2015-05-08 20:08:28 -04:00
|
|
|
# Awesome Malware Analysis
|
|
|
|
|
|
|
|
A curated list of awesome malware analysis tools and resources. Inspired by
|
|
|
|
[awesome-python](https://github.com/vinta/awesome-python) and
|
|
|
|
[awesome-php](https://github.com/ziadoz/awesome-php).
|
|
|
|
|
2015-05-09 15:51:27 -04:00
|
|
|
*Work in progress!*
|
|
|
|
|
2015-05-08 20:08:28 -04:00
|
|
|
- [Awesome Malware Analysis](#awesome-malware-analysis)
|
2015-05-08 23:40:28 -04:00
|
|
|
- [Malware Collection](#malware-collection)
|
|
|
|
- [Anonymizers](#anonymizers)
|
|
|
|
- [Honeypots](#honeypots)
|
|
|
|
- [Malware Corpora](#malware-corpora)
|
2015-05-09 14:35:06 -04:00
|
|
|
- [Open Source Threat Intelligence](#open-source-threat-intelligence)
|
2015-05-09 00:28:10 -04:00
|
|
|
- [Detection and Classification](#detection-and-classification)
|
2015-05-09 00:35:17 -04:00
|
|
|
- [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
|
2015-05-09 00:46:55 -04:00
|
|
|
- [Domain Analysis](#domain-analysis)
|
2015-05-09 13:19:48 -04:00
|
|
|
- [Browser Malware](#browser-malware)
|
2015-05-09 11:25:59 -04:00
|
|
|
- [Documents and Shellcode](#documents-and-shellcode)
|
2015-05-09 12:05:04 -04:00
|
|
|
- [File Carving](#file-carving)
|
|
|
|
- [Deobfuscation](#deobfuscation)
|
2015-05-09 12:41:13 -04:00
|
|
|
- [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
|
2015-05-09 12:05:04 -04:00
|
|
|
- [Network](#network)
|
2015-05-09 00:41:41 -04:00
|
|
|
- [Memory Forensics](#memory-forensics)
|
2015-05-09 18:01:22 -04:00
|
|
|
- [Storage and Workflow](#storage-and-workflow)
|
2015-05-09 00:31:31 -04:00
|
|
|
- [Miscellaneous](#miscellaneous)
|
2015-05-08 20:08:28 -04:00
|
|
|
- [Resources](#resources)
|
|
|
|
- [Books](#books)
|
|
|
|
- [Twitter](#twitter)
|
2015-05-08 23:51:11 -04:00
|
|
|
- [Other](#other)
|
2015-05-08 20:08:28 -04:00
|
|
|
- [Related Awesome Lists](#related-awesome-lists)
|
|
|
|
- [Contributing](#contributing)
|
|
|
|
|
|
|
|
---
|
|
|
|
|
2015-05-08 23:40:28 -04:00
|
|
|
## Malware Collection
|
2015-05-08 20:08:28 -04:00
|
|
|
|
2015-05-08 23:40:28 -04:00
|
|
|
### Anonymizers
|
|
|
|
|
|
|
|
*Web traffic anonymizers for analysts.*
|
|
|
|
|
2015-05-09 00:23:12 -04:00
|
|
|
* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
|
|
|
|
* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
|
|
|
|
* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
|
|
|
|
privacy features.
|
2015-05-08 23:40:28 -04:00
|
|
|
* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
|
|
|
|
without leaving traces of the client IP.
|
2015-05-08 23:51:11 -04:00
|
|
|
|
|
|
|
### Honeypots
|
|
|
|
|
2015-05-09 00:24:53 -04:00
|
|
|
*Trap and collect your own samples.*
|
|
|
|
|
2015-05-09 12:07:52 -04:00
|
|
|
* [Conpot](https://github.com/glastopf/conpot) - ICS/SCADA honeypot.
|
2015-05-09 12:15:29 -04:00
|
|
|
* [Dionaea](http://dionaea.carnivore.it/) - Honeypot designed to trap
|
|
|
|
malware.
|
2015-05-09 12:07:52 -04:00
|
|
|
* [Glastopf](http://glastopf.org/) - Web application honeypot.
|
2015-05-09 12:11:32 -04:00
|
|
|
* [Honeyd](http://honeyd.org/) - Create a virtual honeynet.
|
|
|
|
* [Kippo](https://github.com/desaster/kippo) - Medium interaction SSH honeypot.
|
2015-05-09 17:57:21 -04:00
|
|
|
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
|
|
|
|
honeypot data; supports Dionaea.
|
2015-05-09 12:06:09 -04:00
|
|
|
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
|
|
|
|
investigating malicious websites.
