diff --git a/README.md b/README.md index 1635e26..6c1eb3c 100644 --- a/README.md +++ b/README.md @@ -7,12 +7,12 @@ A curated list of awesome malware analysis tools and resources. Inspired by [![Drop ICE](drop.png)](https://twitter.com/githubbers/status/1182017616740663296) - [Malware Collection](#malware-collection) - - [Anonymizers](#anonymizers) - - [Honeypots](#honeypots) - - [Malware Corpora](#malware-corpora) + - [Anonymizers](#anonymizers) + - [Honeypots](#honeypots) + - [Malware Corpora](#malware-corpora) - [Open Source Threat Intelligence](#open-source-threat-intelligence) - - [Tools](#tools) - - [Other Resources](#other-resources) + - [Tools](#tools) + - [Other Resources](#other-resources) - [Detection and Classification](#detection-and-classification) - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes) - [Domain Analysis](#domain-analysis) @@ -27,8 +27,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by - [Storage and Workflow](#storage-and-workflow) - [Miscellaneous](#miscellaneous) - [Resources](#resources) - - [Books](#books) - - [Other](#other) + - [Books](#books) + - [Other](#other) - [Related Awesome Lists](#related-awesome-lists) - [Contributing](#contributing) - [Thanks](#thanks) @@ -41,855 +41,852 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 ### Anonymizers -*Web traffic anonymizers for analysts.* +_Web traffic anonymizers for analysts._ -* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer. -* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions. -* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some +- [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer. +- [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions. +- [Privoxy](http://www.privoxy.org/) - An open source proxy server with some privacy features. -* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web +- [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web without leaving traces of the client IP. ### Honeypots -*Trap and collect your own samples.* +_Trap and collect your own samples._ -* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot. -* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based +- [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot. +- [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based on Kippo. -* [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots. -* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware. -* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot. -* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet. -* [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro. -* [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots. -* [MHN](https://github.com/pwnlandia/mhn) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface. -* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for +- [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots. +- [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware. +- [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot. +- [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet. +- [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro. +- [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots. +- [MHN](https://github.com/pwnlandia/mhn) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface. +- [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for honeypot data; supports Dionaea. -* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for +- [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for investigating malicious websites. - ### Malware Corpora -*Malware samples collected for analysis.* +_Malware samples collected for analysis._ -* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime +- [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime database of malware and malicious domains. -* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent +- [Contagio](http://contagiodump.blogspot.com/) - A collection of recent malware samples and analyses. -* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode +- [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode samples. -* [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis. -* [InQuest Labs](https://labs.inquest.net) - Evergrowing searchable corpus of malicious Microsoft documents. -* [Javascript Mallware Collection](https://github.com/HynekPetrak/javascript-malware-collection) - Collection of almost 40.000 javascript malware samples -* [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing +- [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis. +- [InQuest Labs](https://labs.inquest.net) - Evergrowing searchable corpus of malicious Microsoft documents. +- [Javascript Mallware Collection](https://github.com/HynekPetrak/javascript-malware-collection) - Collection of almost 40.000 javascript malware samples +- [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing rapid identification and actionable context for malware investigations. -* [Malshare](https://malshare.com) - Large repository of malware actively +- [Malshare](https://malshare.com) - Large repository of malware actively scrapped from malicious sites. -* [Open Malware Project](http://openmalware.org/) - Sample information and +- [Open Malware Project](http://openmalware.org/) - Sample information and downloads. Formerly Offensive Computing. -* [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware +- [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware crawler with pre-analysis and reporting functionalities -* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for +- [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for analysts. -* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker +- [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker and malicious download sites. -* [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of +- [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of various malware files and source code. -* [VirusBay](https://beta.virusbay.io/) - Community-Based malware repository and social network. -* [ViruSign](http://www.virussign.com/) - Malware database that detected by +- [VirusBay](https://beta.virusbay.io/) - Community-Based malware repository and social network. +- [ViruSign](http://www.virussign.com/) - Malware database that detected by many anti malware programs except ClamAV. -* [VirusShare](https://virusshare.com/) - Malware repository, registration +- [VirusShare](https://virusshare.com/) - Malware repository, registration required. -* [VX Vault](http://vxvault.net) - Active collection of malware samples. -* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list +- [VX Vault](http://vxvault.net) - Active collection of malware samples. +- [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list of malware sample sources put together by Lenny Zeltser. -* [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus +- [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus trojan leaked in 2011. -* [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples. +- [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples. ## Open Source Threat Intelligence ### Tools -*Harvest and analyze IOCs.* +_Harvest and analyze IOCs._ -* [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source +- [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source framework for receiving and redistributing abuse feeds and threat intel. -* [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and +- [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and collaborate in developing Threat Intelligence. -* [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat +- [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat Intelligence indicators from publicly available sources. -* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash. -* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host. -* [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) - +- [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash. +- [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host. +- [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) - A tool for CERTs for processing incident data using a message queue. -* [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) - +- [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) - A free editor for XML IOC files. -* [iocextract](https://github.com/InQuest/python-iocextract) - Advanced Indicator +- [iocextract](https://github.com/InQuest/python-iocextract) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool. -* [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for +- [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for working with OpenIOC objects, from Mandiant. -* [MalPipe](https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and +- [MalPipe](https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and processing engine, that enriches collected data. -* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - +- [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework). -* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing +- [MISP](https://github.com/MISP/MISP) - Malware Information Sharing Platform curated by [The MISP Project](http://www.misp-project.org/). -* [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds. -* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor. -* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and +- [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds. +- [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor. +- [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and share IPs and domains. (Was PassiveTotal.) -* [threataggregator](https://github.com/jpsenior/threataggregator) - +- [threataggregator](https://github.com/jpsenior/threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in [other resources](#other-resources). -* [ThreatConnect](https://threatconnect.com/free/) - TC Open allows you to see and +- [ThreatConnect](https://threatconnect.com/free/) - TC Open allows you to see and share open source threat data, with support and validation from our free community. -* [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats, +- [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats, with graphical visualization. -* [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/) - Build +- [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more. -* [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python +- [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines. -* [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization +- [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization and statistical analysis of Threat Intelligence feeds. ### Other Resources -*Threat intelligence and IOC resources.* +_Threat intelligence and IOC resources._ -* [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) - +- [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) - Snort plugin and blocklist. -* [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) - +- [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) - OSINT feeds based on malicious DGA algorithms. -* [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) - +- [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) - Extensive malware config database (must request access). -* [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) - +- [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) - Network security blocklists. -* [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free +- [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators. -* [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker. -* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise +- [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker. +- [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise shared publicly by FireEye. -* [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists +- [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps. -* [HoneyDB](https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation. -* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol. -* [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service. -* [InQuest REPdb](https://labs.inquest.net/repdb) - Continuous aggregation of IOCs from a variety of open reputation sources. -* [InQuest IOCdb](https://labs.inquest.net/iocdb) - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter. -* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and +- [HoneyDB](https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation. +- [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol. +- [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service. +- [InQuest REPdb](https://labs.inquest.net/repdb) - Continuous aggregation of IOCs from a variety of open reputation sources. +- [InQuest IOCdb](https://labs.inquest.net/iocdb) - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter. +- [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and searchable incident database, with a web [API](https://dshield.org/api/). ([unofficial Python library](https://github.com/rshipp/python-dshield)). -* [malc0de](http://malc0de.com/database/) - Searchable incident database. -* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share +- [malc0de](http://malc0de.com/database/) - Searchable incident database. +- [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share malicious URLs. -* [MetaDefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) - +- [MetaDefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) - List of the most looked up file hashes from MetaDefender Cloud. -* [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence. -* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - +- [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence. +- [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - Rulesets and more. (Formerly Emerging Threats.) -* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - +- [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - A list of ransomware overview with details, detection and prevention. -* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) - +- [STIX - Structured Threat Information eXpression](http://stixproject.github.io) - Standardized language to represent and share cyber threat information. Related efforts from [MITRE](https://www.mitre.org/): - [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/) - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io) - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/) - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io) -* [SystemLookup](https://www.systemlookup.com/) - SystemLookup hosts a collection of lists that provide information on +- [SystemLookup](https://www.systemlookup.com/) - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs. -* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat +- [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat intelligence, with search. -* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000 +- [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000 free per month. -* [ThreatShare](https://threatshare.io/) - C2 panel tracker -* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository. -* [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. -* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS +- [ThreatShare](https://threatshare.io/) - C2 panel tracker +- [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository. +- [YaraSilly2](https://github.com/YARA-Silly-Silly/yarasilly2) - A Semi automatic handy tool to generate YARA rules from sample virus files ( WIP ) for Malware Analyst, inspired by DIFF function of VirusTotal Premium Account. +- [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. +- [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS blocklists. ## Detection and Classification -*Antivirus and other malware identification tools* +_Antivirus and other malware identification tools_ -* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a +- [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files. -* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable +- [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable distributed file analysis framework. -* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless +- [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules. -* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files. -* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. -* [ClamAV](http://www.clamav.net/) - Open source antivirus engine. -* [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for +- [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files. +- [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. +- [ClamAV](http://www.clamav.net/) - Open source antivirus engine. +- [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for determining types of files. -* [Exeinfo PE](http://exeinfo.pe.hu/) - Packer, compressor detector, unpack +- [Exeinfo PE](http://exeinfo.pe.hu/) - Packer, compressor detector, unpack info, internal exe tools. -* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and +- [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and edit file metadata. -* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - +- [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - Modular, recursive file scanning solution. -* [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate +- [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program. -* [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files. -* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with +- [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files. +- [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with a variety of algorithms. -* [HashCheck](https://github.com/gurnec/HashCheck) - Windows shell extension +- [HashCheck](https://github.com/gurnec/HashCheck) - Windows shell extension to compute hashes with a variety of algorithms. -* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs. -* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and +- [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs. +- [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and compare malware at a function level. -* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE -executables. -* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis +- [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE + executables. +- [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis framework. -* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file +- [MultiScanner](https://github.com/mitre/multiscanner) - Modular file scanning/analysis framework -* [Nauz File Detector(NFD)](https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector for Windows, Linux and MacOS. -* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking +- [Nauz File Detector(NFD)](https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector for Windows, Linux and MacOS. +- [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database. -* [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform +- [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform Python alternative to PEiD. -* [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE +- [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE files. -* [PEframe](https://github.com/guelfoweb/peframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents. -* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE +- [PEframe](https://github.com/guelfoweb/peframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents. +- [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries. -* [PortEx](https://github.com/katjahahn/PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness. -* [Quark-Engine](https://github.com/quark-engine/quark-engine) - An Obfuscation-Neglect Android Malware Scoring System -* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits. -* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes. -* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - +- [PortEx](https://github.com/katjahahn/PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness. +- [Quark-Engine](https://github.com/quark-engine/quark-engine) - An Obfuscation-Neglect Android Malware Scoring System +- [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits. +- [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes. +- [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database. -* [TrID](http://mark0.net/soft-trid-e.html) - File identifier. -* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for +- [TrID](http://mark0.net/soft-trid-e.html) - File identifier. +- [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for analysts. -* [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate +- [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives. -* [Yara Finder](https://github.com/uppusaikiran/yara-finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion. - +- [Yara Finder](https://github.com/uppusaikiran/yara-finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion. ## Online Scanners and Sandboxes -*Web-based multi-AV scanners, and malware sandboxes for automated analysis.* +_Web-based multi-AV scanners, and malware sandboxes for automated analysis._ -* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox. -* [any.run](https://app.any.run/) - Online interactive sandbox. -* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs +- [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox. +- [any.run](https://app.any.run/) - Online interactive sandbox. +- [AndroTotal](https://andrototal.org/) - Free online analysis of APKs against multiple mobile antivirus apps. -* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and +- [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and malware repository. -* [BoomBox](https://github.com/nbeede/BoomBox) - Automatic deployment of Cuckoo +- [BoomBox](https://github.com/nbeede/BoomBox) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant. -* [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents. -* [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted +- [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents. +- [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted sandbox and automated analysis system. -* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified +- [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author. -* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A +- [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control a cuckoo-modified sandbox. -* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with +- [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with machine-learning classification. -* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do +- [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs. -* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis +- [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis system. -* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any +- [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package. -* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware +- [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files. -* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware +- [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware analysis tool, powered by VxSandbox. -* [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by +- [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by identifying code reuse and code similarities. -* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable +- [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable analysis platform for suspicious files. -* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox. -* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner. -* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware. -* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis +- [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox. +- [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner. +- [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware. +- [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis of malware behavior. -* [malice.io](https://github.com/maliceio/malice) - Massively scalable malware analysis framework. -* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for +- [malice.io](https://github.com/maliceio/malice) - Massively scalable malware analysis framework. +- [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for online malware and URL analysis services. -* [Malware config](https://malwareconfig.com/) - Extract, decode and display online +- [Malware config](https://malwareconfig.com/) - Extract, decode and display online the configuration settings from common malwares. -* [MalwareAnalyser.io](https://malwareanalyser.io/) - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning. -* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox +- [MalwareAnalyser.io](https://malwareanalyser.io/) - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning. +- [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox instance. -* [MetaDefender Cloud](https://metadefender.opswat.com/ ) - Scan a file, hash, IP, URL or +- [MetaDefender Cloud](https://metadefender.opswat.com/) - Scan a file, hash, IP, URL or domain address for malware for