Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
- Awesome Malware Analysis
- Resources
- Related Awesome Lists
- Contributing
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
- Conpot - ICS/SCADA honeypot.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- Kippo - Medium interaction SSH honeypot.
- Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
Open Source Threat Intelligence
Threat intelligence and IOC resources.
- Autoshun (list) - Snort plugin and blocklist.
- CI Army List - Network security blocklists (bad guys).
- Emerging Threats - Rulesets and more.
- hpfeeds - Honeypot feed protocol.
- Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
- malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- OpenIOC - Framework for sharing threat intelligence.
- Palevo Blocklists - Botnet C&C blocklists.
- ZeuS Tracker - ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools.
- AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
- ExifTool - Read, write and edit file metadata.
- hashdeep - Compute digest hashes with a variety of algorithms.
- nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
- packerid - A cross-platform Python alternative to PEiD.
- PEiD - Packer identifier for Windows binaries.
- Rootkit Hunter - Detect Linux rootkits.
- ssdeep - Compute fuzzy hashes.
- totalhash.py - Python script for easy searching of the TotalHash.com database.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- Jotti - Free online multi-AV scanner.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- VirusTotal - Free online analysis of malware samples and URLs.
- Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- Dig - Free online dig and other network tools.
- IPinfo - Gather information about an IP or domain by searching online resources.
- TekDefense Automator - OSINT tool for gathering information about URLs, IPs, or hashes.
- Whois - DomainTools free online whois search.
- Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
Browser Malware
Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.
- Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser - Parses Java IDX cache files.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n - A javascript unpacker that emulates browser functionality.
- Malzilla - Analyze malicious web pages.
- RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm - Disassembler for analyzing malicious shellcode.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- officeparser - A Python script for parsing the MS Office OLE document format.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file carving tool.
- Foremost - File carving tool designed by the US Air Force.
- Hachoir - A collection of Python libraries for dealing with binary files.
- Scalpel - Another data carving tool.
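What the carvers above do at their core is scan an image for file header magic and cut at the matching footer (or at a maximum length when no footer turns up). The following is an added example written for this page, not code from Foremost, Scalpel or bulk_extractor; the signature table, the `carve` and `write_carved` helpers and the image it scans are all constructed here for illustration.

```python
"""Header/footer file carving over a raw disk or memory image (added example)."""
import os
import random
from typing import List, Optional, Tuple

# (type, header magic, footer magic or None, maximum carve length)
SIGNATURES: List[Tuple[str, bytes, Optional[bytes], int]] = [
    ("pdf", b"%PDF-", b"%%EOF", 512),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4096),
]


def carve(image: bytes, signatures=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every signature hit, in image order.

    A file ends at its footer; if no footer appears within the maximum
    length, the carve is cut at that length. That is the truncated or
    fragmented case, which header/footer carvers cannot reassemble.
    """
    found = []
    for name, header, footer, max_len in signatures:
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_len]
            end = window.find(footer, len(header)) if footer else -1
            data = window[:end + len(footer)] if end != -1 else window
            found.append((name, pos, data))
            pos = image.find(header, pos + len(data))
    found.sort(key=lambda hit: hit[1])
    return found


def write_carved(hits, out_dir: str) -> List[str]:
    """Write each carve to out_dir as <offset>.<type> and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for name, offset, data in hits:
        path = os.path.join(out_dir, f"{offset:08x}.{name}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


# Constructed test image (not a real disk dump): lowercase filler, which can
# never contain one of the magic values above, a complete PDF, a JPEG, and a
# PDF whose trailer is missing.
_rng = random.Random(2014)


def _filler(n: int) -> bytes:
    return bytes(_rng.choices(range(ord("a"), ord("z") + 1), k=n))


PDF_OK = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(1, 200)) + b"\xff\xd9"
PDF_TRUNCATED = b"%PDF-1.7\n2 0 obj\n<< /Length 900 >>\nstream\n" + _filler(900)
IMAGE = (_filler(700) + PDF_OK + _filler(300) + JPEG + _filler(200)
         + PDF_TRUNCATED + _filler(2000))

if __name__ == "__main__":
    for kind, offset, data in carve(IMAGE):
        print(f"{kind} at 0x{offset:x}, {len(data)} bytes")
```

Run against a real image by replacing `IMAGE` with the file contents. The truncated PDF comes back as exactly 512 bytes, which is the behaviour to expect from any header/footer carver on fragmented or partially overwritten files: the tool hands you a cut, and validating it (does it parse? is the footer real?) is still the analyst's job.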
Deobfuscation
Reverse XOR and other code obfuscation methods.
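The most common case an analyst meets is a payload hidden under a single-byte XOR key. Two heuristics recover the key without any tool: the DOS stub message is a known plaintext that a 256-key brute force will expose, and because `0x00 ^ k == k`, the long null runs in a PE header make the most frequent byte of the blob the key itself. The following is an added example written for this page, not code from any project listed here; the obfuscated sample is a fake PE header constructed inline, not a real malware sample.

```python
"""Recover a single-byte XOR key from an obfuscated Windows executable (added example)."""
from collections import Counter
from typing import Optional

# Constructed sample: the start of a PE-style file (DOS header, null padding,
# DOS stub and its message), XORed with a key the analyst does not know.
_FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 40
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 64
)
SECRET_KEY = 0x5A
OBFUSCATED = bytes(b ^ SECRET_KEY for b in _FAKE_PE)

CRIB = b"This program cannot be run in DOS mode"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def key_from_null_runs(data: bytes) -> int:
    """Heuristic 1: PE headers contain long runs of 0x00 and 0x00 ^ k == k,
    so the most frequent byte in the obfuscated blob is usually the key."""
    return Counter(data).most_common(1)[0][0]


def key_from_known_plaintext(data: bytes, crib: bytes = CRIB) -> Optional[int]:
    """Heuristic 2: try all 256 keys and look for the DOS stub message."""
    for key in range(256):
        if crib in xor(data, key):
            return key
    return None


def recover_key(data: bytes) -> Optional[int]:
    """Prefer the crib match; fall back to the null-run guess, but accept it
    only if decoding with it yields the 'MZ' signature."""
    key = key_from_known_plaintext(data)
    if key is not None:
        return key
    guess = key_from_null_runs(data)
    return guess if xor(data[:2], guess) == b"MZ" else None


if __name__ == "__main__":
    key = recover_key(OBFUSCATED)
    print(f"key = 0x{key:02x}, decoded start = {xor(OBFUSCATED, key)[:2]!r}")
```

The null-run heuristic also works on blobs too short to contain the DOS stub, which is why the fallback is kept; the `MZ` check stops it from returning a confident wrong answer on data that is not a PE at all. Multi-byte keys need the same idea applied per key position (group the bytes by `offset mod keylen` and solve each group separately), which is what the dedicated tools above automate.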
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- Bokken - GUI for Pyew and Radare.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- Pyew - Python tool for malware analysis.
- strace - Dynamic analysis for Linux executables.
- Radare2 - Reverse engineering framework, with debugger support.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
Network
Analyze network interactions.
- INetSim - Network service emulation, useful when building a malware lab.
- mitmproxy - Intercept network traffic on the fly.
- NetworkMiner - Network forensic analysis tool, with a free version.
- ngrep - Search through network traffic like grep.
- Tcpdump - Collect network traffic.
- tcpick - Track and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- Wireshark - The network traffic analysis tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- FindAES - Find AES encryption keys in memory.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall - Script based on Volatility for automating various malware analysis tasks.
- Volatility - Advanced memory forensics framework.
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
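The technique behind finding AES keys in a memory image is to look for the expanded key schedule rather than the key: every round key is derived deterministically from the one before it, so a 16-byte window is a real AES-128 key when the 160 bytes after it are exactly what the key expansion produces. Random data never satisfies that, and the schedule stays resident for as long as the cipher context is alive. The following is an added example written for this page, not code from FindAES, Volatility or Rekall; the S-box is generated rather than pasted, the memory image is constructed inline, and the planted key is the FIPS-197 Appendix A test key.

```python
"""Locate AES-128 keys in a memory image by searching for key schedules (added example)."""
import random
from typing import List, Tuple


def _gen_sbox() -> List[int]:
    """Build the AES S-box from log/antilog tables over GF(2^8), generator 3."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x *= 3 in GF(2^8)
    sbox = [0x63]                                     # inverse of 0 is 0
    for a in range(1, 256):
        inv = exp[(255 - log[a]) % 255]
        s = inv
        for r in range(1, 5):                         # affine map: inv ^ rotl(inv, 1..4)
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _gen_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])   # RotWord + SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def _first_word_of_round1(key: bytes) -> bytes:
    """Cheap pre-filter: only the first word of round key 1, no full expansion."""
    t = bytes(SBOX[b] for b in key[13:16] + key[12:13])
    return bytes([t[0] ^ 0x01 ^ key[0], t[1] ^ key[1], t[2] ^ key[2], t[3] ^ key[3]])


def find_aes128_keys(memory: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, key) for every window whose following bytes are its schedule."""
    hits = []
    for off in range(len(memory) - 176 + 1):
        cand = memory[off:off + 16]
        if memory[off + 16:off + 20] != _first_word_of_round1(cand):
            continue                                  # almost every offset stops here
        if memory[off:off + 176] == expand_key(cand):
            hits.append((off, cand))
    return hits


# Constructed memory image (not a real dump): random filler, a decoy key that
# was never expanded, then a live key followed by its schedule.
_rng = random.Random(1337)


def _rand(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # FIPS-197 Appendix A
DECOY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
_prefix = _rand(1500) + DECOY + _rand(700)
KEY_OFFSET = len(_prefix)
MEMORY = _prefix + expand_key(KEY) + _rand(1000)

if __name__ == "__main__":
    for offset, key in find_aes128_keys(MEMORY):
        print(f"AES-128 key at 0x{offset:x}: {key.hex()}")
```

The decoy shows the important limitation: a key that was only ever stored as 16 raw bytes is invisible to this search, because nothing distinguishes it from random data. What the scan recovers is the expanded schedule that an AES implementation keeps next to the key while it is in use, which is exactly the artefact a live memory capture preserves and a disk image does not. AES-192 and AES-256 are the same check with a 24- or 32-byte window and the corresponding expansion.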
Miscellaneous
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
Resources
Books
Essential malware analysis reading material.
- Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
Other
- Honeynet Project - Honeypot tools, papers, and other resources.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
Contributing
Pull requests and issues with suggestions are welcome!