2015-05-09 00:08:28 +00:00
# Awesome Malware Analysis
[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

A curated list of awesome malware analysis tools and resources. Inspired by
[awesome-python](https://github.com/vinta/awesome-python) and
[awesome-php](https://github.com/ziadoz/awesome-php).

- [Awesome Malware Analysis](#awesome-malware-analysis)
    - [Malware Collection](#malware-collection)
        - [Anonymizers](#anonymizers)
        - [Honeypots](#honeypots)
        - [Malware Corpora](#malware-corpora)
    - [Open Source Threat Intelligence](#open-source-threat-intelligence)
        - [Tools](#tools)
        - [Other Resources](#other-resources)
    - [Detection and Classification](#detection-and-classification)
    - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
    - [Domain Analysis](#domain-analysis)
    - [Browser Malware](#browser-malware)
    - [Documents and Shellcode](#documents-and-shellcode)
    - [File Carving](#file-carving)
    - [Deobfuscation](#deobfuscation)
    - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
    - [Network](#network)
    - [Memory Forensics](#memory-forensics)
    - [Windows Artifacts](#windows-artifacts)
    - [Storage and Workflow](#storage-and-workflow)
    - [Miscellaneous](#miscellaneous)
- [Resources](#resources)
    - [Books](#books)
    - [Twitter](#twitter)
    - [Other](#other)
- [Related Awesome Lists](#related-awesome-lists)
- [Contributing](#contributing)
- [Thanks](#thanks)

---
## Malware Collection

### Anonymizers

*Web traffic anonymizers for analysts.*

* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
  privacy features.
* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
  without leaving traces of the client IP.

### Honeypots

*Trap and collect your own samples.*

* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
  on Kippo.
* [DemonHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction distributed honeypots.
* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
* [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
  honeypot data; supports Dionaea.
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
  investigating malicious websites.

### Malware Corpora

*Malware samples collected for analysis.*

* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
  database of malware and malicious domains.
* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
  malware samples and analyses.
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
  samples.
* [Malshare](https://malshare.com) - Large repository of malware actively
  scraped from malicious sites.
* [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository.
* [Open Malware Project](http://openmalware.org/) - Sample information and
  downloads. Formerly Offensive Computing.
* [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware
  crawler with pre-analysis and reporting functionalities.
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
  analysts.
* [Tracker h3x](http://tracker.h3x.eu/) - Aggregator for malware corpus trackers
  and malicious download sites.
* [ViruSign](http://www.virussign.com/) - Malware database of samples detected by
  many anti-malware programs except ClamAV.
* [VirusShare](https://virusshare.com/) - Malware repository, registration
  required.
* [VX Vault](http://vxvault.net) - Active collection of malware samples.
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
  of malware sample sources put together by Lenny Zeltser.
* [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus
  trojan leaked in 2011.

## Open Source Threat Intelligence

### Tools

*Harvest and analyze IOCs.*

* [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source
  framework for receiving and redistributing abuse feeds and threat intel.
* [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and
  collaborate in developing Threat Intelligence.
* [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat
  Intelligence indicators from publicly available sources.
* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
* [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) -
  A tool for CERTs for processing incident data using a message queue.
* [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) -
  A free editor for XML IOC files.
* [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for
  working with OpenIOC objects, from Mandiant.
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
  Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
  from various lists. Curated by the
  [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
  Platform curated by [The MISP Project](http://www.misp-project.org/).
* [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
  share IPs and domains. (Was PassiveTotal.)
* [threataggregator](https://github.com/jpsenior/threataggregator) -
  Aggregates security threats from a number of sources, including some of
  those listed below in [other resources](#other-resources).
* [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats,
  with graphical visualization.
* [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python
  script to monitor and generate alerts based on IOCs indexed by a set of
  Google Custom Search Engines.
* [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization
  and statistical analysis of Threat Intelligence feeds.

### Other Resources

*Threat intelligence and IOC resources.*

* [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) -
  Snort plugin and blocklist.
* [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) -
  OSINT feeds based on malicious DGA algorithms.
* [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) -
  Extensive malware config database (must request access).
* [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) -
  Network security blocklists.
* [Critical Stack - Free Intel Market](https://intel.criticalstack.com) - Free
  intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
* [Cybercrime tracker](http://cybercrime-tracker.net/) - Tracker of multiple active botnets.
* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
  shared publicly by FireEye.
* [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists
  with a focus on attacks, malware and abuse. Evolution, changes history,
  country maps, age of IPs listed, retention policy, overlaps.
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
  searchable incident database, with a web [API](https://dshield.org/api/)
  ([unofficial Python library](https://github.com/rshipp/python-dshield)).
* [malc0de](http://malc0de.com/database/) - Searchable incident database.
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
  malicious URLs.
* [Metadefender.com Threat Intelligence Feeds](https://www.metadefender.com/threat-intelligence-feeds) -
  List of the most looked up file hashes from the Metadefender.com malware feed.
* [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence.
* [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet
  C&C blocklists.
* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
  Rulesets and more. (Formerly Emerging Threats.)
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
  An overview of ransomware, with details, detection and prevention.
* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
  Standardized language to represent and share cyber threat information.
  Related efforts from [MITRE](https://www.mitre.org/):
    - [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/)
    - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
    - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
    - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
  intelligence, with search.
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
  free per month.
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
  blocklists.

## Detection and Classification

*Antivirus and other malware identification tools.*

* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
  variety of tools for reporting on Windows PE files.
* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable
  distributed file analysis framework.
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
  AWS pipeline that scans and alerts on uploaded files based on a set of
  YARA rules.
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for
  determining types of files.
* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
  edit file metadata.
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
  Modular, recursive file scanning solution.
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
  a variety of algorithms.
* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
  compare malware at a function level.
* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
  framework.
* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
  scanning/analysis framework.
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
  up hashes in NIST's National Software Reference Library database.
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
  Python alternative to PEiD.
* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
  files, providing feature-rich tools for proper analysis of suspicious binaries.
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
  Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
  database.
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
  analysts.
* [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate
  yara rules based on a set of malware samples. Also contains a good
  strings DB to avoid false positives.

## Online Scanners and Sandboxes

*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*

* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
* [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
  against multiple mobile antivirus apps.
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and
  malware repository.
* [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents.
* [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted
  sandbox and automated analysis system.
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
  version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
  legal concerns by the author.
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
  Python API used to control a cuckoo-modified sandbox.
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
  machine-learning classification.
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
  traffic analysis of Linux malware and capture IOCs.
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
  system.
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
  firmware package.
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An automated malware
  analysis tool for Linux ELF files.
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
  analysis tool, powered by VxSandbox.
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
  analysis platform for suspicious files.
* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for analyzing Linux malware.
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
  of malware behavior.
* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
  online malware and URL analysis services.
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
  the configuration settings from common malware.
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
  instance.
* [MASTIFF Online](https://mastiff-online.korelogic.com/) - Online static
  analysis of malware.
* [Metadefender.com](https://www.metadefender.com) - Scan a file, hash or IP
  address for malware (free).
* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
  pcap files and facilitates the quick detection of viruses, worms, trojans, and all
  kinds of malware using Suricata configured with EmergingThreats Pro.
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
  collect information about malware in a sandboxed environment.
* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
  script for safely uploading binaries to sandbox sites.
* [SandDroid](http://sanddroid.xjtu.edu.cn/) - Automatic and complete
  Android application analysis system.
* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
  is a framework for building test automation in secured environments.
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
  samples and URLs.
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
  visualization library and command line tools for logs. (Cuckoo, Procmon, more
  to come...)
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
  automated sandboxes and services, compiled by Lenny Zeltser.

## Domain Analysis

*Inspect domains and IP addresses.*

* [badips.com](https://www.badips.com/) - Community based IP blacklist service.
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
  for consistent and safe capture of off network web resources.
* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
  search.
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
  much metadata as possible for a website and to assess its good standing.
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
  network tools.
* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
  engine for detecting typo squatting, phishing and corporate espionage.
* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
  about an IP or domain by searching online resources.
* [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for
  gathering information about URLs, IPs, or hashes. Similar to Automater.
* [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language
  temporary email detection library.
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
  for the VirusTotal API. Allows domain/IP research, and searching for file
  hashes and scan reports.
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
  confirmed reverse DNS lookup over more than 300 RBLs.
* [NormShield Services](https://services.normshield.com/) - Free API services
  for detecting possible phishing domains, blacklisted IP addresses and breached
  accounts.
* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
  domains and IPs.
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free website malware
  and security scanner.
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
  or network owner. (Previously SenderBase.)
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
  for gathering information about URLs, IPs, or hashes.
* [URLQuery](http://urlquery.net/) - Free URL scanner.
* [Whois](https://whois.domaintools.com/) - DomainTools free online whois
  search.
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
  online tools for researching malicious websites, compiled by Lenny Zeltser.
* [Zscaler Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.

## Browser Malware

*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
[documents and shellcode](#documents-and-shellcode) sections.*

* [Firebug](https://getfirebug.com/) - Firefox extension for web development.
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
  IDX cache files.
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
  malware analysis tool.
* [jsunpack-n](https://github.com/urule99/jsunpack-n) - A JavaScript
  unpacker that emulates browser functionality.
* [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler,
  assembler, and disassembler.
* [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
* [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust
  ActionScript Bytecode Disassembler."
* [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash
  files.
* [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
  Python script for analyzing Flash files.

## Documents and Shellcode

*Analyze malicious JS and shellcode from PDFs and Office documents. See also
the [browser malware](#browser-malware) section.*

* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
  analyzing PDFs and attempting to determine whether they are malicious.
* [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript
  malware, featuring JScript/WScript support and ActiveX emulation.
* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
  malicious shellcode.
* [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
* [JS Deobfuscator](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) -
  Deobfuscate simple JavaScript that uses eval or document.write to conceal
  its code.
* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
  emulation.
* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
  into a JSON representation.
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
  malicious traces in MS Office documents.
* [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE
  and OpenXML documents and extracting useful information.
* [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for
  analyzing malicious PDFs, and more.
* [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
  pdf-parser, and more from Didier Stevens.
* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
  the backend-free version of PDF X-RAY.
* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
  tool for exploring possibly malicious PDFs.
* [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework
  to analyze suspected malware documents to identify exploits in streams of different
  encodings and to locate and extract embedded executables.
* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
  Mozilla's JavaScript engine, for debugging malicious JS.

## File Carving

*For extracting files from inside disk and memory images.*

* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
  carving tool.
* [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows
  Event Log files from raw binary data.
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
  by the US Air Force.
* [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python
  libraries for dealing with binary files.
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
  tool.
* [SFlock](https://github.com/jbremer/sflock) - Nested archive
  extraction/unpacking (used in Cuckoo Sandbox).

## Deobfuscation
2015-05-15 01:37:48 +00:00
*Reverse XOR and other code obfuscation methods.*
2015-05-09 17:07:39 +00:00
2015-05-15 01:55:57 +00:00
* [Balbuzard ](https://bitbucket.org/decalage/balbuzard/wiki/Home ) - A malware
analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
2015-09-22 16:07:01 +00:00
* [de4dot ](https://github.com/0xd4d/de4dot ) - .NET deobfuscator and
unpacker.
2015-05-15 01:53:06 +00:00
* [ex_pe_xor ](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html )
& [iheartxor ](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html ) -
Two tools from Alexander Hanel for working with single-byte XOR encoded
files.
2016-07-01 02:05:30 +00:00
* [FLOSS ](https://github.com/fireeye/flare-floss ) - The FireEye Labs Obfuscated
String Solver uses advanced static analysis techniques to automatically
2016-06-11 07:15:00 +00:00
deobfuscate strings from malware binaries.
2015-05-15 01:44:14 +00:00
* [NoMoreXOR ](https://github.com/hiddenillusion/NoMoreXOR ) - Guess a 256 byte
XOR key using frequency analysis.
2015-11-04 09:02:54 +00:00
* [PackerAttacker ](https://github.com/BromiumLabs/PackerAttacker ) - A generic
hidden code extractor for Windows malware.
2016-07-01 02:05:30 +00:00
* [unpacker ](https://github.com/malwaremusings/unpacker/ ) - Automated malware
2016-06-10 07:11:00 +00:00
unpacker for Windows malware based on WinAppDbg.
2015-05-15 01:47:34 +00:00
* [unxor ](https://github.com/tomchop/unxor/ ) - Guess XOR keys using
known-plaintext attacks.
2015-11-04 08:54:07 +00:00
* [VirtualDeobfuscator ](https://github.com/jnraber/VirtualDeobfuscator ) -
Reverse engineering tool for virtualization wrappers.
2015-05-15 01:54:50 +00:00
* [XORBruteForcer ](http://eternal-todo.com/var/scripts/xorbruteforcer ) -
A Python script for brute forcing single-byte XOR keys.
2016-04-12 15:16:09 +00:00
* [XORSearch & XORStrings ](https://blog.didierstevens.com/programs/xorsearch/ ) -
2015-05-15 01:53:06 +00:00
A couple programs from Didier Stevens for finding XORed data.
2015-05-15 01:46:08 +00:00
* [xortool ](https://github.com/hellman/xortool ) - Guess XOR key length, as
well as the key itself.
2015-05-15 01:44:14 +00:00
2015-05-09 16:41:13 +00:00
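
The XOR tools above share a handful of recovery techniques: brute-forcing a
single key byte and keeping the candidate that decodes to plausible text,
treating each position of a longer key as its own single-byte problem
(frequency analysis), trying key lengths until one decodes cleanly, and
sliding a known plaintext across the blob. The script below, added here as an
example and not taken from any of the listed projects, implements each of
them with only the standard library; the sample text, the key
`0x13 0x7c 0xa9 0xd6` and the crib are constructed for the demonstration.

```python
"""Recover repeating-key XOR keys from obfuscated text-like data (strings,
scripts, config blobs): single-byte brute force, per-position frequency
analysis for longer keys, key-length guessing and a known-plaintext attack.
Added example for this list, not code from any listed project; the sample
text and key are constructed."""
import string

# Approximate English letter frequencies (percent); space is the most common
# byte in prose and gets the largest weight.
FREQ = dict(zip(b"etaoinshrdlcumwfgypbvkjxqz",
                [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8,
                 2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.2, 0.2, 0.1, 0.1]))
FREQ[0x20] = 13.0
PRINTABLE = set(string.printable.encode())


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score(buf: bytes) -> tuple:
    """Rank a candidate plaintext: number of printable bytes first, then how
    closely it follows English letter frequencies (upper case folded)."""
    printable = sum(b in PRINTABLE for b in buf)
    freq = sum(FREQ.get(b + 32 if 65 <= b <= 90 else b, 0.0) for b in buf)
    return (printable, freq)


def brute_single_byte(data: bytes) -> int:
    """XORBruteForcer/XORSearch style: try all 256 keys, keep the most plausible."""
    return max(range(256), key=lambda k: score(xor(data, bytes([k]))))


def recover_key(data: bytes, key_len: int) -> bytes:
    """NoMoreXOR style: every residue class data[pos::key_len] is a single-byte
    XOR, so each key byte is recovered independently by frequency analysis."""
    return bytes(brute_single_byte(data[pos::key_len]) for pos in range(key_len))


def minimal_period(key: bytes) -> bytes:
    """Collapse a key that is itself a repetition (b'k3y!k3y!' -> b'k3y!')."""
    for n in range(1, len(key) + 1):
        if len(key) % n == 0 and key[:n] * (len(key) // n) == key:
            return key[:n]
    return key


def guess_key(data: bytes, max_len: int = 16) -> bytes:
    """xortool style: recover a key for every length up to max_len and keep the
    one whose decryption scores best.  Multiples of the true length decrypt
    identically, so ties go to the shortest length and the result is reduced
    to its minimal period."""
    best_len = max(range(1, max_len + 1),
                   key=lambda n: score(xor(data, recover_key(data, n))))
    return minimal_period(recover_key(data, best_len))


def keys_from_crib(data: bytes, crib: bytes, key_len: int) -> list:
    """unxor style known-plaintext attack: slide the crib over the data; XORing
    it with the ciphertext at each offset yields a key stream, which is a hit
    only if it repeats with the claimed period (needs len(crib) > key_len)."""
    hits = []
    for off in range(len(data) - len(crib) + 1):
        stream = xor(data[off:off + len(crib)], crib)
        if any(stream[j] != stream[j - key_len] for j in range(key_len, len(stream))):
            continue  # key stream is not periodic here: wrong offset
        key = bytearray(key_len)
        for j in range(key_len):
            key[(off + j) % key_len] = stream[j]
        hits.append(bytes(key))
    return hits


# Constructed sample: a lowercase English blob and a 4-byte key.
SAMPLE = (b"single byte xor is the most common string obfuscation seen in commodity "
          b"malware. the key is usually short and the protected data is text, so a "
          b"candidate key that turns the blob into readable ascii with english letter "
          b"frequencies is almost certainly right. the same idea recovers multi byte "
          b"keys one position at a time during malware analysis.")
KEY = bytes([0x13, 0x7C, 0xA9, 0xD6])
BLOB = xor(SAMPLE, KEY)

if __name__ == "__main__":
    print("single-byte key:", hex(brute_single_byte(xor(SAMPLE, b"\x5a"))))
    print("guessed key:", guess_key(BLOB))
    print("crib hits:", keys_from_crib(BLOB, b"malware analysis", 4))
```

The scoring ranks candidates by printable bytes first and English letter
frequency second, which suits the strings and configuration blobs usually
hidden this way; for an XOR-encoded binary (an embedded PE, say) score against
the expected header bytes instead. `guess_key` resolves the classic ambiguity
that a 4-byte key also decodes correctly as an 8- or 12-byte key by preferring
the shortest length and collapsing repeated keys, and `keys_from_crib` can only
reject false offsets when the crib is longer than the key.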

## Debugging and Reverse Engineering

*Disassemblers, debuggers, and other static and dynamic analysis tools.*

* [angr ](https://github.com/angr/angr ) - Platform-agnostic binary analysis
framework developed at UCSB's Seclab.
* [bamfdetect ](https://github.com/bwall/bamfdetect ) - Identifies and extracts
information from bots and other malware.
* [BAP ](https://github.com/BinaryAnalysisPlatform/bap ) - Multiplatform and
open source (MIT) binary analysis framework developed at CMU's Cylab.
* [BARF ](https://github.com/programa-stic/barf-project ) - Multiplatform, open
source Binary Analysis and Reverse engineering Framework.
* [binnavi ](https://github.com/google/binnavi ) - Binary analysis IDE for
reverse engineering based on graph visualization.
* [Binary ninja ](https://binary.ninja/ ) - A reverse engineering platform
that is an alternative to IDA.
* [Binwalk ](https://github.com/devttys0/binwalk ) - Firmware analysis tool.
* [Bokken ](http://www.bokken.re/ ) - GUI for Pyew and Radare.
([mirror](https://github.com/inguma/bokken))
* [Capstone ](https://github.com/aquynh/capstone ) - Disassembly framework for
binary analysis and reversing, with support for many architectures and
bindings in several languages.
* [codebro ](https://github.com/hugsy/codebro ) - Web based code browser using
clang to provide basic code analysis.
* [DECAF (Dynamic Executable Code Analysis Framework) ](https://github.com/sycurelab/DECAF )
- A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
* [dnSpy ](https://github.com/0xd4d/dnSpy ) - .NET assembly editor, decompiler
and debugger.
* [Evan's Debugger (EDB) ](http://codef00.com/projects#debugger ) - A
modular debugger with a Qt GUI.
* [Fibratus ](https://github.com/rabbitstack/fibratus ) - Tool for exploration
and tracing of the Windows kernel.
* [FPort ](https://www.mcafee.com/us/downloads/free-tools/fport.aspx ) - Reports
open TCP/IP and UDP ports in a live system and maps them to the owning application.
* [GDB ](http://www.sourceware.org/gdb/ ) - The GNU debugger.
* [GEF ](https://github.com/hugsy/gef ) - GDB Enhanced Features, for exploiters
and reverse engineers.
* [hackers-grep ](https://github.com/codypierce/hackers-grep ) - A utility to
search for strings in PE executables including imports, exports, and debug
symbols.
* [Hopper ](https://www.hopperapp.com/ ) - The macOS and Linux Disassembler.
* [IDA Pro ](https://www.hex-rays.com/products/ida/index.shtml ) - Windows
disassembler and debugger, with a free evaluation version.
* [Immunity Debugger ](http://debugger.immunityinc.com/ ) - Debugger for
malware analysis and more, with a Python API.
* [ILSpy ](http://ilspy.net/ ) - ILSpy is the open-source .NET assembly browser and decompiler.
* [Kaitai Struct ](http://kaitai.io/ ) - DSL for file formats / network protocols /
data structures reverse engineering and dissection, with code generation
for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [LIEF ](https://lief.quarkslab.com/ ) - LIEF provides a cross-platform library
to parse, modify and abstract ELF, PE and MachO formats.
* [ltrace ](http://ltrace.org/ ) - Dynamic analysis for Linux executables.
* [objdump ](https://en.wikipedia.org/wiki/Objdump ) - Part of GNU binutils,
for static analysis of Linux binaries.
* [OllyDbg ](http://www.ollydbg.de/ ) - An assembly-level debugger for Windows
executables.
* [PANDA ](https://github.com/moyix/panda ) - Platform for Architecture-Neutral
Dynamic Analysis.
* [PEDA ](https://github.com/longld/peda ) - Python Exploit Development
Assistance for GDB, an enhanced display with added commands.
* [pestudio ](https://winitor.com/ ) - Perform static analysis of Windows
executables.
* [Pharos ](https://github.com/cmu-sei/pharos ) - The Pharos binary analysis framework
can be used to perform automated static analysis of binaries.
* [plasma ](https://github.com/plasma-disassembler/plasma ) - Interactive
disassembler for x86/ARM/MIPS.
* [PPEE (puppy) ](https://www.mzrst.com/ ) - A Professional PE file Explorer for
reversers, malware researchers and those who want to statically inspect PE
files in more detail.
* [Process Explorer ](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer ) -
Advanced task manager for Windows.
* [Process Hacker ](http://processhacker.sourceforge.net/ ) - Tool that monitors
system resources.
* [Process Monitor ](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ) -
Advanced monitoring tool for Windows programs.
* [PSTools ](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools ) - Windows
command-line tools that help manage and investigate live systems.
* [Pyew ](https://github.com/joxeankoret/pyew ) - Python tool for malware
analysis.
* [PyREBox ](https://github.com/Cisco-Talos/pyrebox ) - Python scriptable reverse
engineering sandbox by the Talos team at Cisco.
* [QKD ](https://github.com/ispras/qemu/releases/ ) - QEMU with embedded WinDbg
server for stealth debugging.
* [Radare2 ](http://www.radare.org/r/ ) - Reverse engineering framework, with
debugger support.
* [RegShot ](https://sourceforge.net/projects/regshot/ ) - Registry compare utility
that compares snapshots.
* [RetDec ](https://retdec.com/ ) - Retargetable machine-code decompiler with an
[online decompilation service ](https://retdec.com/decompilation/ ) and
[API ](https://retdec.com/api/ ) that you can use in your tools.
* [ROPMEMU ](https://github.com/Cisco-Talos/ROPMEMU ) - A framework to analyze, dissect
and decompile complex code-reuse attacks.
* [SMRT ](https://github.com/pidydx/SMRT ) - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analysis.
* [strace ](https://sourceforge.net/projects/strace/ ) - Dynamic analysis for
Linux executables.
* [Triton ](https://triton.quarkslab.com/ ) - A dynamic binary analysis (DBA) framework.
* [Udis86 ](https://github.com/vmt/udis86 ) - Disassembler library and tool
for x86 and x86_64.
* [Vivisect ](https://github.com/vivisect/vivisect ) - Python tool for
malware analysis.
* [WinDbg ](https://developer.microsoft.com/en-us/windows/hardware/download-windbg ) -
Multipurpose debugger for Microsoft Windows, used to debug user-mode
applications, device drivers, and kernel-mode memory dumps.
* [X64dbg ](https://github.com/x64dbg/ ) - An open-source x64/x32 debugger for Windows.

## Network

*Analyze network interactions.*

* [Bro ](https://www.bro.org ) - Protocol analyzer that operates at incredible
scale, covering both file and network protocols.
* [BroYara ](https://github.com/hempnall/broyara ) - Use Yara rules from Bro.
* [CapTipper ](https://github.com/omriher/CapTipper ) - Malicious HTTP traffic
explorer.
* [chopshop ](https://github.com/MITRECND/chopshop ) - Protocol analysis and
decoding framework.
* [CloudShark ](https://www.cloudshark.org ) - Web-based tool for packet analysis
and malware traffic detection.
* [Fiddler ](https://www.telerik.com/fiddler ) - Intercepting web proxy designed
for "web debugging."
* [Hale ](https://github.com/pjlantz/Hale ) - Botnet C&C monitor.
* [Haka ](http://www.haka-security.org/ ) - An open source security oriented
language for describing protocols and applying security policies on (live)
captured traffic.
* [HTTPReplay ](https://github.com/jbremer/httpreplay ) - Library for parsing
and reading out PCAP files, including TLS streams using TLS Master Secrets
(used in Cuckoo Sandbox).
* [INetSim ](http://www.inetsim.org/ ) - Network service emulation, useful when
building a malware lab.
* [Laika BOSS ](https://github.com/lmco/laikaboss ) - Laika BOSS is a file-centric
malware analysis and intrusion detection system.
* [Malcom ](https://github.com/tomchop/malcom ) - Malware Communications
Analyzer.
* [Maltrail ](https://github.com/stamparm/maltrail ) - A malicious traffic
detection system, utilizing publicly available (black)lists containing
malicious and/or generally suspicious trails and featuring a reporting
and analysis interface.
* [mitmproxy ](https://mitmproxy.org/ ) - Intercept network traffic on the fly.
* [Moloch ](https://github.com/aol/moloch ) - IPv4 traffic capturing, indexing
and database system.
* [NetworkMiner ](http://www.netresec.com/?page=NetworkMiner ) - Network
forensic analysis tool, with a free version.
* [ngrep ](http://ngrep.sourceforge.net/ ) - Search through network traffic
like grep.
* [PcapViz ](https://github.com/mateuszk87/PcapViz ) - Network topology and
traffic visualizer.
* [Python ICAP Yara ](https://github.com/RamadhanAmizudin/python-icap-yara ) - An
ICAP Server with yara scanner for URL or content.
* [Squidmagic ](https://github.com/ch3k1/squidmagic ) - squidmagic is a tool
designed to analyze a web-based network traffic to detect central command
and control (C&C) servers and malicious sites, using Squid proxy server and
Spamhaus.
* [Tcpdump ](http://www.tcpdump.org/ ) - Collect network traffic.
* [tcpick ](http://tcpick.sourceforge.net/ ) - Track and reassemble TCP streams
from network traffic.
* [tcpxtract ](http://tcpxtract.sourceforge.net/ ) - Extract files from network
traffic.
* [Wireshark ](https://www.wireshark.org/ ) - The network traffic analysis
tool.

## Memory Forensics

*Tools for dissecting malware in memory images or running systems.*

* [BlackLight ](https://www.blackbagtech.com/blacklight.html ) - Windows/MacOS
forensics client supporting hiberfil, pagefile, raw memory analysis.
* [DAMM ](https://github.com/504ensicsLabs/DAMM ) - Differential Analysis of
Malware in Memory, built on Volatility.
* [evolve ](https://github.com/JamesHabben/evolve ) - Web interface for the
Volatility Memory Forensics Framework.
* [FindAES ](http://jessekornblum.livejournal.com/269749.html ) - Find AES
encryption keys in memory.
* [inVtero.net ](https://github.com/ShaneK2/inVtero.net ) - High speed memory
analysis framework written in .NET; supports all Windows x64 versions and
includes code integrity checking and write support.
* [Muninn ](https://github.com/ytisf/muninn ) - A script to automate portions
of analysis using Volatility, and create a readable report.
* [Rekall ](http://www.rekall-forensic.com/ ) - Memory analysis framework,
forked from Volatility in 2013.
* [TotalRecall ](https://github.com/sketchymoose/TotalRecall ) - Script based
on Volatility for automating various malware analysis tasks.
* [VolDiff ](https://github.com/aim4r/VolDiff ) - Run Volatility on memory
images before and after malware execution, and report changes.
* [Volatility ](https://github.com/volatilityfoundation/volatility ) - Advanced
memory forensics framework.
* [VolUtility ](https://github.com/kevthehermit/VolUtility ) - Web Interface for
Volatility Memory Analysis framework.
* [WDBGARK ](https://github.com/swwwolf/wdbgark ) -
WinDBG Anti-RootKit Extension.
* [WinDbg ](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit ) -
Live memory inspection and kernel debugging for Windows systems.
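
FindAES and tools like it do not search for the key itself, which is
indistinguishable from random bytes, but for the expanded key schedule that an
AES implementation keeps next to it in memory: the 176-byte AES-128 schedule
is a deterministic function of the 16 bytes that precede it, so every 16-byte
window of an image can be expanded and compared with what follows. The script
below is an added example of that scan and is not FindAES's own code; the
`MEM` image is constructed (random filler with one schedule planted in it,
plus a bare copy of the key with no schedule, which is correctly not
reported), and the key is the FIPS-197 test vector so the expansion can be
checked against the standard.

```python
"""Scan a memory image for AES-128 keys by locating expanded key schedules,
the technique used by FindAES and similar tools.  Added example for this
list, not FindAES's own code; the memory image is constructed below."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox() -> list:
    """Derive the S-box: multiplicative inverse, then the affine map (FIPS-197 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):        # x^254 == x^-1 in GF(2^8); 0 maps to 0
            inv = _gf_mul(inv, x)
        s = inv
        for k in range(1, 5):       # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def round_keys(key: bytes):
    """Yield the 11 AES-128 round keys (FIPS-197 5.2 key expansion)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    yield bytes(key)
    for r in range(1, 11):
        prev = w[-4:]
        t = [SBOX[b] for b in prev[3][1:] + prev[3][:1]]   # SubWord(RotWord(w[i-1]))
        t[0] ^= RCON[r - 1]
        new = []
        for c in range(4):          # w[i] = w[i-4] ^ w[i-1]; first word uses t
            t = [a ^ b for a, b in zip(prev[c], t)]
            new.append(t)
        w.extend(new)
        yield bytes(b for word in new for b in word)


def expand_key(key: bytes) -> bytes:
    """Full 176-byte key schedule, laid out as it sits in memory."""
    return b"".join(round_keys(key))


def find_aes128_keys(mem: bytes) -> list:
    """Offsets of every 16-byte window whose expanded schedule follows it.

    Each window is expanded one round key at a time and compared with the
    next 16 bytes of memory, so almost every offset is rejected after a
    single round; only a genuine schedule survives all ten."""
    hits = []
    for off in range(len(mem) - 175):
        pos = off
        for rk in round_keys(mem[off:off + 16]):
            if mem[pos:pos + 16] != rk:
                break
            pos += 16
        else:
            hits.append(off)
    return hits


# Constructed image: random filler, a bare key that must NOT be reported
# (no schedule follows it), then the planted schedule of that key at 916.
_rng = random.Random(2017)
_noise = bytes(_rng.getrandbits(8) for _ in range(2048))
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
MEM = _noise[:300] + KEY + _noise[300:900] + expand_key(KEY) + _noise[900:]

if __name__ == "__main__":
    for off in find_aes128_keys(MEM):
        print(f"AES-128 key schedule at offset {off:#x}: {MEM[off:off + 16].hex()}")
```

A hit requires the schedule to be resident: an implementation that zeroes the
schedule after use leaves nothing to find, and a bare key with no schedule
behind it, like the decoy planted at offset 300, is invisible to this scan.
AES-192 and AES-256 use the same expansion with 6- and 8-word keys and 13 or
15 round keys, so covering them is a matter of parameterising the loop.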

## Windows Artifacts

* [AChoir ](https://github.com/OMENScan/AChoir ) - A live incident response
script for gathering Windows artifacts.
* [python-evt ](https://github.com/williballenthin/python-evt ) - Python
library for parsing Windows Event Logs.
* [python-registry ](http://www.williballenthin.com/registry/ ) - Python
library for parsing registry files.
* [RegRipper ](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/ )
([GitHub](https://github.com/keydet89/RegRipper2.8)) -
Plugin-based registry analysis tool.

## Storage and Workflow

* [Aleph ](https://github.com/merces/aleph ) - Open Source Malware Analysis
Pipeline System.
* [CRITs ](https://crits.github.io/ ) - Collaborative Research Into Threats, a
malware and threat repository.
* [FAME ](https://certsocietegenerale.github.io/fame/ ) - A malware analysis
framework featuring a pipeline that can be extended with custom modules,
which can be chained and interact with each other to perform end-to-end
analysis.
* [Malwarehouse ](https://github.com/sroberts/malwarehouse ) - Store, tag, and
search malware.
* [Polichombr ](https://github.com/ANSSI-FR/polichombr ) - A malware analysis
platform designed to help analysts reverse malware collaboratively.
* [stoQ ](http://stoq.punchcyber.com ) - Distributed content analysis
framework with extensive plugin support, from input to output, and everything
in between.
* [Viper ](http://viper.li/ ) - A binary management and analysis framework for
analysts and researchers.

## Miscellaneous

* [al-khaser ](https://github.com/LordNoteworthy/al-khaser ) - A PoC malware
with good intentions that aims to stress anti-malware systems.
* [Binarly ](http://www.binar.ly/search ) - Search engine for bytes in a large
corpus of malware.
* [DC3-MWCP ](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP ) -
The Defense Cyber Crime Center's Malware Configuration Parser framework.
* [FLARE VM ](https://github.com/fireeye/flare-vm ) - A fully customizable,
Windows-based, security distribution for malware analysis.
* [MalSploitBase ](https://github.com/misterch0c/malSploitBase ) - A database
containing exploits used by malware.
* [Malware Museum ](https://archive.org/details/malwaremuseum ) - Collection of
malware programs that were distributed in the 1980s and 1990s.
* [Pafish ](https://github.com/a0rtega/pafish ) - Paranoid Fish, a demonstration
tool that employs several techniques to detect sandboxes and analysis
environments in the same way as malware families do.
* [REMnux ](https://remnux.org/ ) - Linux distribution and docker images for
malware reverse engineering and analysis.
* [Santoku Linux ](https://santoku-linux.com/ ) - Linux distribution for mobile
forensics, malware analysis, and security.

# Resources
## Books

*Essential malware analysis reading material.*

* [Malware Analyst's Cookbook and DVD ](https://amzn.com/dp/0470613033 ) -
Tools and Techniques for Fighting Malicious Code.
* [Practical Malware Analysis ](https://amzn.com/dp/1593272901 ) - The Hands-On
Guide to Dissecting Malicious Software.
* [Practical Reverse Engineering ](https://www.amzn.com/dp/1118787315/ ) -
Intermediate Reverse Engineering.
* [Real Digital Forensics ](https://www.amzn.com/dp/0321240693 ) - Computer
Security and Incident Response.
* [The Art of Memory Forensics ](https://amzn.com/dp/1118825098 ) - Detecting
Malware and Threats in Windows, Linux, and Mac Memory.
* [The IDA Pro Book ](https://amzn.com/dp/1593272898 ) - The Unofficial Guide
to the World's Most Popular Disassembler.
* [The Rootkit Arsenal ](https://amzn.com/dp/144962636X ) - Escape and Evasion
in the Dark Corners of the System.

## Twitter

*Some relevant Twitter accounts.*

* Adamb [@Hexacorn ](https://twitter.com/Hexacorn )
* Andrew Case [@attrc ](https://twitter.com/attrc )
* Binni Shah [@binitamshah ](https://twitter.com/binitamshah )
* Claudio [@botherder ](https://twitter.com/botherder )
* Dustin Webber [@mephux ](https://twitter.com/mephux )
* Glenn [@hiddenillusion ](https://twitter.com/hiddenillusion )
* jekil [@jekil ](https://twitter.com/jekil )
* Jurriaan Bremer [@skier_t ](https://twitter.com/skier_t )
* Lenny Zeltser [@lennyzeltser ](https://twitter.com/lennyzeltser )
* Liam Randall [@hectaman ](https://twitter.com/hectaman )
* Mark Schloesser [@repmovsb ](https://twitter.com/repmovsb )
* Michael Ligh (MHL) [@iMHLv2 ](https://twitter.com/iMHLv2 )
* Monnappa [@monnappa22 ](https://twitter.com/monnappa22 )
* Open Malware [@OpenMalware ](https://twitter.com/OpenMalware )
* Richard Bejtlich [@taosecurity ](https://twitter.com/taosecurity )
* Volatility [@volatility ](https://twitter.com/volatility )

## Other

* [APT Notes ](https://github.com/aptnotes/data ) - A collection of papers
and notes related to Advanced Persistent Threats.
* [File Formats posters ](https://github.com/corkami/pics ) - Nice visualization
of commonly used file formats (including PE & ELF).
* [Honeynet Project ](http://honeynet.org/ ) - Honeypot tools, papers, and
other resources.
* [Kernel Mode ](http://www.kernelmode.info/forum/ ) - An active community
devoted to malware analysis and kernel development.
* [Malicious Software ](https://zeltser.com/malicious-software/ ) - Malware
blog and resources by Lenny Zeltser.
* [Malware Analysis Search ](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu ) -
Custom Google search engine from [Corey Harrell ](http://journeyintoir.blogspot.com/ ).
* [Malware Analysis Tutorials ](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html ) -
The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
practical malware analysis.
* [Malware Samples and Traffic ](http://malware-traffic-analysis.net/ ) - This
blog focuses on network traffic related to malware infections.
* [Practical Malware Analysis Starter Kit ](https://bluesoul.me/practical-malware-analysis-starter-kit/ ) -
This package contains most of the software referenced in the Practical Malware
Analysis book.
* [RPISEC Malware Analysis ](https://github.com/RPISEC/Malware ) - These are the
course materials used in the Malware Analysis course at Rensselaer Polytechnic
Institute during Fall 2015.
* [WindowsIR: Malware ](http://windowsir.blogspot.com/p/malware.html ) - Harlan
Carvey's page on Malware.
* [Windows Registry specification ](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md ) - Windows registry file format specification.
* [/r/csirt_tools ](https://www.reddit.com/r/csirt_tools/ ) - Subreddit for CSIRT
tools and resources, with a
[malware analysis ](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on ) flair.
* [/r/Malware ](https://www.reddit.com/r/Malware ) - The malware subreddit.
* [/r/ReverseEngineering ](https://www.reddit.com/r/ReverseEngineering ) -
Reverse engineering subreddit, not limited to just malware.

# Related Awesome Lists
* [Android Security ](https://github.com/ashishb/android-security-awesome )
* [AppSec ](https://github.com/paragonie/awesome-appsec )
* [CTFs ](https://github.com/apsdehal/awesome-ctf )
* [Forensics ](https://github.com/Cugu/awesome-forensics )
* ["Hacking" ](https://github.com/carpedm20/awesome-hacking )
* [Honeypots ](https://github.com/paralax/awesome-honeypots )
* [Industrial Control System Security ](https://github.com/hslatman/awesome-industrial-control-system-security )
* [Incident-Response ](https://github.com/meirwah/awesome-incident-response )
* [Infosec ](https://github.com/onlurking/awesome-infosec )
* [PCAP Tools ](https://github.com/caesar0301/awesome-pcaptools )
* [Pentesting ](https://github.com/enaqx/awesome-pentest )
* [Security ](https://github.com/sbilly/awesome-security )
* [Threat Intelligence ](https://github.com/hslatman/awesome-threat-intelligence )
* [YARA ](https://github.com/InQuest/awesome-yara )

# [Contributing](CONTRIBUTING.md)

Pull requests and issues with suggestions are welcome! Please read the
[CONTRIBUTING ](CONTRIBUTING.md ) guidelines before submitting a PR.

# Thanks

This list was made possible by:

* Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;
* Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for
writing the *Malware Analyst's Cookbook*, which was a big inspiration for
creating the list;
* And everyone else who has sent pull requests or suggested links to add here!

Thanks!