From 34cadb9f0249b459acb37cf6fd0c2a42f9e48ec8 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:17:42 +0000 Subject: [PATCH 1/9] add Bytecode Viewer --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 134561e..c38055d 100644 --- a/README.md +++ b/README.md @@ -412,6 +412,9 @@ executables. *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.* +* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - combines + multiple Java bytecode viewers and decompilers into one tool, including + APK/DEX support. * [Firebug](https://getfirebug.com/) - Firefox extension for web development. * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java From d5e5032656add9b8d1061c37959f4b5f86203258 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:32:44 +0000 Subject: [PATCH 2/9] add PyInstaller Extractor --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index c38055d..e086ca4 100644 --- a/README.md +++ b/README.md 
@@ -506,6 +506,11 @@ the [browser malware](#browser-malware) section.* XOR key using frequency analysis. * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic hidden code extractor for Windows malware. +* [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - + a Python script to extract the contents of a PyInstaller generated Windows + executable file. The contents of the pyz file (usually pyc files) present + inside the executable are also extracted and automatically fixed so that a + Python bytecode decompiler will recognize it. * [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and platform-independent unpacker for Windows binaries based on emulation. * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware From 34799bcd505b129f30f9cc0a58cda312160c82bf Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:36:32 +0000 Subject: [PATCH 3/9] add uncompyle6 --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index e086ca4..bcb5c17 100644 --- a/README.md +++ b/README.md @@ -511,6 +511,9 @@ the [browser malware](#browser-malware) section.* executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it. +* [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version + Python bytecode decompiler. Translates Python bytecode back into equivalent + Python source code. * [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and platform-independent unpacker for Windows binaries based on emulation. * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware From 1ce7f02103b7e8adbc7323a13b4420739707ff21 Mon Sep 17 00:00:00 2001 
From: knowmalware Date: Sat, 15 Aug 2020 02:48:27 +0000 Subject: [PATCH 4/9] add OllyDumpEx --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index bcb5c17..8a15501 100644 --- a/README.md +++ b/README.md @@ -592,6 +592,9 @@ the [browser malware](#browser-malware) section.* for static analysis of Linux binaries. * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows executables. +* [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory + from (unpacked) malware Windows process and store raw or rebuild PE file. + This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg. * [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis. * [PEDA](https://github.com/longld/peda) - Python Exploit Development From 2dd42682bd1727daaa45bb725d86e7ce8cb712fb Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:52:01 +0000 Subject: [PATCH 5/9] add ScyllaHide --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8a15501..35c80c6 100644 --- a/README.md +++ b/README.md @@ -631,6 +631,8 @@ the [browser malware](#browser-malware) section.* [API](https://retdec.com/api/) that you can use in your tools. * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks. +* [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library + and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine. * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for From 986dc7717411deb964bb1baf9c0ff21d25be1a1e Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:55:25 +0000 Subject: [PATCH 6/9] add Scylla Imports Reconstructor --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 35c80c6..73ab7aa 100644 --- a/README.md +++ b/README.md @@ -631,6 +631,8 @@ the [browser malware](#browser-malware) section.* [API](https://retdec.com/api/) that you can use in your tools. * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks. +* [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix + the IAT of an unpacked / dumped PE32 malware. * [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine. * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a From 78f1c9611ded404848ba7d98322dc65f40324922 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:10:20 +0000 Subject: [PATCH 7/9] add fn2yara --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 73ab7aa..f4d2b38 100644 --- a/README.md +++ b/README.md @@ -237,6 +237,8 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 edit file metadata. * [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - Modular, recursive file scanning solution. +* [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate + Yara signatures for matching functions (code) in an executable program. * [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files. * [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with a variety of algorithms. From 0dcd51b2173cdc8af97503fbc9aa3d41c380a536 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:13:44 +0000 Subject: [PATCH 8/9] fix capitalization for Bytecode Viewer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f4d2b38..ac07577 100644 --- a/README.md 
+++ b/README.md @@ -414,7 +414,7 @@ executables. *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.* -* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - combines +* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support. * [Firebug](https://getfirebug.com/) - Firefox extension for web development. From 3b24662087e0a92b6672b20e798739a2e33de381 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:14:29 +0000 Subject: [PATCH 9/9] fix capitalization for PyInstaller Extractor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac07577..0cc38eb 100644 --- a/README.md +++ b/README.md @@ -509,7 +509,7 @@ the [browser malware](#browser-malware) section.* * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic hidden code extractor for Windows malware. * [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - - a Python script to extract the contents of a PyInstaller generated Windows + A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
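Review bot: PATCH 8/9 and PATCH 9/9 only re-capitalize lines that PATCH 1/9 and PATCH 2/9 introduce in this same series ("combines" -> "Combines", "a Python script" -> "A Python script"), so they should be squashed into the commits they fix rather than shipped as separate history; every neighbouring entry in those hunks ("Firefox extension ...", "Decompile and inspect ...", "A generic hidden code extractor ...") already starts its description with a capital, so the corrected form is the list's convention.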
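Review bot: In PATCH 3/9 the uncompyle6 entry lands among the unpackers (between PyInstaller Extractor and un{i}packer), but the description itself says it "Translates Python bytecode back into equivalent Python source code", which is decompilation, not unpacking. If the intent is to pair it with PyInstaller Extractor (whose description in PATCH 2/9 says its pyc output is "fixed so that a Python bytecode decompiler will recognize it"), say so in the entry, e.g. "... Python source code; works on the pyc files recovered by PyInstaller Extractor." Otherwise it belongs with the other decompilers in the reverse-engineering list. Minor: the URL has a trailing slash (`https://github.com/rocky/python-uncompyle6/`) while the adjacent GitHub links in the hunk do not.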
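Review bot: The OllyDumpEx description in PATCH 4/9 drops its articles and objects: "Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file." Suggest "Dump memory from an (unpacked) malware Windows process and store it raw or rebuild it as a PE file." The second sentence listing the supported hosts (OllyDbg, Immunity Debugger, IDA Pro, WinDbg, x64dbg) is useful and matches how the ScyllaHide entry later in the series is phrased.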
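Review bot: PATCH 5/9 and PATCH 6/9 carry the identical hunk header `@@ -631,6 +631,8 @@` and insert adjacent lines, so they are one logical change and could be a single commit. In the ScyllaHide line, "An Anti-Anti-Debug library" capitalizes a generic term; the rest of the list uses lowercase for such phrases (e.g. "hidden code extractor", "assembly-level debugger"), so "An anti-anti-debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine." would be consistent.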
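Review bot: The Scylla Imports Reconstructor entry in PATCH 6/9 says "Find and fix the IAT of an unpacked / dumped PE32 malware", which restricts the tool to 32-bit images; please confirm against the upstream README and, if it handles 64-bit images as well, write "PE32/PE32+" so readers do not skip it for x64 dumps. Also "PE32 malware" reads oddly; "a PE32 malware sample" or "an unpacked or dumped PE32 binary" is cleaner.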
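Review bot: In PATCH 7/9 the fn2yara line is inconsistent with itself and with the list format: the link text is "fn2yara" while the description restarts with "FN2Yara is a tool to ...", and no other entry in the hunk repeats its own name after the dash ("hashdeep - Compute digest hashes ...", "File Scanning Framework - Modular, recursive ..."). Suggest "fn2yara - Generate YARA signatures that match functions (code) in an executable; part of the Pharos static analysis framework." The URL points at the whole `cmu-sei/pharos` repository rather than the fn2yara tool, so naming Pharos in the description tells the reader what they will find at the link.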