rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2d63fe63cdc259a8b0049caa7dfa409165087fa3
awesome-awesomeness/terminal/malwareanalysis2
Jonas Zeunert 2d63fe63cd Restructure with Makefile + add html output
2024-04-20 19:22:54 +02:00

917 lines
96 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
 Awesome Malware Analysis !Awesome (https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg) (https://github.com/sindresorhus/awesome)
A curated list of awesome malware analysis tools and resources. Inspired by
awesome-python (https://github.com/vinta/awesome-python) and
awesome-php (https://github.com/ziadoz/awesome-php).
!Drop ICE (drop.png) (https://twitter.com/githubbers/status/1182017616740663296)
- Malware Collection (#malware-collection)
- **Anonymizers** (#anonymizers) 
- **Honeypots** (#honeypots) 
- **Malware Corpora** (#malware-corpora)
- Open Source Threat Intelligence (#open-source-threat-intelligence)
- **Tools** (#tools) 
- **Other Resources** (#other-resources)
- Detection and Classification (#detection-and-classification)
- Online Scanners and Sandboxes (#online-scanners-and-sandboxes)
- Domain Analysis (#domain-analysis)
- Browser Malware (#browser-malware)
- Documents and Shellcode (#documents-and-shellcode)
- File Carving (#file-carving)
- Deobfuscation (#deobfuscation)
- Debugging and Reverse Engineering (#debugging-and-reverse-engineering)
- Network (#network)
- Memory Forensics (#memory-forensics)
- Windows Artifacts (#windows-artifacts)
- Storage and Workflow (#storage-and-workflow)
- Miscellaneous (#miscellaneous)
- Resources (#resources)
- **Books** (#books)
- **Other** (#other)
- Related Awesome Lists (#related-awesome-lists)
- Contributing (#contributing)
- Thanks (#thanks)
View Chinese translation: 恶意软件分析大合集.md (恶意软件分析大合集.md).
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
⟡ Anonymouse.org (http://anonymouse.org/) - A free, web based anonymizer.
⟡ OpenVPN (https://openvpn.net/) - VPN software and hosting solutions.
⟡ Privoxy (http://www.privoxy.org/) - An open source proxy server with some
 privacy features.
⟡ Tor (https://www.torproject.org/) - The Onion Router, for browsing the web
 without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
⟡ Conpot (https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
⟡ Cowrie (https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
 on Kippo.
⟡ DemoHunter (https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots.
⟡ Dionaea (https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
⟡ Glastopf (https://github.com/mushorg/glastopf) - Web application honeypot.
⟡ Honeyd (http://www.honeyd.org/) - Create a virtual honeynet.
⟡ HoneyDrive (http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
⟡ Honeytrap (https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots.
⟡ MHN (https://github.com/pwnlandia/mhn) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a 
neat web interface.
⟡ Mnemosyne (https://github.com/johnnykv/mnemosyne) - A normalizer for
 honeypot data; supports Dionaea.
⟡ Thug (https://github.com/buffer/thug) - Low interaction honeyclient, for
 investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
⟡ Clean MX (http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
 database of malware and malicious domains.
⟡ Contagio (http://contagiodump.blogspot.com/) - A collection of recent
 malware samples and analyses.
⟡ Exploit Database (https://www.exploit-db.com/) - Exploit and shellcode
 samples.
⟡ Infosec - CERT-PA (https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
⟡ InQuest Labs (https://labs.inquest.net) - Evergrowing searchable corpus of malicious Microsoft documents.
⟡ Javascript Mallware Collection (https://github.com/HynekPetrak/javascript-malware-collection) - Collection of almost 40.000 javascript malware samples
⟡ Malpedia (https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing
 rapid identification and actionable context for malware investigations.
⟡ Malshare (https://malshare.com) - Large repository of malware actively
 scrapped from malicious sites.
⟡ Open Malware Project (http://openmalware.org/) - Sample information and
 downloads. Formerly Offensive Computing.
⟡ Ragpicker (https://github.com/robbyFux/Ragpicker) - Plugin based malware
 crawler with pre-analysis and reporting functionalities
⟡ theZoo (https://github.com/ytisf/theZoo) - Live malware samples for
 analysts.
⟡ Tracker h3x (http://tracker.h3x.eu/) - Agregator for malware corpus tracker
 and malicious download sites.
⟡ vduddu malware repo (https://github.com/vduddu/Malware) - Collection of
 various malware files and source code.
⟡ VirusBay (https://beta.virusbay.io/) - Community-Based malware repository and social network.
⟡ ViruSign (http://www.virussign.com/) - Malware database that detected by
 many anti malware programs except ClamAV.
⟡ VirusShare (https://virusshare.com/) - Malware repository, registration
 required.
⟡ VX Vault (http://vxvault.net) - Active collection of malware samples.
⟡ Zeltser's Sources (https://zeltser.com/malware-sample-sources/) - A list
 of malware sample sources put together by Lenny Zeltser.
⟡ Zeus Source Code (https://github.com/Visgean/Zeus) - Source for the Zeus
 trojan leaked in 2011.
⟡ VX Underground (http://vx-underground.org/) - Massive and growing collection of free malware samples.
Open Source Threat Intelligence
Tools
Harvest and analyze IOCs.
⟡ AbuseHelper (https://github.com/abusesa/abusehelper) - An open-source
 framework for receiving and redistributing abuse feeds and threat intel.
⟡ AlienVault Open Threat Exchange (https://otx.alienvault.com/) - Share and
 collaborate in developing Threat Intelligence.
⟡ Combine (https://github.com/mlsecproject/combine) - Tool to gather Threat
 Intelligence indicators from publicly available sources.
⟡ Fileintel (https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
⟡ Hostintel (https://github.com/keithjjones/hostintel) - Pull intelligence per host.
⟡ IntelMQ (https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) -
 A tool for CERTs for processing incident data using a message queue.
⟡ IOC Editor (https://www.fireeye.com/services/freeware/ioc-editor.html) -
 A free editor for XML IOC files.
