A curated list of awesome malware analysis tools and resources.
Go to file
2015-05-09 11:57:59 -06:00
CONTRIBUTING.md Add license info 2015-05-09 11:57:59 -06:00
LICENSE Add CC-BY-4.0 license 2015-05-08 18:16:07 -06:00
README.md Added @Rurik IDX parser, malzilla, JD 2015-05-09 11:44:40 -06:00

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • Kippo - Medium interaction SSH honeypot.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • ExifTool - Read, write and edit file metadata.
  • hashdeep - Compute digest hashes with a variety of algorithms.
  • nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform Python alternative to PEiD.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py - Python script for easy searching of the TotalHash.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • Jotti - Free online multi-AV scanner.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • VirusTotal - Free online analysis of malware samples and URLs
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Dig - Free online dig and other network tools.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java IDX cache files.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A javascript unpacker that emulates browser functionality.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • officeparser - A Python script for parsing the MS Office OLE document format.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file carving tool.
  • Foremost - File carving tool designed by the US Air Force.
  • Hachoir - A collection of Python libraries for dealing with binary files.
  • Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken - GUI for Pyew and Radare.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • GDB - The GNU debugger.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • ltrace - Dynamic analysis for Linux executables.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • Pyew - Python tool for malware analysis.
  • strace - Dynamic analysis for Linux executables.
  • Radare2 - Reverse engineering framework, with debugger support.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • FindAES - Find AES encryption keys in memory.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • Volatility - Advanced memory forensics framework.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Miscellaneous

  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Resources

Books

Essential malware analysis reading material.

Twitter

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome!