mirror of
https://github.com/rshipp/awesome-malware-analysis.git
synced 2024-12-18 10:26:07 +00:00
Merge remote-tracking branch 'refs/remotes/rshipp/master'
This commit is contained in:
commit
a19d5fb717
233
README.md
233
README.md
@ -1,7 +1,6 @@
|
||||
# Awesome Malware Analysis
|
||||
|
||||
[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
|
||||
[![Link Status](https://travis-ci.org/rshipp/awesome-malware-analysis.svg?branch=master)](https://travis-ci.org/rshipp/awesome-malware-analysis)
|
||||
|
||||
A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
[awesome-python](https://github.com/vinta/awesome-python) and
|
||||
@ -57,11 +56,13 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
|
||||
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
|
||||
* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
|
||||
on Kippo.
|
||||
[Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
|
||||
on Kippo.
|
||||
* [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots.
|
||||
* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
|
||||
* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
|
||||
* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
|
||||
* [HoneyDrive](http://bruteforce.gr/honeydrive) - Honeypot bundle Linux distro.
|
||||
* [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
|
||||
* [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots.
|
||||
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
|
||||
honeypot data; supports Dionaea.
|
||||
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
|
||||
@ -77,9 +78,9 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
malware samples and analyses.
|
||||
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
|
||||
samples.
|
||||
* [Malshare](http://malshare.com) - Large repository of malware actively
|
||||
* [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
|
||||
* [Malshare](https://malshare.com) - Large repository of malware actively
|
||||
scrapped from malicious sites.
|
||||
samples directly from a number of online sources.
|
||||
* [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository.
|
||||
* [Open Malware Project](http://openmalware.org/) - Sample information and
|
||||
downloads. Formerly Offensive Computing.
|
||||
@ -87,9 +88,11 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
crawler with pre-analysis and reporting functionalities
|
||||
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
|
||||
analysts.
|
||||
* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker
|
||||
* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker
|
||||
and malicious download sites.
|
||||
* [ViruSign](http://www.virusign.com/) - Malware database that detected by
|
||||
* [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of
|
||||
various malware files and source code.
|
||||
* [ViruSign](http://www.virussign.com/) - Malware database that detected by
|
||||
many anti malware programs except ClamAV.
|
||||
* [VirusShare](https://virusshare.com/) - Malware repository, registration
|
||||
required.
|
||||
@ -121,12 +124,14 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
working with OpenIOC objects, from Mandiant.
|
||||
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
|
||||
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
|
||||
from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
|
||||
from various lists. Curated by the
|
||||
[CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
|
||||
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
|
||||
Platform curated by [The MISP Project](http://www.misp-project.org/).
|
||||
* [PassiveTotal](https://www.passivetotal.org/) - Research, connect, tag and
|
||||
share IPs and domains.
|
||||
* [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
|
||||
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
|
||||
* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
|
||||
share IPs and domains. (Was PassiveTotal.)
|
||||
* [threataggregator](https://github.com/jpsenior/threataggregator) -
|
||||
Aggregates security threats from a number of sources, including some of
|
||||
those listed below in [other resources](#other-resources).
|
||||
@ -152,8 +157,6 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
Network security blocklists.
|
||||
* [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free
|
||||
intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
|
||||
* [CRDF ThreatCenter](http://threatcenter.crdf.fr/) - List of new threats detected
|
||||
by CRDF anti-malware.
|
||||
* [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
|
||||
* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
|
||||
shared publicly by FireEye.
|
||||
@ -161,18 +164,19 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
with a focus on attacks, malware and abuse. Evolution, Changes History,
|
||||
Country Maps, Age of IPs listed, Retention Policy, Overlaps.
|
||||
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
|
||||
* [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
|
||||
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
|
||||
searchable incident database, with a web [API](https://dshield.org/api/)
|
||||
searchable incident database, with a web [API](https://dshield.org/api/).
|
||||
([unofficial Python library](https://github.com/rshipp/python-dshield)).
|
||||
* [malc0de](http://malc0de.com/database/) - Searchable incident database.
|
||||
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
|
||||
malicious URLs.
|
||||
* [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence.
|
||||
* [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet
|
||||
C&C blocklists.
|
||||
* [Metadefender Threat Intelligence Feeds](https://metadefender.opswat.com/threat-intelligence-feeds) -
|
||||
List of the most looked up file hashes from Metadefender malware feed.
|
||||
* [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
|
||||
* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
|
||||
Rulesets and more. (Formerly Emerging Threats.)
|
||||
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
|
||||
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
|
||||
A list of ransomware overview with details, detection and prevention.
|
||||
* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
|
||||
Standardized language to represent and share cyber threat information.
|
||||
@ -181,6 +185,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
- [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
|
||||
- [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
|
||||
- [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
|
||||
* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
|
||||
intelligence, with search.
|
||||
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
|
||||
free per month.
|
||||
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
|
||||
@ -193,11 +199,16 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
|
||||
* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
|
||||
variety of tools for reporting on Windows PE files.
|
||||
* [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable
|
||||
distributed file analysis framework.
|
||||
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
|
||||
AWS pipeline that scans and alerts on uploaded files based on a set of
|
||||
YARA rules.
|
||||
* [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
|
||||
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
|
||||
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for
|
||||
determining types of files.
|
||||
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
|
||||
* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
|
||||
edit file metadata.
|
||||
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
|
||||
Modular, recursive file scanning solution.
|
||||
@ -206,9 +217,11 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
|
||||
* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
|
||||
compare malware at a function level.
|
||||
* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
|
||||
executables.
|
||||
* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
|
||||
framework.
|
||||
* [MultiScanner](https://github.com/MITRECND/multiscanner) - Modular file
|
||||
* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
|
||||
scanning/analysis framework
|
||||
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
|
||||
up hashes in NIST's National Software Reference Library database.
|
||||
@ -217,9 +230,10 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
|
||||
files, providing feature-rich tools for proper analysis of suspicious binaries.
|
||||
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
|
||||
* [ssdeep](http://ssdeep.sourceforge.net/) - Compute fuzzy hashes.
|
||||
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script
|
||||
for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database.
|
||||
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
|
||||
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
|
||||
Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
|
||||
database.
|
||||
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
|
||||
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
|
||||
analysts.
|
||||
@ -227,10 +241,12 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
yara rules based on a set of malware samples. Also contains a good
|
||||
strings DB to avoid false positives.
|
||||
|
||||
|
||||
## Online Scanners and Sandboxes
|
||||
|
||||
*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
|
||||
* [APK Analyzer](https://www.apk-analyzer.net/) - Free dynamic analysis of APKs.
|
||||
|
||||
* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
|
||||
* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
|
||||
against multiple mobile antivirus apps.
|
||||
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and
|
||||
@ -241,52 +257,57 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
|
||||
version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
|
||||
legal concerns by the author.
|
||||
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control
|
||||
a cuckoo-modified sandbox.
|
||||
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
|
||||
Python API used to control a cuckoo-modified sandbox.
|
||||
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
|
||||
machine-learning classification.
|
||||
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis
|
||||
of Linux malwares and capturing IOCs.
|
||||
* [Document Analyzer](https://www.document-analyzer.net/) - Free dynamic analysis of DOC and PDF files.
|
||||
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
|
||||
traffic analysis of Linux malwares and capturing IOCs.
|
||||
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
|
||||
system.
|
||||
* [File Analyzer](https://www.file-analyzer.net/) - Free dynamic analysis of PE files.
|
||||
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package.
|
||||
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
|
||||
firmware package.
|
||||
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
|
||||
Analysis Tool for Linux ELF Files.
|
||||
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
|
||||
analysis tool, powered by VxSandbox.
|
||||
* [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by
|
||||
identifying code reuse and code similarities.
|
||||
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
|
||||
analysis platform for suspicious files.
|
||||
* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
|
||||
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
|
||||
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malwares
|
||||
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
|
||||
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
|
||||
of malware behavior.
|
||||
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
|
||||
* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
|
||||
online malware and URL analysis services.
|
||||
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online
|
||||
the configuration settings from common malwares.
|
||||
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
|
||||
instance.
|
||||
* [MASTIFF Online](https://mastiff-online.korelogic.com/) - Online static
|
||||
analysis of malware.
|
||||
* [Metadefender.com](https://www.metadefender.com) - Scan a file, hash or IP
|
||||
address for malware (free)
|
||||
* [Metadefender](https://metadefender.opswat.com/ ) - Scan a file, hash or IP
|
||||
address for malware (free).
|
||||
* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
|
||||
pcap files and facilitates the quick detection of viruses, worms, trojans, and all
|
||||
kinds of malware using Suricata configured with EmergingThreats Pro.
|
||||
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
|
||||
collect information about malware in a sandboxed environment.
|
||||
* [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
|
||||
* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
|
||||
* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
|
||||
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
|
||||
script for safely uploading binaries to sandbox sites.
|
||||
* [Sand droid](http://sanddroid.xjtu.edu.cn/) - Automatic and complete
|
||||
Android application analysis system.
|
||||
* [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for
|
||||
building integrations with several open source and commercial malware sandboxes.
|
||||
* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
|
||||
is a framework for building test automation in secured Environments.
|
||||
* [URL Analyzer](https://www.url-analyzer.net/) - Free dynamic analysis of URL files.
|
||||
* [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
|
||||
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
|
||||
samples and URLs
|
||||
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
|
||||
visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
|
||||
visualization library and command line tools for logs. (Cuckoo, Procmon, more
|
||||
to come...)
|
||||
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
|
||||
automated sandboxes and services, compiled by Lenny Zeltser.
|
||||
|
||||
@ -294,9 +315,14 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
|
||||
*Inspect domains and IP addresses.*
|
||||
|
||||
* [badips.com](https://www.badips.com/) - Community based IP blacklist service.
|
||||
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
|
||||
for consistent and safe capture of off network web resources.
|
||||
* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
|
||||
search.
|
||||
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
|
||||
much metadata as possible for a website and to assess its good standing.
|
||||
* [Dig](http://networking.ringofsaturn.com/) - Free online dig and other
|
||||
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
|
||||
network tools.
|
||||
* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
|
||||
engine for detecting typo squatting, phishing and corporate espionage.
|
||||
@ -309,30 +335,34 @@ A curated list of awesome malware analysis tools and resources. Inspired by
|
||||
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
|
||||
for the VirusTotal API. Allows domain/IP research, and searching for file
|
||||
hashes and scan reports.
|
||||
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
|
||||
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
|
||||
confirmed reverse DNS lookup over more than 300 RBLs.
|
||||
* [SenderBase](http://www.senderbase.org/) - Search for IP, domain or network
|
||||
owner.
|
||||
* [NormShield Services](https://services.normshield.com/) - Free API Services
|
||||
for detecting possible phishing domains, blacklisted ip addresses and breached
|
||||
accounts.
|
||||
* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
|
||||
* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
|
||||
domains and IPs.
|
||||
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
|
||||
and Security Scanner.
|
||||
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
|
||||
or network owner. (Previously SenderBase.)
|
||||
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
|
||||
for gathering information about URLs, IPs, or hashes.
|
||||
* [URLQuery](http://urlquery.net/) - Free URL Scanner.
|
||||
* [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information.
|
||||
* [Whois](https://whois.domaintools.com/) - DomainTools free online whois
|
||||
search.
|
||||
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
|
||||
online tools for researching malicious websites, compiled by Lenny Zeltser.
|
||||
* [ZScalar Zulu](http://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
|
||||
* [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
|
||||
|
||||
## Browser Malware
|
||||
|
||||
*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
|
||||
[documents and shellcode](#documents-and-shellcode) sections.*
|
||||
|
||||
* [Firebug](http://getfirebug.com/) - Firefox extension for web development.
|
||||
* [Firebug](https://getfirebug.com/) - Firefox extension for web development.
|
||||
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
|
||||
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
|
||||
IDX cache files.
|
||||
@ -397,10 +427,12 @@ the [browser malware](#browser-malware) section.*
|
||||
Event Log files from raw binary data.
|
||||
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
|
||||
by the US Air Force.
|
||||
* [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python
|
||||
libraries for dealing with binary files.
|
||||
* [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library
|
||||
to view and edit a binary stream field by field.
|
||||
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
|
||||
tool.
|
||||
* [SFlock](https://github.com/jbremer/sflock) - Nested archive
|
||||
extraction/unpacking (used in Cuckoo Sandbox).
|
||||
|
||||
## Deobfuscation
|
||||
|
||||
@ -448,22 +480,25 @@ the [browser malware](#browser-malware) section.*
|
||||
source Binary Analysis and Reverse engineering Framework.
|
||||
* [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
|
||||
reverse engineering based on graph visualization.
|
||||
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA.
|
||||
* [Binwalk](http://binwalk.org/) - Firmware analysis tool.
|
||||
* [Binary ninja](https://binary.ninja/) - A reversing engineering platform
|
||||
that is an alternative to IDA.
|
||||
* [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
|
||||
* [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
|
||||
([mirror](https://github.com/inguma/bokken))
|
||||
* [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
|
||||
binary analysis and reversing, with support for many architectures and
|
||||
bindings in several languages.
|
||||
* [codebro](https://github.com/hugsy/codebro) - Web based code browser using
|
||||
clang to provide basic code analysis.
|
||||
clang to provide basic code analysis.
|
||||
* [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF)
|
||||
- A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
|
||||
* [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
|
||||
and debugger.
|
||||
* [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
|
||||
modular debugger with a Qt GUI.
|
||||
* [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration
|
||||
and tracing of the Windows kernel.
|
||||
* [FPort](http://www.mcafee.com/us/downloads/free-tools/fport.aspx#) - Reports
|
||||
* [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
|
||||
open TCP/IP and UDP ports in a live system and maps them to the owning application.
|
||||
* [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
|
||||
* [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
|
||||
@ -471,51 +506,68 @@ the [browser malware](#browser-malware) section.*
|
||||
* [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
|
||||
search for strings in PE executables including imports, exports, and debug
|
||||
symbols.
|
||||
* [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler.
|
||||
* [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
|
||||
disassembler and debugger, with a free evaluation version.
|
||||
* [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
|
||||
malware analysis and more, with a Python API.
|
||||
* [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
|
||||
* [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols /
|
||||
data structures reverse engineering and dissection, with code generation
|
||||
for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
|
||||
* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library
|
||||
to parse, modify and abstract ELF, PE and MachO formats.
|
||||
* [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
|
||||
* [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
|
||||
for static analysis of Linux binaries.
|
||||
* [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
|
||||
executables.
|
||||
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis
|
||||
* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
|
||||
Dynamic Analysis.
|
||||
* [PEDA](https://github.com/longld/peda) - Python Exploit Development
|
||||
Assistance for GDB, an enhanced display with added commands.
|
||||
* [pestudio](https://winitor.com/) - Perform static analysis of Windows
|
||||
executables.
|
||||
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for
|
||||
x86/ARM/MIPS.
|
||||
* [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
|
||||
can be used to perform automated static analysis of binaries.
|
||||
* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
|
||||
disassembler for x86/ARM/MIPS.
|
||||
* [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
|
||||
reversers, malware researchers and those who want to statically inspect PE
|
||||
files in more detail.
|
||||
* [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) -
|
||||
* [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
|
||||
Advanced task manager for Windows.
|
||||
* [Process Hacker] (http://processhacker.sourceforge.net/) - Tool that monitors system resources
|
||||
* [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) -
|
||||
* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
|
||||
system resources.
|
||||
* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
|
||||
Advanced monitoring tool for Windows programs.
|
||||
* [PSTools](https://technet.microsoft.com/en-us/sysinternals/pstools.aspx) - Windows
|
||||
* [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
|
||||
command-line tools that help manage and investigate live systems.
|
||||
* [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
|
||||
analysis.
|
||||
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
|
||||
engineering sandbox by the Talos team at Cisco.
|
||||
* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
|
||||
server for stealth debugging.
|
||||
* [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
|
||||
debugger support.
|
||||
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots.
|
||||
* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
|
||||
that compares snapshots.
|
||||
* [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
|
||||
[online decompilation service](https://retdec.com/decompilation/) and
|
||||
[API](https://retdec.com/api/) that you can use in your tools.
|
||||
* [ROPMEMU](https://github.com/vrtadmin/ROPMEMU) - A framework to analyze, dissect
|
||||
* [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
|
||||
and decompile complex code-reuse attacks.
|
||||
* [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
|
||||
plugin for Sublime 3 to aid with malware analyis.
|
||||
* [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
|
||||
Linux executables.
|
||||
* [Triton](http://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
|
||||
* [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
|
||||
* [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
|
||||
for x86 and x86_64.
|
||||
* [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
|
||||
malware analysis.
|
||||
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
|
||||
* [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
|
||||
|
||||
## Network
|
||||
@ -529,12 +581,17 @@ the [browser malware](#browser-malware) section.*
|
||||
explorer.
|
||||
* [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and
|
||||
decoding framework.
|
||||
* [Fiddler](http://www.telerik.com/fiddler) - Intercepting web proxy designed
|
||||
* [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis
|
||||
and malware traffic detection.
|
||||
* [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed
|
||||
for "web debugging."
|
||||
* [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor.
|
||||
* [Haka](http://www.haka-security.org/) - An open source security oriented
|
||||
language for describing protocols and applying security policies on (live)
|
||||
captured traffic.
|
||||
* [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing
|
||||
and reading out PCAP files, including TLS streams using TLS Master Secrets
|
||||
(used in Cuckoo Sandbox).
|
||||
* [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
|
||||
building a malware lab.
|
||||
* [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
|
||||
@ -552,7 +609,14 @@ the [browser malware](#browser-malware) section.*
|
||||
forensic analysis tool, with a free version.
|
||||
* [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
|
||||
like grep.
|
||||
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and traffic visualizer.
|
||||
* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
|
||||
traffic visualizer.
|
||||
* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
|
||||
ICAP Server with yara scanner for URL or content.
|
||||
* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
|
||||
designed to analyze a web-based network traffic to detect central command
|
||||
and control (C&C) servers and malicious sites, using Squid proxy server and
|
||||
Spamhaus.
|
||||
* [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
|
||||
* [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
|
||||
from network traffic.
|
||||
@ -565,14 +629,17 @@ the [browser malware](#browser-malware) section.*
|
||||
|
||||
*Tools for dissecting malware in memory images or running systems.*
|
||||
|
||||
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS forensics
|
||||
client supporting hiberfil, pagefile, raw memory analysis
|
||||
* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
|
||||
forensics client supporting hiberfil, pagefile, raw memory analysis.
|
||||
* [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
|
||||
Malware in Memory, built on Volatility
|
||||
Malware in Memory, built on Volatility.
|
||||
* [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
|
||||
Volatility Memory Forensics Framework.
|
||||
* [FindAES](http://jessekornblum.livejournal.com/269749.html) - Find AES
|
||||
* [FindAES](https://sourceforge.net/projects/findaes/) - Find AES
|
||||
encryption keys in memory.
|
||||
* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
|
||||
analysis framework developed in .NET supports all Windows x64, includes
|
||||
code integrity and write support.
|
||||
* [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
|
||||
of analysis using Volatility, and create a readable report.
|
||||
* [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
|
||||
@ -585,6 +652,8 @@ the [browser malware](#browser-malware) section.*
|
||||
memory forensics framework.
|
||||
* [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for
|
||||
Volatility Memory Analysis framework.
|
||||
* [WDBGARK](https://github.com/swwwolf/wdbgark) -
|
||||
WinDBG Anti-RootKit Extension.
|
||||
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
|
||||
Live memory inspection and kernel debugging for Windows systems.
|
||||
|
||||
@ -602,10 +671,14 @@ the [browser malware](#browser-malware) section.*
|
||||
|
||||
## Storage and Workflow
|
||||
|
||||
* [Aleph](https://github.com/trendmicro/aleph) - OpenSource Malware Analysis
|
||||
* [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis
|
||||
Pipeline System.
|
||||
* [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
|
||||
malware and threat repository.
|
||||
* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
|
||||
framework featuring a pipeline that can be extended with custom modules,
|
||||
which can be chained and interact with each other to perform end-to-end
|
||||
analysis.
|
||||
* [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
|
||||
search malware.
|
||||
* [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
|
||||
@ -620,14 +693,15 @@ the [browser malware](#browser-malware) section.*
|
||||
|
||||
* [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware
|
||||
with good intentions that aimes to stress anti-malware systems.
|
||||
* [Binarly](http://www.binar.ly/search) - Search engine for bytes in a large
|
||||
corpus of malware.
|
||||
* [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
|
||||
The Defense Cyber Crime Center's Malware Configuration Parser framework.
|
||||
* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable,
|
||||
Windows-based, security distribution for malware analysis.
|
||||
* [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database
|
||||
containing exploits used by malware.
|
||||
* [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of
|
||||
malware programs that were distributed in the 1980s and 1990s.
|
||||
* [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
|
||||
* [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
|
||||
tool that employs several techniques to detect sandboxes and analysis
|
||||
environments in the same way as malware families do.
|
||||
@ -644,10 +718,12 @@ the [browser malware](#browser-malware) section.*
|
||||
|
||||
* [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
|
||||
Tools and Techniques for Fighting Malicious Code.
|
||||
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide
|
||||
to Dissecting Malicious Software.
|
||||
* [Practical Reverse Engineering](http://a.co/63SQsH2) - Intermediate Reverse Engineering
|
||||
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer Security and Incident Response
|
||||
* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
|
||||
Guide to Dissecting Malicious Software.
|
||||
* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
|
||||
Intermediate Reverse Engineering.
|
||||
* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
|
||||
Security and Incident Response.
|
||||
* [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
|
||||
Malware and Threats in Windows, Linux, and Mac Memory.
|
||||
* [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
|
||||
@ -684,8 +760,8 @@ the [browser malware](#browser-malware) section.*
|
||||
of commonly used file format (including PE & ELF).
|
||||
* [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
|
||||
other resources.
|
||||
* [Kernel Mode](http://www.kernelmode.info/forum/) - An active community devoted to
|
||||
malware analysis and kernel development.
|
||||
* [Kernel Mode](http://www.kernelmode.info/forum/) - An active community
|
||||
devoted to malware analysis and kernel development.
|
||||
* [Malicious Software](https://zeltser.com/malicious-software/) - Malware
|
||||
blog and resources by Lenny Zeltser.
|
||||
* [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
|
||||
@ -728,6 +804,7 @@ the [browser malware](#browser-malware) section.*
|
||||
* [Pentesting](https://github.com/enaqx/awesome-pentest)
|
||||
* [Security](https://github.com/sbilly/awesome-security)
|
||||
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
|
||||
* [YARA](https://github.com/InQuest/awesome-yara)
|
||||
|
||||
# [Contributing](CONTRIBUTING.md)
|
||||
|
||||
|
40
恶意软件分析大合集.md
40
恶意软件分析大合集.md
@ -1,4 +1,4 @@
|
||||
# 恶意软件分析大合集
|
||||
# 恶意软件分析大合集
|
||||
|
||||
|
||||
这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。
|
||||
@ -15,21 +15,21 @@
|
||||
- [在线扫描与沙盒](#在线扫描与沙盒)
|
||||
- [域名分析](#域名分析)
|
||||
- [浏览器恶意软件](#浏览器恶意软件)
|
||||
- [文档和 Shellcode](#文档和 Shellcode)
|
||||
- [文档和 Shellcode](#文档和-Shellcode)
|
||||
- [文件提取](#文件提取)
|
||||
- [去混淆](#去混淆)
|
||||
- [调试与逆向工程](#调试与逆向工程)
|
||||
- [网络](#网络)
|
||||
- [内存取证](#内存取证)
|
||||
- [Windows 神器](#Windows 神器)
|
||||
- [Windows 神器](#Windows-神器)
|
||||
- [存储和工作流](#存储和工作流)
|
||||
- [杂项](#杂项)
|
||||
- [资源](#资源)
|
||||
- [书籍](#书籍)
|
||||
- [Twitter](#Twitter)
|
||||
- [其它](#其它)
|
||||
- [相关 Awesome 清单](#相关 Awesome 清单)
|
||||
- [贡献者](#贡献者)
|
||||
- [相关 Awesome 清单](#相关-Awesome-清单)
|
||||
- [贡献者](#做出贡献)
|
||||
- [致谢](#致谢)
|
||||
|
||||
---
|
||||
@ -65,13 +65,13 @@
|
||||
* [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - 恶意软件和恶意域名的实时数据库
|
||||
* [Contagio](http://contagiodump.blogspot.com/) - 近期的恶意软件样本和分析的收集
|
||||
* [Exploit Database](https://www.exploit-db.com/) - Exploit 和 shellcode 样本
|
||||
* [Malshare](http://malshare.com) - 在恶意网站上得到的大量恶意样本库
|
||||
* [Malshare](https://malshare.com) - 在恶意网站上得到的大量恶意样本库
|
||||
* [MalwareDB](http://malwaredb.malekal.com/) - 恶意软件样本库
|
||||
* [Open Malware Project](http://openmalware.org/) - 样本信息和下载
|
||||
* [Ragpicker](https://github.com/robbyFux/Ragpicker) - 基于 malware crawler 的一个插件
|
||||
* [theZoo](https://github.com/ytisf/theZoo) - 分析人员的实时恶意样本库
|
||||
* [Tracker h3x](http://tracker.h3x.eu/) - Agregator 的恶意软件跟踪和下载地址
|
||||
* [ViruSign](http://www.virusign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库
|
||||
* [ViruSign](http://www.virussign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库
|
||||
* [VirusShare](http://virusshare.com/) - 恶意软件库
|
||||
* [VX Vault](http://vxvault.net/) - 恶意软件样本的主动收集
|
||||
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - 由 Lenny Zeltser 整理的恶意软件样本源列表
|
||||
@ -93,8 +93,8 @@
|
||||
* [ioc_writer](https://github.com/mandiant/ioc_writer) - 开发的用于 OpenIOC 对象的 Python 库
|
||||
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - 由 [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework)发起,之前叫做 CIF (Collective Intelligence Framework),从各种信息源聚合 IOC 信息
|
||||
* [MISP](https://github.com/MISP/MISP) - 由 [The MISP Project](http://www.misp-project.org/) 发起的恶意软件信息共享平台
|
||||
* [PassiveTotal](https://www.passivetotal.org/) - 研究、链接、标注和分享 IP 与 域名
|
||||
* [PyIOCe](https://github.com/pidydx/PyIOCe) - 一个 Python OpenIOC 编辑器
|
||||
* [RiskIQ](https://community.riskiq.com/) - 研究、链接、标注和分享 IP 与 域名
|
||||
* [threataggregator](https://github.com/jpsenior/threataggregator) - 聚合来自多个信息源的安全威胁,包括 [other resources](#other-resources) 列表中的一些
|
||||
* [ThreatCrowd](https://www.threatcrowd.org/) - 带有图形可视化的威胁搜索引擎
|
||||
* [TIQ-test](https://github.com/mlsecproject/tiq-test) - 威胁情报源的数据可视化和统计分析
|
||||
@ -138,7 +138,7 @@
|
||||
* [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
|
||||
* [ClamAV](http://www.clamav.net/) - 开源反病毒引擎
|
||||
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序
|
||||
* [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据
|
||||
* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据
|
||||
* [File Scanning Framework](http://www.sno.phy.queensu.ca/%7Ephil/exiftool/) - 模块化的递归文件扫描解决方案
|
||||
* [hashdeep](https://github.com/jessek/hashdeep) - 用各种算法计算哈希值
|
||||
* [Loki](https://github.com/Neo23x0/Loki) - 基于主机的 IOC 扫描器
|
||||
@ -149,7 +149,7 @@
|
||||
* [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品
|
||||
* [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
|
||||
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits
|
||||
* [ssdeep](http://ssdeep.sourceforge.net/) - 计算模糊哈希值
|
||||
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
|
||||
* [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本
|
||||
* [TrID](http://mark0.net/soft-trid-e.html) - 文件识别
|
||||
* [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具
|
||||
@ -159,7 +159,6 @@
|
||||
|
||||
*基于 Web 的多反病毒引擎扫描器和恶意软件自动分析的沙盒*
|
||||
|
||||
* [APK Analyzer](https://www.apk-analyzer.net/) - APK 免费动态分析
|
||||
* [AndroTotal](https://andrototal.org/) - 利用多个移动反病毒软件进行免费在线分析 App
|
||||
* [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu 在线扫描器和恶意软件集合
|
||||
* [Cryptam](http://www.cryptam.com/) - 分析可疑的 Office 文档
|
||||
@ -168,10 +167,9 @@
|
||||
* [cuckoo-modified-api](https://github.com/brad-accuvant/cuckoo-modified) - 用于控制 cuckoo-modified 沙盒的 Python API
|
||||
* [DeepViz](https://www.deepviz.com/) - 通过机器学习分类来分析的多格式文件分析器
|
||||
* [detux](https://github.com/detuxsandbox/detux/) - 一个用于对 Linux 恶意软件流量分析与 IOC 信息捕获的沙盒
|
||||
* [Document Analyzer](https://www.document-analyzer.net/) - DOC 和 PDF 文件的免费动态分析
|
||||
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - 动态恶意软件分析系统
|
||||
* [File Analyzer](https://www.file-analyzer.net/) - 免费 PE 文件动态分析
|
||||
* [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包
|
||||
* [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包
|
||||
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - Linux平台上的自动化恶意代码分析工具.
|
||||
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - 由 VxSandbox 支持的在线恶意软件分析工具
|
||||
* [IRMA](http://irma.quarkslab.com/) - 异步、可定制的可疑文件分析平台
|
||||
* [Joe Sandbox](https://www.joesecurity.org/) - 深度恶意软件分析
|
||||
@ -189,7 +187,6 @@
|
||||
* [Recomposer](https://github.com/secretsquirrel/recomposer) - 安全上传二进制程序到沙盒网站的辅助脚本
|
||||
* [Sand droid](http://sanddroid.xjtu.edu.cn/) - 自动化、完整的 Android 应用程序分析系统
|
||||
* [SEE](https://github.com/F-Secure/see) - 在安全环境中构建测试自动化的框架
|
||||
* [URL Analyzer](https://www.url-analyzer.net/) - 对 URL 文件的动态分析
|
||||
* [VirusTotal](https://www.virustotal.com/) - 免费的在线恶意软件样本和 URL 分析
|
||||
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - 用于日志的开源可视化库和命令行工具(Cuckoo、Procmon 等)
|
||||
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Lenny Zeltser 创建的免费自动沙盒服务
|
||||
@ -206,21 +203,21 @@
|
||||
* [mailchecker](https://github.com/FGRibreau/mailchecker) - 跨语言临时邮件检测库
|
||||
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - 让 Maltego 使用 VirusTotal API,允许搜索域名、IP 地址、文件哈希、报告
|
||||
* [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单,反向查找超过 300 个 RBL。
|
||||
* [SenderBase](http://www.senderbase.org/) - 搜索 IP、域名或网络的所有者
|
||||
* [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP
|
||||
* [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单
|
||||
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - 免费的网站恶意软件与安全扫描器
|
||||
* [Talos Intelligence](https://talosintelligence.com/) - 搜索 IP、域名或网络的所有者
|
||||
* [TekDefense Automator](http://www.tekdefense.com/automater/) - 收集关于 URL、IP 和哈希值的 OSINT 工具
|
||||
* [URLQuery](http://urlquery.net/) - 免费的 URL 扫描器
|
||||
* [Whois](http://whois.domaintools.com/) - DomainTools 家免费的 whois 搜索
|
||||
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - 由 Lenny Zeltser 整理的免费在线恶意软件工具集
|
||||
* [ZScalar Zulu](http://zulu.zscaler.com/#) - Zulu URL 风险分析
|
||||
* [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL 风险分析
|
||||
|
||||
## 浏览器恶意软件
|
||||
|
||||
*分析恶意 URL,也可以参考 [domain analysis](#domain-analysis) 和 [documents and shellcode](#documents-and-shellcode) 部分*
|
||||
|
||||
* [Firebug](http://getfirebug.com/) - Firefox Web 开发扩展
|
||||
* [Firebug](https://getfirebug.com/) - Firefox Web 开发扩展
|
||||
* [Java Decompiler](http://jd.benow.ca/) - 反编译并检查 Java 的应用
|
||||
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - 解析 Java IDX 缓存文件
|
||||
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript 恶意软件分析工具
|
||||
@ -308,9 +305,9 @@
|
||||
* [pestudio](https://winitor.com/) - Windows 可执行程序的静态分析
|
||||
* [plasma](https://github.com/joelpx/plasma) - 面向 x86/ARM/MIPS 的交互式反汇编器
|
||||
* [PPEE (puppy)](https://www.mzrst.com/) - 专业的 PE 文件资源管理器
|
||||
* [Process Explorer ](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器
|
||||
* [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) - Windows 下高级程序监控工具
|
||||
* [PSTools](https://technet.microsoft.com/en-us/sysinternals/pstools.aspx) - 可以帮助管理员实时管理系统的 Windows 命令行工具
|
||||
* [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器
|
||||
* [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) - Windows 下高级程序监控工具
|
||||
* [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - 可以帮助管理员实时管理系统的 Windows 命令行工具
|
||||
* [Pyew](https://github.com/joxeankoret/pyew) - 恶意软件分析的 Python 工具
|
||||
* [Radare2](http://www.radare.org/r/) - 带有调试器支持的逆向工程框架
|
||||
* [RetDec](https://retdec.com/) - 可重定向的机器码反编译器,同时有在线反编译服务和 API
|
||||
@ -455,6 +452,7 @@
|
||||
* [Pentesting](https://github.com/enaqx/awesome-pentest)
|
||||
* [Security](https://github.com/sbilly/awesome-security)
|
||||
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
|
||||
* [YARA](https://github.com/InQuest/awesome-yara)
|
||||
|
||||
# [做出贡献](CONTRIBUTING.md)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user