⟡ iocextract (https://github.com/InQuest/python-iocextract) - Advanced Indicator
 of Compromise (IOC) extractor, Python library and command-line tool.
⟡ ioc_writer (https://github.com/mandiant/ioc_writer) - Python library for
 working with OpenIOC objects, from Mandiant.
⟡ MalPipe (https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and
 processing engine, that enriches collected data.
⟡ Massive Octo Spice (https://github.com/csirtgadgets/massive-octo-spice) -
 Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
 from various lists. Curated by the
 CSIRT Gadgets Foundation (http://csirtgadgets.org/collective-intelligence-framework).
⟡ MISP (https://github.com/MISP/MISP) - Malware Information Sharing
 Platform curated by The MISP Project (http://www.misp-project.org/).
⟡ Pulsedive (https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
⟡ PyIOCe (https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
⟡ RiskIQ (https://community.riskiq.com/) - Research, connect, tag and
 share IPs and domains. (Was PassiveTotal.)
⟡ threataggregator (https://github.com/jpsenior/threataggregator) -
 Aggregates security threats from a number of sources, including some of
 those listed below in other resources (#other-resources).
⟡ ThreatConnect (https://threatconnect.com/free/) - TC Open allows you to see and
 share open source threat data, with support and validation from our free community.
⟡ ThreatCrowd (https://www.threatcrowd.org/) - A search engine for threats,
 with graphical visualization.
⟡ ThreatIngestor (https://github.com/InQuest/ThreatIngestor/) - Build
 automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
 more.
⟡ ThreatTracker (https://github.com/michael-yip/ThreatTracker) - A Python
 script to monitor and generate alerts based on IOCs indexed by a set of
 Google Custom Search Engines.
⟡ TIQ-test (https://github.com/mlsecproject/tiq-test) - Data visualization
 and statistical analysis of Threat Intelligence feeds.
Other Resources
Threat intelligence and IOC resources.
⟡ Autoshun (https://www.autoshun.org/) (list (https://www.autoshun.org/files/shunlist.csv)) -
 Snort plugin and blocklist.
⟡ Bambenek Consulting Feeds (http://osint.bambenekconsulting.com/feeds/) -
 OSINT feeds based on malicious DGA algorithms.
⟡ Fidelis Barncat (https://www.fidelissecurity.com/resources/fidelis-barncat) -
 Extensive malware config database (must request access).
⟡ CI Army (http://cinsscore.com/) (list (http://cinsscore.com/list/ci-badguys.txt)) -
 Network security blocklists.
⟡ Critical Stack- Free Intel Market (https://intel.criticalstack.com) - Free
 intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
⟡ Cybercrime tracker (http://cybercrime-tracker.net/) - Multiple botnet active tracker.
⟡ FireEye IOCs (https://github.com/fireeye/iocs) - Indicators of Compromise
 shared publicly by FireEye.
⟡ FireHOL IP Lists (https://iplists.firehol.org/) - Analytics for 350+ IP lists
 with a focus on attacks, malware and abuse. Evolution, Changes History,
 Country Maps, Age of IPs listed, Retention Policy, Overlaps.
⟡ HoneyDB (https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation.
⟡ hpfeeds (https://github.com/rep/hpfeeds) - Honeypot feed protocol.
⟡ Infosec - CERT-PA lists (https://infosec.cert-pa.it/analyze/statistics.html) (IPs (https://infosec.cert-pa.it/analyze/listip.txt) - Domains (https://infosec.cert-pa.it/analyze/listdomains.txt) - URLs 
(https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
⟡ InQuest REPdb (https://labs.inquest.net/repdb) - Continuous aggregation of IOCs from a variety of open reputation sources.
⟡ InQuest IOCdb (https://labs.inquest.net/iocdb) - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
⟡ Internet Storm Center (DShield) (https://isc.sans.edu/) - Diary and
 searchable incident database, with a web API (https://dshield.org/api/).
 (unofficial Python library (https://github.com/rshipp/python-dshield)).
⟡ malc0de (http://malc0de.com/database/) - Searchable incident database.
⟡ Malware Domain List (http://www.malwaredomainlist.com/) - Search and share
 malicious URLs.
⟡ MetaDefender Threat Intelligence Feed (https://www.opswat.com/developers/threat-intelligence-feed) -
 List of the most looked up file hashes from MetaDefender Cloud.
⟡ OpenIOC (https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
⟡ Proofpoint Threat Intelligence (https://www.proofpoint.com/us/products/et-intelligence) -
 Rulesets and more. (Formerly Emerging Threats.)
⟡ Ransomware overview (https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
 A list of ransomware overview with details, detection and prevention.
⟡ STIX - Structured Threat Information eXpression (http://stixproject.github.io) -
 Standardized language to represent and share cyber threat information.
 Related efforts from MITRE (https://www.mitre.org/):
 - CAPEC - Common Attack Pattern Enumeration and Classification (http://capec.mitre.org/)
 - CybOX - Cyber Observables eXpression (http://cyboxproject.github.io)
 - MAEC - Malware Attribute Enumeration and Characterization (http://maec.mitre.org/)
 - TAXII - Trusted Automated eXchange of Indicator Information (http://taxiiproject.github.io)
⟡ SystemLookup (https://www.systemlookup.com/) - SystemLookup hosts a collection of lists that provide information on
 the components of legitimate and potentially unwanted programs.
⟡ ThreatMiner (https://www.threatminer.org/) - Data mining portal for threat
 intelligence, with search.
⟡ threatRECON (https://threatrecon.co/) - Search for indicators, up to 1000
 free per month.
⟡ ThreatShare (https://threatshare.io/) - C2 panel tracker
⟡ Yara rules (https://github.com/Yara-Rules/rules) - Yara rules repository.
⟡ YETI (https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
⟡ ZeuS Tracker (https://zeustracker.abuse.ch/blocklist.php) - ZeuS
 blocklists.
Detection and Classification
Antivirus and other malware identification tools
⟡ AnalyzePE (https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
 variety of tools for reporting on Windows PE files.
⟡ Assemblyline (https://cybercentrecanada.github.io/assemblyline4_docs/) - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
⟡ BinaryAlert (https://github.com/airbnb/binaryalert) - An open source, serverless
 AWS pipeline that scans and alerts on uploaded files based on a set of
 YARA rules.
⟡ capa (https://github.com/fireeye/capa) - Detects capabilities in executable files.
⟡ chkrootkit (http://www.chkrootkit.org/) - Local Linux rootkit detection.
⟡ ClamAV (http://www.clamav.net/) - Open source antivirus engine.
⟡ Detect It Easy(DiE) (https://github.com/horsicq/Detect-It-Easy) - A program for
 determining types of files.
⟡ Exeinfo PE (http://exeinfo.pe.hu/) - Packer, compressor detector, unpack
 info, internal exe tools.
⟡ ExifTool (https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
 edit file metadata.
⟡ File Scanning Framework (https://github.com/EmersonElectricCo/fsf) -
 Modular, recursive file scanning solution.
⟡ fn2yara (https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate
 Yara signatures for matching functions (code) in an executable program.
⟡ Generic File Parser (https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
⟡ hashdeep (https://github.com/jessek/hashdeep) - Compute digest hashes with
 a variety of algorithms.
⟡ HashCheck (https://github.com/gurnec/HashCheck) - Windows shell extension
 to compute hashes with a variety of algorithms.
⟡ Loki (https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
⟡ Malfunction (https://github.com/Dynetics/Malfunction) - Catalog and
 compare malware at a function level.
⟡ Manalyze (https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
executables.
⟡ MASTIFF (https://github.com/KoreLogicSecurity/mastiff) - Static analysis
 framework.
⟡ MultiScanner (https://github.com/mitre/multiscanner) - Modular file
 scanning/analysis framework
⟡ Nauz File Detector(NFD) (https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
⟡ nsrllookup (https://github.com/rjhansen/nsrllookup) - A tool for looking
 up hashes in NIST's National Software Reference Library database.
⟡ packerid (https://github.com/sooshie/packerid) - A cross-platform
 Python alternative to PEiD.
⟡ PE-bear (https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE
 files.
⟡ PEframe (https://github.com/guelfoweb/peframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
⟡ PEV (http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
 files, providing feature-rich tools for proper analysis of suspicious binaries.
⟡ PortEx (https://github.com/katjahahn/PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
⟡ Quark-Engine (https://github.com/quark-engine/quark-engine) - An Obfuscation-Neglect Android Malware Scoring System
⟡ Rootkit Hunter (http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
⟡ ssdeep (https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
⟡ totalhash.py (https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
 Python script for easy searching of the TotalHash.cymru.com (https://totalhash.cymru.com/)
 database.
⟡ TrID (http://mark0.net/soft-trid-e.html) - File identifier.
⟡ YARA (https://plusvic.github.io/yara/) - Pattern matching tool for
 analysts.
⟡ Yara rules generator (https://github.com/Neo23x0/yarGen) - Generate
 yara rules based on a set of malware samples. Also contains a good
 strings DB to avoid false positives.
⟡ Yara Finder (https://github.com/uppusaikiran/yara-finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
⟡ anlyz.io (https://sandbox.anlyz.io/) - Online sandbox.
⟡ any.run (https://app.any.run/) - Online interactive sandbox.
⟡ AndroTotal (https://andrototal.org/) - Free online analysis of APKs
 against multiple mobile antivirus apps.
⟡ BoomBox (https://github.com/nbeede/BoomBox) - Automatic deployment of Cuckoo
 Sandbox malware lab using Packer and Vagrant.
⟡ Cryptam (http://www.cryptam.com/) - Analyze suspicious office documents.
⟡ Cuckoo Sandbox (https://cuckoosandbox.org/) - Open source, self hosted
 sandbox and automated analysis system.
⟡ cuckoo-modified (https://github.com/brad-accuvant/cuckoo-modified) - Modified
 version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
 legal concerns by the author.
⟡ cuckoo-modified-api (https://github.com/keithjjones/cuckoo-modified-api) - A
 Python API used to control a cuckoo-modified sandbox.
⟡ DeepViz (https://www.deepviz.com/) - Multi-format file analyzer with
 machine-learning classification.
⟡ detux (https://github.com/detuxsandbox/detux/) - A sandbox developed to do
 traffic analysis of Linux malwares and capturing IOCs.
⟡ DRAKVUF (https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
 system.
⟡ firmware.re (http://firmware.re/) - Unpacks, scans and analyzes almost any
 firmware package.
⟡ HaboMalHunter (https://github.com/Tencent/HaboMalHunter) - An Automated Malware
 Analysis Tool for Linux ELF Files.
⟡ Hybrid Analysis (https://www.hybrid-analysis.com/) - Online malware
 analysis tool, powered by VxSandbox.
⟡ Intezer (https://analyze.intezer.com) - Detect, analyze, and categorize malware by
 identifying code reuse and code similarities.
⟡ IRMA (http://irma.quarkslab.com/) - An asynchronous and customizable
 analysis platform for suspicious files.
⟡ Joe Sandbox (https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
⟡ Jotti (https://virusscan.jotti.org/en) - Free online multi-AV scanner.
⟡ Limon (https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
⟡ Malheur (https://github.com/rieck/malheur) - Automatic sandboxed analysis
 of malware behavior.
⟡ malice.io (https://github.com/maliceio/malice) - Massively scalable malware analysis framework.
⟡ malsub (https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
 online malware and URL analysis services.
⟡ Malware config (https://malwareconfig.com/) - Extract, decode and display online
 the configuration settings from common malwares.
⟡ MalwareAnalyser.io (https://malwareanalyser.io/) - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
⟡ Malwr (https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
 instance.
⟡ MetaDefender Cloud (https://metadefender.opswat.com/ ) - Scan a file, hash, IP, URL or
 domain address for malware for free.
⟡ NetworkTotal (https://www.networktotal.com/index.html) - A service that analyzes
 pcap files and facilitates the quick detection of viruses, worms, trojans, and all
 kinds of malware using Suricata configured with EmergingThreats Pro.
