Update README.md

This commit is contained in:
kh4sh3i 2022-01-08 18:57:26 +03:30 committed by GitHub
parent 64579f7da7
commit 4b5c730a94
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -96,6 +96,8 @@ A curated list of awesome malware analysis tools and resources
* [Process Hacker](https://processhacker.sourceforge.io/) - Tool that monitors system resources.
* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - Advanced monitoring tool for Windows programs.
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots.
* [ProcDot](http://www.procdot.com/) - A graphical malware analysis tool kit.
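Review bot: the new ProcDot entry links over plain http (`http://www.procdot.com/`) while every neighbouring entry in this block uses https; switch to https if the site serves it, and otherwise the line matches the list's `* [Name](url) - Description.` convention, so nothing else needs changing here.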
@ -111,7 +113,10 @@ A curated list of awesome malware analysis tools and resources
* Memory Forensics
* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework.
* memory acquisition
* [Comae-Toolkit](https://github.com/Crypt2Shell/Comae-Toolkit) _ use DumpIt.exe for sump whole memory
* memory analysis
* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework.
* Online Scanners and Sandboxes
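Review bot: Volatility now appears twice in this block, once on the existing `* [Volatility](...)` bullet and again under the new `memory analysis` sub-heading; keep only the one under the sub-heading so the section reads as acquisition vs. analysis. On the Comae-Toolkit line, the `_` should be the ` - ` separator the rest of the list uses, and "sump" is a typo for "dump", e.g. `* [Comae-Toolkit](...) - Use DumpIt.exe to dump whole physical memory.` The new sub-headings are also lower case (`memory acquisition`, `memory analysis`) where the existing ones are Title Case (`Memory Forensics`).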
@ -125,6 +130,10 @@ A curated list of awesome malware analysis tools and resources
* Android
* [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
* service emulation
* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when building a malware lab.
* [FakeNet](https://sourceforge.net/projects/fakenet/) - Windows Network Simulation tool for Malware Analysis
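Review bot: the `service emulation` heading is lower case while the surrounding headings (`Android`, `Online Scanners and Sandboxes`) are Title Case, and the FakeNet description lacks the trailing period every other entry carries; suggest `* [FakeNet](...) - Windows network simulation tool for malware analysis.` Note also that the SourceForge FakeNet project is the original Windows-only tool; if the list is meant to point at the maintained successor, that is FakeNet-NG from the FLARE team, which is worth listing alongside or instead.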
@ -152,6 +161,15 @@ A curated list of awesome malware analysis tools and resources
* we can bypass all static analysis with rewrite import dll, with call function with address in memory
* we can create shellcode with FASM tools in assembly
* the best future of ida is create basic block for application analysis
* export procmon to csv and send to procdot for create png of malware behaviour
* almost ransomeware are 32 bit, because they can run on 32 bit and 64 bit architect
* some ransomware work when we have complex network, we use FakeNet tools for create all network service
* with FakeNet tools and vmware host only, we can see all network connection with c2 server, because 127.0.0.1 set for all dns query
* in windows 8 and upper, ther is patchgaurd mechanism that every 30m check critical section and if detedct some app remove linker and DKOM attack happen make bluescrean ! with this role most rootkit lose
* we can use psscan command in volatility for finding rootkit and hidden process
* .pdb file is so important for detection function name and indexing of system dll that use in malware
* in vmware we can suspend vm and copy .vmem for memory analysis. the file size is equal to whole memory size
### Books
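Review bot: this block inserts eleven unheaded free-text notes between the tool list and `### Books`, which breaks the curated-list format; give them their own heading (e.g. `### Tips`) or move them to a separate notes file. Several lines also need spelling and wording fixes before merge: "ransomeware", "architect", "ther", "patchgaurd", "detedct", "bluescrean", and "almost ransomeware are 32 bit" should read "most ransomware is 32-bit". Two claims are inaccurate as written: the PatchGuard line says "windows 8 and upper ... every 30m", but Kernel Patch Protection has shipped with 64-bit Windows since XP x64 / Server 2003 SP1 and does not run on a fixed 30-minute interval, so suggest "on 64-bit Windows, PatchGuard periodically verifies kernel structures and bugchecks the machine if DKOM-style modifications are detected"; and "bypass all static analysis" on the first line overstates it, since resolving imports by address at runtime defeats import-table inspection, not static analysis as a whole.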