mirror of
https://github.com/rshipp/awesome-malware-analysis.git
synced 2024-12-24 05:05:25 +00:00
Wrap some lines
This commit is contained in:
parent
fc3125268b
commit
6d7827d58a
93
README.md
93
README.md
@ -121,7 +121,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
|||||||
working with OpenIOC objects, from Mandiant.
|
working with OpenIOC objects, from Mandiant.
|
||||||
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
|
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
|
||||||
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
|
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
|
||||||
from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
|
from various lists. Curated by the
|
||||||
|
[CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
|
||||||
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
|
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
|
||||||
Platform curated by [The MISP Project](http://www.misp-project.org/).
|
Platform curated by [The MISP Project](http://www.misp-project.org/).
|
||||||
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
|
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
|
||||||
@ -221,8 +222,9 @@ YARA rules.
|
|||||||
files, providing feature-rich tools for proper analysis of suspicious binaries.
|
files, providing feature-rich tools for proper analysis of suspicious binaries.
|
||||||
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
|
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
|
||||||
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
|
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
|
||||||
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script
|
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
|
||||||
for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database.
|
Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
|
||||||
|
database.
|
||||||
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
|
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
|
||||||
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
|
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
|
||||||
analysts.
|
analysts.
|
||||||
@ -243,16 +245,18 @@ YARA rules.
|
|||||||
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
|
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
|
||||||
version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
|
version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
|
||||||
legal concerns by the author.
|
legal concerns by the author.
|
||||||
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control
|
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
|
||||||
a cuckoo-modified sandbox.
|
Python API used to control a cuckoo-modified sandbox.
|
||||||
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
|
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
|
||||||
machine-learning classification.
|
machine-learning classification.
|
||||||
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis
|
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
|
||||||
of Linux malwares and capturing IOCs.
|
traffic analysis of Linux malwares and capturing IOCs.
|
||||||
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
|
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
|
||||||
system.
|
system.
|
||||||
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package.
|
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
|
||||||
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files.
|
firmware package.
|
||||||
|
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
|
||||||
|
Analysis Tool for Linux ELF Files.
|
||||||
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
|
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
|
||||||
analysis tool, powered by VxSandbox.
|
analysis tool, powered by VxSandbox.
|
||||||
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
|
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
|
||||||
@ -262,7 +266,8 @@ YARA rules.
|
|||||||
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malwares
|
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malwares
|
||||||
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
|
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
|
||||||
of malware behavior.
|
of malware behavior.
|
||||||
* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for online malware and URL analysis services.
|
* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
|
||||||
|
online malware and URL analysis services.
|
||||||
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
|
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
|
||||||
the configuration settings from common malwares.
|
the configuration settings from common malwares.
|
||||||
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
|
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
|
||||||
@ -287,7 +292,8 @@ YARA rules.
|
|||||||
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
|
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
|
||||||
samples and URLs
|
samples and URLs
|
||||||
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
|
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
|
||||||
visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
|
visualization library and command line tools for logs. (Cuckoo, Procmon, more
|
||||||
|
to come...)
|
||||||
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
|
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
|
||||||
automated sandboxes and services, compiled by Lenny Zeltser.
|
automated sandboxes and services, compiled by Lenny Zeltser.
|
||||||
|
|
||||||
@ -295,7 +301,8 @@ YARA rules.
|
|||||||
|
|
||||||
*Inspect domains and IP addresses.*
|
*Inspect domains and IP addresses.*
|
||||||
|
|
||||||
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed for consistent and safe capture of off network web resources.
|
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
|
||||||
|
for consistent and safe capture of off network web resources.
|
||||||
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
|
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
|
||||||
much metadata as possible for a website and to assess its good standing.
|
much metadata as possible for a website and to assess its good standing.
|
||||||
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
|
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
|
||||||
@ -321,8 +328,8 @@ YARA rules.
|
|||||||
domains and IPs.
