Skip to content

Latest commit

 

History

History
914 lines (837 loc) · 70.4 KB

File metadata and controls

914 lines (837 loc) · 70.4 KB

Awesome Malware Analysis Awesome

A curated list of awesome malware analysis tools and resources. Inspired by 225686⭐  24929🍴 awesome-python) and  31013⭐   5075🍴 awesome-php).

Drop ICE

View Chinese translation: 恶意软件分析大合集.md.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • 🌎 OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • 🌎 Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  •   1245⭐    415🍴 Conpot) - ICS/SCADA honeypot.
  •   5224⭐    893🍴 Cowrie) - SSH honeypot, based on Kippo.
  •     60⭐     12🍴 DemoHunter) - Low interaction Distributed Honeypots.
  •    716⭐    183🍴 Dionaea) - Honeypot designed to trap malware.
  •    561⭐    169🍴 Glastopf) - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • 🌎 HoneyDrive - Honeypot bundle Linux distro.
  •   1226⭐    174🍴 Honeytrap) - Opensource system for running, monitoring and managing honeypots.
  •   2436⭐    631🍴 MHN) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  •     45⭐     39🍴 Mnemosyne) - A normalizer for honeypot data; supports Dionaea.
  •    994⭐    204🍴 Thug) - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • 🌎 Exploit Database - Exploit and shellcode samples.
  • 🌎 Infosec - CERT-PA - Malware samples collection and analysis.
  • 🌎 InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
  •    681⭐    237🍴 Javascript Mallware Collection) - Collection of almost 40.000 javascript malware samples
  • 🌎 Malpedia - A resource providing rapid identification and actionable context for malware investigations.
  • 🌎 Malshare - Large repository of malware actively scrapped from malicious sites.
  •     94⭐     25🍴 Ragpicker) - Plugin based malware crawler with pre-analysis and reporting functionalities
  •  11351⭐   2516🍴 theZoo) - Live malware samples for analysts.
  • Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
  •      ?⭐      ?🍴 vduddu malware repo) - Collection of various malware files and source code.
  • 🌎 VirusBay - Community-Based malware repository and social network.
  • ViruSign - Malware database that detected by many anti malware programs except ClamAV.
  • 🌎 VirusShare - Malware repository, registration required.
  • VX Vault - Active collection of malware samples.
  • 🌎 Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
  •   1410⭐    696🍴 Zeus Source Code) - Source for the Zeus trojan leaked in 2011.
  • VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  •    118⭐     18🍴 AbuseHelper) - An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • 🌎 AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
  •    655⭐    171🍴 Combine) - Tool to gather Threat Intelligence indicators from publicly available sources.
  •    118⭐     25🍴 Fileintel) - Pull intelligence per file hash.
  •    263⭐     51🍴 Hostintel) - Pull intelligence per host.
  • 🌎 IntelMQ - A tool for CERTs for processing incident data using a message queue.
  • 🌎 IOC Editor - A free editor for XML IOC files.
  •    507⭐     91🍴 iocextract) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
  •    200⭐     61🍴 ioc_writer) - Python library for working with OpenIOC objects, from Mandiant.
  •    103⭐     24🍴 MalPipe) - Malware/IOC ingestion and processing engine, that enriches collected data.
  •    227⭐     60🍴 Massive Octo Spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  •   5403⭐   1404🍴 MISP) - Malware Information Sharing Platform curated by The MISP Project.
  • 🌎 Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  •     17⭐      7🍴 PyIOCe) - A Python OpenIOC editor.
  • 🌎 RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  •     79⭐     27🍴 threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • 🌎 ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
  • 🌎 ThreatCrowd - A search engine for threats, with graphical visualization.
  •      ?⭐      ?🍴 ThreatIngestor) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
  •     66⭐     13🍴 ThreatTracker) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  •    172⭐     43🍴 TIQ-test) - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  •    204⭐     35🍴 AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files.
  • 🌎 Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
  •   1410⭐    187🍴 BinaryAlert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  •   4890⭐    564🍴 capa) - Detects capabilities in executable files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  •   7696⭐    736🍴 Detect It Easy(DiE)) - A program for determining types of files.
  • Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
  • 🌎 ExifTool - Read, write and edit file metadata.
  •    289⭐     49🍴 File Scanning Framework) - Modular, recursive file scanning solution.
  •   1561⭐    192🍴 fn2yara) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
  •      1⭐      0🍴 Generic File Parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
  •    709⭐    132🍴 hashdeep) - Compute digest hashes with a variety of algorithms.
  •   1765⭐    194🍴 HashCheck) - Windows shell extension to compute hashes with a variety of algorithms.
  •   3403⭐    583🍴 Loki) - Host based scanner for IOCs.
  •    191⭐     35🍴 Malfunction) - Catalog and compare malware at a function level.
  •   1019⭐    161🍴 Manalyze) - Static analyzer for PE executables.
  •    174⭐     40🍴 MASTIFF) - Static analysis framework.
  •    616⭐    125🍴 MultiScanner) - Modular file scanning/analysis framework
  •    527⭐     80🍴 Nauz File Detector(NFD)) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
  •    111⭐     10🍴 nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database.
  •     42⭐      9🍴 packerid) - A cross-platform Python alternative to PEiD.
  • 🌎 PE-bear - Reversing tool for PE files.
  •    611⭐    139🍴 PEframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  •    496⭐     95🍴 PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  •   1330⭐    170🍴 Quark-Engine) - An Obfuscation-Neglect Android Malware Scoring System