⟡ Noriben (https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
 collect information about malware in a sandboxed environment.
⟡ PacketTotal (https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
⟡ PDF Examiner (http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
⟡ ProcDot (http://www.procdot.com) - A graphical malware analysis tool kit.
⟡ Recomposer (https://github.com/secretsquirrel/recomposer) - A helper
 script for safely uploading binaries to sandbox sites.
⟡ sandboxapi (https://github.com/InQuest/python-sandboxapi) - Python library for
 building integrations with several open source and commercial malware sandboxes.
⟡ SEE (https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
 is a framework for building test automation in secured Environments.
⟡ SEKOIA Dropper Analysis (https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
⟡ VirusTotal (https://www.virustotal.com/) - Free online analysis of malware
 samples and URLs
⟡ Visualize_Logs (https://github.com/keithjjones/visualize_logs) - Open source
 visualization library and command line tools for logs. (Cuckoo, Procmon, more
 to come...)
⟡ Zeltser's List (https://zeltser.com/automated-malware-analysis/) - Free
 automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
⟡ AbuseIPDB (https://www.abuseipdb.com/) - AbuseIPDB is a project dedicated
 to helping combat the spread of hackers, spammers, and abusive activity on the internet.
⟡ badips.com (https://www.badips.com/) - Community based IP blacklist service.
⟡ boomerang (https://github.com/EmersonElectricCo/boomerang) - A tool designed
 for consistent and safe capture of off network web resources.
⟡ Cymon (https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
 search.
⟡ Desenmascara.me (http://desenmascara.me) - One click tool to retrieve as
 much metadata as possible for a website and to assess its good standing.
⟡ Dig (https://networking.ringofsaturn.com/) - Free online dig and other
 network tools.
⟡ dnstwist (https://github.com/elceef/dnstwist) - Domain name permutation
 engine for detecting typo squatting, phishing and corporate espionage.
⟡ IPinfo (https://github.com/hiddenillusion/IPinfo) - Gather information
 about an IP or domain by searching online resources.
⟡ Machinae (https://github.com/hurricanelabs/machinae) - OSINT tool for
 gathering information about URLs, IPs, or hashes. Similar to Automator.
⟡ mailchecker (https://github.com/FGRibreau/mailchecker) - Cross-language
 temporary email detection library.
⟡ MaltegoVT (https://github.com/michael-yip/MaltegoVT) - Maltego transform
 for the VirusTotal API. Allows domain/IP research, and searching for file
 hashes and scan reports.
⟡ Multi rbl (http://multirbl.valli.org/) - Multiple DNS blacklist and forward
 confirmed reverse DNS lookup over more than 300 RBLs.
⟡ NormShield Services (https://services.normshield.com/) - Free API Services
 for detecting possible phishing domains, blacklisted ip addresses and breached
 accounts.
⟡ PhishStats (https://phishstats.info/) - Phishing Statistics with search for
 IP, domain and website title
⟡ Spyse (https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
⟡ SecurityTrails (https://securitytrails.com/) - Historical and current WHOIS,
 historical and current DNS records, similar domains, certificate information
 and other domain and IP related API and tools.
⟡ SpamCop (https://www.spamcop.net/bl.shtml) - IP based spam block list.
⟡ SpamHaus (https://www.spamhaus.org/lookup/) - Block list based on
 domains and IPs.
⟡ Sucuri SiteCheck (https://sitecheck.sucuri.net/) - Free Website Malware
 and Security Scanner.
⟡ Talos Intelligence (https://talosintelligence.com/) - Search for IP, domain
 or network owner. (Previously SenderBase.)
⟡ TekDefense Automater (http://www.tekdefense.com/automater/) - OSINT tool
 for gathering information about URLs, IPs, or hashes.
⟡ URLhaus (https://urlhaus.abuse.ch/) - A project from abuse.ch with the goal
 of sharing malicious URLs that are being used for malware distribution.
⟡ URLQuery (http://urlquery.net/) - Free URL Scanner.
⟡ urlscan.io (https://urlscan.io/) - Free URL Scanner & domain information.
⟡ Whois (https://whois.domaintools.com/) - DomainTools free online whois
 search.
⟡ Zeltser's List (https://zeltser.com/lookup-malicious-websites/) - Free
 online tools for researching malicious websites, compiled by Lenny Zeltser.
⟡ ZScalar Zulu (https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
Browser Malware
Analyze malicious URLs. See also the domain analysis (#domain-analysis) and
documents and shellcode (#documents-and-shellcode) sections.*
⟡ Bytecode Viewer (https://github.com/Konloch/bytecode-viewer) - Combines
 multiple Java bytecode viewers and decompilers into one tool, including
 APK/DEX support.
⟡ Firebug (https://getfirebug.com/) - Firefox extension for web development.
⟡ Java Decompiler (http://jd.benow.ca/) - Decompile and inspect Java apps.
⟡ Java IDX Parser (https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
 IDX cache files.
⟡ JSDetox (http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
 malware analysis tool.
⟡ jsunpack-n (https://github.com/urule99/jsunpack-n) - A javascript
 unpacker that emulates browser functionality.
⟡ Krakatau (https://github.com/Storyyeller/Krakatau) - Java decompiler,
 assembler, and disassembler.
⟡ Malzilla (http://malzilla.sourceforge.net/) - Analyze malicious web pages.
⟡ RABCDAsm (https://github.com/CyberShadow/RABCDAsm) - A "Robust
 ActionScript Bytecode Disassembler."
⟡ SWF Investigator (https://labs.adobe.com/technologies/swfinvestigator/) -
 Static and dynamic analysis of SWF applications.
⟡ swftools (http://www.swftools.org/) - Tools for working with Adobe Flash
 files.
⟡ xxxswf (http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
 Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware (#browser-malware) section.*
⟡ AnalyzePDF (https://github.com/hiddenillusion/AnalyzePDF) - A tool for
 analyzing PDFs and attempting to determine whether they are malicious.
⟡ box-js (https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript
 malware, featuring JScript/WScript support and ActiveX emulation.