|
|
|
|
|
2015-05-08 23:51:11 -04:00
|
|
|
### Malware Corpora
|
|
|
|
|
2015-05-09 00:24:53 -04:00
|
|
|
*Malware samples collected for analysis.*
|
|
|
|
|
2015-05-09 11:17:07 -04:00
|
|
|
* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
|
|
|
|
database of malware and malicious domains.
|
2015-05-08 23:51:11 -04:00
|
|
|
* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
|
|
|
|
malware samples and analyses.
|
2015-05-09 11:34:23 -04:00
|
|
|
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
|
|
|
|
samples.
|
2015-05-09 17:58:14 -04:00
|
|
|
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
|
|
|
|
analysts.
|
2015-05-09 17:59:14 -04:00
|
|
|
* [maltrieve](https://github.com/krmaxwell/maltrieve) - Retrieve malware
|
|
|
|
samples directly from a number of online sources.
|
2015-05-09 11:17:07 -04:00
|
|
|
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
|
|
|
|
of malware sample sources put together by Lenny Zeltser.
|
2015-05-08 23:51:11 -04:00
|
|
|
|
2015-05-09 14:35:06 -04:00
|
|
|
## Open Source Threat Intelligence
|
|
|
|
|
|
|
|
*Threat intelligence and IOC resources.*
|
|
|
|
|
2015-05-09 15:04:59 -04:00
|
|
|
* [Autoshun](http://autoshun.org/) ([list](http://autoshun.org/)) - Snort
|
|
|
|
plugin and blocklist.
|
2015-05-09 15:53:55 -04:00
|
|
|
* [CI Army](http://www.ciarmy.com/) ([list](http://www.ciarmy.com/list/ci-badguys.txt)) -
|
|
|
|
Network security blocklists.
|
2015-05-09 14:48:40 -04:00
|
|
|
* [Emerging Threats](http://www.emergingthreats.net/) - Rulesets and more.
|
2015-05-09 15:49:07 -04:00
|
|
|
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
|
2015-05-09 15:09:30 -04:00
|
|
|
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
|
|
|
|
searchable incident database, with a web [API](https://dshield.org/api/)
|
|
|
|
([unofficial Python library](https://github.com/rshipp/python-dshield)).
|
2015-05-09 14:48:40 -04:00
|
|
|
* [malc0de](http://malc0de.com/database/) - Searchable incident database.
|
|
|
|
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
|
|
|
|
malicious URLs.
|
2015-05-09 14:35:06 -04:00
|
|
|
* [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence.
|
2015-05-09 14:48:40 -04:00
|
|
|
* [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet
|
|
|
|
C&C blocklists.
|
|
|
|
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
|
|
|
|
blocklists.
|
2015-05-09 14:35:06 -04:00
|
|
|
|
2015-05-09 00:28:10 -04:00
|
|
|
## Detection and Classification
|
|
|
|
|
|
|
|
*Antivirus and other malware identification tools*
|
|
|
|
|
2015-05-09 11:36:04 -04:00
|
|
|
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
|
|
|
|
variety of tools for reporting on Windows PE files.
|
2015-05-09 13:35:33 -04:00
|
|
|
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
|
2015-05-09 00:28:10 -04:00
|
|
|
* [ClamAV](http://www.clamav.net/index.html) - Open source antivirus engine.
|
2015-05-09 12:38:12 -04:00
|
|
|
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
|
|
|
|
edit file metadata.
|
2015-05-09 13:11:57 -04:00
|
|
|
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
|
|
|
|
a variety of algorithms.
|
2015-05-09 13:14:18 -04:00
|
|
|
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
|
|
|
|
up hashes in NIST's National Software Reference Library database.
|
2015-05-09 12:48:29 -04:00
|
|
|
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
|
|
|
|
Python alternative to PEiD.
|
2015-05-09 14:01:36 -04:00
|
|
|
* [PEiD](http://woodmann.com/BobSoft/Pages/Programs/PEiD) - Packer identifier
|
|
|
|
for Windows binaries.
|
2015-05-09 13:35:33 -04:00
|
|
|
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
|
2015-05-09 13:11:57 -04:00
|
|
|
* [ssdeep](http://ssdeep.sourceforge.net/) - Compute fuzzy hashes.
|
2015-05-09 13:23:18 -04:00
|
|
|
* [totalhash.py](https://gist.github.com/malc0de/10270150) - Python script
|
|
|
|
for easy searching of the [TotalHash.com](http://totalhash.com/) database.
|
2015-05-09 12:38:12 -04:00
|
|
|
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
|
2015-05-09 00:28:10 -04:00
|
|
|
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
|
|
|
|
analysts.
