A curated list of awesome malware analysis tools and resources.
Go to file
2015-05-15 13:50:47 -06:00
CONTRIBUTING.md Add license info 2015-05-09 11:57:59 -06:00
LICENSE Add CC-BY-4.0 license 2015-05-08 18:16:07 -06:00
README.md Add missing jotti and malwr URLs 2015-05-15 13:50:47 -06:00

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Work in progress!


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Kippo - Medium interaction SSH honeypot.
  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • theZoo - Live malware samples for analysts.
  • maltrieve - Retrieve malware samples directly from a number of online sources.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
  • IOC Editor - A free editor for XML IOC files, from Mandiant.
  • ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
  • threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • ExifTool - Read, write and edit file metadata.
  • hashdeep - Compute digest hashes with a variety of algorithms.
  • nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform Python alternative to PEiD.
  • PEiD - Packer identifier for Windows binaries.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py - Python script for easy searching of the TotalHash.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • Jotti - Free online multi-AV scanner.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • Recomposer - A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal - Free online analysis of malware samples and URLs
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Dig - Free online dig and other network tools.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java IDX cache files.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A javascript unpacker that emulates browser functionality.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file carving tool.
  • EVTXtract - Carve Windows Event Log files from raw binary data.
  • Foremost - File carving tool designed by the US Air Force.
  • Hachoir - A collection of Python libraries for dealing with binary files.
  • Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
  • unxor - Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken - GUI for Pyew and Radare.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • GDB - The GNU debugger.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ltrace - Dynamic analysis for Linux executables.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • Process Monitor - Advanced monitoring tool for Windows programs.
  • Pyew - Python tool for malware analysis.
  • strace - Dynamic analysis for Linux executables.
  • Radare2 - Reverse engineering framework, with debugger support.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

  • Fiddler - Intercepting web proxy designed for "web debugging."
  • Hale - Botnet C&C monitor.
  • INetSim - Network service emulation, useful when building a malware lab.
  • Malcom - Malware Communications Analyzer.
  • mitmproxy - Intercept network traffic on the fly.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  • ngrep - Search through network traffic like grep.
  • Tcpdump - Collect network traffic.
  • tcpick - Trach and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM - Differential Analysis of Malware in Memory, built on Volatility
  • FindAES - Find AES encryption keys in memory.
  • Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • Volatility - Advanced memory forensics framework.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

Storage and Workflow

  • Malwarehouse - Store, tag, and search malware.
  • Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome!

Thanks

This list was made possible by:

  • Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
  • Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!

Thanks!