awesome-malware-analysis/README.md

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

• Awesome Malware Analysis
  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Miscellaneous
• Resources
  • Books
  • Twitter
  • Other
• Related Awesome Lists
• Contributing

---

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

• Anonymouse.org - A free, web based anonymizer.
• OpenVPN - VPN software and hosting solutions.
• Privoxy - An open source proxy server with some privacy features.
• Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

• Conpot - ICS/SCADA honeypot.
• Dionaea - Honeypot designed to trap malware.
• Glastopf - Web application honeypot.
• Honeyd - Create a virtual honeynet.
• Kippo - Medium interaction SSH honeypot.
• Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

• Clean MX - Realtime database of malware and malicious domains.
• Contagio - A collection of recent malware samples and analyses.
• Exploit Database - Exploit and shellcode samples.
• Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.

Open Source Threat Intelligence

Threat intelligence and IOC resources.

• OpenIOC - Framework for sharing threat intelligence.

Detection and Classification

Antivirus and other malware identification tools

• AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
• chkrootkit - Local Linux rootkit detection.
• ClamAV - Open source antivirus engine.
• ExifTool - Read, write and edit file metadata.
• hashdeep - Compute digest hashes with a variety of algorithms.
• nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
• packerid - A cross-platform Python alternative to PEiD.
• PEiD - Packer identifier for Windows binaries.
• Rootkit Hunter - Detect Linux rootkits.
• ssdeep - Compute fuzzy hashes.
• totalhash.py - Python script for easy searching of the TotalHash.com database.
• TrID - File identifier.
• YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

• Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
• Jotti - Free online multi-AV scanner.
• Malwr - Free analysis with an online Cuckoo Sandbox instance.
• VirusTotal - Free online analysis of malware samples and URLs
• Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

• Dig - Free online dig and other network tools.
• IPinfo - Gather information about an IP or domain by searching online resources.
• TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
• Whois - DomainTools free online whois search.
• Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

• Firebug - Firefox extension for web development.
• Java Decompiler - Decompile and inspect Java apps.
• Java IDX Parser - Parses Java IDX cache files.
• Malzilla - Analyze malicious web pages.
• RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
• swftools - Tools for working with Adobe Flash files.
• xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents.

• AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
• diStorm - Disassembler for analyzing malicious shellcode.
• JS Beautifier - JavaScript unpacking and deobfuscation.
• JSDetox - JavaScript malware analysis tool.
• jsunpack-n - A javascript unpacker that emulates browser functionality.
• libemu - Library and tools for x86 shellcode emulation.
• malpdfobj - Deconstruct malicious PDFs into a JSON representation.
• OfficeMalScanner - Scan for malicious traces in MS Office documents.
• officeparser - A Python script for parsing the MS Office OLE document format.
• Origami PDF - A tool for analyzing malicious PDFs, and more.
• PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
• PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
• peepdf - Python tool for exploring possibly malicious PDFs.
• Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

• bulk_extractor - Fast file carving tool.
• Foremost - File carving tool designed by the US Air Force.
• Hachoir - A collection of Python libraries for dealing with binary files.
• Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

• Bokken - GUI for Pyew and Radare.
• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
• GDB - The GNU debugger.
• IDA Pro - Windows disassembler and debugger, with a free evaluation version.
• ltrace - Dynamic analysis for Linux executables.
• objdump - Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg - An assembly-level debugger for Windows executables.
• Pyew - Python tool for malware analysis.
• strace - Dynamic analysis for Linux executables.
• Radare2 - Reverse engineering framework, with debugger support.
• Udis86 - Disassembler library and tool for x86 and x86_64.
• Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

• INetSim - Network service emulation, useful when building a malware lab.
• mitmproxy - Intercept network traffic on the fly.
• NetworkMiner - Network forensic analysis tool, with a free version.
• ngrep - Search through network traffic like grep.
• Tcpdump - Collect network traffic.
• tcpick - Trach and reassemble TCP streams from network traffic.
• tcpxtract - Extract files from network traffic.
• Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

• FindAES - Find AES encryption keys in memory.
• Rekall - Memory analysis framework, forked from Volatility in 2013.
• TotalRecall - Script based on Volatility for automating various malware analysis tasks.
• Volatility - Advanced memory forensics framework.
• WinDbg - Live memory inspection and kernel debugging for Windows systems.

Miscellaneous

• REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Resources

Books

Essential malware analysis reading material.

• Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
• Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.

Twitter

Other

• Honeynet Project - Honeypot tools, papers, and other resources.
• Malicious Software - Malware blog and resources by Lenny Zeltser.
• /r/Malware - The malware subreddit.
• /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

Related Awesome Lists

• Android Security
• Pentesting
• Security

Contributing

Pull requests and issues with suggestions are welcome!