|
|
|
|
|
2015-05-09 00:35:17 -04:00
|
|
|
## Online Scanners and Sandboxes
|
|
|
|
|
2015-05-09 12:29:41 -04:00
|
|
|
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
|
|
|
|
|
2015-05-09 11:24:09 -04:00
|
|
|
* [Cuckoo Sandbox](http://cuckoosandbox.org/) - Open source, self hosted
|
|
|
|
sandbox and automated analysis system.
|
2015-05-09 00:35:17 -04:00
|
|
|
* [Jotti]() - Free online multi-AV scanner.
|
|
|
|
* [Malwr]() - Free analysis with an online Cuckoo Sandbox instance.
|
2015-05-09 00:35:53 -04:00
|
|
|
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
|
|
|
|
samples and URLs
|
2015-05-09 11:24:09 -04:00
|
|
|
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
|
|
|
|
automated sandboxes and services, compiled by Lenny Zeltser.
|
2015-05-09 00:35:17 -04:00
|
|
|
|
2015-05-09 17:55:44 -04:00
|
|
|
Related:
|
|
|
|
|
|
|
|
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
|
|
|
|
script for safely uploading binaries to sandbox sites.
|
|
|
|
|
2015-05-09 11:26:12 -04:00
|
|
|
## Domain Analysis
|
|
|
|
|
|
|
|
*Inspect domains and IP addresses.*
|
|
|
|
|
|
|
|
* [Dig](http://networking.ringofsaturn.com/) - Free online dig and other
|
|
|
|
network tools.
|
2015-05-09 11:36:04 -04:00
|
|
|
* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
|
|
|
|
about an IP or domain by searching online resources.
|
2015-05-09 13:17:09 -04:00
|
|
|
* [TekDefense Automator](http://www.tekdefense.com/automater/) - OSINT tool
|
|
|
|
for gatherig information about URLs, IPs, or hashes.
|
2015-05-09 11:26:12 -04:00
|
|
|
* [Whois](http://whois.domaintools.com/) - DomainTools free online whois
|
|
|
|
search.
|
|
|
|
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
|
|
|
|
online tools for researching malicious websites, compiled by Lenny Zeltser.
|
|
|
|
|
2015-05-09 13:19:48 -04:00
|
|
|
## Browser Malware
|
|
|
|
|
2015-05-09 13:20:38 -04:00
|
|
|
*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
|
|
|
|
[documents and shellcode](#documents-and-shellcode) sections.*
|
2015-05-09 13:19:48 -04:00
|
|
|
|
2015-05-09 13:59:46 -04:00
|
|
|
* [Firebug](http://getfirebug.com/) - Firefox extension for web development.
|
2015-05-09 13:44:40 -04:00
|
|
|
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
|
|
|
|
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
|
|
|
|
IDX cache files.
|
2015-05-09 14:50:43 -04:00
|
|
|
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
|
|
|
|
malware analysis tool.
|
|
|
|
* [jsunpack-n](https://code.google.com/p/jsunpack-n/) - A javascript
|
|
|
|
unpacker that emulates browser functionality.
|
2015-05-09 13:44:40 -04:00
|
|
|
* [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
|
2015-05-09 13:41:24 -04:00
|
|
|
* [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust
|
|
|
|
ActionScript Bytecode Disassembler."
|
2015-05-09 13:39:46 -04:00
|
|
|
* [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash
|
|
|
|
files.
|
|
|
|
* [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
|
|
|
|
Python script for analyzing Flash files.
|
|
|
|
|
2015-05-09 11:34:23 -04:00
|
|
|
## Documents and Shellcode
|
|
|
|
|
2015-05-09 14:53:33 -04:00
|
|
|
*Analyze malicious JS and shellcode from PDFs and Office documents. See also
|
|
|
|
the [browser malware](#browser-malware) section.*
|
2015-05-09 12:29:41 -04:00
|
|
|
|
2015-05-09 11:36:04 -04:00
|
|
|
* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
|
|
|
|
analyzing PDFs and attempting to determine whether they are malicious.
|
2015-05-09 11:50:57 -04:00
|
|
|
* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
|
|
|
|
malicious shellcode.
|
2015-05-09 12:34:53 -04:00
|
|
|
* [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
|
2015-05-09 11:50:57 -04:00
|
|
|
* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
|
|
|
|
emulation.
|
2015-05-09 11:52:49 -04:00
|
|
|
* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
|
|
|
|
into a JSON representation.
|
2015-05-09 11:50:57 -04:00
|
|
|
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
|
|
|
|
malicious traces in MS Office documents.
|
2015-05-09 17:03:32 -04:00
|
|
|
* [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE
|
|
|
|
and OpenXML documents and extracting useful information.
|
2015-05-09 11:57:05 -04:00
|
|
|
* [Origami PDF](https://code.google.com/p/origami-pdf/) - A tool for
|
|
|
|
analyzing malicious PDFs, and more.
|
2015-05-09 11:46:37 -04:00
|
|
|
* [PDF Tools](http://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
|
|
|
|
pdf-parser, and more from Didier Stevens.
|
2015-05-09 11:57:26 -04:00
|
|
|
* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
|
2015-05-09 11:52:49 -04:00
|
|
|
the backend-free version of PDF X-RAY.
|
2015-05-09 11:58:39 -04:00
|
|
|
* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
|
|
|
|
tool for exploring possibly malicious PDFs.
|
2015-05-09 11:34:23 -04:00
|
|
|
* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
|
|
|
|
Mozilla's JavaScript engine, for debugging malicious JS.
|
|
|
|
|
2015-05-09 13:05:07 -04:00
|
|
|
## File Carving
|
|
|
|
|
|
|
|
*For extracting files from inside disk and memory images.*
|
|
|
|
|
|
|
|
* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
|
|
|
|
carving tool.
|
|
|
|
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
|
|
|
|
by the US Air Force.
|
|
|
|
* [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python
|
|
|
|
libraries for dealing with binary files.
|
|
|
|
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
|
|
|
|
tool.
|
|
|
|
|
2015-05-09 13:07:39 -04:00
|
|
|
## Deobfuscation
|
|
|
|
|
|
|
|
*Reverse XOR and other code obfuscation methods*
|
|
|
|
|
2015-05-09 12:41:13 -04:00
|
|
|
## Debugging and Reverse Engineering
|
|
|
|
|
2015-05-09 12:48:55 -04:00
|
|
|
*Disassemblers, debuggers, and other static and dynamic analysis tools.*
|
|
|
|
|
|
|
|
* [Bokken](https://inguma.eu/projects/bokken) - GUI for Pyew and Radare.
|
2015-05-09 12:57:48 -04:00
|
|
|
* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
|
|
|
|
modular debugger with a Qt GUI.
|
|
|
|
* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
|
2015-05-09 12:48:55 -04:00
|
|
|
* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
|
|
|
|
disassembler and debugger, with a free evaluation version.
|
2015-05-09 15:48:03 -04:00
|
|
|
* [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
|
|
|
|
malware analysis and more, with a Python API.
|
2015-05-09 12:57:48 -04:00
|
|
|
* [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
|
2015-05-09 12:51:23 -04:00
|
|
|
* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
|
|
|
|
for static analysis of Linux binaries.
|
2015-05-09 12:57:48 -04:00
|
|
|
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
|
|
|
|
executables.
|
2015-05-09 16:04:20 -04:00
|
|
|
* [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) -
|
|
|
|
Advanced monitoring tool for Windows programs.
|
2015-05-09 12:48:55 -04:00
|
|
|
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
|
|
|
|
analysis.
|
2015-05-09 12:57:48 -04:00
|
|
|
* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
|
|
|
|
Linux executables.
|
2015-05-09 12:41:13 -04:00
|
|
|
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
|
|
|
|
debugger support.
|
2015-05-09 12:51:23 -04:00
|
|
|
* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
|
|
|
|
for x86 and x86_64.
|
2015-05-09 12:57:48 -04:00
|
|
|
* [Vivisect](http://visi.kenshoto.com/viki/Vivisect) - Python tool for
|
|
|
|
malware analysis.
|
2015-05-09 12:41:13 -04:00
|
|
|
|
2015-05-09 13:07:39 -04:00
|
|
|
## Network
|
|
|
|
|
|
|
|
*Analyze network interactions.*
|
|
|
|
|
2015-05-09 14:20:31 -04:00
|
|
|
* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
|
|
|
|
building a malware lab.
|
2015-05-09 17:50:03 -04:00
|
|
|
* [Malcom](https://github.com/tomchop/malcom) - Malware Communications
|
|
|
|
Analyzer.
|
2015-05-09 14:20:31 -04:00
|
|
|
* [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly.
|
|
|
|
* [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network
|
|
|
|
forensic analysis tool, with a free version.
|
|
|
|
* [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
|
|
|
|
like grep.
|
|
|
|
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
|
|
|
|
* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
|
|
|
|
from network traffic.
|
|
|
|
* [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network
|
|
|
|
traffic.
|
|
|
|
* [Wireshark](https://www.wireshark.org/) - The network traffic analysis
|
|
|
|
tool.
