
2015-05-14 21:53:06 -04:00
* [XORSearch & XORStrings ](http://blog.didierstevens.com/programs/xorsearch/ ) -
A couple programs from Didier Stevens for finding XORed data.
2015-05-14 21:46:08 -04:00
* [xortool ](https://github.com/hellman/xortool ) - Guess XOR key length, as
well as the key itself.
2015-05-14 21:44:14 -04:00
2015-05-09 12:41:13 -04:00
## Debugging and Reverse Engineering
2015-05-09 12:48:55 -04:00
*Disassemblers, debuggers, and other static and dynamic analysis tools.*
* [Bokken ](https://inguma.eu/projects/bokken ) - GUI for Pyew and Radare.
2015-05-09 12:57:48 -04:00
* [Evan's Debugger (EDB) ](http://codef00.com/projects#debugger ) - A
modular debugger with a Qt GUI.
* [GDB ](http://www.sourceware.org/gdb/ ) - The GNU debugger.
2015-05-09 12:48:55 -04:00
* [IDA Pro ](https://www.hex-rays.com/products/ida/index.shtml ) - Windows
disassembler and debugger, with a free evaluation version.
2015-05-09 15:48:03 -04:00
* [Immunity Debugger ](http://debugger.immunityinc.com/ ) - Debugger for
malware analysis and more, with a Python API.
2015-05-09 12:57:48 -04:00
* [ltrace ](http://ltrace.org/ ) - Dynamic analysis for Linux executables.
2015-05-09 12:51:23 -04:00
* [objdump ](https://en.wikipedia.org/wiki/Objdump ) - Part of GNU binutils,
for static analysis of Linux binaries.
2015-05-09 12:57:48 -04:00
* [OllyDbg ](http://www.ollydbg.de/ ) - An assembly-level debugger for Windows
executables.
2015-05-18 12:20:28 -04:00
* [pestudio ](https://winitor.com/ ) - Perform static analysis of Windows
executables.
2015-05-09 16:04:20 -04:00
* [Process Monitor ](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx ) -
Advanced monitoring tool for Windows programs.
2015-05-09 12:48:55 -04:00
* [Pyew ](https://github.com/joxeankoret/pyew ) - Python tool for malware
analysis.
2015-05-09 12:57:48 -04:00
* [strace ](https://sourceforge.net/projects/strace/ ) - Dynamic analysis for
Linux executables.
2015-05-09 12:41:13 -04:00
* [Radare2 ](http://www.radare.org/r/ ) - Reverse engineering framework, with
debugger support.
2015-05-09 12:51:23 -04:00
* [Udis86 ](https://github.com/vmt/udis86 ) - Disassembler library and tool
for x86 and x86_64.
2015-05-15 15:32:32 -04:00
* [Vivisect ](https://github.com/vivisect/vivisect ) - Python tool for
2015-05-09 12:57:48 -04:00
malware analysis.
2015-05-09 12:41:13 -04:00
2015-05-09 13:07:39 -04:00
## Network
*Analyze network interactions.*
2015-05-15 16:05:16 -04:00
* [Bro ](https://www.bro.org ) - Protocol analyzer that operates at incredible
scale; both file and network protocols.
2015-05-17 16:06:29 -04:00
* [chopshop ](https://github.com/MITRECND/chopshop ) - Protocol analysis and
decoding framework.
2015-05-15 11:23:29 -04:00
* [Fiddler ](http://www.telerik.com/fiddler ) - Intercepting web proxy designed
for "web debugging."
2015-05-15 11:21:53 -04:00
* [Hale ](https://github.com/pjlantz/Hale ) - Botnet C& C monitor.
2015-05-09 14:20:31 -04:00
* [INetSim ](http://www.inetsim.org/ ) - Network service emulation, useful when
building a malware lab.
2015-05-09 17:50:03 -04:00
* [Malcom ](https://github.com/tomchop/malcom ) - Malware Communications
Analyzer.
2015-05-09 14:20:31 -04:00
* [mitmproxy ](https://mitmproxy.org/ ) - Intercept network traffic on the fly.
2015-05-17 16:05:31 -04:00
* [Moloch ](https://github.com/aol/moloch ) - IPv4 traffic capturing, indexing
and database system.