free. -* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes +- [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro. -* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to +- [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment. -* [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within. -* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files. -* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit. -* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper +- [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within. +- [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files. +- [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit. +- [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper script for safely uploading binaries to sandbox sites. -* [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for +- [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for building integrations with several open source and commercial malware sandboxes. -* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE) +- [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. -* [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF). -* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware +- [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF). +- [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs -* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source - visualization library and command line tools for logs. (Cuckoo, Procmon, more +- [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source + visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) -* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free +- [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free automated sandboxes and services, compiled by Lenny Zeltser. ## Domain Analysis -*Inspect domains and IP addresses.* +_Inspect domains and IP addresses._ -* [AbuseIPDB](https://www.abuseipdb.com/) - AbuseIPDB is a project dedicated +- [AbuseIPDB](https://www.abuseipdb.com/) - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. -* [badips.com](https://www.badips.com/) - Community based IP blacklist service. -* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed +- [badips.com](https://www.badips.com/) - Community based IP blacklist service. +- [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed for consistent and safe capture of off network web resources. -* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash +- [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash search. -* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as +- [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as much metadata as possible for a website and to assess its good standing. -* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other +- [Dig](https://networking.ringofsaturn.com/) - Free online dig and other network tools. -* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation +- [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage. -* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information +- [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information about an IP or domain by searching online resources. -* [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for +- [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator. -* [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language +- [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language temporary email detection library. -* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform +- [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports. -* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward +- [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs. -* [NormShield Services](https://services.normshield.com/) - Free API Services +- [NormShield Services](https://services.normshield.com/) - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts. -* [PhishStats](https://phishstats.info/) - Phishing Statistics with search for +- [PhishStats](https://phishstats.info/) - Phishing Statistics with search for IP, domain and website title -* [Spyse](https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info, -* [SecurityTrails](https://securitytrails.com/) - Historical and current WHOIS, +- [Spyse](https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info, +- [SecurityTrails](https://securitytrails.com/) - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools. -* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list. -* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on +- [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list. +- [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on domains and IPs. -* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware +- [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware and Security Scanner. -* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain +- [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain or network owner. (Previously SenderBase.) -* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool +- [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool for gathering information about URLs, IPs, or hashes. -* [URLhaus](https://urlhaus.abuse.ch/) - A project from abuse.ch with the goal +- [URLhaus](https://urlhaus.abuse.ch/) - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. -* [URLQuery](http://urlquery.net/) - Free URL Scanner. -* [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information. -* [Whois](https://whois.domaintools.com/) - DomainTools free online whois +- [URLQuery](http://urlquery.net/) - Free URL Scanner. +- [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information. +- [Whois](https://whois.domaintools.com/) - DomainTools free online whois search. -* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free +- [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free online tools for researching malicious websites, compiled by Lenny Zeltser. -* [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer. +- [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer. ## Browser Malware -*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and -[documents and shellcode](#documents-and-shellcode) sections.* +_Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and +[documents and shellcode](#documents-and-shellcode) sections._ -* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines +- [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support. -* [Firebug](https://getfirebug.com/) - Firefox extension for web development. -* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. -* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java +- [Firebug](https://getfirebug.com/) - Firefox extension for web development. +- [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. +- [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java IDX cache files. -* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript +- [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript malware analysis tool. -* [jsunpack-n](https://github.com/urule99/jsunpack-n) - A javascript +- [jsunpack-n](https://github.com/urule99/jsunpack-n) - A javascript unpacker that emulates browser functionality. -* [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler, +- [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler, assembler, and disassembler. -* [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages. -* [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust +- [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages. +- [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust ActionScript Bytecode Disassembler." -* [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) - +- [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) - Static and dynamic analysis of SWF applications. -* [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash +- [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash files. -* [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A +- [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A Python script for analyzing Flash files. ## Documents and Shellcode -*Analyze malicious JS and shellcode from PDFs and Office documents. See also -the [browser malware](#browser-malware) section.