mirror of
https://github.com/rshipp/awesome-malware-analysis.git
synced 2025-01-07 05:37:57 -05:00
Merge branch 'main' into master
commit c39411a266
29 README.md
@ -107,10 +107,12 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大
of malware sample sources put together by Lenny Zeltser.
* [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus
trojan leaked in 2011.
* [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples.
* [BODMAS PE Malware Dataset](https://whyisyoung.github.io/BODMAS/) - Collection of 57,293 PE malware samples
and 77,142 benign samples during 2019 and 2020.
Binaries (malware only), feature vectors, malware families, timestamp are available.


## Open Source Threat Intelligence

### Tools
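Review bot: "timestamp are available" in the BODMAS entry should read "timestamps are available", and its two continuation lines are not wrapped like the Zeus Source Code entry above, which breaks at about 80 columns; wrap them the same way. Also confirm that the order Zeus Source Code, VX Underground, BODMAS is intended, since the other lists in this README are kept alphabetical.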
@ -212,6 +214,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大
intelligence, with search.
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
free per month.
* [ThreatShare](https://threatshare.io/) - C2 panel tracker
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
* [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
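Review bot: the YETI line runs to roughly 190 characters while the neighbouring threatRECON entry wraps at 80 columns; wrap it to match. The description also repeats the name ("YETI ... Yeti is a platform"), so "Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository." would read better.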
@ -228,6 +231,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
AWS pipeline that scans and alerts on uploaded files based on a set of
YARA rules.
* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files.
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
* [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for
@ -238,6 +242,8 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大
edit file metadata.
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
Modular, recursive file scanning solution.
* [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate
Yara signatures for matching functions (code) in an executable program.
* [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
a variety of algorithms.
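Review bot: the fn2yara entry links to the root of the cmu-sei/pharos repository rather than to the tool itself, so the description should say that FN2Yara is one of the Pharos tools; the lowercase "fn2yara" in the link text and "FN2Yara" in the description should also agree. While here, the adjacent Generic File Parser line is missing a space in "meta information,static analysis".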
@ -413,6 +419,9 @@ executables.
*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
[documents and shellcode](#documents-and-shellcode) sections.*

* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines
multiple Java bytecode viewers and decompilers into one tool, including
APK/DEX support.
* [Firebug](https://getfirebug.com/) - Firefox extension for web development.
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
@ -504,6 +513,14 @@ the [browser malware](#browser-malware) section.*
XOR key using frequency analysis.
* [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic
hidden code extractor for Windows malware.
* [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) -
A Python script to extract the contents of a PyInstaller generated Windows
executable file. The contents of the pyz file (usually pyc files) present
inside the executable are also extracted and automatically fixed so that a
Python bytecode decompiler will recognize it.
* [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version
Python bytecode decompiler. Translates Python bytecode back into equivalent
Python source code.
* [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and
platform-independent unpacker for Windows binaries based on emulation.
* [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware
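Review bot: the PyInstaller Extractor description is five lines where every other entry in this list is one to three; "Extracts the contents of a PyInstaller-generated Windows executable, including the pyc files inside its pyz archive, fixed so that a Python bytecode decompiler can read them." keeps the same information in two lines. The PyInstaller Extractor and uncompyle6 entries are otherwise in the correct alphabetical position between PackerAttacker and un{i}packer.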
@ -536,6 +553,7 @@ the [browser malware](#browser-malware) section.*
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform
that is an alternative to IDA.
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
* [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables.
* [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
binary analysis and reversing, with support for many architectures and
bindings in several languages.
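Review bot: the BluePill line is unwrapped at about 130 characters while the Binary ninja and Capstone entries around it wrap at 80 columns; wrap it the same way. The Binary ninja context line just above also says "A reversing engineering platform", which should be "A reverse engineering platform" and could be fixed in the same pass.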
@ -581,6 +599,9 @@ the [browser malware](#browser-malware) section.*
for static analysis of Linux binaries.
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
executables.
* [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory
from (unpacked) malware Windows process and store raw or rebuild PE file.
This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
Dynamic Analysis.
* [PEDA](https://github.com/longld/peda) - Python Exploit Development
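Review bot: the OllyDumpEx description drops its articles and reads awkwardly ("Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file"); suggest "Dumps memory from an (unpacked) malware process on Windows and stores it raw or rebuilds a PE file from it." The plugin sentence that follows is fine.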
@ -617,6 +638,10 @@ the [browser malware](#browser-malware) section.*
[API](https://retdec.com/api/) that you can use in your tools.
* [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
and decompile complex code-reuse attacks.
* [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix
the IAT of an unpacked / dumped PE32 malware.
* [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library
and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
* [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analyis.
* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
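Review bot: in the ScyllaHide entry "An Anti-Anti-Debug library" should be "An anti-anti-debug library", and in the Scylla entry "unpacked / dumped PE32 malware" should be "unpacked/dumped PE32 malware sample". The adjacent SMRT context line has the typo "analyis" for "analysis", which could be fixed in the same change.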
@ -774,6 +799,7 @@ the [browser malware](#browser-malware) section.*
environments in the same way as malware families do.
* [REMnux](https://remnux.org/) - Linux distribution and docker images for
malware reverse engineering and analysis.
* [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
* [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile
forensics, malware analysis, and security.

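Review bot: Tsurugi Linux is inserted between REMnux and Santoku Linux, which breaks the alphabetical order of this list (S before T); move it after Santoku Linux. The line is also unwrapped at about 160 characters where REMnux and Santoku wrap at 80 columns, and the "(Open Source INTelligence)" expansion of OSINT is unnecessary in this list.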
@ -826,6 +852,9 @@ the [browser malware](#browser-malware) section.*
Presentation introducing the concepts of malware analysis, threat intelligence
and reverse engineering. Experience or prior knowledge is not required. Labs
link in description.
* [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection
of various information focused on malware persistence: detection (techniques),
response, pitfalls and the log collection (tools).
* [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This
blog focuses on network traffic related to malware infections.
* [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows
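Review bot: "response, pitfalls and the log collection (tools)" in the Malware Persistence entry reads awkwardly; "response, pitfalls, and log collection (tools)" matches the "detection (techniques)" form before it. The Malware Search+++ context line below is missing the " - " separator between the link and "Firefox extension allows" that every other entry uses (the Chinese file's entry in this same commit has it).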
10 恶意软件分析大合集.md
@ -54,6 +54,8 @@
* [Glastopf](http://glastopf.org/) - Web 应用蜜罐
* [Honeyd](http://honeyd.org/) - 创建一个虚拟蜜罐
* [HoneyDrive](http://bruteforcelab.com/honeydrive) - 蜜罐包的 Linux 发行版
* [Honeytrap](https://github.com/honeytrap/honeytrap) - 运行、监控、管理蜜罐的开源系统
* [MHN](https://github.com/pwnlandia/mhn) - MHN 是管理蜜罐的集中式服务器,可以快速部署蜜罐收集数据,并提供统一的 Web 界面
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - 受 Dinoaea 支持的蜜罐数据标准化
* [Thug](https://github.com/buffer/thug) - 用来调查恶意网站的低交互蜜罐

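Review bot: the Mnemosyne context line spells the honeypot "Dinoaea"; it should be "Dionaea" and can be corrected while this list is being touched. The Honeytrap and MHN entries sit in the right alphabetical position between HoneyDrive and Mnemosyne.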
@ -141,6 +143,7 @@
* [SystemLookup](https://www.systemlookup.com/) - SystemLookup 可以提供合法的或PUP的组件信息
* [ThreatMiner](https://www.threatminer.org/) - 威胁情报数据挖掘接口
* [threatRECON](https://threatrecon.co/) - 搜索指标,每月最多一千次
* [ThreatShare](https://threatshare.io/) - C2 面板跟踪
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara 规则集
* [YETI](https://github.com/yeti-platform/yeti) - Yeti 是一个旨在组织数据中的可观察性、IOC 指标、TTP 和威胁情报
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS 黑名单
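Review bot: the YETI translation renders "observables" as "可观察性", which means observability; "可观察对象" (or "观测数据") is the intended sense. It also drops the "in a single, unified repository" clause of the English entry in this same commit, so the sentence never says what Yeti does with those items; suggest ending with "...和威胁知识统一组织到单一仓库中的平台".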
@ -152,6 +155,7 @@
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Windows PE 文件的分析器
* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - 大规模分布式文件分析框架
* [BinaryAlert](https://github.com/airbnb/binaryalert) - 开源、无服务 AWS 管道,用于对上传的文件使用 YARA 进行扫描和报警
* [capa](https://github.com/fireeye/capa) - 检测可执行文件的攻击能力
* [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
* [ClamAV](http://www.clamav.net/) - 开源反病毒引擎
* [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序
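Review bot: the capa translation "检测可执行文件的攻击能力" adds "攻击" (attack), which the English entry "Detects capabilities in executable files" does not say; the English describes capabilities of executable files in general. "检测可执行文件的功能能力" or simply "检测可执行文件的能力" matches the original.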
@ -170,6 +174,7 @@
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - 查询 NIST's National Software Reference Library 数据库中哈希的工具
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品
* [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - PE 文件的逆向工具
* [PEframe](https://github.com/guelfoweb/peframe) - PEframe 可以对 PE 文件与 Office 文档文件进行静态分析
* [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
* [PortEx](https://github.com/katjahahn/PortEx) - 聚焦于与 PE 文件相关恶意软件分析的 Java 库
* [Quark-Engine](https://github.com/quark-engine/quark-engine) - 能够对抗混淆的 Android 恶意软件评估系统
@ -177,7 +182,6 @@
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
* [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本
* [TrID](http://mark0.net/soft-trid-e.html) - 文件识别
* [virustotal-falsepositive-detector](https://github.com/uppusaikiran/virustotal-falsepositive-detector) - 基于命名相似性来分析 Virustotal Report 来寻找潜在误报的工具
* [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具
* [Yara rules generator](https://github.com/Neo23x0/yarGen) - 基于恶意样本生成 yara 规则,也包含避免误报的字符串数据库
* [Yara Finder](https://github.com/uppusaikiran/yara-finder) - 使用不同 yara 规则匹配文件的简单工具,以期找到可疑指标
@ -245,6 +249,7 @@
* [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单,反向查找超过 300 个 RBL
* [NormShield Services](https://services.normshield.com/) - 用于检测潜在的钓鱼域名、黑名单中的 IP 地址与非法账户
* [PhishStats](https://phishstats.info/) - 搜索IP、域名和网站标题的钓鱼统计信息
* [Spyse](https://spyse.com/) - 子域名、whois、相关域名、DNS、主机自治域、证书信息
* [SecurityTrails](https://securitytrails.com/) - 历史与当前WHOIS、DNS数据,相似域名、证书信息以及其他与域名和 IP 相关的数据
* [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP
* [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单
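Review bot: Spyse is placed before SecurityTrails, which breaks the alphabetical order of this list (Se before Sp); move it after SecurityTrails and before SpamCop. The SpamCop context line also ends with a stray "IP" ("垃圾邮件 IP 黑名单IP") that should be dropped.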
@ -282,7 +287,6 @@
* [box-js](https://github.com/CapacitorSet/box-js) - 用于研究 JavaScript 恶意软件的工具,支持 JScript/WScript 和 ActiveX 仿真功能
* [diStorm](http://www.ragestorm.net/distorm/) - 分析恶意 Shellcode 的反汇编器
* [JS Beautifier](http://jsbeautifier.org/) - JavaScript 脱壳和去混淆
* [JS Deobfuscator ](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) - 对那些使用 eval 或 document.write 的简单 Javascript 去混淆
* [libemu](http://libemu.carnivore.it/) - x86 shellcode 仿真的库和工具
* [malpdfobj](https://github.com/9b/malpdfobj) - 解构恶意 PDF 为 JSON 表示
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - 扫描 MS Office 文档中的恶意跟踪
@ -334,6 +338,7 @@
* [binnavi](https://github.com/google/binnavi) - 基于图形可视化的二进制分析 IDE
* [Binary ninja](https://binary.ninja/) - 可替换 IDA 的逆向工程平台
* [Binwalk](http://binwalk.org/) - 固件分析工具
* [BluePill](https://github.com/season-lab/bluepill) - 用于执行和调试逃避型恶意软件和受保护的可执行文件的框架
* [Capstone](https://github.com/aquynh/capstone) - 二进制分析反汇编框架,支持多种架构和许多语言
* [codebro](https://github.com/hugsy/codebro) - 使用 clang 提供基础代码分析的 Web 端代码浏览器
* [Cutter](https://github.com/radareorg/cutter) - Radare2 的 GUI
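Review bot: the Binwalk entry here links to http://binwalk.org/ while the English README in this same commit links to https://github.com/devttys0/binwalk; the two files should point at the same URL. The BluePill translation matches the English entry and sits in the right alphabetical position.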
@ -492,6 +497,7 @@
* [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - [Corey Harrell](journeyintoir.blogspot.com/) 自定义的用于恶意软件分析的 Google 搜索
* [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - 由 Xiang Fu 博士提供的恶意软件分析教程,是一个学习恶意软件分析的重要资源
* [Malware analysis, threat intelligence and reverse engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) - 不需要先验知识的恶意软件分析、威胁情报和逆向工程概念介绍
* [Malware Persistence](https://github.com/Karneades/malware-persistence) - 专注于恶意软件持久化的仓库,包括检测、响应与日志收集等
* [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - 此博客重点介绍与恶意软件感染相关的网络流量
* [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) - 搜索常用恶意软件数据库的 Firefox 浏览器插件
* [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - 此软件包包含 Practical Malware Analysis 书中引用的大多数软件
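Review bot: the Corey Harrell link in the Malware Analysis Search context line is written as "journeyintoir.blogspot.com/" with no scheme, so Markdown renders it as a relative path inside the repository; it should be "https://journeyintoir.blogspot.com/". The Malware Persistence translation is fine and is placed correctly between the slideshare entry and Malware Samples and Traffic.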