2015-05-09 14:20:31 -04:00
* [NetworkMiner ](http://www.netresec.com/?page=NetworkMiner ) - Network
forensic analysis tool, with a free version.
* [ngrep ](http://ngrep.sourceforge.net/ ) - Search through network traffic
like grep.
* [Tcpdump ](http://www.tcpdump.org/ ) - Collect network traffic.
* [tcpick ](http://tcpick.sourceforge.net/ ) - Trach and reassemble TCP streams
from network traffic.
* [tcpxtract ](http://tcpxtract.sourceforge.net/ ) - Extract files from network
traffic.
* [Wireshark ](https://www.wireshark.org/ ) - The network traffic analysis
tool.
2015-05-09 00:41:41 -04:00
## Memory Forensics
2015-05-09 00:46:55 -04:00
*Tools for dissecting malware in memory images or running systems.*
2015-05-09 17:51:31 -04:00
* [DAMM ](https://github.com/504ensicsLabs/DAMM ) - Differential Analysis of
Malware in Memory, built on Volatility
2015-05-09 00:41:41 -04:00
* [FindAES ](https://jessekornblum.livejournal.com/269749.html ) - Find AES
encryption keys in memory.
2015-05-09 17:53:25 -04:00
* [Muninn ](https://github.com/ytisf/muninn ) - A script to automate portions
of analysis using Volatility, and create a readable report.
2015-05-09 00:41:41 -04:00
* [Rekall ](http://www.rekall-forensic.com/ ) - Memory analysis framework,
forked from Volatility in 2013.
* [TotalRecall ](https://github.com/sketchymoose/TotalRecall ) - Script based
on Volatility for automating various malware analysis tasks.
2015-05-18 12:19:02 -04:00
* [VolDiff ](https://github.com/aim4r/VolDiff ) - Run Volatility on memory
images before and after malware execution, and report changes.
2015-05-09 00:41:41 -04:00
* [Volatility ](https://github.com/volatilityfoundation/volatility ) - Advanced
memory forensics framework.
2015-05-09 00:42:55 -04:00
* [WinDbg ](https://msdn.microsoft.com/en-us/windows/hardware/hh852365 ) - Live
memory inspection and kernel debugging for Windows systems.
2015-05-09 00:41:41 -04:00
2015-05-09 18:30:52 -04:00
## Windows Artifacts
2015-05-09 18:35:00 -04:00
* [python-evt ](https://github.com/williballenthin/python-evt ) - Python
library for parsing Windows Event Logs.
* [python-registry ](http://www.williballenthin.com/registry/ ) - Python
library for parsing registry files.
2015-05-09 18:30:52 -04:00
* [RegRipper ](https://regripper.wordpress.com/ )
([GitHub](https://github.com/keydet89/RegRipper2.8)) -
Plugin-based registry analysis tool.
2015-05-09 18:01:22 -04:00
## Storage and Workflow
2015-05-17 15:00:43 -04:00
* [Aleph ](https://github.com/trendmicro/aleph ) - OpenSource Malware Analysis
Pipeline System.
2015-05-17 16:08:50 -04:00
* [CRITs ](https://crits.github.io/ ) - Collaborative Research Into Threats, a
malware and threat repository.
2015-05-09 18:01:22 -04:00
* [Malwarehouse ](https://github.com/sroberts/malwarehouse ) - Store, tag, and
search malware.
2015-05-20 05:50:05 -04:00
* [MISP ](https://github.com/MISP/MISP ) - Malware Information Sharing
Platform curated by [The MISP Project ](http://www.misp-project.org/ ).
2015-05-09 18:02:53 -04:00
* [Viper ](http://viper.li/ ) - A binary management and analysis framework for
analysts and researchers.
2015-05-09 18:01:22 -04:00
2015-05-09 00:31:31 -04:00
## Miscellaneous
2015-05-17 15:25:23 -04:00
* [DC3-MWCP ](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP ) -
The Defense Cyber Crime Center's Malware Configuration Parser framework.
2015-05-09 00:31:31 -04:00
* [REMnux ](https://remnux.org/ ) - Linux distribution and docker images for
malware reverse engineering and analysis.
2015-05-15 16:20:11 -04:00
* [Santoku Linux ](https://santoku-linux.com/ ) - Linux distribution for mobile
forensics, malware analysis, and security.
