awesome-malware-analysis/README.md


# Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by
[awesome-python](https://github.com/vinta/awesome-python) and
[awesome-php](https://github.com/ziadoz/awesome-php).
- [Awesome Malware Analysis](#awesome-malware-analysis)
  - [Malware Collection](#malware-collection)
    - [Anonymizers](#anonymizers)
    - [Honeypots](#honeypots)
    - [Malware Corpora](#malware-corpora)
  - [Detection and Classification](#detection-and-classification)
  - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
  - [Domain Analysis](#domain-analysis)
  - [Browser Malware](#browser-malware)
  - [Documents and Shellcode](#documents-and-shellcode)
  - [File Carving](#file-carving)
  - [Deobfuscation](#deobfuscation)
  - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
  - [Network](#network)
  - [Memory Forensics](#memory-forensics)
  - [Miscellaneous](#miscellaneous)
- [Resources](#resources)
  - [Books](#books)
  - [Twitter](#twitter)
  - [Other](#other)
- [Related Awesome Lists](#related-awesome-lists)
- [Contributing](#contributing)
---
## Malware Collection
### Anonymizers
*Web traffic anonymizers for analysts, so that fetching samples or probing C2 infrastructure does not expose your own IP address to the operator.*
* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
privacy features.
* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
without leaving traces of the client IP.
### Honeypots
*Trap and collect your own samples.*
* [Conpot](https://github.com/glastopf/conpot) - ICS/SCADA honeypot.
* [Dionaea](http://dionaea.carnivore.it/) - Honeypot designed to trap
malware.
* [Glastopf](http://glastopf.org/) - Web application honeypot.
* [Honeyd](http://honeyd.org/) - Create a virtual honeynet.
* [Kippo](https://github.com/desaster/kippo) - Medium interaction SSH honeypot.
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
investigating malicious websites.
### Malware Corpora
*Malware samples collected for analysis.*
* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
database of malware and malicious domains.
* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
malware samples and analyses.
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
samples.
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
of malware sample sources put together by Lenny Zeltser.
## Detection and Classification
*Antivirus and other malware identification tools.*
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
variety of tools for reporting on Windows PE files.
* [ClamAV](http://www.clamav.net/index.html) - Open source antivirus engine.
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
edit file metadata.
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
a variety of algorithms.
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
up hashes in NIST's National Software Reference Library database.
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
Python alternative to PEiD.
* [ssdeep](http://ssdeep.sourceforge.net/) - Compute fuzzy hashes.
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
analysts.
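What packerid and PEiD automate comes down to two heuristics on the PE section table: section names that known packers leave behind, and sections whose byte entropy is close to the 8 bits/byte of compressed or encrypted data. The script below is an added example illustrating both heuristics with nothing but the Python standard library; it is not packerid's code, the packer-name list and the 7.0-bit threshold are the editor's assumptions, and the two PE images it checks are constructed by `build_pe()` rather than taken from any real sample.

```python
"""Packer heuristics for Windows PE files (packerid/PEiD-style).

Added example, not packerid's own code. It parses the PE section table
with the standard library and flags two signs of packing: section names
that known packers leave behind, and sections whose Shannon entropy is
close to the 8 bits/byte of compressed or encrypted data. The name list
and the 7.0-bit threshold are assumptions for this demo; the sample
images are constructed in build_pe() and are not runnable programs.
"""
import math
import random
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", ".MPRESS1", ".MPRESS2", ".themida",
                        ".vmp0", ".vmp1"}          # assumed, non-exhaustive
ENTROPY_THRESHOLD = 7.0                             # bits per byte, assumed


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section; ValueError if not a PE."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        hdr = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = hdr[3], hdr[4]
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def packer_indicators(blob: bytes) -> list:
    """Reasons the file looks packed; an empty list means no indicator fired."""
    reasons = []
    for name, data in pe_sections(blob):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {entropy:.2f} bits/byte")
    return reasons


def build_pe(sections) -> bytes:
    """Minimal PE image from [(name, data), ...]: constructed test input only."""
    e_lfanew = 0x40
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)   # SizeOfOptionalHeader = 0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, ptr = b"", b"", data_start
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


_rng = random.Random(7)
# UPX-style layout with a high-entropy payload, and an unpacked look-alike.
PACKED_SAMPLE = build_pe([("UPX0", b""),
                          ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))])
PLAIN_SAMPLE = build_pe([(".text", b"\x90" * 4096), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Both heuristics are cheap and both are evadable: packers can rename sections, and a packer that stores its payload with low entropy (or a legitimate installer carrying compressed resources) will score the wrong way. Treat a hit as a reason to run the sample through a sandbox or unpack it, not as a verdict, and pair it with the hash lookups (hashdeep, nsrllookup) and YARA rules listed above.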
## Online Scanners and Sandboxes
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
* [Cuckoo Sandbox](http://cuckoosandbox.org/) - Open source, self hosted
sandbox and automated analysis system.
* [Jotti]() - Free online multi-AV scanner.
* [Malwr]() - Free analysis with an online Cuckoo Sandbox instance.
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
samples and URLs.
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
automated sandboxes and services, compiled by Lenny Zeltser.
## Domain Analysis
*Inspect domains and IP addresses.*
* [Dig](http://networking.ringofsaturn.com/) - Free online dig and other
network tools.
* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
about an IP or domain by searching online resources.
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
for gathering information about URLs, IPs, or hashes.
* [Whois](http://whois.domaintools.com/) - DomainTools free online whois
search.
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
online tools for researching malicious websites, compiled by Lenny Zeltser.
## Browser Malware
*Malicious URLs. See also the [domain analysis](#domain-analysis) and [documents
and shellcode](#documents-and-shellcode) sections.*
## Documents and Shellcode
*Analyze malicious JS and shellcode from PDFs and Office documents.*
* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
analyzing PDFs and attempting to determine whether they are malicious.
* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
malicious shellcode.
* [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
malware analysis tool.
* [jsunpack-n](https://code.google.com/p/jsunpack-n/) - A JavaScript
unpacker that emulates browser functionality.
* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
emulation.
* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
into a JSON representation.
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
malicious traces in MS Office documents.
* [officeparser](https://github.com/unixfreak0037/officeparser) - A Python
script for parsing the MS Office OLE document format.
* [Origami PDF](https://code.google.com/p/origami-pdf/) - A tool for
analyzing malicious PDFs, and more.
* [PDF Tools](http://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
pdf-parser, and more from Didier Stevens.
* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
the backend-free version of PDF X-RAY.
* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
tool for exploring possibly malicious PDFs.
* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
Mozilla's JavaScript engine, for debugging malicious JS.
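The first pass most of the PDF tools above perform (pdfid most literally) is a count of the names that make a document worth opening in an analysis tool: `/JavaScript`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile` and so on. The catch is that PDF allows any character in a name to be written as a `#xx` hex escape, so malicious documents spell it `/J#61vaScript` to defeat a plain `grep`. The script below is an added example of that first pass, not pdfid's code: it tokenises name objects, undoes the escaping, and tallies the suspicious names. The keyword list is the editor's selection from the set pdfid reports, and the sample document is constructed for the demo and carries no exploit.

```python
"""pdfid-style keyword counting with PDF name de-obfuscation.

Added example (not Didier Stevens' pdfid). It tokenises PDF name objects,
decodes the '#xx' hex escapes that PDF permits inside names and that
malware uses to hide /JavaScript from naive searches, then counts the
names that justify deeper analysis. SUSPICIOUS_NAMES is an assumed
subset of what pdfid reports; SAMPLE_PDF is a constructed document.
"""
import re
from collections import Counter

SUSPICIOUS_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/ObjStm", "/RichMedia", "/XFA", "/AcroForm")

# A name token is '/' followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode '#xx' escapes so that /J#61vaScript and /JavaScript compare equal."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdf_keyword_counts(pdf: bytes) -> Counter:
    """Count each suspicious name plus the obj/stream totals pdfid also reports."""
    counts = Counter()
    for m in _NAME_RE.finditer(pdf):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", pdf))
    counts["stream"] = len(re.findall(rb"\bstream\b", pdf))   # 'endstream' does not match
    return counts


def triage(pdf: bytes) -> list:
    """Names that fired, for a one-line verdict."""
    counts = pdf_keyword_counts(pdf)
    return [name for name in SUSPICIOUS_NAMES if counts[name]]


# Constructed sample: a one-page document with an obfuscated /JavaScript action
# wired to both the catalog's /OpenAction and the page's /AA (no real exploit).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /J#61vaScript /J#53 5 0 R >>
endobj
5 0 obj
<< /Length 32 >>
stream
app.alert('constructed sample');
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, count in sorted(pdf_keyword_counts(SAMPLE_PDF).items()):
        print(f"{name:<14}{count}")
    print("triage:", triage(SAMPLE_PDF))
```

A zero count is not a clean bill of health: the same names can sit inside a FlateDecode-compressed object stream (`/ObjStm`), where no keyword scan sees them until the stream is inflated. That is why a hit, or a document with streams but no visible structure, is followed up with pdf-parser, peepdf or Origami, which decode the streams and walk the object graph.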
## File Carving
*For extracting files from inside disk and memory images.*
* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
carving tool.
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
by the US Air Force.
* [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python
libraries for dealing with binary files.
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
tool.
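Foremost and Scalpel share one technique: ignore the file system, scan the raw image for known header signatures, and cut out everything up to the matching footer (or a size cap when the footer is missing). That is what lets them recover files that were deleted, unreferenced, or sitting in slack space or in a memory dump. The script below is an added example of that technique and is not the code of either tool; the signature table is the editor's, and the "disk image" it scans is a buffer constructed inline from a tiny PNG, a tiny PDF and a truncated PDF.

```python
"""Header/footer file carving in the style of Foremost and Scalpel.

Added example, not either tool's code. It scans a raw image for known
magic bytes and cuts out everything up to the matching footer, with a
size cap for files whose footer is never found. The signature table and
the post-carve validity checks are assumptions for this demo; IMAGE is a
constructed buffer, not a real disk image.
"""
import struct
import zlib

# kind, header, footer, bytes to keep after the footer, maximum carve size (assumed table)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4, 16 * 1024 * 1024),  # IEND is followed by its CRC
    ("pdf", b"%PDF-", b"%%EOF", 0, 16 * 1024 * 1024),
]


def carve(image: bytes) -> list:
    """Return [(kind, offset, data)] for every signature hit, ordered by offset."""
    found = []
    for kind, header, footer, trailing, max_size in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            limit = min(pos + max_size, len(image))
            fpos = image.find(footer, pos + len(header), limit)
            if fpos != -1:
                end = min(fpos + len(footer) + trailing, len(image))
            else:
                end = limit            # no footer: keep the capped window (truncated file)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def looks_valid(kind: str, data: bytes) -> bool:
    """Cheap post-carve checks that weed out the most common false positives."""
    if kind == "png":
        # IEND has an empty payload, so its CRC is always crc32(b"IEND")
        return data.endswith(b"IEND" + struct.pack(">I", zlib.crc32(b"IEND")))
    if kind == "pdf":
        return data.endswith(b"%%EOF")
    return False


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Length + type + payload + CRC, as the PNG spec lays out every chunk."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


# Constructed image: deterministic filler (contains none of the signatures),
# a valid 1x1 PNG, a minimal PDF, and a PDF cut off before its %%EOF.
FILLER = bytes(range(256)) * 4
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")
TRUNCATED_PDF = b"%PDF-1.7\n2 0 obj\n<< /Length 99 >>\nstream\n"
IMAGE = FILLER + PNG_SAMPLE + FILLER + PDF_SAMPLE + FILLER + TRUNCATED_PDF

if __name__ == "__main__":
    for kind, offset, data in carve(IMAGE):
        print(f"{kind} at 0x{offset:x}, {len(data)} bytes, valid={looks_valid(kind, data)}")
```

The truncated PDF is the case to watch: the carver still emits it (up to the size cap or the end of the image), because a partial file is often exactly what the analyst needs, but `looks_valid()` marks it so it is not mistaken for a complete document. bulk_extractor goes further and also carves from inside compressed and encoded data, which a plain signature scan like this one cannot see.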
## Deobfuscation
*Reverse XOR and other code obfuscation methods.*
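Single-byte XOR is the obfuscation an analyst meets most often in malware strings and configuration blobs, and it falls to a 256-key brute force as long as there is a way to score the candidates. The script below is an added example of that attack and not any listed tool's code: it scores each candidate plaintext by its share of printable bytes, adds a bonus for expected fragments ("cribs") such as `http://` or the DOS stub message, and returns the best keys. The crib list is the editor's assumption, and the blob is a constructed C2 string XORed with `0x5A`.

```python
"""Single-byte XOR key recovery by brute force and plaintext scoring.

Added example for the deobfuscation section (not any listed tool's code).
Every one of the 256 keys is tried; each candidate plaintext is scored by
its fraction of printable bytes plus a bonus per expected fragment found.
CRIBS is an assumed list for this demo; BLOB is constructed.
"""
import string

PRINTABLE = set(string.printable.encode())

# Fragments an analyst expects in decoded malware data (assumed cribs).
CRIBS = (b"http://", b"https://", b"This program cannot be run in DOS mode",
         b".dll", b".exe")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Printable fraction in [0, 1], plus 1.0 for each crib present."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    bonus = sum(1.0 for crib in CRIBS if crib in candidate)
    return printable + bonus


def brute_force_xor(blob: bytes, top: int = 3) -> list:
    """Return the `top` (key, score, plaintext) triples, best first."""
    ranked = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        ranked.append((key, score_plaintext(plain), plain))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked[:top]


def recover_key(blob: bytes) -> int:
    """The single best-scoring key."""
    return brute_force_xor(blob, top=1)[0][0]


# Constructed sample: a C2 request string obfuscated with key 0x5A.
SECRET = b"POST http://c2.example.invalid/gate.php?id=%s"
BLOB = xor_bytes(SECRET, 0x5A)

if __name__ == "__main__":
    for key, score, plain in brute_force_xor(BLOB):
        print(f"key=0x{key:02x} score={score:.2f} {plain[:48]!r}")
```

The scoring is what makes this robust: key `0x00` (the blob itself) often looks partly printable, so "most printable bytes" alone is not a safe criterion, while a crib hit is near-conclusive. Multi-byte repeating keys need one extra step, guessing the key length (for example by Hamming distance between blocks) and then running this same single-byte attack on each key position; the rolling-XOR and additive schemes some families use need their own scoring but the brute-force-and-score structure is the same.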
## Debugging and Reverse Engineering
*Disassemblers, debuggers, and other static and dynamic analysis tools.*
* [Bokken](https://inguma.eu/projects/bokken) - GUI for Pyew and Radare.
* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
modular debugger with a Qt GUI.
* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Commercial
disassembler and debugger (Windows, Linux, Mac OS X), with a free evaluation version.
* [ltrace](http://ltrace.org/) - Traces the shared-library calls (and, with
`-S`, the system calls) made by a running Linux process.
* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
for static analysis of Linux binaries.
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
executables.
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
analysis.
* [strace](https://sourceforge.net/projects/strace/) - Traces the system
calls and signals of a running Linux process.
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
debugger support.
* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
for x86 and x86_64.
* [Vivisect](http://visi.kenshoto.com/viki/Vivisect) - Python tool for
malware analysis.
## Network
*Analyze network interactions.*
## Memory Forensics
*Tools for dissecting malware in memory images or running systems.*
* [FindAES](https://jessekornblum.livejournal.com/269749.html) - Find AES
encryption keys in memory.
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
forked from Volatility in 2013.
* [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
on Volatility for automating various malware analysis tasks.
* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced
memory forensics framework.
* [WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365) - Live
memory inspection and kernel debugging for Windows systems.
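FindAES works because AES implementations keep the expanded key schedule in RAM, and every round key is a fixed function of the one before it: a 16-byte window whose next 160 bytes equal its own FIPS-197 expansion is, with overwhelming probability, a live AES-128 key rather than a coincidence. The script below is an added example of that scan and is not FindAES's code. It derives the S-box arithmetically to stay self-contained, builds the key schedule, and sweeps a constructed memory buffer at every byte offset; the FIPS-197 Appendix A key is used only because its expansion is a published test vector. AES-192 and AES-256 use the same idea with 208- and 240-byte schedules and are left out here.

```python
"""Find AES-128 keys in a memory image by recognising their key schedule.

Added example reproducing the technique behind FindAES (not its code).
The expanded key is 176 bytes; the first 16 are the key and every
following round key derives deterministically from the previous one, so
a window that matches its own expansion is a key. SBOX is computed from
the GF(2^8) definition so that nothing external is needed. MEMORY is a
constructed buffer with one schedule embedded at a known offset.
"""
import random

RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _gmul(a: int, b: int) -> int:
    """Full GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> bytes:
    """S-box = affine transform of the multiplicative inverse (0 maps to 0)."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gmul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = s = inv[x]
        for _ in range(4):                      # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return bytes(sbox)


SBOX = _build_sbox()


def _next_round_word(prev: bytes, back: bytes, rcon: int) -> bytes:
    """w[i] for i % 4 == 0: w[i-4] ^ SubWord(RotWord(w[i-1])) ^ Rcon."""
    t = bytes(SBOX[b] for b in prev[1:] + prev[:1])
    t = bytes([t[0] ^ rcon]) + t[1:]
    return bytes(a ^ b for a, b in zip(back, t))


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key to the 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_round_word(w[i - 1], w[i - 4], RCON[i // 4 - 1]))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(mem: bytes) -> list:
    """Return [(offset, key)] for every window that equals its own expansion."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        key = mem[off:off + 16]
        # Cheap filter: only expand fully if the first derived word already matches.
        if _next_round_word(key[12:16], key[0:4], RCON[0]) != mem[off + 16:off + 20]:
            continue
        if expand_key_128(key) == mem[off:off + 176]:
            hits.append((off, key))
    return hits


# Constructed memory image: junk, one expanded key schedule, more junk.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
_rng = random.Random(2015)
MEMORY = (bytes(_rng.getrandbits(8) for _ in range(3000))
          + expand_key_128(KEY)
          + bytes(_rng.getrandbits(8) for _ in range(3000)))

if __name__ == "__main__":
    for offset, key in find_aes128_keys(MEMORY):
        print(f"AES-128 key schedule at offset 0x{offset:x}: {key.hex()}")
```

On a real acquisition the same scan runs over a memory dump obtained with Volatility or Rekall, or over a process's address space, and a recovered key goes straight to decrypting the sample's C2 traffic or its encrypted payload. Keys that exist only transiently, or implementations that keep the schedule in a non-contiguous or hardware-specific layout, will not be found this way.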
## Miscellaneous
* [REMnux](https://remnux.org/) - Linux distribution and docker images for
malware reverse engineering and analysis.
# Resources
## Books
*Essential malware analysis reading material.*
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
Tools and Techniques for Fighting Malicious Code.
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide
to Dissecting Malicious Software.
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
Malware and Threats in Windows, Linux, and Mac Memory.
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
to the World's Most Popular Disassembler.
## Twitter
## Other
* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
other resources.
* [Malicious Software](https://zeltser.com/malicious-software/) - Malware
blog and resources by Lenny Zeltser.
* [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit.
* [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) -
Reverse engineering subreddit, not limited to just malware.
# Related Awesome Lists
* [Android Security](https://github.com/ashishb/android-security-awesome)
* [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Security](https://github.com/sbilly/awesome-security)
# [Contributing](CONTRIBUTING.md)
Pull requests and issues with suggestions are welcome!