⟡ diStorm (http://www.ragestorm.net/distorm/) - Disassembler for analyzing
 malicious shellcode.
⟡ InQuest Deep File Inspection (https://labs.inquest.net/dfi) - Upload common malware lures for Deep File Inspection and heuristical analysis.
⟡ JS Beautifier (http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
⟡ libemu (http://libemu.carnivore.it/) - Library and tools for x86 shellcode
 emulation.
⟡ malpdfobj (https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
 into a JSON representation.
⟡ OfficeMalScanner (http://www.reconstructer.org/code.html) - Scan for
 malicious traces in MS Office documents.
⟡ olevba (http://www.decalage.info/python/olevba) - A script for parsing OLE
 and OpenXML documents and extracting useful information.
⟡ Origami PDF (https://code.google.com/archive/p/origami-pdf) - A tool for
 analyzing malicious PDFs, and more.
⟡ PDF Tools (https://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
 pdf-parser, and more from Didier Stevens.
⟡ PDF X-Ray Lite (https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
 the backend-free version of PDF X-RAY.
⟡ peepdf (http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
 tool for exploring possibly malicious PDFs.
⟡ QuickSand (https://www.quicksand.io/) - QuickSand is a compact C framework
 to analyze suspected malware documents to identify exploits in streams of different
 encodings and to locate and extract embedded executables.
⟡ Spidermonkey (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
 Mozilla's JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
⟡ bulk_extractor (https://github.com/simsong/bulk_extractor) - Fast file
 carving tool.
⟡ EVTXtract (https://github.com/williballenthin/EVTXtract) - Carve Windows
 Event Log files from raw binary data.
⟡ Foremost (http://foremost.sourceforge.net/) - File carving tool designed
 by the US Air Force.
⟡ hachoir3 (https://github.com/vstinner/hachoir3) - Hachoir is a Python library
 to view and edit a binary stream field by field.
⟡ Scalpel (https://github.com/sleuthkit/scalpel) - Another data carving
 tool.
⟡ SFlock (https://github.com/jbremer/sflock) - Nested archive
 extraction/unpacking (used in Cuckoo Sandbox).
Deobfuscation
Reverse XOR and other code obfuscation methods.
⟡ Balbuzard (https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware
 analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
⟡ de4dot (https://github.com/0xd4d/de4dot) - .NET deobfuscator and
 unpacker.
⟡ ex_pe_xor (http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html)
 & iheartxor (http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) -
 Two tools from Alexander Hanel for working with single-byte XOR encoded
 files.
⟡ FLOSS (https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated
 String Solver uses advanced static analysis techniques to automatically
 deobfuscate strings from malware binaries.
⟡ NoMoreXOR (https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte
 XOR key using frequency analysis.
⟡ PackerAttacker (https://github.com/BromiumLabs/PackerAttacker) - A generic
 hidden code extractor for Windows malware.
⟡ PyInstaller Extractor (https://github.com/extremecoders-re/pyinstxtractor) -
 A Python script to extract the contents of a PyInstaller generated Windows
 executable file. The contents of the pyz file (usually pyc files) present
 inside the executable are also extracted and automatically fixed so that a
 Python bytecode decompiler will recognize it.
⟡ uncompyle6 (https://github.com/rocky/python-uncompyle6/) - A cross-version
 Python bytecode decompiler. Translates Python bytecode back into equivalent
 Python source code.
⟡ un{i}packer (https://github.com/unipacker/unipacker) - Automatic and
 platform-independent unpacker for Windows binaries based on emulation.
⟡ unpacker (https://github.com/malwaremusings/unpacker/) - Automated malware
 unpacker for Windows malware based on WinAppDbg.
⟡ unxor (https://github.com/tomchop/unxor/) - Guess XOR keys using
 known-plaintext attacks.
⟡ VirtualDeobfuscator (https://github.com/jnraber/VirtualDeobfuscator) -
 Reverse engineering tool for virtualization wrappers.
⟡ XORBruteForcer (http://eternal-todo.com/var/scripts/xorbruteforcer) -
 A Python script for brute forcing single-byte XOR keys.
⟡ XORSearch & XORStrings (https://blog.didierstevens.com/programs/xorsearch/) -
 A couple programs from Didier Stevens for finding XORed data.
⟡ xortool (https://github.com/hellman/xortool) - Guess XOR key length, as
 well as the key itself.
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
⟡ angr (https://github.com/angr/angr) - Platform-agnostic binary analysis
 framework developed at UCSB's Seclab.
⟡ bamfdetect (https://github.com/bwall/bamfdetect) - Identifies and extracts
 information from bots and other malware.
⟡ BAP (https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and
 open source (MIT) binary analysis framework developed at CMU's Cylab.
⟡ BARF (https://github.com/programa-stic/barf-project) - Multiplatform, open
 source Binary Analysis and Reverse engineering Framework.
⟡ binnavi (https://github.com/google/binnavi) - Binary analysis IDE for
 reverse engineering based on graph visualization.
⟡ Binary ninja (https://binary.ninja/) - A reversing engineering platform
 that is an alternative to IDA.
⟡ Binwalk (https://github.com/devttys0/binwalk) - Firmware analysis tool.
⟡ BluePill (https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables.
⟡ Capstone (https://github.com/aquynh/capstone) - Disassembly framework for
 binary analysis and reversing, with support for many architectures and
 bindings in several languages.
⟡ codebro (https://github.com/hugsy/codebro) - Web based code browser using
  clang to provide basic code analysis.
⟡ Cutter (https://github.com/radareorg/cutter) - GUI for Radare2.
⟡ DECAF (Dynamic Executable Code Analysis Framework) (https://github.com/sycurelab/DECAF)
 - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
⟡ dnSpy (https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
 and debugger.
⟡ dotPeek (https://www.jetbrains.com/decompiler/) - Free .NET Decompiler and
 Assembly Browser.
⟡ Evan's Debugger (EDB) (http://codef00.com/projects#debugger) - A
 modular debugger with a Qt GUI.
⟡ Fibratus (https://github.com/rabbitstack/fibratus) - Tool for exploration
 and tracing of the Windows kernel.
