Merge 6d6e44b320 into a3f07a0452

Added Qiling Framework

README.md

@@ -6,29 +6,30 @@ A curated list of awesome malware analysis tools and resources. Inspired by
 
 [![Drop ICE](drop.png)](https://twitter.com/githubbers/status/1182017616740663296)
 
-- [Malware Collection](#malware-collection)
+- [Awesome Malware Analysis ![Awesome](https://github.com/sindresorhus/awesome)](#awesome-malware-analysis-)
+  - [Malware Collection](#malware-collection)
     - [Anonymizers](#anonymizers)
     - [Honeypots](#honeypots)
     - [Malware Corpora](#malware-corpora)
-- [Open Source Threat Intelligence](#open-source-threat-intelligence)
+  - [Open Source Threat Intelligence](#open-source-threat-intelligence)
     - [Tools](#tools)
     - [Other Resources](#other-resources)
-- [Detection and Classification](#detection-and-classification)
-- [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
-- [Domain Analysis](#domain-analysis)
-- [Browser Malware](#browser-malware)
-- [Documents and Shellcode](#documents-and-shellcode)
-- [File Carving](#file-carving)
-- [Deobfuscation](#deobfuscation)
-- [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
-- [Network](#network)
-- [Memory Forensics](#memory-forensics)
-- [Windows Artifacts](#windows-artifacts)
-- [Storage and Workflow](#storage-and-workflow)
-- [Miscellaneous](#miscellaneous)
+  - [Detection and Classification](#detection-and-classification)
+  - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
+  - [Domain Analysis](#domain-analysis)
+  - [Browser Malware](#browser-malware)
+  - [Documents and Shellcode](#documents-and-shellcode)
+  - [File Carving](#file-carving)
+  - [Deobfuscation](#deobfuscation)
+  - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
+  - [Network](#network)
+  - [Memory Forensics](#memory-forensics)
+  - [Windows Artifacts](#windows-artifacts)
+  - [Storage and Workflow](#storage-and-workflow)
+  - [Miscellaneous](#miscellaneous)
 - [Resources](#resources)
-    - [Books](#books)
-    - [Other](#other)
+  - [Books](#books)
+  - [Other](#other)
 - [Related Awesome Lists](#related-awesome-lists)
 - [Contributing](#contributing)
 - [Thanks](#thanks)
@@ -222,8 +223,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大
 
 * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
   variety of tools for reporting on Windows PE files.
-* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable
-  distributed file analysis framework.
+* [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/) - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
 * [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
   AWS pipeline that scans and alerts on uploaded files based on a set of
   YARA rules.
@@ -257,7 +257,7 @@ executables.
 * [Nauz File Detector(NFD)](https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector  for Windows, Linux and MacOS.
 * [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
   up hashes in NIST's National Software Reference Library database.
-* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
+* [packerid](https://github.com/sooshie/packerid) - A cross-platform
   Python alternative to PEiD.
 * [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE
   files.
@@ -265,6 +265,7 @@ executables.
 * [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
   files, providing feature-rich tools for proper analysis of suspicious binaries.
 * [PortEx](https://github.com/katjahahn/PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
+* [python_mmdt](https://github.com/a232319779/python_mmdt) - Malicious code detection tool based on local sensitive hashing and machine learning.
 * [Quark-Engine](https://github.com/quark-engine/quark-engine) - An Obfuscation-Neglect Android Malware Scoring System
 * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
 * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
@@ -385,7 +386,7 @@ executables.
   accounts.
 * [PhishStats](https://phishstats.info/) - Phishing Statistics with search for
   IP, domain and website title
-* [Spyse](https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,  
+* [Spyse](https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
 * [SecurityTrails](https://securitytrails.com/) - Historical and current WHOIS,
   historical and current DNS records, similar domains, certificate information
   and other domain and IP related API and tools.
@@ -621,6 +622,8 @@ the [browser malware](#browser-malware) section.*
   analysis.
 * [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
   engineering sandbox by the Talos team at Cisco.
+* [Qiling Framework](https://www.qiling.io/) - Cross platform emulation and sanboxing
+  framework with instruments for binary analysis.
 * [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
   server for stealth debugging.
 * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
@@ -640,7 +643,7 @@ the [browser malware](#browser-malware) section.*
   plugin for Sublime 3 to aid with malware analyis.
 * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
   Linux executables.
-* [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool 
+* [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool
   that automatically ranks strings based on their relevance for malware analysis.
 * [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
 * [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
@@ -727,6 +730,8 @@ the [browser malware](#browser-malware) section.*
   code integrity and write support.
 * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
   of analysis using Volatility, and create a readable report.
+  [Orochi](https://github.com/LDO-CERT/orochi) - Orochi is an open source framework for 
+  collaborative forensic memory dump analysis. 
 * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
   forked from Volatility in 2013.
 * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
@@ -846,8 +851,8 @@ the [browser malware](#browser-malware) section.*
   Presentation introducing the concepts of malware analysis, threat intelligence
   and reverse engineering. Experience or prior knowledge is not required. Labs
   link in description.
-* [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection 
-  of various information focused on malware persistence: detection (techniques), 
+* [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection
+  of various information focused on malware persistence: detection (techniques),
   response, pitfalls and the log collection (tools).
 * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This
   blog focuses on network traffic related to malware infections.