|
|
|
|
|
2015-05-09 00:41:41 -04:00
|
|
|
## Memory Forensics
|
|
|
|
|
2015-05-09 00:46:55 -04:00
|
|
|
*Tools for dissecting malware in memory images or running systems.*
|
|
|
|
|
2015-05-09 17:51:31 -04:00
|
|
|
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
|
|
|
|
Malware in Memory, built on Volatility
|
2015-05-09 00:41:41 -04:00
|
|
|
* [FindAES](https://jessekornblum.livejournal.com/269749.html) - Find AES
|
|
|
|
encryption keys in memory.
|
2015-05-09 17:53:25 -04:00
|
|
|
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
|
|
|
|
of analysis using Volatility, and create a readable report.
|
2015-05-09 00:41:41 -04:00
|
|
|
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
|
|
|
|
forked from Volatility in 2013.
|
|
|
|
* [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
|
|
|
|
on Volatility for automating various malware analysis tasks.
|
|
|
|
* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced
|
|
|
|
memory forensics framework.
|
2015-05-09 00:42:55 -04:00
|
|
|
* [WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365) - Live
|
|
|
|
memory inspection and kernel debugging for Windows systems.
|
2015-05-09 00:41:41 -04:00
|
|
|
|
2015-05-09 18:01:22 -04:00
|
|
|
## Storage and Workflow
|
|
|
|
|
|
|
|
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
|
|
|
|
search malware.
|
2015-05-09 18:02:53 -04:00
|
|
|
* [Viper](http://viper.li/) - A binary management and analysis framework for
|
|
|
|
analysts and researchers.
|
2015-05-09 18:01:22 -04:00
|
|
|
|
2015-05-09 00:31:31 -04:00
|
|
|
## Miscellaneous
|
|
|
|
|
|
|
|
* [REMnux](https://remnux.org/) - Linux distribution and docker images for
|
|
|
|
malware reverse engineering and analysis.
|
|
|
|
|
2015-05-08 23:51:11 -04:00
|
|
|
# Resources
|
|
|
|
|
|
|
|
## Books
|
|
|
|
|
2015-05-09 12:29:41 -04:00
|
|
|
*Essential malware analysis reading material.*
|
|
|
|
|
2015-05-09 12:25:31 -04:00
|
|
|
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
|
|
|
|
Tools and Techniques for Fighting Malicious Code.
|
|
|
|
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide
|
|
|
|
to Dissecting Malicious Software.
|
|
|
|
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
|
|
|
|
Malware and Threats in Windows, Linux, and Mac Memory.
|
|
|
|
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
|
|
|
|
to the World's Most Popular Disassembler.
|
|
|
|
|
2015-05-08 23:51:11 -04:00
|
|
|
## Twitter
|
|
|
|
|
2015-05-09 18:13:49 -04:00
|
|
|
*Some relevant Twitter accounts.*
|
|
|
|
|
2015-05-09 18:11:27 -04:00
|
|
|
* Andrew Case [@attrc](https://twitter.com/attrc)
|
|
|
|
* Claudio [@botherder](https://twitter.com/botherder)
|
|
|
|
* jekil [@jekil](https://twitter.com/jekil)
|
|
|
|
* Jurriaan Bremer [@skier_t](https://twitter.com/skier_t)
|
|
|
|
* Mark Schloesser [@repmovsb](https://twitter.com/repmovsb)
|
|
|
|
* Michael Ligh (MHL) [@iMHLv2](https://twitter.com/iMHLv2)
|
|
|
|
|
2015-05-08 23:51:11 -04:00
|
|
|
## Other
|
|
|
|
|
2015-05-09 12:15:29 -04:00
|
|
|
* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
|
|
|
|
other resources.
|
2015-05-09 11:17:07 -04:00
|
|
|
* [Malicious Software](https://zeltser.com/malicious-software/) - Malware
|
|
|
|
blog and resources by Lenny Zeltser.
|
|
|
|
* [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit.
|
|
|
|
* [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) -
|
|
|
|
Reverse engineering subreddit, not limited to just malware.
|
|
|
|
|
2015-05-08 23:51:11 -04:00
|
|
|
# Related Awesome Lists
|
|
|
|
|
|
|
|
* [Android Security](https://github.com/ashishb/android-security-awesome)
|
|
|
|
* [Pentesting](https://github.com/enaqx/awesome-pentest)
|
|
|
|
* [Security](https://github.com/sbilly/awesome-security)
|
|
|
|
|
|
|
|
# [Contributing](CONTRIBUTING.md)
|
|
|
|
|
|
|
|
Pull requests and issues with suggestions are welcome!
|