|
domains and IPs.
|
||||||
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
|
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
|
||||||
and Security Scanner.
|
and Security Scanner.
|
||||||
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain or network
|
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
|
||||||
owner. (Previously SenderBase.)
|
or network owner. (Previously SenderBase.)
|
||||||
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
|
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
|
||||||
for gathering information about URLs, IPs, or hashes.
|
for gathering information about URLs, IPs, or hashes.
|
||||||
* [URLQuery](http://urlquery.net/) - Free URL Scanner.
|
* [URLQuery](http://urlquery.net/) - Free URL Scanner.
|
||||||
@ -455,7 +462,8 @@ the [browser malware](#browser-malware) section.*
|
|||||||
source Binary Analysis and Reverse engineering Framework.
|
source Binary Analysis and Reverse engineering Framework.
|
||||||
* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
|
* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
|
||||||
reverse engineering based on graph visualization.
|
reverse engineering based on graph visualization.
|
||||||
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA.
|
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform
|
||||||
|
that is an alternative to IDA.
|
||||||
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
|
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
|
||||||
* [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
|
* [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
|
||||||
([mirror](https://github.com/inguma/bokken))
|
([mirror](https://github.com/inguma/bokken))
|
||||||
@ -492,31 +500,35 @@ the [browser malware](#browser-malware) section.*
|
|||||||
for static analysis of Linux binaries.
|
for static analysis of Linux binaries.
|
||||||
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
|
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
|
||||||
executables.
|
executables.
|
||||||
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis
|
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
|
||||||
|
Dynamic Analysis.
|
||||||
* [PEDA](https://github.com/longld/peda) - Python Exploit Development
|
* [PEDA](https://github.com/longld/peda) - Python Exploit Development
|
||||||
Assistance for GDB, an enhanced display with added commands.
|
Assistance for GDB, an enhanced display with added commands.
|
||||||
* [pestudio](https://winitor.com/) - Perform static analysis of Windows
|
* [pestudio](https://winitor.com/) - Perform static analysis of Windows
|
||||||
executables.
|
executables.
|
||||||
* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive disassembler for
|
* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
|
||||||
x86/ARM/MIPS.
|
disassembler for x86/ARM/MIPS.
|
||||||
* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
|
* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
|
||||||
reversers, malware researchers and those who want to statically inspect PE
|
reversers, malware researchers and those who want to statically inspect PE
|
||||||
files in more detail.
|
files in more detail.
|
||||||
* [Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) -
|
* [Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) -
|
||||||
Advanced task manager for Windows.
|
Advanced task manager for Windows.
|
||||||
* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors system resources.
|
* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
|
||||||
|
system resources.
|
||||||
* [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) -
|
* [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) -
|
||||||
Advanced monitoring tool for Windows programs.
|
Advanced monitoring tool for Windows programs.
|
||||||
* [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - Windows
|
* [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - Windows
|
||||||
command-line tools that help manage and investigate live systems.
|
command-line tools that help manage and investigate live systems.
|
||||||
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
|
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
|
||||||
analysis.
|
analysis.
|
||||||
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse engineering
|
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
|
||||||
sandbox by the Talos team at Cisco.
|
engineering sandbox by the Talos team at Cisco.
|
||||||
* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg server for stealth debugging.
|
* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
|
||||||
|
server for stealth debugging.
|
||||||
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
|
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
|
||||||
debugger support.
|
debugger support.
|
||||||
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots.
|
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
|
||||||
|
that compares snapshots.
|
||||||
* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
|
* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
|
||||||
[online decompilation service](https://retdec.com/decompilation/) and
|
[online decompilation service](https://retdec.com/decompilation/) and
|
||||||
[API](https://retdec.com/api/) that you can use in your tools.
|
[API](https://retdec.com/api/) that you can use in your tools.
|
||||||
@ -572,11 +584,14 @@ the [browser malware](#browser-malware) section.*
|
|||||||
forensic analysis tool, with a free version.
|
forensic analysis tool, with a free version.
|
||||||
* [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
|
* [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
|
||||||
like grep.
|
like grep.
|
||||||
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and traffic visualizer.
|
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
|
||||||
* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An ICAP Server with yara scanner for URL or content.
|
traffic visualizer.
|
||||||
|
* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
|
||||||
|
ICAP Server with yara scanner for URL or content.
|
||||||
* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
|
* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
|
||||||
designed to analyze a web-based network traffic to detect central command
|
designed to analyze a web-based network traffic to detect central command
|
||||||
and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
|
and control (C&C) servers and malicious sites, using Squid proxy server and
|
||||||
|
Spamhaus.
|
||||||
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
|
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
|
||||||
* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
|
* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
|
||||||
from network traffic.
|
from network traffic.
|
||||||
@ -589,16 +604,17 @@ the [browser malware](#browser-malware) section.*
|
|||||||
|
|
||||||
*Tools for dissecting malware in memory images or running systems.*
|
*Tools for dissecting malware in memory images or running systems.*
|
||||||
|
|
||||||
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS forensics
|
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
|
||||||
client supporting hiberfil, pagefile, raw memory analysis
|
forensics client supporting hiberfil, pagefile, raw memory analysis
|
||||||
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
|
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
|
||||||
Malware in Memory, built on Volatility
|
Malware in Memory, built on Volatility
|
||||||
* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
|
* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
|
||||||
Volatility Memory Forensics Framework.
|
Volatility Memory Forensics Framework.
|
||||||
* [FindAES](http://jessekornblum.livejournal.com/269749.html) - Find AES
|
* [FindAES](http://jessekornblum.livejournal.com/269749.html) - Find AES
|
||||||
encryption keys in memory.
|
encryption keys in memory.
|
||||||
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory analysis framework
|
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
|
||||||
developed in .NET supports all Windows x64, includes code integrity and write support.
|
analysis framework developed in .NET supports all Windows x64, includes
|
||||||
|
code integrity and write support.
|
||||||
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
|
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
|
||||||
of analysis using Volatility, and create a readable report.
|
of analysis using Volatility, and create a readable report.
|
||||||
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
|
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
|
||||||
@ -634,9 +650,10 @@ the [browser malware](#browser-malware) section.*
|
|||||||
Pipeline System.
|
Pipeline System.
|
||||||
* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
|
* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
|
||||||
malware and threat repository.
|
malware and threat repository.
|
||||||
* [FAME](https://certsocietegenerale.github.io/fame/) - FAME is a malware analysis framework.
|
* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
|
||||||
It features a pipeline that can be extended with custom modules that can be chained and
|
framework featuring a pipeline that can be extended with custom modules,
|
||||||
interact with each other to perform end-to-end analysis.
|
which can be chained and interact with each other to perform end-to-end
|
||||||
|
analysis.
|
||||||
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
|
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
|
||||||
search malware.
|
search malware.
|
||||||
* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
|
* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
|
||||||
@ -677,10 +694,12 @@ the [browser malware](#browser-malware) section.*
|
|||||||
|
|
||||||
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
|
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
|
||||||
Tools and Techniques for Fighting Malicious Code.
|
Tools and Techniques for Fighting Malicious Code.
|
||||||
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide
|
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
|
||||||
to Dissecting Malicious Software.
|
Guide to Dissecting Malicious Software.
|
||||||
* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) - Intermediate Reverse Engineering
|
* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
|
||||||
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer Security and Incident Response
|
Intermediate Reverse Engineering
|
||||||
|
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
|
||||||
|
Security and Incident Response
|
||||||
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
|
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
|
||||||
Malware and Threats in Windows, Linux, and Mac Memory.
|
Malware and Threats in Windows, Linux, and Mac Memory.
|
||||||
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
|
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
|
||||||
|
Loading…
Reference in New Issue
Block a user