  • Rootkit Hunter - Detect Linux rootkits.
  • 🌎 ssdeep - Compute fuzzy hashes.
  • 🌎 totalhash.py - Python script for easy searching of the 🌎 TotalHash.cymru.com database.
  • TrID - File identifier.
  • 🌎 YARA - Pattern matching tool for analysts.
  •   1558⭐    281🍴 Yara rules generator) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
  •      1⭐      0🍴 Yara Finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • 🌎 anlyz.io - Online sandbox.
  • 🌎 any.run - Online interactive sandbox.
  • 🌎 AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
  •    234⭐     38🍴 BoomBox) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
  • Cryptam - Analyze suspicious office documents.
  • 🌎 Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  •    271⭐    100🍴 cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  •     21⭐      7🍴 cuckoo-modified-api) - A Python API used to control a cuckoo-modified sandbox.
  • 🌎 DeepViz - Multi-format file analyzer with machine-learning classification.
  •      ?⭐      ?🍴 detux) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  •   1066⭐    255🍴 DRAKVUF) - Dynamic malware analysis system.
  • 🌎 filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
  • firmware.re - Unpacks, scans and analyzes almost any firmware package.
  •    732⭐    220🍴 HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files.
  • 🌎 Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
  • 🌎 Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
  • IRMA - An asynchronous and customizable analysis platform for suspicious files.
  • 🌎 Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • 🌎 Jotti - Free online multi-AV scanner.
  •    389⭐    115🍴 Limon) - Sandbox for Analyzing Linux Malware.
  •    368⭐    101🍴 Malheur) - Automatic sandboxed analysis of malware behavior.
  •   1654⭐    265🍴 malice.io) - Massively scalable malware analysis framework.
  •    368⭐     80🍴 malsub) - A Python RESTful API framework for online malware and URL analysis services.
  • 🌎 Malware config - Extract, decode and display online the configuration settings from common malwares.
  • 🌎 MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • 🌎 Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • 🌎 MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
  • 🌎 NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  •   1123⭐    220🍴 Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • 🌎 PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  •    130⭐     39🍴 Recomposer) - A helper script for safely uploading binaries to sandbox sites.
  •    137⭐     40🍴 sandboxapi) - Python library for building integrations with several open source and commercial malware sandboxes.
  •    815⭐    104🍴 SEE) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • 🌎 SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
  • 🌎 VirusTotal - Free online analysis of malware samples and URLs
  •    137⭐     30🍴 Visualize_Logs) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
  • 🌎 Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • 🌎 AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • 🌎 badips.com - Community based IP blacklist service.
  •     37⭐      6🍴 boomerang) - A tool designed for consistent and safe capture of off network web resources.
  • 🌎 Cymon - Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • 🌎 Dig - Free online dig and other network tools.
  •   4924⭐    775🍴 dnstwist) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  •    100⭐     28🍴 IPinfo) - Gather information about an IP or domain by searching online resources.
  •    504⭐    101🍴 Machinae) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  •   1632⭐    257🍴 mailchecker) - Cross-language temporary email detection library.
  •     80⭐     22🍴 MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • 🌎 NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • 🌎 PhishStats - Phishing Statistics with search for IP, domain and website title
  • 🌎 Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
  • 🌎 SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
  • 🌎 SpamCop - IP based spam block list.
  • 🌎 SpamHaus - Block list based on domains and IPs.
  • 🌎 Sucuri SiteCheck - Free Website Malware and Security Scanner.
  • 🌎 Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
  • 🌎 URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
  • URLQuery - Free URL Scanner.
  • 🌎 urlscan.io - Free URL Scanner & domain information.
  • 🌎 Whois - DomainTools free online whois search.
  • 🌎 Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • 🌎 ZScalar Zulu - Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  •  14717⭐   1152🍴 Bytecode Viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
  • 🌎 Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  •      ?⭐      ?🍴 Java IDX Parser) - Parses Java IDX cache files.
  • JSDetox - JavaScript malware analysis tool.
  •    162⭐     65🍴 jsunpack-n) - A javascript unpacker that emulates browser functionality.
  •   1994⭐    222🍴 Krakatau) - Java decompiler, assembler, and disassembler.
  • Malzilla - Analyze malicious web pages.
  •    430⭐     92🍴 RABCDAsm) - A "Robust ActionScript Bytecode Disassembler."
  • 🌎 SWF Investigator - Static and dynamic analysis of SWF applications.
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  •    176⭐     41🍴 AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  •    619⭐     84🍴 box-js) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • 🌎 InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode emulation.
  •     52⭐     16🍴 malpdfobj) - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • 🌎 Origami PDF - A tool for analyzing malicious PDFs, and more.