⟡ FPort (https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
 open TCP/IP and UDP ports in a live system and maps them to the owning application.
⟡ GDB (http://www.sourceware.org/gdb/) - The GNU debugger.
⟡ GEF (https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
 and reverse engineers.
⟡ Ghidra (https://github.com/NationalSecurityAgency/ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
⟡ hackers-grep (https://github.com/codypierce/hackers-grep) - A utility to
 search for strings in PE executables including imports, exports, and debug
 symbols.
⟡ Hopper (https://www.hopperapp.com/) - The macOS and Linux Disassembler.
⟡ IDA Pro (https://www.hex-rays.com/products/ida/index.shtml) - Windows
 disassembler and debugger, with a free evaluation version.
⟡ IDR (https://github.com/crypto2011/IDR) - Interactive Delphi Reconstructor
 is a decompiler of Delphi executable files and dynamic libraries.
⟡ Immunity Debugger (http://debugger.immunityinc.com/) - Debugger for
 malware analysis and more, with a Python API.
⟡ ILSpy (http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
⟡ Kaitai Struct (http://kaitai.io/) - DSL for file formats / network protocols /
 data structures reverse engineering and dissection, with code generation
 for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
⟡ LIEF (https://lief.quarkslab.com/) - LIEF provides a cross-platform library
 to parse, modify and abstract ELF, PE and MachO formats.
⟡ ltrace (http://ltrace.org/) - Dynamic analysis for Linux executables.
⟡ mac-a-mal (https://github.com/phdphuc/mac-a-mal) - An automated framework
 for mac malware hunting.
⟡ objdump (https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
 for static analysis of Linux binaries.
⟡ OllyDbg (http://www.ollydbg.de/) - An assembly-level debugger for Windows
 executables.
⟡ OllyDumpEx (https://low-priority.appspot.com/ollydumpex/) - Dump memory
 from (unpacked) malware Windows process and store raw or rebuild PE file.
 This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
⟡ PANDA (https://github.com/moyix/panda) - Platform for Architecture-Neutral
 Dynamic Analysis.
⟡ PEDA (https://github.com/longld/peda) - Python Exploit Development
 Assistance for GDB, an enhanced display with added commands.
⟡ pestudio (https://winitor.com/) - Perform static analysis of Windows
 executables.
⟡ Pharos (https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
 can be used to perform automated static analysis of binaries.
⟡ plasma (https://github.com/plasma-disassembler/plasma) - Interactive
 disassembler for x86/ARM/MIPS.
⟡ PPEE (puppy) (https://www.mzrst.com/) - A Professional PE file Explorer for
 reversers, malware researchers and those who want to statically inspect PE
 files in more detail.
⟡ Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
 Advanced task manager for Windows.
⟡ Process Hacker (http://processhacker.sourceforge.net/) - Tool that monitors
 system resources.
⟡ Process Monitor (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
 Advanced monitoring tool for Windows programs.
⟡ PSTools (https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
 command-line tools that help manage and investigate live systems.
⟡ Pyew (https://github.com/joxeankoret/pyew) - Python tool for malware
 analysis.
⟡ PyREBox (https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
 engineering sandbox by the Talos team at Cisco.
⟡ Qiling Framework (https://www.qiling.io/) - Cross platform emulation and sanboxing
 framework with instruments for binary analysis.
⟡ QKD (https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
 server for stealth debugging.
⟡ Radare2 (http://www.radare.org/r/) - Reverse engineering framework, with
 debugger support.
⟡ RegShot (https://sourceforge.net/projects/regshot/) - Registry compare utility
 that compares snapshots.
⟡ RetDec (https://retdec.com/) - Retargetable machine-code decompiler with an
 online decompilation service (https://retdec.com/decompilation/) and
 API (https://retdec.com/api/) that you can use in your tools.
⟡ ROPMEMU (https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
 and decompile complex code-reuse attacks.
⟡ Scylla Imports Reconstructor (https://github.com/NtQuery/Scylla) - Find and fix
 the IAT of an unpacked / dumped PE32 malware.
⟡ ScyllaHide (https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library
 and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
⟡ SMRT (https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
 plugin for Sublime 3 to aid with malware analyis.
⟡ strace (https://sourceforge.net/projects/strace/) - Dynamic analysis for
 Linux executables.
⟡ StringSifter (https://github.com/fireeye/stringsifter) - A machine learning tool
 that automatically ranks strings based on their relevance for malware analysis.
⟡ Triton (https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
⟡ Udis86 (https://github.com/vmt/udis86) - Disassembler library and tool
 for x86 and x86_64.
⟡ Vivisect (https://github.com/vivisect/vivisect) - Python tool for
 malware analysis.
⟡ WinDbg (https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device 
drivers, and the kernel-mode memory dumps.
⟡ X64dbg (https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
Network
Analyze network interactions.
⟡ Bro (https://www.bro.org) - Protocol analyzer that operates at incredible
 scale; both file and network protocols.
⟡ BroYara (https://github.com/hempnall/broyara) - Use Yara rules from Bro.
⟡ CapTipper (https://github.com/omriher/CapTipper) - Malicious HTTP traffic
 explorer.
⟡ chopshop (https://github.com/MITRECND/chopshop) - Protocol analysis and
 decoding framework.
⟡ CloudShark (https://www.cloudshark.org) - Web-based tool for packet analysis
 and malware traffic detection.
⟡ FakeNet-NG (https://github.com/fireeye/flare-fakenet-ng) - Next generation
 dynamic network analysis tool.
⟡ Fiddler (https://www.telerik.com/fiddler) - Intercepting web proxy designed
 for "web debugging."
⟡ Hale (https://github.com/pjlantz/Hale) - Botnet C&C monitor.
⟡ Haka (http://www.haka-security.org/) - An open source security oriented
 language for describing protocols and applying security policies on (live)
 captured traffic.
⟡ HTTPReplay (https://github.com/jbremer/httpreplay) - Library for parsing
 and reading out PCAP files, including TLS streams using TLS Master Secrets
 (used in Cuckoo Sandbox).
