Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web-based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
- Conpot - ICS/SCADA honeypot.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- Kippo - Medium interaction SSH honeypot.
- Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
Detection and Classification
Antivirus and other malware identification tools.
- AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
- ClamAV - Open source antivirus engine.
- ExifTool - Read, write and edit file metadata.
- hashdeep - Compute digest hashes with a variety of algorithms.
- nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
- packerid - A cross-platform Python alternative to PEiD.
- ssdeep - Compute fuzzy hashes.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- Cuckoo Sandbox - Open source, self-hosted sandbox and automated analysis system.
- Jotti - Free online multi-AV scanner.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- VirusTotal - Free online analysis of malware samples and URLs.
- Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- Dig - Free online dig and other network tools.
- IPinfo - Gather information about an IP or domain by searching online resources.
- TekDefense Automator - OSINT tool for gathering information about URLs, IPs, or hashes.
- Whois - DomainTools free online whois search.
- Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
Browser Malware
Malicious URLs. See also the domain analysis and documents and shellcode sections.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents.
- AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm - Disassembler for analyzing malicious shellcode.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n - A JavaScript unpacker that emulates browser functionality.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- officeparser - A Python script for parsing the MS Office OLE document format.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file carving tool.
- Foremost - File carving tool designed by the US Air Force.
- Hachoir - A collection of Python libraries for dealing with binary files.
- Scalpel - Another data carving tool.
Deobfuscation
Reverse XOR and other code obfuscation methods.
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- Bokken - GUI for Pyew and Radare.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- Pyew - Python tool for malware analysis.
- strace - Dynamic analysis for Linux executables.
- Radare2 - Reverse engineering framework, with debugger support.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
Network
Analyze network interactions.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- FindAES - Find AES encryption keys in memory.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall - Script based on Volatility for automating various malware analysis tasks.
- Volatility - Advanced memory forensics framework.
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
Miscellaneous
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
Resources
Books
Essential malware analysis reading material.
- Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
Other
- Honeynet Project - Honeypot tools, papers, and other resources.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
Contributing
Pull requests and issues with suggestions are welcome!