  • 🌎 PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  •     35⭐      9🍴 PDF X-Ray Lite) - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • 🌎 QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • 🌎 Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  •   1115⭐    188🍴 bulk_extractor) - Fast file carving tool.
  •    190⭐     22🍴 EVTXtract) - Carve Windows Event Log files from raw binary data.
  • Foremost - File carving tool designed by the US Air Force.
  •    617⭐     69🍴 hachoir3) - Hachoir is a Python library to view and edit a binary stream field by field.
  •    627⭐     99🍴 Scalpel) - Another data carving tool.
  •     82⭐     46🍴 SFlock) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • 🌎 Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  •   6980⭐   2692🍴 de4dot) - .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  •   3279⭐    455🍴 FLOSS) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  •     86⭐     18🍴 NoMoreXOR) - Guess a 256 byte XOR key using frequency analysis.
  •    268⭐     72🍴 PackerAttacker) - A generic hidden code extractor for Windows malware.
  •   2990⭐    617🍴 PyInstaller Extractor) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
  •      ?⭐      ?🍴 uncompyle6) - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
  •    660⭐     83🍴 un{i}packer) - Automatic and platform-independent unpacker for Windows binaries based on emulation.
  •      ?⭐      ?🍴 unpacker) - Automated malware unpacker for Windows malware based on WinAppDbg.
  •      ?⭐      ?🍴 unxor) - Guess XOR keys using known-plaintext attacks.
  •    133⭐     24🍴 VirtualDeobfuscator) - Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • 🌎 XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  •   1400⭐    173🍴 xortool) - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  •   7608⭐   1085🍴 angr) - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
  •      ?⭐      ?🍴 bamfdetect) - Identifies and extracts information from bots and other malware.
  •   2071⭐    273🍴 BAP) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
  •   1411⭐    168🍴 BARF) - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  •   2873⭐    453🍴 binnavi) - Binary analysis IDE for reverse engineering based on graph visualization.
  • 🌎 Binary ninja - A reversing engineering platform that is an alternative to IDA.
  •  11384⭐   1566🍴 Binwalk) - Firmware analysis tool.
  •    122⭐     22🍴 BluePill) - Framework for executing and debugging evasive malware and protected executables.
  •   7623⭐   1558🍴 Capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  •     44⭐      6🍴 codebro) - Web based code browser using  clang to provide basic code analysis.
  •      ?⭐      ?🍴 Cutter) - GUI for Radare2.
  •    806⭐    168🍴 DECAF (Dynamic Executable Code Analysis Framework)) - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
  •  26697⭐   5121🍴 dnSpy) - .NET assembly editor, decompiler and debugger.
  • 🌎 dotPeek - Free .NET Decompiler and Assembly Browser.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  •   2219⭐    191🍴 Fibratus) - Tool for exploration and tracing of the Windows kernel.
  • 🌎 FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB - The GNU debugger.
  •   7024⭐    739🍴 GEF) - GDB Enhanced Features, for exploiters and reverse engineers.
  •  52096⭐   5905🍴 Ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
  •    170⭐     19🍴 hackers-grep) - A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • 🌎 Hopper - The macOS and Linux Disassembler.
  • 🌎 IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  •    969⭐    224🍴 IDR) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • 🌎 LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace - Dynamic analysis for Linux executables.
  •     82⭐     24🍴 mac-a-mal) - An automated framework for mac malware hunting.
  • 🌎 objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • 🌎 OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
  •    104⭐     42🍴 PANDA) - Platform for Architecture-Neutral Dynamic Analysis.
  •   5902⭐    806🍴 PEDA) - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • 🌎 pestudio - Perform static analysis of Windows executables.
  •   1561⭐    192🍴 Pharos) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  •   3048⭐    276🍴 plasma) - Interactive disassembler for x86/ARM/MIPS.
  • 🌎 PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • 🌎 Process Explorer - Advanced task manager for Windows.
  • Process Hacker - Tool that monitors system resources.
  • 🌎 Process Monitor - Advanced monitoring tool for Windows programs.
  • 🌎 PSTools - Windows command-line tools that help manage and investigate live systems.
  •    383⭐     95🍴 Pyew) - Python tool for malware analysis.
  •   1655⭐    249🍴 PyREBox) - Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • 🌎 Qiling Framework - Cross platform emulation and sanboxing framework with instruments for binary analysis.
  •      ?⭐      ?🍴 QKD) - QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 - Reverse engineering framework, with debugger support.
  • 🌎 RegShot - Registry compare utility that compares snapshots.
  • 🌎 RetDec - Retargetable machine-code decompiler with an 🌎 online decompilation service and 🌎 API that you can use in your tools.
  •    284⭐     42🍴 ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks.
  •   1119⭐    232🍴 Scylla Imports Reconstructor) - Find and fix the IAT of an unpacked / dumped PE32 malware.
  •   3483⭐    434🍴 ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
  •     64⭐     15🍴 SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
  • 🌎 strace - Dynamic analysis for Linux executables.
  •    684⭐    125🍴 StringSifter) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
  • 🌎 Triton - A dynamic binary analysis (DBA) framework.
  •   1021⭐    299🍴 Udis86) - Disassembler library and tool for x86 and x86_64.
  •    941⭐    187🍴 Vivisect) - Python tool for malware analysis.
  • 🌎 WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  •      ?⭐      ?🍴 X64dbg) - An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

