Merge remote-tracking branch 'refs/remotes/rshipp/master'

This commit is contained in:
PolluxAvenger 2018-04-09 20:18:39 +08:00
commit a19d5fb717
2 changed files with 174 additions and 99 deletions

README.md

@ -1,7 +1,6 @@
# Awesome Malware Analysis # Awesome Malware Analysis
[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
[![Link Status](https://travis-ci.org/rshipp/awesome-malware-analysis.svg?branch=master)](https://travis-ci.org/rshipp/awesome-malware-analysis)
A curated list of awesome malware analysis tools and resources. Inspired by A curated list of awesome malware analysis tools and resources. Inspired by
[awesome-python](https://github.com/vinta/awesome-python) and [awesome-python](https://github.com/vinta/awesome-python) and
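Review bot: the Travis link-status badge is removed with nothing replacing it; if the upstream link checker still runs, keep the badge, and if it was dropped deliberately the commit message should say so, since dead URLs are the main defect a list like this accumulates.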
@ -57,11 +56,13 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot. * [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based * [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
on Kippo. on Kippo.
[Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware. * [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots.
* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot. * [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet. * [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
* [HoneyDrive](http://bruteforce.gr/honeydrive) - Honeypot bundle Linux distro. * [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
* [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots.
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
honeypot data; supports Dionaea. honeypot data; supports Dionaea.
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for * [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
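Review bot: the new entry's display name `DemoHunter` does not match its URL `github.com/RevengeComing/DemonHunter`; one of the two is a typo, and since the URL carries the repository name the display text should read `DemonHunter`.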
@ -77,9 +78,9 @@ A curated list of awesome malware analysis tools and resources. Inspired by
malware samples and analyses. malware samples and analyses.
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode * [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
samples. samples.
* [Malshare](http://malshare.com) - Large repository of malware actively * [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
* [Malshare](https://malshare.com) - Large repository of malware actively
scrapped from malicious sites. scrapped from malicious sites.
samples directly from a number of online sources.
* [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository. * [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository.
* [Open Malware Project](http://openmalware.org/) - Sample information and * [Open Malware Project](http://openmalware.org/) - Sample information and
downloads. Formerly Offensive Computing. downloads. Formerly Offensive Computing.
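Review bot: `scrapped from malicious sites` in the Malshare entry should be `scraped`; this hunk already rewrites that entry's URL to https, so fix the wording in the same change. The Infosec - CERT-PA entry is placed correctly between Exploit Database and Malshare.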
@ -87,9 +88,11 @@ A curated list of awesome malware analysis tools and resources. Inspired by
crawler with pre-analysis and reporting functionalities crawler with pre-analysis and reporting functionalities
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for * [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
analysts. analysts.
* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker * [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker
and malicious download sites. and malicious download sites.
* [ViruSign](http://www.virusign.com/) - Malware database that detected by * [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of
various malware files and source code.
* [ViruSign](http://www.virussign.com/) - Malware database that detected by
many anti malware programs except ClamAV. many anti malware programs except ClamAV.
* [VirusShare](https://virusshare.com/) - Malware repository, registration * [VirusShare](https://virusshare.com/) - Malware repository, registration
required. required.
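Review bot: `Agregator` in the Tracker h3x entry is a typo for `Aggregator` and sits inside this hunk's context; fix it here. The ViruSign URL change to `virussign.com` brings the domain in line with the entry name.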
@ -121,12 +124,14 @@ A curated list of awesome malware analysis tools and resources. Inspired by
working with OpenIOC objects, from Mandiant. working with OpenIOC objects, from Mandiant.
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework). from various lists. Curated by the
[CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing * [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
Platform curated by [The MISP Project](http://www.misp-project.org/). Platform curated by [The MISP Project](http://www.misp-project.org/).
* [PassiveTotal](https://www.passivetotal.org/) - Research, connect, tag and * [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
share IPs and domains.
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor. * [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
share IPs and domains. (Was PassiveTotal.)
* [threataggregator](https://github.com/jpsenior/threataggregator) - * [threataggregator](https://github.com/jpsenior/threataggregator) -
Aggregates security threats from a number of sources, including some of Aggregates security threats from a number of sources, including some of
those listed below in [other resources](#other-resources). those listed below in [other resources](#other-resources).
@ -152,8 +157,6 @@ A curated list of awesome malware analysis tools and resources. Inspired by
Network security blocklists. Network security blocklists.
* [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free * [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free
intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators. intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
* [CRDF ThreatCenter](http://threatcenter.crdf.fr/) - List of new threats detected
by CRDF anti-malware.
* [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker. * [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise * [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
shared publicly by FireEye. shared publicly by FireEye.
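Review bot: the CRDF ThreatCenter entry is deleted without a reason in the hunk or the commit message; if the site is down, say so in the commit message so a reviewer can tell a dead-link cleanup from an entry lost in the merge.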
@ -161,18 +164,19 @@ A curated list of awesome malware analysis tools and resources. Inspired by
with a focus on attacks, malware and abuse. Evolution, Changes History, with a focus on attacks, malware and abuse. Evolution, Changes History,
Country Maps, Age of IPs listed, Retention Policy, Overlaps. Country Maps, Age of IPs listed, Retention Policy, Overlaps.
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol. * [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
* [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and * [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
searchable incident database, with a web [API](https://dshield.org/api/) searchable incident database, with a web [API](https://dshield.org/api/).
([unofficial Python library](https://github.com/rshipp/python-dshield)). ([unofficial Python library](https://github.com/rshipp/python-dshield)).
* [malc0de](http://malc0de.com/database/) - Searchable incident database. * [malc0de](http://malc0de.com/database/) - Searchable incident database.
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share * [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
malicious URLs. malicious URLs.
* [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence. * [Metadefender Threat Intelligence Feeds](https://metadefender.opswat.com/threat-intelligence-feeds) -
* [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet List of the most looked up file hashes from Metadefender malware feed.
C&C blocklists. * [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - * [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
Rulesets and more. (Formerly Emerging Threats.) Rulesets and more. (Formerly Emerging Threats.)
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - * [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
A list of ransomware overview with details, detection and prevention. A list of ransomware overview with details, detection and prevention.
* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) - * [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
Standardized language to represent and share cyber threat information. Standardized language to represent and share cyber threat information.
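Review bot: moving the full stop to `web [API](https://dshield.org/api/).` leaves the next line, `([unofficial Python library](...)).`, as a stand-alone parenthetical fragment; keep the period after the closing parenthesis as in the original. Separately, the OpenIOC link now points at FireEye's generic freeware page rather than anything about OpenIOC; if openioc.org is gone, a link to the OpenIOC specification itself would serve the reader better.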
@ -181,6 +185,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by
- [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io) - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
- [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/) - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
- [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io) - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
intelligence, with search.
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000 * [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
free per month. free per month.
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository. * [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
@ -193,11 +199,16 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
variety of tools for reporting on Windows PE files. variety of tools for reporting on Windows PE files.
* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable
distributed file analysis framework.
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
AWS pipeline that scans and alerts on uploaded files based on a set of
YARA rules.
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine. * [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for * [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for
determining types of files. determining types of files.
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - Read, write and * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
edit file metadata. edit file metadata.
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - * [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
Modular, recursive file scanning solution. Modular, recursive file scanning solution.
@ -206,9 +217,11 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs. * [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and * [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
compare malware at a function level. compare malware at a function level.
* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
executables.
* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
framework. framework.
* [MultiScanner](https://github.com/MITRECND/multiscanner) - Modular file * [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
scanning/analysis framework scanning/analysis framework
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking * [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
up hashes in NIST's National Software Reference Library database. up hashes in NIST's National Software Reference Library database.
@ -217,9 +230,10 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE * [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
files, providing feature-rich tools for proper analysis of suspicious binaries. files, providing feature-rich tools for proper analysis of suspicious binaries.
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits. * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
* [ssdeep](http://ssdeep.sourceforge.net/) - Compute fuzzy hashes. * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script * [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database. Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
database.
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier. * [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for * [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
analysts. analysts.
@ -227,10 +241,12 @@ A curated list of awesome malware analysis tools and resources. Inspired by
yara rules based on a set of malware samples. Also contains a good yara rules based on a set of malware samples. Also contains a good
strings DB to avoid false positives. strings DB to avoid false positives.
## Online Scanners and Sandboxes ## Online Scanners and Sandboxes
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.* *Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
* [APK Analyzer](https://www.apk-analyzer.net/) - Free dynamic analysis of APKs.
* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs * [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
against multiple mobile antivirus apps. against multiple mobile antivirus apps.
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and * [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and
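Review bot: the two new entries break the section's alphabetical order: case-insensitively `AndroTotal` sorts before `anlyz.io`, which sorts before `APK Analyzer`, so AndroTotal should precede both additions.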
@ -241,52 +257,57 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
version of Cuckoo Sandbox released under the GPL. Not merged upstream due to version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
legal concerns by the author. legal concerns by the author.
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control * [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
a cuckoo-modified sandbox. Python API used to control a cuckoo-modified sandbox.
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with * [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
machine-learning classification. machine-learning classification.
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis * [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
of Linux malwares and capturing IOCs. traffic analysis of Linux malwares and capturing IOCs.
* [Document Analyzer](https://www.document-analyzer.net/) - Free dynamic analysis of DOC and PDF files.
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis * [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
system. system.
* [File Analyzer](https://www.file-analyzer.net/) - Free dynamic analysis of PE files. * [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package. firmware package.
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
Analysis Tool for Linux ELF Files.
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware * [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
analysis tool, powered by VxSandbox. analysis tool, powered by VxSandbox.
* [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by
identifying code reuse and code similarities.
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable * [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
analysis platform for suspicious files. analysis platform for suspicious files.
* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox. * [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner. * [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malwares * [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis * [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
of malware behavior. of malware behavior.
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online * [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
online malware and URL analysis services.
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
the configuration settings from common malwares. the configuration settings from common malwares.
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox * [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
instance. instance.
* [MASTIFF Online](https://mastiff-online.korelogic.com/) - Online static * [Metadefender](https://metadefender.opswat.com/ ) - Scan a file, hash or IP
analysis of malware. address for malware (free).
* [Metadefender.com](https://www.metadefender.com) - Scan a file, hash or IP
address for malware (free)
* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes * [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
pcap files and facilitates the quick detection of viruses, worms, trojans, and all pcap files and facilitates the quick detection of viruses, worms, trojans, and all
kinds of malware using Suricata configured with EmergingThreats Pro. kinds of malware using Suricata configured with EmergingThreats Pro.
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to * [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
collect information about malware in a sandboxed environment. collect information about malware in a sandboxed environment.
* [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files. * [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit. * [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper * [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
script for safely uploading binaries to sandbox sites. script for safely uploading binaries to sandbox sites.
* [Sand droid](http://sanddroid.xjtu.edu.cn/) - Automatic and complete * [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for
Android application analysis system. building integrations with several open source and commercial malware sandboxes.
* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE) * [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
is a framework for building test automation in secured Environments. is a framework for building test automation in secured Environments.
* [URL Analyzer](https://www.url-analyzer.net/) - Free dynamic analysis of URL files. * [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
samples and URLs samples and URLs
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) visualization library and command line tools for logs. (Cuckoo, Procmon, more
to come...)
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
automated sandboxes and services, compiled by Lenny Zeltser. automated sandboxes and services, compiled by Lenny Zeltser.
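Review bot: the Metadefender link `[Metadefender](https://metadefender.opswat.com/ )` has a space before the closing parenthesis, which many Markdown renderers treat as a broken link; remove it. Separately, Document Analyzer, File Analyzer and URL Analyzer (the *-analyzer.net family) are removed here while APK Analyzer from the same family is added in the hunk above; if this is a dead-link cleanup, APK Analyzer deserves the same check, and if it is intentional consolidation the commit message should say so. MASTIFF Online and Sand droid are also dropped without explanation.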
@ -294,9 +315,14 @@ A curated list of awesome malware analysis tools and resources. Inspired by
*Inspect domains and IP addresses.* *Inspect domains and IP addresses.*
* [badips.com](https://www.badips.com/) - Community based IP blacklist service.
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
for consistent and safe capture of off network web resources.
* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
search.
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as * [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
much metadata as possible for a website and to assess its good standing. much metadata as possible for a website and to assess its good standing.
* [Dig](http://networking.ringofsaturn.com/) - Free online dig and other * [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
network tools. network tools.
* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation * [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
engine for detecting typo squatting, phishing and corporate espionage. engine for detecting typo squatting, phishing and corporate espionage.
@ -309,30 +335,34 @@ A curated list of awesome malware analysis tools and resources. Inspired by
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
for the VirusTotal API. Allows domain/IP research, and searching for file for the VirusTotal API. Allows domain/IP research, and searching for file
hashes and scan reports. hashes and scan reports.
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward * [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
confirmed reverse DNS lookup over more than 300 RBLs. confirmed reverse DNS lookup over more than 300 RBLs.
* [SenderBase](http://www.senderbase.org/) - Search for IP, domain or network * [NormShield Services](https://services.normshield.com/) - Free API Services
owner. for detecting possible phishing domains, blacklisted ip addresses and breached
accounts.
* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list. * [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on * [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
domains and IPs. domains and IPs.
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
and Security Scanner. and Security Scanner.
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
or network owner. (Previously SenderBase.)
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool * [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
for gathering information about URLs, IPs, or hashes. for gathering information about URLs, IPs, or hashes.
* [URLQuery](http://urlquery.net/) - Free URL Scanner. * [URLQuery](http://urlquery.net/) - Free URL Scanner.
* [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information.
* [Whois](https://whois.domaintools.com/) - DomainTools free online whois * [Whois](https://whois.domaintools.com/) - DomainTools free online whois
search. search.
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
online tools for researching malicious websites, compiled by Lenny Zeltser. online tools for researching malicious websites, compiled by Lenny Zeltser.
* [ZScalar Zulu](http://zulu.zscaler.com/#) - Zulu URL Risk Analyzer. * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
## Browser Malware ## Browser Malware
*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
[documents and shellcode](#documents-and-shellcode) sections.* [documents and shellcode](#documents-and-shellcode) sections.*
* [Firebug](http://getfirebug.com/) - Firefox extension for web development. * [Firebug](https://getfirebug.com/) - Firefox extension for web development.
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
IDX cache files. IDX cache files.
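Review bot: `ZScalar Zulu` is a typo for `Zscaler Zulu` (the URL is zulu.zscaler.com) and the line is already being modified for https, so fix the name in the same change. Firebug is only a context line here, but it was discontinued with Firefox 57, so the entry is worth re-checking while this section is being edited.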
@ -397,10 +427,12 @@ the [browser malware](#browser-malware) section.*
Event Log files from raw binary data. Event Log files from raw binary data.
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed * [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
by the US Air Force. by the US Air Force.
* [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python * [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library
libraries for dealing with binary files. to view and edit a binary stream field by field.
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving * [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
tool. tool.
* [SFlock](https://github.com/jbremer/sflock) - Nested archive
extraction/unpacking (used in Cuckoo Sandbox).
## Deobfuscation ## Deobfuscation
@ -448,22 +480,25 @@ the [browser malware](#browser-malware) section.*
source Binary Analysis and Reverse engineering Framework. source Binary Analysis and Reverse engineering Framework.
* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for * [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
reverse engineering based on graph visualization. reverse engineering based on graph visualization.
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA. * [Binary ninja](https://binary.ninja/) - A reversing engineering platform
* [Binwalk](http://binwalk.org/) - Firmware analysis tool. that is an alternative to IDA.
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
* [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare. * [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
([mirror](https://github.com/inguma/bokken)) ([mirror](https://github.com/inguma/bokken))
* [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
binary analysis and reversing, with support for many architectures and binary analysis and reversing, with support for many architectures and
bindings in several languages. bindings in several languages.
* [codebro](https://github.com/hugsy/codebro) - Web based code browser using * [codebro](https://github.com/hugsy/codebro) - Web based code browser using
clang to provide basic code analysis.  clang to provide basic code analysis.
* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF)
- A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
* [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
and debugger. and debugger.
* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
modular debugger with a Qt GUI. modular debugger with a Qt GUI.
* [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration
and tracing of the Windows kernel. and tracing of the Windows kernel.
* [FPort](http://www.mcafee.com/us/downloads/free-tools/fport.aspx#) - Reports * [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
open TCP/IP and UDP ports in a live system and maps them to the owning application. open TCP/IP and UDP ports in a live system and maps them to the owning application.
* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger. * [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
* [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters * [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
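Review bot: the new DECAF entry splits its description onto a second line that begins with "- A binary analysis platform", and a line starting with "- " at column 0 directly under a "* " item is parsed by Markdown as a new bullet rather than a continuation, so the description will render detached from the link; indent the continuation like the other wrapped entries or keep the hyphen on the link line, and collapse the triple space in "based   on QEMU" while editing it. The Binary ninja line above it still reads "reversing engineering platform" (should be "reverse engineering"), which could be fixed in the same pass.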
@ -471,51 +506,68 @@ the [browser malware](#browser-malware) section.*
* [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to * [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
search for strings in PE executables including imports, exports, and debug search for strings in PE executables including imports, exports, and debug
symbols. symbols.
* [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler.
* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
disassembler and debugger, with a free evaluation version. disassembler and debugger, with a free evaluation version.
* [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for * [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
malware analysis and more, with a Python API. malware analysis and more, with a Python API.
* [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
* [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols /
data structures reverse engineering and dissection, with code generation
for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library
to parse, modify and abstract ELF, PE and MachO formats.
* [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables. * [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils, * [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
for static analysis of Linux binaries. for static analysis of Linux binaries.
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
executables. executables.
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis * [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
Dynamic Analysis.
* [PEDA](https://github.com/longld/peda) - Python Exploit Development * [PEDA](https://github.com/longld/peda) - Python Exploit Development
Assistance for GDB, an enhanced display with added commands. Assistance for GDB, an enhanced display with added commands.
* [pestudio](https://winitor.com/) - Perform static analysis of Windows * [pestudio](https://winitor.com/) - Perform static analysis of Windows
executables. executables.
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for * [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
x86/ARM/MIPS. can be used to perform automated static analysis of binaries.
* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
disassembler for x86/ARM/MIPS.
* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for * [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
reversers, malware researchers and those who want to statically inspect PE reversers, malware researchers and those who want to statically inspect PE
files in more detail. files in more detail.
* [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - * [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
Advanced task manager for Windows. Advanced task manager for Windows.
* [Process Hacker] (http://processhacker.sourceforge.net/) - Tool that monitors system resources * [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
* [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) - system resources.
* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
Advanced monitoring tool for Windows programs. Advanced monitoring tool for Windows programs.
* [PSTools](https://technet.microsoft.com/en-us/sysinternals/pstools.aspx) - Windows * [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
command-line tools that help manage and investigate live systems. command-line tools that help manage and investigate live systems.
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware * [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
analysis. analysis.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
engineering sandbox by the Talos team at Cisco.
* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
server for stealth debugging.
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
debugger support. debugger support.
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots. * [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
that compares snapshots.
* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an * [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
[online decompilation service](https://retdec.com/decompilation/) and [online decompilation service](https://retdec.com/decompilation/) and
[API](https://retdec.com/api/) that you can use in your tools. [API](https://retdec.com/api/) that you can use in your tools.
* [ROPMEMU](https://github.com/vrtadmin/ROPMEMU) - A framework to analyze, dissect * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
and decompile complex code-reuse attacks. and decompile complex code-reuse attacks.
* [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analyis. plugin for Sublime 3 to aid with malware analyis.
* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
Linux executables. Linux executables.
* [Triton](http://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework. * [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool * [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
for x86 and x86_64. for x86 and x86_64.
* [Vivisect](https://github.com/vivisect/vivisect) - Python tool for * [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
malware analysis. malware analysis.
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
* [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows. * [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
## Network ## Network
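Review bot: the added WinDbg entry at the end of this section is a single unwrapped line with a lowercase "multipurpose debugger" after the dash, unlike every neighbouring entry, and WinDbg already has an entry in the Memory Forensics section further down in this same diff; either keep one entry and cross-reference it, or at least wrap this one to the list's line width and capitalize the description. The Process Hacker link fix (removing the space between "]" and "(") is correct, since the old form was not a Markdown link. While here, "malware analyis" in the SMRT entry is still misspelled on both sides.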
@ -529,12 +581,17 @@ the [browser malware](#browser-malware) section.*
explorer. explorer.
* [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and * [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and
decoding framework. decoding framework.
* [Fiddler](http://www.telerik.com/fiddler) - Intercepting web proxy designed * [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis
and malware traffic detection.
* [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed
for "web debugging." for "web debugging."
* [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor. * [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor.
* [Haka](http://www.haka-security.org/) - An open source security oriented * [Haka](http://www.haka-security.org/) - An open source security oriented
language for describing protocols and applying security policies on (live) language for describing protocols and applying security policies on (live)
captured traffic. captured traffic.
* [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing
and reading out PCAP files, including TLS streams using TLS Master Secrets
(used in Cuckoo Sandbox).
* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
building a malware lab. building a malware lab.
* [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric * [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
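Review bot: the new HTTPReplay entry is placed after Haka, but the existing Hale/Haka pair is itself out of alphabetical order (Haka should precede Hale), so inserting here cements the wrong order; consider swapping those two while touching this block. The CloudShark and HTTPReplay descriptions themselves read fine.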
@ -552,7 +609,14 @@ the [browser malware](#browser-malware) section.*
forensic analysis tool, with a free version. forensic analysis tool, with a free version.
* [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic * [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
like grep. like grep.
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and traffic visualizer. * [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
traffic visualizer.
* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
ICAP Server with yara scanner for URL or content.
* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
designed to analyze a web-based network traffic to detect central command
and control (C&C) servers and malicious sites, using Squid proxy server and
Spamhaus.
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic. * [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams * [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
from network traffic. from network traffic.
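Review bot: the Squidmagic description repeats the project name after the dash and has a grammar slip in "analyze a web-based network traffic"; suggest "Tool designed to analyze web-based network traffic to detect command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus." The tcpick entry just below still says "Trach and reassemble" (should be "Track"), unchanged on both sides.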
@ -565,14 +629,17 @@ the [browser malware](#browser-malware) section.*
*Tools for dissecting malware in memory images or running systems.* *Tools for dissecting malware in memory images or running systems.*
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS forensics * [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
client supporting hiberfil, pagefile, raw memory analysis forensics client supporting hiberfil, pagefile, raw memory analysis.
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of * [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
Malware in Memory, built on Volatility Malware in Memory, built on Volatility.
* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the * [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
Volatility Memory Forensics Framework. Volatility Memory Forensics Framework.
* [FindAES](http://jessekornblum.livejournal.com/269749.html) - Find AES * [FindAES](https://sourceforge.net/projects/findaes/) - Find AES
encryption keys in memory. encryption keys in memory.
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
analysis framework developed in .NET supports all Windows x64, includes
code integrity and write support.
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
of analysis using Volatility, and create a readable report. of analysis using Volatility, and create a readable report.
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework, * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
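Review bot: the inVtero.net description is a run-on ("framework developed in .NET supports all Windows x64, includes code integrity and write support"); suggest "High speed memory analysis framework developed in .NET that supports all Windows x64 versions and includes code integrity and write support." The FindAES link move from the LiveJournal post to the SourceForge project page is a sensible change since it points at the download rather than a blog entry.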
@ -585,6 +652,8 @@ the [browser malware](#browser-malware) section.*
memory forensics framework. memory forensics framework.
* [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for * [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for
Volatility Memory Analysis framework. Volatility Memory Analysis framework.
* [WDBGARK](https://github.com/swwwolf/wdbgark) -
WinDBG Anti-RootKit Extension.
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) - * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
Live memory inspection and kernel debugging for Windows systems. Live memory inspection and kernel debugging for Windows systems.
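Review bot: the WDBGARK entry wraps after the dash even though "WinDBG Anti-RootKit Extension." fits on the link line, and it spells the debugger "WinDBG" while the adjacent entry uses "WinDbg"; put the description on one line and use the same casing so the two entries read consistently.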
@ -602,10 +671,14 @@ the [browser malware](#browser-malware) section.*
## Storage and Workflow ## Storage and Workflow
* [Aleph](https://github.com/trendmicro/aleph) - OpenSource Malware Analysis * [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis
Pipeline System. Pipeline System.
* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a * [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
malware and threat repository. malware and threat repository.
* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
framework featuring a pipeline that can be extended with custom modules,
which can be chained and interact with each other to perform end-to-end
analysis.
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and * [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
search malware. search malware.
* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis * [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
@ -620,14 +693,15 @@ the [browser malware](#browser-malware) section.*
* [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware * [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware
with good intentions that aimes to stress anti-malware systems. with good intentions that aimes to stress anti-malware systems.
* [Binarly](http://www.binar.ly/search) - Search engine for bytes in a large
corpus of malware.
* [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
The Defense Cyber Crime Center's Malware Configuration Parser framework. The Defense Cyber Crime Center's Malware Configuration Parser framework.
* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable,
Windows-based, security distribution for malware analysis.
* [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database
containing exploits used by malware. containing exploits used by malware.
* [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of * [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of
malware programs that were distributed in the 1980s and 1990s. malware programs that were distributed in the 1980s and 1990s.
* [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
* [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration * [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
tool that employs several techniques to detect sandboxes and analysis tool that employs several techniques to detect sandboxes and analysis
environments in the same way as malware families do. environments in the same way as malware families do.
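Review bot: the Malware Organiser entry is the only unwrapped line in this section and its description has two grammar errors ("into a organised Structure" should be "into an organised structure"); wrap it to match the surrounding entries. The al-khaser entry above it still reads "aimes to stress" (should be "aims"), unchanged on both sides of this hunk.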
@ -644,10 +718,12 @@ the [browser malware](#browser-malware) section.*
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
Tools and Techniques for Fighting Malicious Code. Tools and Techniques for Fighting Malicious Code.
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
to Dissecting Malicious Software. Guide to Dissecting Malicious Software.
* [Practical Reverse Engineering](http://a.co/63SQsH2) - Intermediate Reverse Engineering * [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer Security and Incident Response Intermediate Reverse Engineering.
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
Security and Incident Response.
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
Malware and Threats in Windows, Linux, and Mac Memory. Malware and Threats in Windows, Linux, and Mac Memory.
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide * [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
@ -684,8 +760,8 @@ the [browser malware](#browser-malware) section.*
of commonly used file format (including PE & ELF). of commonly used file format (including PE & ELF).
* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and * [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
other resources. other resources.
* [Kernel Mode](http://www.kernelmode.info/forum/) - An active community devoted to * [Kernel Mode](http://www.kernelmode.info/forum/) - An active community
malware analysis and kernel development. devoted to malware analysis and kernel development.
* [Malicious Software](https://zeltser.com/malicious-software/) - Malware * [Malicious Software](https://zeltser.com/malicious-software/) - Malware
blog and resources by Lenny Zeltser. blog and resources by Lenny Zeltser.
* [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
@ -728,6 +804,7 @@ the [browser malware](#browser-malware) section.*
* [Pentesting](https://github.com/enaqx/awesome-pentest) * [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Security](https://github.com/sbilly/awesome-security) * [Security](https://github.com/sbilly/awesome-security)
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence) * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
* [YARA](https://github.com/InQuest/awesome-yara)
# [Contributing](CONTRIBUTING.md) # [Contributing](CONTRIBUTING.md)


@ -1,4 +1,4 @@
# 恶意软件分析大合集 # 恶意软件分析大合集
这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。 这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。
@ -15,21 +15,21 @@
- [在线扫描与沙盒](#在线扫描与沙盒) - [在线扫描与沙盒](#在线扫描与沙盒)
- [域名分析](#域名分析) - [域名分析](#域名分析)
- [浏览器恶意软件](#浏览器恶意软件) - [浏览器恶意软件](#浏览器恶意软件)
- [文档和 Shellcode](#文档和 Shellcode) - [文档和 Shellcode](#文档和-Shellcode)
- [文件提取](#文件提取) - [文件提取](#文件提取)
- [去混淆](#去混淆) - [去混淆](#去混淆)
- [调试与逆向工程](#调试与逆向工程) - [调试与逆向工程](#调试与逆向工程)
- [网络](#网络) - [网络](#网络)
- [内存取证](#内存取证) - [内存取证](#内存取证)
- [Windows 神器](#Windows 神器) - [Windows 神器](#Windows-神器)
- [存储和工作流](#存储和工作流) - [存储和工作流](#存储和工作流)
- [杂项](#杂项) - [杂项](#杂项)
- [资源](#资源) - [资源](#资源)
- [书籍](#书籍) - [书籍](#书籍)
- [Twitter](#Twitter) - [Twitter](#Twitter)
- [其它](#其它) - [其它](#其它)
- [相关 Awesome 清单](#相关 Awesome 清单) - [相关 Awesome 清单](#相关-Awesome-清单)
- [贡献者](#贡献) - [贡献者](#做出贡献)
- [致谢](#致谢) - [致谢](#致谢)
--- ---
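Review bot: replacing the spaces in the fragment identifiers with hyphens ("#文档和-Shellcode", "#Windows-神器", "#相关-Awesome-清单") and pointing the contributors entry at "#做出贡献" is the right fix, since the old anchors could never match the generated heading ids and the heading is titled "做出贡献". GitHub lowercases the ids it generates for headings, so verify that the mixed-case fragments that remain ("#Windows-神器", "#Twitter", "#相关-Awesome-清单") actually resolve in the rendered page, or lowercase them in the same change.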
@ -65,13 +65,13 @@
* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - 恶意软件和恶意域名的实时数据库 * [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - 恶意软件和恶意域名的实时数据库
* [Contagio](http://contagiodump.blogspot.com/) - 近期的恶意软件样本和分析的收集 * [Contagio](http://contagiodump.blogspot.com/) - 近期的恶意软件样本和分析的收集
* [Exploit Database](https://www.exploit-db.com/) - Exploit 和 shellcode 样本 * [Exploit Database](https://www.exploit-db.com/) - Exploit 和 shellcode 样本
* [Malshare](http://malshare.com) - 在恶意网站上得到的大量恶意样本库 * [Malshare](https://malshare.com) - 在恶意网站上得到的大量恶意样本库
* [MalwareDB](http://malwaredb.malekal.com/) - 恶意软件样本库 * [MalwareDB](http://malwaredb.malekal.com/) - 恶意软件样本库
* [Open Malware Project](http://openmalware.org/) - 样本信息和下载 * [Open Malware Project](http://openmalware.org/) - 样本信息和下载
* [Ragpicker](https://github.com/robbyFux/Ragpicker) - 基于 malware crawler 的一个插件 * [Ragpicker](https://github.com/robbyFux/Ragpicker) - 基于 malware crawler 的一个插件
* [theZoo](https://github.com/ytisf/theZoo) - 分析人员的实时恶意样本库 * [theZoo](https://github.com/ytisf/theZoo) - 分析人员的实时恶意样本库
* [Tracker h3x](http://tracker.h3x.eu/) - Agregator 的恶意软件跟踪和下载地址 * [Tracker h3x](http://tracker.h3x.eu/) - Agregator 的恶意软件跟踪和下载地址
* [ViruSign](http://www.virusign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库 * [ViruSign](http://www.virussign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库
* [VirusShare](http://virusshare.com/) - 恶意软件库 * [VirusShare](http://virusshare.com/) - 恶意软件库
* [VX Vault](http://vxvault.net/) - 恶意软件样本的主动收集 * [VX Vault](http://vxvault.net/) - 恶意软件样本的主动收集
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - 由 Lenny Zeltser 整理的恶意软件样本源列表 * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - 由 Lenny Zeltser 整理的恶意软件样本源列表
@ -93,8 +93,8 @@
* [ioc_writer](https://github.com/mandiant/ioc_writer) - 开发的用于 OpenIOC 对象的 Python 库 * [ioc_writer](https://github.com/mandiant/ioc_writer) - 开发的用于 OpenIOC 对象的 Python 库
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - 由 [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework)发起,之前叫做 CIF (Collective Intelligence Framework),从各种信息源聚合 IOC 信息 * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - 由 [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework)发起,之前叫做 CIF (Collective Intelligence Framework),从各种信息源聚合 IOC 信息
* [MISP](https://github.com/MISP/MISP) - 由 [The MISP Project](http://www.misp-project.org/) 发起的恶意软件信息共享平台 * [MISP](https://github.com/MISP/MISP) - 由 [The MISP Project](http://www.misp-project.org/) 发起的恶意软件信息共享平台
* [PassiveTotal](https://www.passivetotal.org/) - 研究、链接、标注和分享 IP 与 域名
* [PyIOCe](https://github.com/pidydx/PyIOCe) - 一个 Python OpenIOC 编辑器 * [PyIOCe](https://github.com/pidydx/PyIOCe) - 一个 Python OpenIOC 编辑器
* [RiskIQ](https://community.riskiq.com/) - 研究、链接、标注和分享 IP 与 域名
* [threataggregator](https://github.com/jpsenior/threataggregator) - 聚合来自多个信息源的安全威胁,包括 [other resources](#other-resources) 列表中的一些 * [threataggregator](https://github.com/jpsenior/threataggregator) - 聚合来自多个信息源的安全威胁,包括 [other resources](#other-resources) 列表中的一些
* [ThreatCrowd](https://www.threatcrowd.org/) - 带有图形可视化的威胁搜索引擎 * [ThreatCrowd](https://www.threatcrowd.org/) - 带有图形可视化的威胁搜索引擎
* [TIQ-test](https://github.com/mlsecproject/tiq-test) - 威胁情报源的数据可视化和统计分析 * [TIQ-test](https://github.com/mlsecproject/tiq-test) - 威胁情报源的数据可视化和统计分析
@ -138,7 +138,7 @@
* [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测 * [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
* [ClamAV](http://www.clamav.net/) - 开源反病毒引擎 * [ClamAV](http://www.clamav.net/) - 开源反病毒引擎
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序 * [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据 * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据
* [File Scanning Framework](http://www.sno.phy.queensu.ca/%7Ephil/exiftool/) - 模块化的递归文件扫描解决方案 * [File Scanning Framework](http://www.sno.phy.queensu.ca/%7Ephil/exiftool/) - 模块化的递归文件扫描解决方案
* [hashdeep](https://github.com/jessek/hashdeep) - 用各种算法计算哈希值 * [hashdeep](https://github.com/jessek/hashdeep) - 用各种算法计算哈希值
* [Loki](https://github.com/Neo23x0/Loki) - 基于主机的 IOC 扫描器 * [Loki](https://github.com/Neo23x0/Loki) - 基于主机的 IOC 扫描器
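Review bot: the File Scanning Framework entry links to the ExifTool URL (the same host and path the ExifTool entry directly above it uses), which looks like a copy-paste error that this hunk leaves in place even though it touches the ExifTool line; point it at the project's own repository instead. The ExifTool http to https change itself is fine.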
@ -149,7 +149,7 @@
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品 * [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品
* [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集 * [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits
* [ssdeep](http://ssdeep.sourceforge.net/) - 计算模糊哈希值 * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
* [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本 * [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本
* [TrID](http://mark0.net/soft-trid-e.html) - 文件识别 * [TrID](http://mark0.net/soft-trid-e.html) - 文件识别
* [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具 * [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具
@ -159,7 +159,6 @@
*基于 Web 的多反病毒引擎扫描器和恶意软件自动分析的沙盒* *基于 Web 的多反病毒引擎扫描器和恶意软件自动分析的沙盒*
* [APK Analyzer](https://www.apk-analyzer.net/) - APK 免费动态分析
* [AndroTotal](https://andrototal.org/) - 利用多个移动反病毒软件进行免费在线分析 App * [AndroTotal](https://andrototal.org/) - 利用多个移动反病毒软件进行免费在线分析 App
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu 在线扫描器和恶意软件集合 * [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu 在线扫描器和恶意软件集合
* [Cryptam](http://www.cryptam.com/) - 分析可疑的 Office 文档 * [Cryptam](http://www.cryptam.com/) - 分析可疑的 Office 文档
@ -168,10 +167,9 @@
* [cuckoo-modified-api](https://github.com/brad-accuvant/cuckoo-modified) - 用于控制 cuckoo-modified 沙盒的 Python API * [cuckoo-modified-api](https://github.com/brad-accuvant/cuckoo-modified) - 用于控制 cuckoo-modified 沙盒的 Python API
* [DeepViz](https://www.deepviz.com/) - 通过机器学习分类来分析的多格式文件分析器 * [DeepViz](https://www.deepviz.com/) - 通过机器学习分类来分析的多格式文件分析器
* [detux](https://github.com/detuxsandbox/detux/) - 一个用于对 Linux 恶意软件流量分析与 IOC 信息捕获的沙盒 * [detux](https://github.com/detuxsandbox/detux/) - 一个用于对 Linux 恶意软件流量分析与 IOC 信息捕获的沙盒
* [Document Analyzer](https://www.document-analyzer.net/) - DOC 和 PDF 文件的免费动态分析
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - 动态恶意软件分析系统 * [DRAKVUF](https://github.com/tklengyel/drakvuf) - 动态恶意软件分析系统
* [File Analyzer](https://www.file-analyzer.net/) - 免费 PE 文件动态分析 * [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包
* [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包 * [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - Linux平台上的自动化恶意代码分析工具.
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - 由 VxSandbox 支持的在线恶意软件分析工具 * [Hybrid Analysis](https://www.hybrid-analysis.com/) - 由 VxSandbox 支持的在线恶意软件分析工具
* [IRMA](http://irma.quarkslab.com/) - 异步、可定制的可疑文件分析平台 * [IRMA](http://irma.quarkslab.com/) - 异步、可定制的可疑文件分析平台
* [Joe Sandbox](https://www.joesecurity.org/) - 深度恶意软件分析 * [Joe Sandbox](https://www.joesecurity.org/) - 深度恶意软件分析
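Review bot: the new HaboMalHunter entry ends with a Latin full stop and writes "Linux平台" without the space between Latin and CJK text that every other description in this file uses ("Linux 平台", "Python API"); drop the trailing period and add the space for consistency. Removing Document Analyzer and File Analyzer here matches the removal of the sibling APK Analyzer and URL Analyzer entries in the other hunks, which is consistent.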
@ -189,7 +187,6 @@
* [Recomposer](https://github.com/secretsquirrel/recomposer) - 安全上传二进制程序到沙盒网站的辅助脚本 * [Recomposer](https://github.com/secretsquirrel/recomposer) - 安全上传二进制程序到沙盒网站的辅助脚本
* [Sand droid](http://sanddroid.xjtu.edu.cn/) - 自动化、完整的 Android 应用程序分析系统 * [Sand droid](http://sanddroid.xjtu.edu.cn/) - 自动化、完整的 Android 应用程序分析系统
* [SEE](https://github.com/F-Secure/see) - 在安全环境中构建测试自动化的框架 * [SEE](https://github.com/F-Secure/see) - 在安全环境中构建测试自动化的框架
* [URL Analyzer](https://www.url-analyzer.net/) - 对 URL 文件的动态分析
* [VirusTotal](https://www.virustotal.com/) - 免费的在线恶意软件样本和 URL 分析 * [VirusTotal](https://www.virustotal.com/) - 免费的在线恶意软件样本和 URL 分析
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - 用于日志的开源可视化库和命令行工具Cuckoo、Procmon 等) * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - 用于日志的开源可视化库和命令行工具Cuckoo、Procmon 等)
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Lenny Zeltser 创建的免费自动沙盒服务 * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Lenny Zeltser 创建的免费自动沙盒服务
@ -206,21 +203,21 @@
* [mailchecker](https://github.com/FGRibreau/mailchecker) - 跨语言临时邮件检测库 * [mailchecker](https://github.com/FGRibreau/mailchecker) - 跨语言临时邮件检测库
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - 让 Maltego 使用 VirusTotal API允许搜索域名、IP 地址、文件哈希、报告 * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - 让 Maltego 使用 VirusTotal API允许搜索域名、IP 地址、文件哈希、报告
* [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单,反向查找超过 300 个 RBL。 * [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单,反向查找超过 300 个 RBL。
* [SenderBase](http://www.senderbase.org/) - 搜索 IP、域名或网络的所有者
* [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP * [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP
* [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单 * [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - 免费的网站恶意软件与安全扫描器 * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - 免费的网站恶意软件与安全扫描器
* [Talos Intelligence](https://talosintelligence.com/) - 搜索 IP、域名或网络的所有者
* [TekDefense Automator](http://www.tekdefense.com/automater/) - 收集关于 URL、IP 和哈希值的 OSINT 工具 * [TekDefense Automator](http://www.tekdefense.com/automater/) - 收集关于 URL、IP 和哈希值的 OSINT 工具
* [URLQuery](http://urlquery.net/) - 免费的 URL 扫描器 * [URLQuery](http://urlquery.net/) - 免费的 URL 扫描器
* [Whois](http://whois.domaintools.com/) - DomainTools 家免费的 whois 搜索 * [Whois](http://whois.domaintools.com/) - DomainTools 家免费的 whois 搜索
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - 由 Lenny Zeltser 整理的免费在线恶意软件工具集 * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - 由 Lenny Zeltser 整理的免费在线恶意软件工具集
* [ZScalar Zulu](http://zulu.zscaler.com/#) - Zulu URL 风险分析 * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL 风险分析
## 浏览器恶意软件 ## 浏览器恶意软件
*分析恶意 URL也可以参考 [domain analysis](#domain-analysis) 和 [documents and shellcode](#documents-and-shellcode) 部分* *分析恶意 URL也可以参考 [domain analysis](#domain-analysis) 和 [documents and shellcode](#documents-and-shellcode) 部分*
* [Firebug](http://getfirebug.com/) - Firefox Web 开发扩展 * [Firebug](https://getfirebug.com/) - Firefox Web 开发扩展
* [Java Decompiler](http://jd.benow.ca/) - 反编译并检查 Java 的应用 * [Java Decompiler](http://jd.benow.ca/) - 反编译并检查 Java 的应用
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - 解析 Java IDX 缓存文件 * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - 解析 Java IDX 缓存文件
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript 恶意软件分析工具 * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript 恶意软件分析工具
@ -308,9 +305,9 @@
* [pestudio](https://winitor.com/) - Windows 可执行程序的静态分析 * [pestudio](https://winitor.com/) - Windows 可执行程序的静态分析
* [plasma](https://github.com/joelpx/plasma) - 面向 x86/ARM/MIPS 的交互式反汇编器 * [plasma](https://github.com/joelpx/plasma) - 面向 x86/ARM/MIPS 的交互式反汇编器
* [PPEE (puppy)](https://www.mzrst.com/) - 专业的 PE 文件资源管理器 * [PPEE (puppy)](https://www.mzrst.com/) - 专业的 PE 文件资源管理器
* [Process Explorer ](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器 * [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器
* [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) - Windows 下高级程序监控工具 * [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) - Windows 下高级程序监控工具
* [PSTools](https://technet.microsoft.com/en-us/sysinternals/pstools.aspx) - 可以帮助管理员实时管理系统的 Windows 命令行工具 * [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - 可以帮助管理员实时管理系统的 Windows 命令行工具
* [Pyew](https://github.com/joxeankoret/pyew) - 恶意软件分析的 Python 工具 * [Pyew](https://github.com/joxeankoret/pyew) - 恶意软件分析的 Python 工具
* [Radare2](http://www.radare.org/r/) - 带有调试器支持的逆向工程框架 * [Radare2](http://www.radare.org/r/) - 带有调试器支持的逆向工程框架
* [RetDec](https://retdec.com/) - 可重定向的机器码反编译器,同时有在线反编译服务和 API * [RetDec](https://retdec.com/) - 可重定向的机器码反编译器,同时有在线反编译服务和 API
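Review bot: this hunk updates the Process Monitor and PSTools links to docs.microsoft.com but leaves Process Explorer on the old technet URL and plasma on joelpx/plasma, while the English README in this same commit moves Process Explorer to docs.microsoft.com and plasma to plasma-disassembler/plasma; update these two entries as well so the translation does not lag the upstream list it mirrors.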
@ -455,6 +452,7 @@
* [Pentesting](https://github.com/enaqx/awesome-pentest) * [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Security](https://github.com/sbilly/awesome-security) * [Security](https://github.com/sbilly/awesome-security)
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence) * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
* [YARA](https://github.com/InQuest/awesome-yara)
# [做出贡献](CONTRIBUTING.md) # [做出贡献](CONTRIBUTING.md)