⟡ INetSim (http://www.inetsim.org/) - Network service emulation, useful when
 building a malware lab.
⟡ Laika BOSS (https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
 malware analysis and intrusion detection system.
⟡ Malcolm (https://github.com/idaholab/Malcolm) - Malcolm is a powerful, easily
 deployable network traffic analysis tool suite for full packet capture artifacts
 (PCAP files) and Zeek logs.
⟡ Malcom (https://github.com/tomchop/malcom) - Malware Communications
 Analyzer.
⟡ Maltrail (https://github.com/stamparm/maltrail) - A malicious traffic
 detection system, utilizing publicly available (black)lists containing
 malicious and/or generally suspicious trails and featuring an reporting
 and analysis interface.
⟡ mitmproxy (https://mitmproxy.org/) - Intercept network traffic on the fly.
⟡ Moloch (https://github.com/aol/moloch) - IPv4 traffic capturing, indexing
 and database system.
⟡ NetworkMiner (http://www.netresec.com/?page=NetworkMiner) - Network
 forensic analysis tool, with a free version.
⟡ ngrep (https://github.com/jpr5/ngrep) - Search through network traffic
 like grep.
⟡ PcapViz (https://github.com/mateuszk87/PcapViz) - Network topology and
 traffic visualizer.
⟡ Python ICAP Yara (https://github.com/RamadhanAmizudin/python-icap-yara) - An
 ICAP Server with yara scanner for URL or content.
⟡ Squidmagic (https://github.com/ch3k1/squidmagic) - squidmagic is a tool
 designed to analyze a web-based network traffic to detect central command
 and control (C&C) servers and malicious sites, using Squid proxy server and
 Spamhaus.
⟡ Tcpdump (http://www.tcpdump.org/) - Collect network traffic.
⟡ tcpick (http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
 from network traffic.
⟡ tcpxtract (http://tcpxtract.sourceforge.net/) - Extract files from network
 traffic.
⟡ Wireshark (https://www.wireshark.org/) - The network traffic analysis
 tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
⟡ BlackLight (https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
 forensics client supporting hiberfil, pagefile, raw memory analysis.
⟡ DAMM (https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
 Malware in Memory, built on Volatility.
⟡ evolve (https://github.com/JamesHabben/evolve) - Web interface for the
 Volatility Memory Forensics Framework.
⟡ FindAES (https://sourceforge.net/projects/findaes/) - Find AES
 encryption keys in memory.
⟡ inVtero.net (https://github.com/ShaneK2/inVtero.net) - High speed memory
 analysis framework developed in .NET supports all Windows x64, includes
 code integrity and write support.
⟡ Muninn (https://github.com/ytisf/muninn) - A script to automate portions
 of analysis using Volatility, and create a readable report.
 Orochi (https://github.com/LDO-CERT/orochi) - Orochi is an open source framework for 
 collaborative forensic memory dump analysis. 
⟡ Rekall (http://www.rekall-forensic.com/) - Memory analysis framework,
 forked from Volatility in 2013.
⟡ TotalRecall (https://github.com/sketchymoose/TotalRecall) - Script based
 on Volatility for automating various malware analysis tasks.
⟡ VolDiff (https://github.com/aim4r/VolDiff) - Run Volatility on memory
 images before and after malware execution, and report changes.
⟡ Volatility (https://github.com/volatilityfoundation/volatility) - Advanced
 memory forensics framework.
⟡ VolUtility (https://github.com/kevthehermit/VolUtility) - Web Interface for
 Volatility Memory Analysis framework.
⟡ WDBGARK (https://github.com/swwwolf/wdbgark) -
 WinDBG Anti-RootKit Extension.
⟡ WinDbg (https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
 Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts
⟡ AChoir (https://github.com/OMENScan/AChoir) - A live incident response
 script for gathering Windows artifacts.
⟡ python-evt (https://github.com/williballenthin/python-evt) - Python
 library for parsing Windows Event Logs.
⟡ python-registry (http://www.williballenthin.com/registry/) - Python
 library for parsing registry files.
⟡ RegRipper (http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/)
 (GitHub (https://github.com/keydet89/RegRipper2.8)) -
 Plugin-based registry analysis tool.
Storage and Workflow
⟡ Aleph (https://github.com/merces/aleph) - Open Source Malware Analysis
 Pipeline System.
⟡ CRITs (https://crits.github.io/) - Collaborative Research Into Threats, a
 malware and threat repository.
⟡ FAME (https://certsocietegenerale.github.io/fame/) - A malware analysis
 framework featuring a pipeline that can be extended with custom modules,
 which can be chained and interact with each other to perform end-to-end
 analysis.
⟡ Malwarehouse (https://github.com/sroberts/malwarehouse) - Store, tag, and
 search malware.
⟡ Polichombr (https://github.com/ANSSI-FR/polichombr) - A malware analysis
 platform designed to help analysts to reverse malwares collaboratively.
⟡ stoQ (http://stoq.punchcyber.com) - Distributed content analysis
 framework with extensive plugin support, from input to output, and everything
 in between.
⟡ Viper (http://viper.li/) - A binary management and analysis framework for
 analysts and researchers.
Miscellaneous
⟡ al-khaser (https://github.com/LordNoteworthy/al-khaser) - A PoC malware
 with good intentions that aimes to stress anti-malware systems.
⟡ CryptoKnight (https://github.com/AbertayMachineLearningGroup/CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.
⟡ DC3-MWCP (https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
 The Defense Cyber Crime Center's Malware Configuration Parser framework.
⟡ FLARE VM (https://github.com/fireeye/flare-vm) - A fully customizable,
 Windows-based, security distribution for malware analysis.
⟡ MalSploitBase (https://github.com/misterch0c/malSploitBase) - A database
 containing exploits used by malware.
⟡ Malware Museum (https://archive.org/details/malwaremuseum) - Collection of
 malware programs that were distributed in the 1980s and 1990s.
⟡ Malware Organiser (https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
⟡ Pafish (https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
 tool that employs several techniques to detect sandboxes and analysis
 environments in the same way as malware families do.