  • 🌎 Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
  •     33⭐      5🍴 BroYara) - Use Yara rules from Bro.
  •    711⭐    159🍴 CapTipper) - Malicious HTTP traffic explorer.
  •    489⭐    112🍴 chopshop) - Protocol analysis and decoding framework.
  • 🌎 CloudShark - Web-based tool for packet analysis and malware traffic detection.
  •   1808⭐    361🍴 FakeNet-NG) - Next generation dynamic network analysis tool.
  • 🌎 Fiddler - Intercepting web proxy designed for "web debugging."
  •    187⭐     64🍴 Hale) - Botnet C&C monitor.
  • Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
  •     94⭐     35🍴 HTTPReplay) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
  • INetSim - Network service emulation, useful when building a malware lab.
  •    741⭐    156🍴 Laika BOSS) - Laika BOSS is a file-centric malware analysis and intrusion detection system.
  •    364⭐     59🍴 Malcolm) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
  •   1155⭐    215🍴 Malcom) - Malware Communications Analyzer.
  •   6580⭐   1090🍴 Maltrail) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
  • 🌎 mitmproxy - Intercept network traffic on the fly.
  •   6347⭐   1042🍴 Moloch) - IPv4 traffic capturing, indexing and database system.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  •    902⭐    101🍴 ngrep) - Search through network traffic like grep.
  •    343⭐     61🍴 PcapViz) - Network topology and traffic visualizer.
  •     57⭐     13🍴 Python ICAP Yara) - An ICAP Server with yara scanner for URL or content.
  •     78⭐     27🍴 Squidmagic) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
  • Tcpdump - Collect network traffic.
  • tcpick - Trach and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • 🌎 Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • 🌎 BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  •    210⭐     48🍴 DAMM) - Differential Analysis of Malware in Memory, built on Volatility.
  •    259⭐     42🍴 evolve) - Web interface for the Volatility Memory Forensics Framework.
  • 🌎 FindAES - Find AES encryption keys in memory.
  •    279⭐     57🍴 inVtero.net) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  •     52⭐      9🍴 Muninn) - A script to automate portions of analysis using Volatility, and create a readable report.    227⭐     19🍴 Orochi) - Orochi is an open source framework for collaborative forensic memory dump analysis.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  •     49⭐      9🍴 TotalRecall) - Script based on Volatility for automating various malware analysis tasks.
  •    193⭐     50🍴 VolDiff) - Run Volatility on memory images before and after malware execution, and report changes.
  •   7366⭐   1283🍴 Volatility) - Advanced memory forensics framework.
  •    380⭐     82🍴 VolUtility) - Web Interface for Volatility Memory Analysis framework.
  •    616⭐    178🍴 WDBGARK) - WinDBG Anti-RootKit Extension.
  • 🌎 WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  •    183⭐     29🍴 AChoir) - A live incident response script for gathering Windows artifacts.
  •     48⭐     11🍴 python-evt) - Python library for parsing Windows Event Logs.
  • python-registry - Python library for parsing registry files.
  • RegRipper (     ?⭐      ?🍴 GitHub)) - Plugin-based registry analysis tool.