* +_Analyze malicious JS and shellcode from PDFs and Office documents. See also +the [browser malware](#browser-malware) section._ -* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for +- [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious. -* [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript +- [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation. -* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing +- [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing malicious shellcode. -* [InQuest Deep File Inspection](https://labs.inquest.net/dfi) - Upload common malware lures for Deep File Inspection and heuristical analysis. -* [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation. -* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode +- [InQuest Deep File Inspection](https://labs.inquest.net/dfi) - Upload common malware lures for Deep File Inspection and heuristical analysis. +- [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation. +- [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode emulation. -* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs +- [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs into a JSON representation. -* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for +- [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for malicious traces in MS Office documents. -* [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE +- [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE and OpenXML documents and extracting useful information. -* [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for +- [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for analyzing malicious PDFs, and more. -* [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid, +- [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid, pdf-parser, and more from Didier Stevens. -* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool, +- [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool, the backend-free version of PDF X-RAY. -* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python +- [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python tool for exploring possibly malicious PDFs. -* [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework +- [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables. -* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - +- [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - Mozilla's JavaScript engine, for debugging malicious JS. ## File Carving -*For extracting files from inside disk and memory images.* +_For extracting files from inside disk and memory images._ -* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file +- [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file carving tool. -* [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows +- [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows Event Log files from raw binary data. -* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed +- [Foremost](http://foremost.sourceforge.net/) - File carving tool designed by the US Air Force. -* [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library +- [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library to view and edit a binary stream field by field. -* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving +- [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving tool. -* [SFlock](https://github.com/jbremer/sflock) - Nested archive +- [SFlock](https://github.com/jbremer/sflock) - Nested archive extraction/unpacking (used in Cuckoo Sandbox). ## Deobfuscation -*Reverse XOR and other code obfuscation methods.* +_Reverse XOR and other code obfuscation methods._ -* [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware +- [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more. -* [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and +- [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and unpacker. -* [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) +- [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Two tools from Alexander Hanel for working with single-byte XOR encoded files. -* [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated +- [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. -* [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte +- [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte XOR key using frequency analysis. -* [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic +- [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic hidden code extractor for Windows malware. -* [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - +- [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it. -* [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version - Python bytecode decompiler. Translates Python bytecode back into equivalent +- [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version + Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code. -* [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and +- [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and platform-independent unpacker for Windows binaries based on emulation. -* [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware +- [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware unpacker for Windows malware based on WinAppDbg. -* [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using +- [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using known-plaintext attacks. -* [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) - +- [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) - Reverse engineering tool for virtualization wrappers. -* [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) - +- [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) - A Python script for brute forcing single-byte XOR keys. -* [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) - +- [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) - A couple programs from Didier Stevens for finding XORed data. -* [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as +- [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as well as the key itself. ## Debugging and Reverse Engineering -*Disassemblers, debuggers, and other static and dynamic analysis tools.* +_Disassemblers, debuggers, and other static and dynamic analysis tools._ -* [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis +- [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis framework developed at UCSB's Seclab. -* [bamfdetect](https://github.com/bwall/bamfdetect) - Identifies and extracts +- [bamfdetect](https://github.com/bwall/bamfdetect) - Identifies and extracts information from bots and other malware. -* [BAP](https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and +- [BAP](https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab. -* [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open +- [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open source Binary Analysis and Reverse engineering Framework. -* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for +- [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for reverse engineering based on graph visualization. -* [Binary ninja](https://binary.ninja/) - A reversing engineering platform +- [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA. -* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. -* [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables. -* [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for +- [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. +- [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables. +- [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. -* [codebro](https://github.com/hugsy/codebro) - Web based code browser using -  clang to provide basic code analysis. -* [Cutter](https://github.com/radareorg/cutter) - GUI for Radare2. -* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF) +- [codebro](https://github.com/hugsy/codebro) - Web based code browser using +  clang to provide basic code analysis. +- [Cutter](https://github.com/radareorg/cutter) - GUI for Radare2. +- [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF) - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF. -* [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler +- [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler and debugger. -* [dotPeek](https://www.jetbrains.com/decompiler/) - Free .NET Decompiler and +- [dotPeek](https://www.jetbrains.com/decompiler/) - Free .NET Decompiler and Assembly Browser. -* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A +- [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A modular debugger with a Qt GUI. -* [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration +- [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration and tracing of the Windows kernel. -* [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports +- [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application. -* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger. -* [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters +- [GDB](http://www.sourceware.org/gdb/) - The GNU debugger. +- [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters and reverse engineers. -* [Ghidra](https://github.com/NationalSecurityAgency/ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. -* [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to +- [Ghidra](https://github.com/NationalSecurityAgency/ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. +- [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to search for strings in PE executables including imports, exports, and debug symbols. -* [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler. -* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows +- [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler. +- [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows disassembler and debugger, with a free evaluation version. -* [IDR](https://github.com/crypto2011/IDR) - Interactive Delphi Reconstructor +- [IDR](https://github.com/crypto2011/IDR) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries. -* [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for +- [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for malware analysis and more, with a Python API. -* [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler. -* [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols / +- [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler. +- [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby. -* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library +- [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats. -* [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables. -* [mac-a-mal](https://github.com/phdphuc/mac-a-mal) - An automated framework +- [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables. +- [mac-a-mal](https://github.com/phdphuc/mac-a-mal) - An automated framework for mac malware hunting. -* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils, +- [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils, for static analysis of Linux binaries. -* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows +- [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows executables. -* [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory +- [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg. -* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral +- [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis. -* [PEDA](https://github.com/longld/peda) - Python Exploit Development +- [PEDA](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB, an enhanced display with added commands. -* [pestudio](https://winitor.com/) - Perform static analysis of Windows +- [pestudio](https://winitor.com/) - Perform static analysis of Windows executables. -* [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework +- [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries. -* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive +- [plasma](https://github.com/plasma-disassembler/plasma) - Interactive disassembler for x86/ARM/MIPS. -* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for +- [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail. -* [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) - +- [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) - Advanced task manager for Windows. -* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors +- [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors system resources. -* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - +- [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - Advanced monitoring tool for Windows programs. -* [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows +- [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows command-line tools that help manage and investigate live systems. -* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware +- [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware analysis. -* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse +- [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse engineering sandbox by the Talos team at Cisco. -* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg +- [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg server for stealth debugging. -* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with +- [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with debugger support. -* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility +- [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots. -* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an +- [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an [online decompilation service](https://retdec.com/decompilation/) and [API](https://retdec.com/api/) that you can use in your tools. -* [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect +- [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks. -* [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix +- [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix the IAT of an unpacked / dumped PE32 malware. -* [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library +- [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine. -* [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a +- [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. -* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for +- [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for Linux executables. -* [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool +- [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis. -* [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework. -* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool +- [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework. +- [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool for x86 and x86_64. -* [Vivisect](https://github.com/vivisect/vivisect) - Python tool for +- [Vivisect](https://github.com/vivisect/vivisect) - Python tool for malware analysis. -* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps. -* [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows. +- [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps. +- [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows. ## Network -*Analyze network interactions.* +_Analyze network interactions._ -* [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible +- [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible scale; both file and network protocols. -* [BroYara](https://github.com/hempnall/broyara) - Use Yara rules from Bro. -* [CapTipper](https://github.com/omriher/CapTipper) - Malicious HTTP traffic +- [BroYara](https://github.com/hempnall/broyara) - Use Yara rules from Bro. +- [CapTipper](https://github.com/omriher/CapTipper) - Malicious HTTP traffic explorer. -* [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and +- [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and decoding framework. -* [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis +- [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis and malware traffic detection. -* [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) - Next generation +- [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) - Next generation dynamic network analysis tool. -* [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed +- [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed for "web debugging." -* [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor. -* [Haka](http://www.haka-security.org/) - An open source security oriented +- [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor. +- [Haka](http://www.haka-security.org/) - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic. -* [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing +- [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox). -* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when +- [INetSim](http://www.inetsim.org/) - Network service emulation, useful when building a malware lab. -* [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric +- [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric malware analysis and intrusion detection system. -* [Malcolm](https://github.com/idaholab/Malcolm) - Malcolm is a powerful, easily +- [Malcolm](https://github.com/idaholab/Malcolm) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs. -* [Malcom](https://github.com/tomchop/malcom) - Malware Communications +- [Malcom](https://github.com/tomchop/malcom) - Malware Communications Analyzer. -* [Maltrail](https://github.com/stamparm/maltrail) - A malicious traffic +- [Maltrail](https://github.com/stamparm/maltrail) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface. -* [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly. -* [Moloch](https://github.com/aol/moloch) - IPv4 traffic capturing, indexing +- [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly. +- [Moloch](https://github.com/aol/moloch) - IPv4 traffic capturing, indexing and database system. -* [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network +- [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network forensic analysis tool, with a free version. -* [ngrep](https://github.com/jpr5/ngrep) - Search through network traffic +- [ngrep](https://github.com/jpr5/ngrep) - Search through network traffic like grep. -* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and +- [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and traffic visualizer. -* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An +- [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An ICAP Server with yara scanner for URL or content. -* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool +- [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus. -* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic. -* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams +- [Tcpdump](http://www.tcpdump.org/) - Collect network traffic. +- [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams from network traffic. -* [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network +- [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network traffic. -* [Wireshark](https://www.wireshark.org/) - The network traffic analysis +- [Wireshark](https://www.wireshark.org/) - The network traffic analysis tool. ## Memory Forensics -*Tools for dissecting malware in memory images or running systems.* +_Tools for dissecting malware in memory images or running systems._ -* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS +- [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis. -* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of +- [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of Malware in Memory, built on Volatility. -* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the +- [evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework. -* [FindAES](https://sourceforge.net/projects/findaes/) - Find AES +- [FindAES](https://sourceforge.net/projects/findaes/) - Find AES encryption keys in memory. -* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory +- [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support. -* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions +- [Muninn](https://github.com/ytisf/muninn) - A script to automate portions of analysis using Volatility, and create a readable report. -* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework, +- [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework, forked from Volatility in 2013. -* [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based +- [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based on Volatility for automating various malware analysis tasks. -* [VolDiff](https://github.com/aim4r/VolDiff) - Run Volatility on memory +- [VolDiff](https://github.com/aim4r/VolDiff) - Run Volatility on memory images before and after malware execution, and report changes. -* [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced +- [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework. -* [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for +- [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for Volatility Memory Analysis framework. -* [WDBGARK](https://github.com/swwwolf/wdbgark) - +- [WDBGARK](https://github.com/swwwolf/wdbgark) - WinDBG Anti-RootKit Extension. -* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) - +- [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) - Live memory inspection and kernel debugging for Windows systems. ## Windows Artifacts -* [AChoir](https://github.com/OMENScan/AChoir) - A live incident response +- [AChoir](https://github.com/OMENScan/AChoir) - A live incident response script for gathering Windows artifacts. -* [python-evt](https://github.com/williballenthin/python-evt) - Python +- [python-evt](https://github.com/williballenthin/python-evt) - Python library for parsing Windows Event Logs. -* [python-registry](http://www.williballenthin.com/registry/) - Python +- [python-registry](http://www.williballenthin.com/registry/) - Python library for parsing registry files. -* [RegRipper](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/) +- [RegRipper](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/) ([GitHub](https://github.com/keydet89/RegRipper2.8)) - Plugin-based registry analysis tool. ## Storage and Workflow -* [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis +- [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis Pipeline System. -* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a +- [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a malware and threat repository. -* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis +- [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis. -* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and +- [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and search malware. -* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis +- [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis platform designed to help analysts to reverse malwares collaboratively. -* [stoQ](http://stoq.punchcyber.com) - Distributed content analysis +- [stoQ](http://stoq.punchcyber.com) - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between. -* [Viper](http://viper.li/) - A binary management and analysis framework for +- [Viper](http://viper.li/) - A binary management and analysis framework for analysts and researchers. ## Miscellaneous -* [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware +- [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware with good intentions that aimes to stress anti-malware systems. -* [CryptoKnight](https://github.com/AbertayMachineLearningGroup/CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework. -* [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - +- [CryptoKnight](https://github.com/AbertayMachineLearningGroup/CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework. +- [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - The Defense Cyber Crime Center's Malware Configuration Parser framework. -* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable, +- [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable, Windows-based, security distribution for malware analysis. -* [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database +- [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database containing exploits used by malware. -* [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of +- [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of malware programs that were distributed in the 1980s and 1990s. -* [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure. -* [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration +- [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure. +- [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. -* [REMnux](https://remnux.org/) - Linux distribution and docker images for +- [REMnux](https://remnux.org/) - Linux distribution and docker images for malware reverse engineering and analysis. -* [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities. -* [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile +- [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities. +- [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile forensics, malware analysis, and security. # Resources ## Books -*Essential malware analysis reading material.