Awesome-Mirrors/awesome-malware-analysis

mirror of https://github.com/rshipp/awesome-malware-analysis.git synced 2024-10-01 06:35:40 -04:00

A curated list of awesome malware analysis tools and resources.

analysis-framework automated-analysis awesome awesome-list chinese chinese-translation domain-analysis drop-ice dynamic-analysis list malware-analysis malware-collection malware-research malware-samples network-traffic static-analysis threatintel threat-intelligence threat-sharing

Go to file

rshipp 4d4e89085a Add license info		2015-05-09 11:57:59 -06:00
CONTRIBUTING.md	Add license info	2015-05-09 11:57:59 -06:00
LICENSE	Add CC-BY-4.0 license	2015-05-08 18:16:07 -06:00
README.md	Added @Rurik IDX parser, malzilla, JD	2015-05-09 11:44:40 -06:00

README.md

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Awesome Malware Analysis
Resources
- Books
- Twitter
- Other
Related Awesome Lists
Contributing

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

Anonymouse.org - A free, web based anonymizer.
OpenVPN - VPN software and hosting solutions.
Privoxy - An open source proxy server with some privacy features.
Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

Conpot - ICS/SCADA honeypot.
Dionaea - Honeypot designed to trap malware.
Glastopf - Web application honeypot.
Honeyd - Create a virtual honeynet.
Kippo - Medium interaction SSH honeypot.
Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

Clean MX - Realtime database of malware and malicious domains.
Contagio - A collection of recent malware samples and analyses.
Exploit Database - Exploit and shellcode samples.
Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.

Detection and Classification

Antivirus and other malware identification tools

AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
chkrootkit - Local Linux rootkit detection.
ClamAV - Open source antivirus engine.
ExifTool - Read, write and edit file metadata.
hashdeep - Compute digest hashes with a variety of algorithms.
nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
packerid - A cross-platform Python alternative to PEiD.
Rootkit Hunter - Detect Linux rootkits.
ssdeep - Compute fuzzy hashes.
totalhash.py - Python script for easy searching of the TotalHash.com database.
TrID - File identifier.
YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
Jotti - Free online multi-AV scanner.
Malwr - Free analysis with an online Cuckoo Sandbox instance.
VirusTotal - Free online analysis of malware samples and URLs
Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

Dig - Free online dig and other network tools.
IPinfo - Gather information about an IP or domain by searching online resources.
TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
Whois - DomainTools free online whois search.
Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

Java Decompiler - Decompile and inspect Java apps.
Java IDX Parser - Parses Java IDX cache files.
Malzilla - Analyze malicious web pages.
RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
swftools - Tools for working with Adobe Flash files.
xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents.

AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
diStorm - Disassembler for analyzing malicious shellcode.
JS Beautifier - JavaScript unpacking and deobfuscation.
JSDetox - JavaScript malware analysis tool.
jsunpack-n - A javascript unpacker that emulates browser functionality.
libemu - Library and tools for x86 shellcode emulation.
malpdfobj - Deconstruct malicious PDFs into a JSON representation.
OfficeMalScanner - Scan for malicious traces in MS Office documents.
officeparser - A Python script for parsing the MS Office OLE document format.
Origami PDF - A tool for analyzing malicious PDFs, and more.
PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
peepdf - Python tool for exploring possibly malicious PDFs.
Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

bulk_extractor - Fast file carving tool.
Foremost - File carving tool designed by the US Air Force.
Hachoir - A collection of Python libraries for dealing with binary files.
Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

Bokken - GUI for Pyew and Radare.
Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
GDB - The GNU debugger.
IDA Pro - Windows disassembler and debugger, with a free evaluation version.
ltrace - Dynamic analysis for Linux executables.
objdump - Part of GNU binutils, for static analysis of Linux binaries.
OllyDbg - An assembly-level debugger for Windows executables.
Pyew - Python tool for malware analysis.
strace - Dynamic analysis for Linux executables.
Radare2 - Reverse engineering framework, with debugger support.
Udis86 - Disassembler library and tool for x86 and x86_64.
Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

FindAES - Find AES encryption keys in memory.
Rekall - Memory analysis framework, forked from Volatility in 2013.
TotalRecall - Script based on Volatility for automating various malware analysis tasks.
Volatility - Advanced memory forensics framework.
WinDbg - Live memory inspection and kernel debugging for Windows systems.

Miscellaneous

REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Resources

Books

Essential malware analysis reading material.

Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.

Twitter

Other

Honeynet Project - Honeypot tools, papers, and other resources.
Malicious Software - Malware blog and resources by Lenny Zeltser.
/r/Malware - The malware subreddit.
/r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

Contributing

Pull requests and issues with suggestions are welcome!