Storage and Workflow

  •    158⭐     53🍴 Aleph) - Open Source Malware Analysis Pipeline System.
  • 🌎 CRITs - Collaborative Research Into Threats, a malware and threat repository.
  • 🌎 FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  •    133⭐     43🍴 Malwarehouse) - Store, tag, and search malware.
  •    375⭐     60🍴 Polichombr) - A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

  •   5940⭐   1177🍴 al-khaser) - A PoC malware with good intentions that aimes to stress anti-malware systems.
  •     38⭐     12🍴 CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.
  •    301⭐     59🍴 DC3-MWCP) - The Defense Cyber Crime Center's Malware Configuration Parser framework.
  •   6623⭐    925🍴 FLARE VM) - A fully customizable, Windows-based, security distribution for malware analysis.
  •    537⭐    197🍴 MalSploitBase) - A database containing exploits used by malware.
  • 🌎 Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
  •      1⭐      0🍴 Malware Organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
  •   3417⭐    463🍴 Pafish) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • 🌎 REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
  • 🌎 Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
  • 🌎 Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Other

  •   1661⭐    279🍴 APT Notes) - A collection of papers and notes related to Advanced Persistent Threats.
  •    949⭐    277🍴 Ember) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
  •  10551⭐    736🍴 File Formats posters) - Nice visualization of commonly used file format (including PE & ELF).
  • Honeynet Project - Honeypot tools, papers, and other resources.
  • Kernel Mode - An active community devoted to malware analysis and kernel development.
  • 🌎 Malicious Software - Malware blog and resources by Lenny Zeltser.
  • 🌎 Malware Analysis Search - Custom Google search engine from Corey Harrell.
  • Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
  • 🌎 Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
  •    165⭐     15🍴 Malware Persistence) - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
  • Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
  • 🌎 Malware Search+++ Firefox extension allows you to easily search some of the most popular malware databases
  • 🌎 Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
  •   3768⭐    786🍴 RPISEC Malware Analysis) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.
  • WindowsIR: Malware - Harlan Carvey's page on Malware.
  •    325⭐     70🍴 Windows Registry specification) - Windows registry file format specification.
  • 🌎 /r/csirt_tools - Subreddit for CSIRT tools and resources, with a 🌎 malware analysis flair.
  • 🌎 /r/Malware - The malware subreddit.
  • 🌎 /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

Related Awesome Lists

Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.

Thanks

This list was made possible by:

  • Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
  • Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!

Thanks!

Source

 12005⭐   2575🍴 rshipp/awesome-malware-analysis)