awesome-malware-analysis

A curated list of awesome malware analysis tools and resources.


Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by
awesome-python and
awesome-php.


View Chinese translation: 恶意软件分析大合集.md.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some
    privacy features.
  • Tor - The Onion Router, for browsing the web
    without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Cowrie - SSH honeypot, based
    on Kippo.
  • DemoHunter - Low interaction Distributed Honeypots.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Honeytrap - Opensource system for running, monitoring and managing honeypots.
  • MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne - A normalizer for
    honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for
    investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime
    database of malware and malicious domains.
  • Contagio - A collection of recent
    malware samples and analyses.
  • Exploit Database - Exploit and shellcode
    samples.
  • Infosec - CERT-PA - Malware samples collection and analysis.
  • InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
  • JavaScript Malware Collection - Collection of almost 40,000 JavaScript malware samples.
  • Malpedia - A resource providing
    rapid identification and actionable context for malware investigations.
  • Malshare - Large repository of malware actively
    scraped from malicious sites.
  • Open Malware Project - Sample information and
    downloads. Formerly Offensive Computing.
  • Ragpicker - Plugin based malware
    crawler with pre-analysis and reporting functionalities
  • theZoo - Live malware samples for
    analysts.
  • Tracker h3x - Aggregator for malware corpus trackers
    and malicious download sites.
  • vduddu malware repo - Collection of
    various malware files and source code.
  • VirusBay - Community-Based malware repository and social network.
  • ViruSign - Malware database of samples detected by
    many anti-malware programs except ClamAV.
  • VirusShare - Malware repository, registration
    required.
  • VX Vault - Active collection of malware samples.
  • Zeltser's Sources - A list
    of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus
    trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper - An open-source
    framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange - Share and
    collaborate in developing Threat Intelligence.
  • Combine - Tool to gather Threat
    Intelligence indicators from publicly available sources.
  • Fileintel - Pull intelligence per file hash.
  • Hostintel - Pull intelligence per host.
  • IntelMQ -
    A tool for CERTs for processing incident data using a message queue.
  • IOC Editor -
    A free editor for XML IOC files.
  • iocextract - Advanced Indicator
    of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer - Python library for
    working with OpenIOC objects, from Mandiant.
  • MalPipe - Malware/IOC ingestion and
    processing engine, that enriches collected data.
  • Massive Octo Spice -
    Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
    from various lists. Curated by the
    CSIRT Gadgets Foundation.
  • MISP - Malware Information Sharing
    Platform curated by The MISP Project.
  • Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe - A Python OpenIOC editor.
  • RiskIQ - Research, connect, tag and
    share IPs and domains. (Was PassiveTotal.)
  • threataggregator -
    Aggregates security threats from a number of sources, including some of
    those listed below in other resources.
  • ThreatConnect - TC Open allows you to see and
    share open source threat data, with support and validation from its free community.
  • ThreatCrowd - A search engine for threats,
    with graphical visualization.
  • ThreatIngestor - Build
    automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
    more.
  • ThreatTracker - A Python
    script to monitor and generate alerts based on IOCs indexed by a set of
    Google Custom Search Engines.
  • TIQ-test - Data visualization
    and statistical analysis of Threat Intelligence feeds.
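Most of the tools above start by pulling indicators out of free text, and threat reports "defang" them (hxxp, [.], [@]) so that nobody clicks them by accident. The following is an added example of that refang-then-extract step, written here for illustration; it is not code from iocextract or any other tool on this list. The report text is constructed for the demonstration (the two hashes are those of the EICAR test file, not of malware), and the regexes deliberately cover only URLs, IPv4 addresses, e-mail addresses and MD5/SHA-1/SHA-256 digests.

```python
"""Defang-aware IOC extraction, in the spirit of tools like iocextract.

Added example, not code from any tool on the list. SAMPLE_REPORT is
constructed for the demonstration.
"""
import re

# Constructed report text using the defanging conventions common in
# threat intel write-ups: hxxp, [.], (.), [@].
SAMPLE_REPORT = """
The dropper was fetched from hxxp://evil-cdn[.]example[.]com/payload.bin
and beaconed to 203(.)0(.)113(.)45 on port 8080. A second stage came from
hxxps://update[.]example[.]net:8443/a.php?id=1. Related hashes:
44d88612fea8a8f36de82e1278abb02f (MD5) and
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f (SHA-256).
Contact: phish[@]example[.]org
"""

# Each (pattern, replacement) pair undoes one defanging convention.
_REFANG = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[:\]//"), "://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[@\]|\(@\)|\[at\]", re.IGNORECASE), "@"),
]

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Hex digests; the length tells MD5, SHA-1 and SHA-256 apart.
_HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
_HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo common defanging so the extraction regexes see real indicators."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def extract_iocs(text: str) -> dict:
    """Return de-duplicated IOCs grouped by type, in order of appearance."""
    clean = refang(text)
    found = {"urls": [], "ipv4": [], "emails": [], "md5": [], "sha1": [], "sha256": []}

    def add(kind, value):
        if value not in found[kind]:
            found[kind].append(value)

    for m in _URL_RE.finditer(clean):
        add("urls", m.group(0).rstrip(".,;)"))  # drop sentence punctuation
    for m in _IPV4_RE.finditer(clean):
        add("ipv4", m.group(0))
    for m in _EMAIL_RE.finditer(clean):
        add("emails", m.group(0))
    for m in _HASH_RE.finditer(clean):
        digest = m.group(0).lower()
        add(_HASH_NAMES[len(digest)], digest)
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        for value in values:
            print(f"{kind}\t{value}")
```

Refanging before matching is the whole trick: a URL regex applied to the raw report would miss every indicator above. The trailing-punctuation strip is the usual source of false URLs in naive extractors, so it is done explicitly.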

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a
    variety of tools for reporting on Windows PE files.
  • Assemblyline - A scalable
    distributed file analysis framework.
  • BinaryAlert - An open source, serverless
    AWS pipeline that scans and alerts on uploaded files based on a set of
    YARA rules.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • Detect It Easy(DiE) - A program for
    determining types of files.
  • Exeinfo PE - Packer, compressor detector, unpack
    info, internal exe tools.
  • ExifTool - Read, write and
    edit file metadata.
  • File Scanning Framework -
    Modular, recursive file scanning solution.
  • Generic File Parser - A single library parser to extract meta information, perform static analysis and detect macros within files.
  • hashdeep - Compute digest hashes with
    a variety of algorithms.
  • HashCheck - Windows shell extension
    to compute hashes with a variety of algorithms.
  • Loki - Host based scanner for IOCs.
  • Malfunction - Catalog and
    compare malware at a function level.
  • Manalyze - Static analyzer for PE
    executables.
  • MASTIFF - Static analysis
    framework.
  • MultiScanner - Modular file
    scanning/analysis framework.
  • Nauz File Detector(NFD) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
  • nsrllookup - A tool for looking
    up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform
    Python alternative to PEiD.
  • PE-bear - Reversing tool for PE
    files.
  • PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV - A multiplatform toolkit to work with PE
    files, providing feature-rich tools for proper analysis of suspicious binaries.
  • PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  • Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py -
    Python script for easy searching of the TotalHash.cymru.com
    database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for
    analysts.
  • Yara rules generator - Generate
    yara rules based on a set of malware samples. Also contains a good
    strings DB to avoid false positives.
  • Yara Finder - A simple tool to match a file against various YARA rules to find indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • anlyz.io - Online sandbox.
  • any.run - Online interactive sandbox.
  • AndroTotal - Free online analysis of APKs
    against multiple mobile antivirus apps.
  • AVCaesar - Malware.lu online scanner and
    malware repository.
  • BoomBox - Automatic deployment of Cuckoo
    Sandbox malware lab using Packer and Vagrant.
  • Cryptam - Analyze suspicious office documents.
  • Cuckoo Sandbox - Open source, self hosted
    sandbox and automated analysis system.
  • cuckoo-modified - Modified
    version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
    legal concerns by the author.
  • cuckoo-modified-api - A
    Python API used to control a cuckoo-modified sandbox.
  • DeepViz - Multi-format file analyzer with
    machine-learning classification.
  • detux - A sandbox developed to do
    traffic analysis of Linux malware and capture IOCs.
  • DRAKVUF - Dynamic malware analysis
    system.
  • firmware.re - Unpacks, scans and analyzes almost any
    firmware package.
  • HaboMalHunter - An Automated Malware
    Analysis Tool for Linux ELF Files.
  • Hybrid Analysis - Online malware
    analysis tool, powered by VxSandbox.
  • Intezer - Detect, analyze, and categorize malware by
    identifying code reuse and code similarities.
  • IRMA - An asynchronous and customizable
    analysis platform for suspicious files.
  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • Jotti - Free online multi-AV scanner.
  • Limon - Sandbox for Analyzing Linux Malware.
  • Malheur - Automatic sandboxed analysis
    of malware behavior.
  • malice.io - Massively scalable malware analysis framework.
  • malsub - A Python RESTful API framework for
    online malware and URL analysis services.
  • Malware config - Extract, decode and display online
    the configuration settings from common malwares.
  • MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • Malwr - Free analysis with an online Cuckoo Sandbox
    instance.
  • MetaDefender Cloud - Scan a file, hash, IP, URL or
    domain address for malware for free.
  • NetworkTotal - A service that analyzes
    pcap files and facilitates the quick detection of viruses, worms, trojans, and all
    kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben - Uses Sysinternals Procmon to
    collect information about malware in a sandboxed environment.
  • PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  • Recomposer - A helper
    script for safely uploading binaries to sandbox sites.
  • sandboxapi - Python library for
    building integrations with several open source and commercial malware sandboxes.
  • SEE - Sandboxed Execution Environment (SEE)
    is a framework for building test automation in secured Environments.
  • SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
  • VirusTotal - Free online analysis of malware
    samples and URLs
  • Visualize_Logs - Open source
    visualization library and command line tools for logs. (Cuckoo, Procmon, more
    to come...)
  • Zeltser's List - Free
    automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • AbuseIPDB - AbuseIPDB is a project dedicated
    to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • badips.com - Community based IP blacklist service.
  • boomerang - A tool designed
    for consistent and safe capture of off network web resources.
  • Cymon - Threat intelligence tracker, with IP/domain/hash
    search.
  • Desenmascara.me - One click tool to retrieve as
    much metadata as possible for a website and to assess its good standing.
  • Dig - Free online dig and other
    network tools.
  • dnstwist - Domain name permutation
    engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo - Gather information
    about an IP or domain by searching online resources.
  • Machinae - OSINT tool for
    gathering information about URLs, IPs, or hashes. Similar to Automater.
  • mailchecker - Cross-language
    temporary email detection library.
  • MaltegoVT - Maltego transform
    for the VirusTotal API. Allows domain/IP research, and searching for file
    hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward
    confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services - Free API Services
    for detecting possible phishing domains, blacklisted ip addresses and breached
    accounts.
  • PhishStats - Phishing Statistics with search for
    IP, domain and website title
  • Spyse - Subdomains, WHOIS, related domains, DNS, host AS, SSL/TLS info.
  • SecurityTrails - Historical and current WHOIS,
    historical and current DNS records, similar domains, certificate information
    and other domain and IP related API and tools.
  • SpamCop - IP based spam block list.
  • SpamHaus - Block list based on
    domains and IPs.
  • Sucuri SiteCheck - Free Website Malware
    and Security Scanner.
  • Talos Intelligence - Search for IP, domain
    or network owner. (Previously SenderBase.)
  • TekDefense Automater - OSINT tool
    for gathering information about URLs, IPs, or hashes.
  • URLhaus - A project from abuse.ch with the goal
    of sharing malicious URLs that are being used for malware distribution.
  • URLQuery - Free URL Scanner.
  • urlscan.io - Free URL Scanner & domain information.
  • Whois - DomainTools free online whois
    search.
  • Zeltser's List - Free
    online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu - Zulu URL Risk Analyzer.
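dnstwist-style tools work by generating the look-alike domains an attacker would register and then resolving each one. The following is an added example of the generation half, written here for illustration and not taken from dnstwist; the permutation classes (omission, repetition, transposition, QWERTY-neighbour replacement and insertion, a small homoglyph table) are the ones such tools commonly use, and the keyboard and homoglyph tables below are deliberately partial. Only the first label is mutated, so a multi-part suffix such as co.uk is treated as the "TLD".

```python
"""Typosquat candidate generation, in the spirit of dnstwist.

Added example, not dnstwist's own code. A real run would resolve every
candidate (A/MX records) and report the ones that are live.
"""

# Neighbouring keys on a QWERTY layout, for "fat-finger" substitutions.
_QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qws", "s": "aedz",
    "d": "serfx", "f": "drgc", "g": "ftyhv", "h": "gyujb", "j": "huikn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Visually confusable ASCII replacements (a small subset of a homoglyph table).
_HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "0": ["o"],
               "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "d": ["cl"]}


def _split(domain):
    """Split 'label.suffix' into (label, suffix); only the label is mutated."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def permutations(domain):
    """Return {candidate: kind} for one-edit typos and homoglyph swaps.

    The first kind that produces a candidate wins, so the dict records how
    each look-alike was derived.
    """
    label, suffix = _split(domain)
    out = {}

    def add(kind, new_label):
        cand = f"{new_label}.{suffix}" if suffix else new_label
        if cand != domain.lower() and cand not in out:
            out[cand] = kind

    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])
        add("repetition", label[:i] + ch + label[i:])
        if i + 1 < len(label):
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in _QWERTY.get(ch, ""):
            add("replacement", label[:i] + n + label[i + 1:])
            add("insertion", label[:i] + n + label[i:])
    for src, dsts in _HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for dst in dsts:
                add("homoglyph", label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


if __name__ == "__main__":
    by_kind = {}
    for cand, kind in permutations("example.com").items():
        by_kind.setdefault(kind, []).append(cand)
    for kind, cands in by_kind.items():
        print(f"{kind:14s} {len(cands):3d}  e.g. {', '.join(cands[:4])}")
```

The output is only a candidate list; the value comes from resolving it and diffing against the legitimate domain's records, which is where the tools in this section pick up.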

Browser Malware

Analyze malicious URLs. See also the domain analysis and
documents and shellcode sections.

  • Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java
    IDX cache files.
  • JSDetox - JavaScript
    malware analysis tool.
  • jsunpack-n - A javascript
    unpacker that emulates browser functionality.
  • Krakatau - Java decompiler,
    assembler, and disassembler.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust
    ActionScript Bytecode Disassembler."
  • SWF Investigator -
    Static and dynamic analysis of SWF applications.
  • swftools - Tools for working with Adobe Flash
    files.
  • xxxswf - A
    Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware section.

  • AnalyzePDF - A tool for
    analyzing PDFs and attempting to determine whether they are malicious.
  • box-js - A tool for studying JavaScript
    malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing
    malicious shellcode.
  • InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristic analysis.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode
    emulation.
  • malpdfobj - Deconstruct malicious PDFs
    into a JSON representation.
  • OfficeMalScanner - Scan for
    malicious traces in MS Office documents.
  • olevba - A script for parsing OLE
    and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for
    analyzing malicious PDFs, and more.
  • PDF Tools - pdfid,
    pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool,
    the backend-free version of PDF X-RAY.
  • peepdf - Python
    tool for exploring possibly malicious PDFs.
  • QuickSand - QuickSand is a compact C framework
    to analyze suspected malware documents to identify exploits in streams of different
    encodings and to locate and extract embedded executables.
  • Spidermonkey -
    Mozilla's JavaScript engine, for debugging malicious JS.
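The first pass over a suspicious PDF is usually the one pdfid does: count the name objects that enable code execution or automatic actions, after undoing the #xx hex escapes that are used to hide them (/J#61vaScript is, to a PDF reader, the same name as /JavaScript). The following is an added example of that triage step, written here for illustration and not taken from pdfid or any other tool above; the PDF is a constructed stub, not a real sample.

```python
"""pdfid-style keyword triage for PDFs.

Added example, not Didier Stevens' pdfid. SAMPLE_PDF is constructed for
the demonstration and is not a working (or malicious) document.
"""
import re

# Names worth counting in triage; the same set pdfid reports on.
SUSPICIOUS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/EmbeddedFile", b"/AcroForm", b"/RichMedia", b"/XFA",
              b"/ObjStm", b"/URI", b"/SubmitForm"]

# A PDF name object: '/' then regular characters; '#xx' is a hex escape.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /#4AS 5 0 R >> endobj
5 0 obj << /Length 20 >> stream
app.alert("hello");
endstream endobj
6 0 obj << /Fields [] /XFA 7 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares equal to the plain one."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_keywords(data: bytes):
    """Return ({keyword: count}, number_of_escaped_names) for a PDF buffer."""
    counts = {k: 0 for k in SUSPICIOUS}
    escaped = 0
    for m in _NAME_RE.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw)
        if name != raw:
            escaped += 1          # someone bothered to hide this name
        if name in counts:
            counts[name] += 1
    return counts, escaped


def triage(data: bytes) -> list:
    """Short findings an analyst would want before opening the file anywhere."""
    counts, escaped = count_keywords(data)
    findings = []
    if counts[b"/JS"] or counts[b"/JavaScript"]:
        findings.append("contains JavaScript")
    if counts[b"/OpenAction"] or counts[b"/AA"]:
        findings.append("has automatic actions (runs without a click)")
    if counts[b"/Launch"]:
        findings.append("launches an external program")
    if counts[b"/EmbeddedFile"]:
        findings.append("carries an embedded file")
    if escaped:
        findings.append(f"{escaped} name(s) use #xx escapes (possible keyword hiding)")
    if not data.startswith(b"%PDF"):
        findings.append("header is not at offset 0 (readers tolerate this; scanners may not)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PDF):
        print("-", line)
```

Counting names is not parsing: a keyword inside a compressed object stream (/ObjStm) is invisible to this pass, which is why a non-zero /ObjStm count is itself a finding and why pdf-parser or peepdf come next.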

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file
    carving tool.
  • EVTXtract - Carve Windows
    Event Log files from raw binary data.
  • Foremost - File carving tool designed
    by the US Air Force.
  • hachoir3 - Hachoir is a Python library
    to view and edit a binary stream field by field.
  • Scalpel - Another data carving
    tool.
  • SFlock - Nested archive
    extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware
    analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot - .NET deobfuscator and
    unpacker.
  • ex_pe_xor
    & iheartxor -
    Two tools from Alexander Hanel for working with single-byte XOR encoded
    files.
  • FLOSS - The FireEye Labs Obfuscated
    String Solver uses advanced static analysis techniques to automatically
    deobfuscate strings from malware binaries.
  • NoMoreXOR - Guess a 256 byte
    XOR key using frequency analysis.
  • PackerAttacker - A generic
    hidden code extractor for Windows malware.
  • un{i}packer - Automatic and
    platform-independent unpacker for Windows binaries based on emulation.
  • unpacker - Automated malware
    unpacker for Windows malware based on WinAppDbg.
  • unxor - Guess XOR keys using
    known-plaintext attacks.
  • VirtualDeobfuscator -
    Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer -
    A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings -
    A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as
    well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr - Platform-agnostic binary analysis
    framework developed at UCSB's Seclab.
  • bamfdetect - Identifies and extracts
    information from bots and other malware.
  • BAP - Multiplatform and
    open source (MIT) binary analysis framework developed at CMU's Cylab.
  • BARF - Multiplatform, open
    source Binary Analysis and Reverse engineering Framework.
  • binnavi - Binary analysis IDE for
    reverse engineering based on graph visualization.
  • Binary Ninja - A reverse engineering platform
    that is an alternative to IDA.
  • Binwalk - Firmware analysis tool.
  • Capstone - Disassembly framework for
    binary analysis and reversing, with support for many architectures and
    bindings in several languages.
  • codebro - Web based code browser using
    clang to provide basic code analysis.
  • Cutter - GUI for Radare2.
  • DECAF (Dynamic Executable Code Analysis Framework)
    - A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy - .NET assembly editor, decompiler
    and debugger.
  • dotPeek - Free .NET Decompiler and
    Assembly Browser.
  • Evan's Debugger (EDB) - A
    modular debugger with a Qt GUI.
  • Fibratus - Tool for exploration
    and tracing of the Windows kernel.
  • FPort - Reports
    open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB - The GNU debugger.
  • GEF - GDB Enhanced Features, for exploiters
    and reverse engineers.
  • Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
  • hackers-grep - A utility to
    search for strings in PE executables including imports, exports, and debug
    symbols.
  • Hopper - The macOS and Linux Disassembler.
  • IDA Pro - Windows
    disassembler and debugger, with a free evaluation version.
  • IDR - Interactive Delphi Reconstructor
    is a decompiler of Delphi executable files and dynamic libraries.
  • Immunity Debugger - Debugger for
    malware analysis and more, with a Python API.
  • ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct - DSL for file formats / network protocols /
    data structures reverse engineering and dissection, with code generation
    for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF - LIEF provides a cross-platform library
    to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace - Dynamic analysis for Linux executables.
  • mac-a-mal - An automated framework
    for mac malware hunting.
  • objdump - Part of GNU binutils,
    for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows
    executables.
  • PANDA - Platform for Architecture-Neutral
    Dynamic Analysis.
  • PEDA - Python Exploit Development
    Assistance for GDB, an enhanced display with added commands.
  • pestudio - Perform static analysis of Windows
    executables.
  • Pharos - The Pharos binary analysis framework
    can be used to perform automated static analysis of binaries.
  • plasma - Interactive
    disassembler for x86/ARM/MIPS.
  • PPEE (puppy) - A Professional PE file Explorer for
    reversers, malware researchers and those who want to statically inspect PE
    files in more detail.
  • Process Explorer -
    Advanced task manager for Windows.
  • Process Hacker - Tool that monitors
    system resources.
  • Process Monitor -
    Advanced monitoring tool for Windows programs.
  • PSTools - Windows
    command-line tools that help manage and investigate live systems.
  • Pyew - Python tool for malware
    analysis.
  • PyREBox - Python scriptable reverse
    engineering sandbox by the Talos team at Cisco.
  • QKD - QEMU with embedded WinDbg
    server for stealth debugging.
  • Radare2 - Reverse engineering framework, with
    debugger support.
  • RegShot - Registry compare utility
    that compares snapshots.
  • RetDec - Retargetable machine-code decompiler with an
    online decompilation service and
    API that you can use in your tools.
  • ROPMEMU - A framework to analyze, dissect
    and decompile complex code-reuse attacks.
  • SMRT - Sublime Malware Research Tool, a
    plugin for Sublime 3 to aid with malware analysis.
  • strace - Dynamic analysis for
    Linux executables.
  • StringSifter - A machine learning tool
    that automatically ranks strings based on their relevance for malware analysis.
  • Triton - A dynamic binary analysis (DBA) framework.
  • Udis86 - Disassembler library and tool
    for x86 and x86_64.
  • Vivisect - Python tool for
    malware analysis.
  • WinDbg - Multipurpose debugger for Microsoft Windows, used to debug user-mode applications, device drivers, and kernel-mode memory dumps.
  • x64dbg - An open-source x64/x32 debugger for Windows.

Network

Analyze network interactions.

  • Bro (now Zeek) - Protocol analyzer that operates at incredible
    scale; both file and network protocols.
  • BroYara - Use Yara rules from Bro.
  • CapTipper - Malicious HTTP traffic
    explorer.
  • chopshop - Protocol analysis and
    decoding framework.
  • CloudShark - Web-based tool for packet analysis
    and malware traffic detection.
  • FakeNet-NG - Next generation
    dynamic network analysis tool.
  • Fiddler - Intercepting web proxy designed
    for "web debugging."
  • Hale - Botnet C&C monitor.
  • Haka - An open source security oriented
    language for describing protocols and applying security policies on (live)
    captured traffic.
  • HTTPReplay - Library for parsing
    and reading out PCAP files, including TLS streams using TLS Master Secrets
    (used in Cuckoo Sandbox).
  • INetSim - Network service emulation, useful when
    building a malware lab.
  • Laika BOSS - Laika BOSS is a file-centric
    malware analysis and intrusion detection system.
  • Malcolm - Malcolm is a powerful, easily
    deployable network traffic analysis tool suite for full packet capture artifacts
    (PCAP files) and Zeek logs.
  • Malcom - Malware Communications
    Analyzer.
  • Maltrail - A malicious traffic
    detection system, utilizing publicly available (black)lists containing
    malicious and/or generally suspicious trails and featuring a reporting
    and analysis interface.
  • mitmproxy - Intercept network traffic on the fly.
  • Moloch - IPv4 traffic capturing, indexing
    and database system.
  • NetworkMiner - Network
    forensic analysis tool, with a free version.
  • ngrep - Search through network traffic
    like grep.
  • PcapViz - Network topology and
    traffic visualizer.
  • Python ICAP Yara - An
    ICAP Server with yara scanner for URL or content.
  • Squidmagic - squidmagic is a tool
    designed to analyze a web-based network traffic to detect central command
    and control (C&C) servers and malicious sites, using Squid proxy server and
    Spamhaus.
  • Tcpdump - Collect network traffic.
  • tcpick - Track and reassemble TCP streams
    from network traffic.
  • tcpxtract - Extract files from network
    traffic.
  • Wireshark - The network traffic analysis
    tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight - Windows/MacOS
    forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM - Differential Analysis of
    Malware in Memory, built on Volatility.
  • evolve - Web interface for the
    Volatility Memory Forensics Framework.
  • FindAES - Find AES
    encryption keys in memory.
  • inVtero.net - High speed memory
    analysis framework developed in .NET supports all Windows x64, includes
    code integrity and write support.
  • Muninn - A script to automate portions
    of analysis using Volatility, and create a readable report.
  • Rekall - Memory analysis framework,
    forked from Volatility in 2013.
  • TotalRecall - Script based
    on Volatility for automating various malware analysis tasks.
  • VolDiff - Run Volatility on memory
    images before and after malware execution, and report changes.
  • Volatility - Advanced
    memory forensics framework.
  • VolUtility - Web Interface for
    Volatility Memory Analysis framework.
  • WDBGARK -
    WinDBG Anti-RootKit Extension.
  • WinDbg -
    Live memory inspection and kernel debugging for Windows systems.
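FindAES relies on a property of AES rather than on signatures: a key that is in use sits in RAM next to its expanded key schedule (176 bytes for AES-128), and the schedule is a deterministic function of the key. A scanner therefore slides a 16-byte window over the image, expands the candidate and checks whether the next 160 bytes match. The following is an added example of that check, written here for illustration and not taken from FindAES or Volatility; the "memory image" is constructed (random filler with the FIPS-197 Appendix A.1 key schedule planted at a chosen offset), and the S-box is generated rather than typed in so there is no table to mistype.

```python
"""Locating AES-128 keys in a memory image via their key schedule, the
technique behind FindAES.

Added example, not FindAES's own code. SAMPLE_IMAGE is constructed.
"""
import random


def _rotl8(v, s):
    return ((v << s) | (v >> (8 - s))) & 0xFF


def _make_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # q is now the multiplicative inverse of p; apply the affine map.
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns all 176 bytes."""
    w = list(key)
    rcon = 0x01
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [a ^ b for a, b in zip(w[(i - 4) * 4:(i - 3) * 4], t)]
    return bytes(w)


def _first_expanded_word(key: bytes) -> bytes:
    """Only w[4]: a 4-byte filter that rejects almost every offset cheaply."""
    t = [SBOX[b] for b in key[13:16] + key[12:13]]
    t[0] ^= 0x01
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes128_keys(image: bytes):
    """Return [(offset, key)] for every AES-128 key schedule in the image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        if image[off + 16:off + 20] != _first_expanded_word(cand):
            continue
        if expand_key_128(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


# Constructed image: deterministic random filler with the FIPS-197 A.1
# key schedule planted at KEY_OFFSET.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 777
_rng = random.Random(2024)
_filler = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_IMAGE = _filler[:KEY_OFFSET] + expand_key_128(FIPS_KEY) + _filler[KEY_OFFSET:]


if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

The same idea extends to AES-192/256 (different schedule lengths and expansion rules) and is why "find the key" often beats "find the crypto code" in memory forensics: the check has no false positives worth mentioning, and it works on a raw dump without knowing which process owned the key.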

Windows Artifacts

  • AChoir - A live incident response
    script for gathering Windows artifacts.
  • python-evt - Python
    library for parsing Windows Event Logs.
  • python-registry - Python
    library for parsing registry files.
  • RegRipper
    (GitHub) -
    Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph - Open Source Malware Analysis
    Pipeline System.
  • CRITs - Collaborative Research Into Threats, a
    malware and threat repository.
  • FAME - A malware analysis
    framework featuring a pipeline that can be extended with custom modules,
    which can be chained and interact with each other to perform end-to-end
    analysis.
  • Malwarehouse - Store, tag, and
    search malware.
  • Polichombr - A malware analysis
    platform designed to help analysts reverse malware collaboratively.
  • stoQ - Distributed content analysis
    framework with extensive plugin support, from input to output, and everything
    in between.
  • Viper - A binary management and analysis framework for
    analysts and researchers.

Miscellaneous

  • al-khaser - A PoC malware
    with good intentions that aims to stress anti-malware systems.
  • CryptoKnight - Automated cryptographic algorithm reverse engineering and classification framework.
  • DC3-MWCP -
    The Defense Cyber Crime Center's Malware Configuration Parser framework.
  • FLARE VM - A fully customizable,
    Windows-based, security distribution for malware analysis.
  • MalSploitBase - A database
    containing exploits used by malware.
  • Malware Museum - Collection of
    malware programs that were distributed in the 1980s and 1990s.
  • Malware Organiser - A simple tool to organise large sets of malicious/benign files into an organised structure.
  • Pafish - Paranoid Fish, a demonstration
    tool that employs several techniques to detect sandboxes and analysis
    environments in the same way as malware families do.
  • REMnux - Linux distribution and docker images for
    malware reverse engineering and analysis.
  • Santoku Linux - Linux distribution for mobile
    forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome! Please read the
CONTRIBUTING guidelines before submitting a PR.

Thanks

This list was made possible by:

  • Lenny Zeltser and other contributors for developing REMnux, where I
    found many of the tools in this list;
  • Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for
    writing the Malware Analyst's Cookbook, which was a big inspiration for
    creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!

Thanks!

Key metrics

Overview
Name and owner: rshipp/awesome-malware-analysis
Main programming language: none listed (language count: 0)
License: Other

Owner activity
Created: 2015-05-09 03:39:28
Last pushed: 2024-06-07 05:09:47
Releases: 0

User engagement
Stars: 12.5k
Watchers: 700
Forks: 2.6k
Commits: 686
Issues: 41 (8 open)
Pull requests: 165 (17 open, 30 closed)