2015-05-09 00:31:31 -04:00
2015-05-08 23:51:11 -04:00
# Resources
## Books
2015-05-09 12:29:41 -04:00
*Essential malware analysis reading material.*
2015-05-09 12:25:31 -04:00
* [Malware Analyst's Cookbook and DVD ](https://amzn.com/dp/0470613033 ) -
Tools and Techniques for Fighting Malicious Code.
* [Practical Malware Analysis ](https://amzn.com/dp/1593272901 ) - The Hands-On Guide
to Dissecting Malicious Software.
* [The Art of Memory Forensics ](https://amzn.com/dp/1118825098 ) - Detecting
Malware and Threats in Windows, Linux, and Mac Memory.
* [The IDA Pro Book ](https://amzn.com/dp/1593272898 ) - The Unofficial Guide
to the World's Most Popular Disassembler.
2015-05-08 23:51:11 -04:00
## Twitter
2015-05-09 18:13:49 -04:00
*Some relevant Twitter accounts.*
2015-05-18 13:59:18 -04:00
* Adamb [@Hexacorn ](https://twitter.com/Hexacorn )
2015-05-09 18:11:27 -04:00
* Andrew Case [@attrc ](https://twitter.com/attrc )
* Claudio [@botherder ](https://twitter.com/botherder )
2015-05-15 16:05:16 -04:00
* Dustin Webber [@mephux ](https://twitter.com/mephux )
2015-05-14 21:44:14 -04:00
* Glenn [@hiddenillusion ](https://twitter.com/hiddenillusion )
2015-05-09 18:11:27 -04:00
* jekil [@jekil ](https://twitter.com/jekil )
* Jurriaan Bremer [@skier_t ](https://twitter.com/skier_t )
2015-05-09 18:20:41 -04:00
* Lenny Zeltser [@lennyzeltser ](https://twitter.com/lennyzeltser )
2015-05-17 23:57:03 -04:00
* Liam Randall [@hectaman ](https://twitter.com/hectaman )
2015-05-09 18:11:27 -04:00
* Mark Schloesser [@repmovsb ](https://twitter.com/repmovsb )
* Michael Ligh (MHL) [@iMHLv2 ](https://twitter.com/iMHLv2 )
2015-05-15 16:05:16 -04:00
* Richard Bejtlich [@taosecurity ](https://twitter.com/taosecurity )
2015-05-09 18:15:26 -04:00
* Volatility [@volatility ](https://twitter.com/volatility )
2015-05-09 18:11:27 -04:00
2015-05-08 23:51:11 -04:00
## Other
2015-05-09 12:15:29 -04:00
* [Honeynet Project ](http://honeynet.org/ ) - Honeypot tools, papers, and
other resources.
2015-05-09 11:17:07 -04:00
* [Malicious Software ](https://zeltser.com/malicious-software/ ) - Malware
blog and resources by Lenny Zeltser.
2015-05-09 18:25:17 -04:00
* [Malware Analysis Search ](http://www.google.com/cse/home?cx=011750002002865445766:pc60zx1rliu ) -
Custom Google search engine from [Corey Harrell ](journeyintoir.blogspot.com/ ).
2015-05-09 18:30:52 -04:00
* [WindowsIR: Malware ](http://windowsir.blogspot.com/p/malware.html ) - Harlan
Carvey's page on Malware.
2015-05-09 11:17:07 -04:00
* [/r/Malware ](https://www.reddit.com/r/Malware ) - The malware subreddit.
* [/r/ReverseEngineering ](https://www.reddit.com/r/ReverseEngineering ) -
Reverse engineering subreddit, not limited to just malware.
2015-05-08 23:51:11 -04:00
# Related Awesome Lists
* [Android Security ](https://github.com/ashishb/android-security-awesome )
* [Pentesting ](https://github.com/enaqx/awesome-pentest )
* [Security ](https://github.com/sbilly/awesome-security )
# [Contributing](CONTRIBUTING.md)
Pull requests and issues with suggestions are welcome!
2015-05-14 22:01:44 -04:00
# Thanks
This list was made possible by:
* Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;
* Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
writing the *Malware Analyst's Cookbook* , which was a big inspiration for
creating the list;
* And everyone else who has sent pull requests or suggested links to add here!
Thanks!