* +_Essential malware analysis reading material._ -* [Learning Malware Analysis](https://www.packtpub.com/networking-and-servers/learning-malware-analysis) - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware -* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - +- [Learning Malware Analysis](https://www.packtpub.com/networking-and-servers/learning-malware-analysis) - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware +- [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - Tools and Techniques for Fighting Malicious Code. -* [Mastering Malware Analysis](https://www.packtpub.com/networking-and-servers/mastering-malware-analysis) - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks -* [Mastering Reverse Engineering](https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering) - Mastering Reverse Engineering: Re-engineer your ethical hacking skills -* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On +- [Mastering Malware Analysis](https://www.packtpub.com/networking-and-servers/mastering-malware-analysis) - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks +- [Mastering Reverse Engineering](https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering) - Mastering Reverse Engineering: Re-engineer your ethical hacking skills +- [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide to Dissecting Malicious Software. -* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) - +- [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) - Intermediate Reverse Engineering. -* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer +- [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer Security and Incident Response. -* [Rootkits and Bootkits](https://www.amazon.com/dp/1593277164) - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats -* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting +- [Rootkits and Bootkits](https://www.amazon.com/dp/1593277164) - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats +- [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting Malware and Threats in Windows, Linux, and Mac Memory. -* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide +- [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide to the World's Most Popular Disassembler. -* [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - The Rootkit Arsenal: +- [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System ## Other -* [APT Notes](https://github.com/aptnotes/data) - A collection of papers +- [APT Notes](https://github.com/aptnotes/data) - A collection of papers and notes related to Advanced Persistent Threats. -* [Ember](https://github.com/endgameinc/ember) - Endgame Malware BEnchmark for Research, +- [Ember](https://github.com/endgameinc/ember) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis. -* [File Formats posters](https://github.com/corkami/pics) - Nice visualization +- [File Formats posters](https://github.com/corkami/pics) - Nice visualization of commonly used file format (including PE & ELF). -* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and +- [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and other resources. -* [Kernel Mode](http://www.kernelmode.info/forum/) - An active community +- [Kernel Mode](http://www.kernelmode.info/forum/) - An active community devoted to malware analysis and kernel development. -* [Malicious Software](https://zeltser.com/malicious-software/) - Malware +- [Malicious Software](https://zeltser.com/malicious-software/) - Malware blog and resources by Lenny Zeltser. -* [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - +- [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - Custom Google search engine from [Corey Harrell](journeyintoir.blogspot.com/). -* [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - +- [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis. -* [Malware Analysis, Threat Intelligence and Reverse Engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) - +- [Malware Analysis, Threat Intelligence and Reverse Engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description. -* [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection - of various information focused on malware persistence: detection (techniques), +- [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection + of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools). -* [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This +- [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This blog focuses on network traffic related to malware infections. -* [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows +- [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows you to easily search some of the most popular malware databases -* [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - +- [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - This package contains most of the software referenced in the Practical Malware Analysis book. -* [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - These are the +- [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015. -* [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan +- [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan Carvey's page on Malware. -* [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) - +- [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) - Windows registry file format specification. -* [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT +- [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT tools and resources, with a [malware analysis](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on) flair. -* [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit. -* [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) - +- [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit. +- [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) - Reverse engineering subreddit, not limited to just malware. - - # Related Awesome Lists -* [Android Security](https://github.com/ashishb/android-security-awesome) -* [AppSec](https://github.com/paragonie/awesome-appsec) -* [CTFs](https://github.com/apsdehal/awesome-ctf) -* [Forensics](https://github.com/Cugu/awesome-forensics) -* ["Hacking"](https://github.com/carpedm20/awesome-hacking) -* [Honeypots](https://github.com/paralax/awesome-honeypots) -* [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security) -* [Incident-Response](https://github.com/meirwah/awesome-incident-response) -* [Infosec](https://github.com/onlurking/awesome-infosec) -* [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools) -* [Pentesting](https://github.com/enaqx/awesome-pentest) -* [Security](https://github.com/sbilly/awesome-security) -* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence) -* [YARA](https://github.com/InQuest/awesome-yara) +- [Android Security](https://github.com/ashishb/android-security-awesome) +- [AppSec](https://github.com/paragonie/awesome-appsec) +- [CTFs](https://github.com/apsdehal/awesome-ctf) +- [Forensics](https://github.com/Cugu/awesome-forensics) +- ["Hacking"](https://github.com/carpedm20/awesome-hacking) +- [Honeypots](https://github.com/paralax/awesome-honeypots) +- [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security) +- [Incident-Response](https://github.com/meirwah/awesome-incident-response) +- [Infosec](https://github.com/onlurking/awesome-infosec) +- [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools) +- [Pentesting](https://github.com/enaqx/awesome-pentest) +- [Security](https://github.com/sbilly/awesome-security) +- [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence) +- [YARA](https://github.com/InQuest/awesome-yara) # [Contributing](CONTRIBUTING.md) @@ -900,11 +897,11 @@ Pull requests and issues with suggestions are welcome! Please read the This list was made possible by: -* Lenny Zeltser and other contributors for developing REMnux, where I +- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list; -* Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for - writing the *Malware Analyst's Cookbook*, which was a big inspiration for +- Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for + writing the _Malware Analyst's Cookbook_, which was a big inspiration for creating the list; -* And everyone else who has sent pull requests or suggested links to add here! +- And everyone else who has sent pull requests or suggested links to add here! Thanks!