恶意软件分析大合集.md

@@ -3,31 +3,32 @@
 
 这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。
 
-- [恶意软件集合](#恶意软件集合)
+- [恶意软件分析大合集 ![Awesome](https://github.com/sindresorhus/awesome)](#恶意软件分析大合集-)
+  - [恶意软件集合](#恶意软件集合)
     - [匿名代理](#匿名代理)
     - [蜜罐](#蜜罐)
     - [恶意软件样本库](#恶意软件样本库)
-- [开源威胁情报](#开源威胁情报)
+  - [开源威胁情报](#开源威胁情报)
     - [工具](#工具)
     - [其他资源](#其他资源)
-- [检测与分类](#检测与分类)
-- [在线扫描与沙盒](#在线扫描与沙盒)
-- [域名分析](#域名分析)
-- [浏览器恶意软件](#浏览器恶意软件)
-- [文档和 Shellcode](#文档和-Shellcode)
-- [文件提取](#文件提取)
-- [去混淆](#去混淆)
-- [调试与逆向工程](#调试与逆向工程)
-- [网络](#网络)
-- [内存取证](#内存取证)
-- [Windows 神器](#Windows-神器)
-- [存储和工作流](#存储和工作流)
-- [杂项](#杂项)
+  - [检测与分类](#检测与分类)
+  - [在线扫描与沙盒](#在线扫描与沙盒)
+  - [域名分析](#域名分析)
+  - [浏览器恶意软件](#浏览器恶意软件)
+  - [文档和 Shellcode](#文档和-shellcode)
+  - [文件提取](#文件提取)
+  - [去混淆](#去混淆)
+  - [调试和逆向工程](#调试和逆向工程)
+  - [网络](#网络)
+  - [内存取证](#内存取证)
+  - [Windows 神器](#windows-神器)
+  - [存储和工作流](#存储和工作流)
+  - [杂项](#杂项)
 - [资源](#资源)
-    - [书籍](#书籍)
-    - [其它](#其它)
-- [相关 Awesome 清单](#相关-Awesome-清单)
-- [贡献者](#做出贡献)
+  - [书籍](#书籍)
+  - [其它](#其它)
+- [相关 Awesome 清单](#相关-awesome-清单)
+- [做出贡献](#做出贡献)
 - [致谢](#致谢)
 
 ---
@@ -153,7 +154,7 @@
 *反病毒和其他恶意软件识别工具*
 
 * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Windows PE 文件的分析器
-* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - 大规模分布式文件分析框架
+* [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/) - 大规模分布式文件分析框架
 * [BinaryAlert](https://github.com/airbnb/binaryalert) - 开源、无服务 AWS 管道，用于对上传的文件使用 YARA 进行扫描和报警
 * [capa](https://github.com/fireeye/capa) - 检测可执行文件的攻击能力
 * [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
@@ -177,6 +178,7 @@
 * [PEframe](https://github.com/guelfoweb/peframe) - PEframe 可以对 PE 文件与 Office 文档文件进行静态分析
 * [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
 * [PortEx](https://github.com/katjahahn/PortEx) - 聚焦于与 PE 文件相关恶意软件分析的 Java 库
+* [python_mmdt](https://github.com/a232319779/python_mmdt) - 基于局部敏感哈希与机器学习的恶意代码检测工具
 * [Quark-Engine](https://github.com/quark-engine/quark-engine) - 能够对抗混淆的 Android 恶意软件评估系统
 * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits
 * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
@@ -342,7 +344,7 @@
 * [Capstone](https://github.com/aquynh/capstone) - 二进制分析反汇编框架，支持多种架构和许多语言
 * [codebro](https://github.com/hugsy/codebro) - 使用 clang 提供基础代码分析的 Web 端代码浏览器
 * [Cutter](https://github.com/radareorg/cutter) - Radare2 的 GUI
-* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF) 
+* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF)
   - 基于 QEMU 的二进制分析平台，DroidScope 是 DECAF 的扩展
 * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET 编辑器、编译器、调试器
 * [dotPeek](https://www.jetbrains.com/decompiler/) - 免费 .NET 反编译与汇编浏览器