⟡ REMnux (https://remnux.org/) - Linux distribution and docker images for
 malware reverse engineering and analysis.
⟡ Tsurugi Linux (https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
⟡ Santoku Linux (https://santoku-linux.com/) - Linux distribution for mobile
 forensics, malware analysis, and security.
 Resources
Books
Essential malware analysis reading material.
⟡ Learning Malware Analysis
 (https://www.packtpub.com/networking-and-servers/learning-malware-analysis) - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
⟡ Malware Analyst's Cookbook and DVD (https://amzn.com/dp/0470613033) -
 Tools and Techniques for Fighting Malicious Code.
⟡ Mastering Malware Analysis
 (https://www.packtpub.com/networking-and-servers/mastering-malware-analysis) - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
⟡ Mastering Reverse Engineering (https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering) - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
⟡ Practical Malware Analysis (https://amzn.com/dp/1593272901) - The Hands-On
 Guide to Dissecting Malicious Software.
⟡ Practical Reverse Engineering (https://www.amzn.com/dp/1118787315/) -
 Intermediate Reverse Engineering.
⟡ Real Digital Forensics (https://www.amzn.com/dp/0321240693) - Computer
 Security and Incident Response.
⟡ Rootkits and Bootkits (https://www.amazon.com/dp/1593277164) - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
⟡ The Art of Memory Forensics (https://amzn.com/dp/1118825098) - Detecting
 Malware and Threats in Windows, Linux, and Mac Memory.
⟡ The IDA Pro Book (https://amzn.com/dp/1593272898) - The Unofficial Guide
 to the World's Most Popular Disassembler.
⟡ The Rootkit Arsenal (https://amzn.com/dp/144962636X) - The Rootkit Arsenal:
 Escape and Evasion in the Dark Corners of the System
Other
⟡ APT Notes (https://github.com/aptnotes/data) - A collection of papers
 and notes related to Advanced Persistent Threats.
⟡ Ember (https://github.com/endgameinc/ember) - Endgame Malware BEnchmark for Research,
 a repository that makes it easy to (re)create a machine learning model that can be used
 to predict a score for a PE file based on static analysis.
⟡ File Formats posters (https://github.com/corkami/pics) - Nice visualization
 of commonly used file format (including PE & ELF).
⟡ Honeynet Project (http://honeynet.org/) - Honeypot tools, papers, and
 other resources.
⟡ Kernel Mode (http://www.kernelmode.info/forum/) - An active community
 devoted to malware analysis and kernel development.
⟡ Malicious Software (https://zeltser.com/malicious-software/) - Malware
 blog and resources by Lenny Zeltser.
⟡ Malware Analysis Search (https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
 Custom Google search engine from Corey Harrell (journeyintoir.blogspot.com/).
⟡ Malware Analysis Tutorials (http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) -
 The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
 practical malware analysis.
⟡ Malware Analysis, Threat Intelligence and Reverse Engineering (https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) -
 Presentation introducing the concepts of malware analysis, threat intelligence
 and reverse engineering. Experience or prior knowledge is not required. Labs
 link in description.
⟡ Malware Persistence (https://github.com/Karneades/malware-persistence) - Collection
 of various information focused on malware persistence: detection (techniques),
 response, pitfalls and the log collection (tools).
⟡ Malware Samples and Traffic (http://malware-traffic-analysis.net/) - This
 blog focuses on network traffic related to malware infections.
⟡ Malware Search+++ (https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows
 you to easily search some of the most popular malware databases
⟡ Practical Malware Analysis Starter Kit (https://bluesoul.me/practical-malware-analysis-starter-kit/) -
 This package contains most of the software referenced in the Practical Malware
 Analysis book.
⟡ RPISEC Malware Analysis (https://github.com/RPISEC/Malware) - These are the
 course materials used in the Malware Analysis course at at Rensselaer Polytechnic
 Institute during Fall 2015.
⟡ WindowsIR: Malware (http://windowsir.blogspot.com/p/malware.html) - Harlan
 Carvey's page on Malware.
⟡ Windows Registry specification (https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) -
 Windows registry file format specification.
⟡ /r/csirt_tools (https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT
 tools and resources, with a
 malware analysis (https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on) flair.
⟡ /r/Malware (https://www.reddit.com/r/Malware) - The malware subreddit.
⟡ /r/ReverseEngineering (https://www.reddit.com/r/ReverseEngineering) -
 Reverse engineering subreddit, not limited to just malware.
 Related Awesome Lists
⟡ Android Security (https://github.com/ashishb/android-security-awesome)
⟡ AppSec (https://github.com/paragonie/awesome-appsec)
⟡ CTFs (https://github.com/apsdehal/awesome-ctf)
⟡ Forensics (https://github.com/Cugu/awesome-forensics)
⟡ "Hacking" (https://github.com/carpedm20/awesome-hacking)
⟡ Honeypots (https://github.com/paralax/awesome-honeypots)
⟡ Industrial Control System Security (https://github.com/hslatman/awesome-industrial-control-system-security)
⟡ Incident-Response (https://github.com/meirwah/awesome-incident-response)
⟡ Infosec (https://github.com/onlurking/awesome-infosec)
⟡ PCAP Tools (https://github.com/caesar0301/awesome-pcaptools)
⟡ Pentesting (https://github.com/enaqx/awesome-pentest)
⟡ Security (https://github.com/sbilly/awesome-security)
⟡ Threat Intelligence (https://github.com/hslatman/awesome-threat-intelligence)
⟡ YARA (https://github.com/InQuest/awesome-yara)
 Contributing (CONTRIBUTING.md)
Pull requests and issues with suggestions are welcome! Please read the
CONTRIBUTING (CONTRIBUTING.md) guidelines before submitting a PR.
 Thanks
This list was made possible by:
⟡ Lenny Zeltser and other contributors for developing REMnux, where I
 found many of the tools in this list;
⟡ Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
 writing the Malware Analyst's Cookbook, which was a big inspiration for
 creating the list;
⟡ And everyone else who has sent pull requests or suggested links to add here!
Thanks!
Reference in New Issue View Git Blame Copy Permalink