A curated list of awesome malware analysis tools and resources.
Go to file
2015-05-09 10:51:23 -06:00
LICENSE Add CC-BY-4.0 license 2015-05-08 18:16:07 -06:00
README.md Add @vmt udis86, and objdump 2015-05-09 10:51:23 -06:00

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • Kippo - Medium interaction SSH honeypot.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • ClamAV - Open source antivirus engine.
  • ExifTool - Read, write and edit file metadata.
  • packerid - A cross-platform Python alternative to PEiD.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • Jotti - Free online multi-AV scanner.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • VirusTotal - Free online analysis of malware samples and URLs
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Dig - Free online dig and other network tools.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A javascript unpacker that emulates browser functionality.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • officeparser - A Python script for parsing the MS Office OLE document format.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken - GUI for Pyew and Radare.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • Pyew - Python tool for malware analysis.
  • Radare2 - Reverse engineering framework, with debugger support.
  • Udis86 - Disassembler library and tool for x86 and x86_64.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • FindAES - Find AES encryption keys in memory.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • Volatility - Advanced memory forensics framework.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Miscellaneous

  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Resources

Books

Essential malware analysis reading material.

Twitter

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome!