Malware Analysis Tools Collection


    Malware Collection

    Anonymizers

    Web traffic anonymizers for analysts.

    • Anonymouse.org – A free, web based anonymizer.
    • OpenVPN – VPN software and hosting solutions.
    • Privoxy – An open source proxy server with some privacy features.
    • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

    Honeypots

    Trap and collect your own samples.

    • Conpot – ICS/SCADA honeypot.
    • Cowrie – SSH honeypot, based on Kippo.
    • Dionaea – Honeypot designed to trap malware.
    • Glastopf – Web application honeypot.
    • Honeyd – Create a virtual honeynet.
    • HoneyDrive – Honeypot bundle Linux distro.
    • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
    • Thug – Low interaction honeyclient, for investigating malicious websites.

    Malware Corpora

    Malware samples collected for analysis.

    • Clean MX – Realtime database of malware and malicious domains.
    • Contagio – A collection of recent malware samples and analyses.
    • Exploit Database – Exploit and shellcode samples.
    • Malshare – Large repository of malware actively scraped from malicious sites.
    • maltrieve – Retrieve malware samples directly from a number of online sources.
    • MalwareDB – Malware samples repository.
    • theZoo – Live malware samples for analysts.
    • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
    • VirusShare – Malware repository, registration required.
    • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
    • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

    Open Source Threat Intelligence

    Tools

    Harvest and analyze IOCs.

    • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
    • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
    • IntelMQ – A tool for CERTs for processing incident data using a message queue.
    • IOC Editor – A free editor for XML IOC files.
    • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
    • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
    • MISP – Malware Information Sharing Platform curated by The MISP Project.
    • PassiveTotal – Research, connect, tag and share IPs and domains.
    • PyIOCe – A Python OpenIOC editor.
    • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
    • ThreatCrowd – A search engine for threats, with graphical visualization.
    • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
    • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

    Other Resources

    Threat intelligence and IOC resources.

    Detection and Classification

    Antivirus and other malware identification tools.

    • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
    • chkrootkit – Local Linux rootkit detection.
    • ClamAV – Open source antivirus engine.
    • ExifTool – Read, write and edit file metadata.
    • hashdeep – Compute digest hashes with a variety of algorithms.
    • Loki – Host based scanner for IOCs.
    • Malfunction – Catalog and compare malware at a function level.
    • MASTIFF – Static analysis framework.
    • MultiScanner – Modular file scanning/analysis framework.
    • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
    • packerid – A cross-platform Python alternative to PEiD.
    • PEiD – Packer identifier for Windows binaries.
    • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
    • Rootkit Hunter – Detect Linux rootkits.
    • ssdeep – Compute fuzzy hashes.
    • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
    • TrID – File identifier.
    • YARA – Pattern matching tool for analysts.
    • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

    Online Scanners and Sandboxes

    Web-based multi-AV scanners, and malware sandboxes for automated analysis.

    • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
    • Anubis – Malware Analysis for Unknown Binaries and Site Check.
    • AVCaesar – Malware.lu online scanner and malware repository.
    • Cryptam – Analyze suspicious office documents.
    • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
    • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
    • DeepViz – Multi-format file analyzer with machine-learning classification.
    • DRAKVUF – Dynamic malware analysis system.
    • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
    • IRMA – An asynchronous and customizable analysis platform for suspicious files.
    • Jotti – Free online multi-AV scanner.
    • Malheur – Automatic sandboxed analysis of malware behavior.
    • Malwr – Free analysis with an online Cuckoo Sandbox instance.
    • MASTIFF Online – Online static analysis of malware.
    • Metadefender.com – Scan a file, hash or IP address for malware (free).
    • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
    • PDF Examiner – Analyse suspicious PDF files.
    • Recomposer – A helper script for safely uploading binaries to sandbox sites.
    • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
    • VirusTotal – Free online analysis of malware samples and URLs.
    • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

    Domain Analysis

    Inspect domains and IP addresses.

    • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
    • Dig – Free online dig and other network tools.
    • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
    • IPinfo – Gather information about an IP or domain by searching online resources.
    • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
    • mailchecker – Cross-language temporary email detection library.
    • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
    • SenderBase – Search for IP, domain or network owner.
    • SpamCop – IP based spam block list.
    • SpamHaus – Block list based on domains and IPs.
    • Sucuri SiteCheck – Free Website Malware and Security Scanner.
    • TekDefense Automator – OSINT tool for gathering information about URLs, IPs, or hashes.
    • URLQuery – Free URL Scanner.
    • Whois – DomainTools free online whois search.
    • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
    • ZScalar Zulu – Zulu URL Risk Analyzer.

    Browser Malware

    Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

    • Firebug – Firefox extension for web development.
    • Java Decompiler – Decompile and inspect Java apps.
    • Java IDX Parser – Parses Java IDX cache files.
    • JSDetox – JavaScript malware analysis tool.
    • jsunpack-n – A JavaScript unpacker that emulates browser functionality.
    • Krakatau – Java decompiler, assembler, and disassembler.
    • Malzilla – Analyze malicious web pages.
    • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
    • swftools – Tools for working with Adobe Flash files.
    • xxxswf – A Python script for analyzing Flash files.

    Documents and Shellcode

    Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

    • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
    • diStorm – Disassembler for analyzing malicious shellcode.
    • JS Beautifier – JavaScript unpacking and deobfuscation.
    • JS Deobfuscator – Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
    • libemu – Library and tools for x86 shellcode emulation.
    • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
    • OfficeMalScanner – Scan for malicious traces in MS Office documents.
    • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
    • Origami PDF – A tool for analyzing malicious PDFs, and more.
    • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
    • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
    • peepdf – Python tool for exploring possibly malicious PDFs.
    • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

    File Carving

    For extracting files from inside disk and memory images.

    • bulk_extractor – Fast file carving tool.
    • EVTXtract – Carve Windows Event Log files from raw binary data.
    • Foremost – File carving tool designed by the US Air Force.
    • Hachoir – A collection of Python libraries for dealing with binary files.
    • Scalpel – Another data carving tool.

    Deobfuscation

    Reverse XOR and other code obfuscation methods.

    • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc.) and more.
    • de4dot – .NET deobfuscator and unpacker.
    • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
    • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
    • PackerAttacker – A generic hidden code extractor for Windows malware.
    • unxor – Guess XOR keys using known-plaintext attacks.
    • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
    • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
    • XORSearch & XORStrings – A couple of programs from Didier Stevens for finding XORed data.
    • xortool – Guess XOR key length, as well as the key itself.

    Debugging and Reverse Engineering

    Disassemblers, debuggers, and other static and dynamic analysis tools.

    • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
    • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
    • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
    • Bokken – GUI for Pyew and Radare.
    • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
    • codebro – Web based code browser using clang to provide basic code analysis.
    • dnSpy – .NET assembly editor, decompiler and debugger.
    • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
    • GDB – The GNU debugger.
    • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
    • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
    • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
    • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
    • ltrace – Dynamic analysis for Linux executables.
    • objdump – Part of GNU binutils, for static analysis of Linux binaries.
    • OllyDbg – An assembly-level debugger for Windows executables.
    • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
    • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
    • pestudio – Perform static analysis of Windows executables.
    • plasma – Interactive disassembler for x86/ARM/MIPS.
    • Process Monitor – Advanced monitoring tool for Windows programs.
    • Pyew – Python tool for malware analysis.
    • Radare2 – Reverse engineering framework, with debugger support.
    • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
    • strace – Dynamic analysis for Linux executables.
    • Triton – A dynamic binary analysis (DBA) framework.
    • Udis86 – Disassembler library and tool for x86 and x86_64.
    • Vivisect – Python tool for malware analysis.
    • X64dbg – An open-source x64/x32 debugger for Windows.

    Network

    Analyze network interactions.

    • Bro – Protocol analyzer that operates at incredible scale; covers both file and network protocols.
    • BroYara – Use Yara rules from Bro.
    • CapTipper – Malicious HTTP traffic explorer.
    • chopshop – Protocol analysis and decoding framework.
    • Fiddler – Intercepting web proxy designed for “web debugging.”
    • Hale – Botnet C&C monitor.
    • Haka – An open source security-oriented language for describing protocols and applying security policies to (live) captured traffic.
    • INetSim – Network service emulation, useful when building a malware lab.
    • Laika BOSS – A file-centric malware analysis and intrusion detection system.
    • Malcom – Malware Communications Analyzer.
    • Maltrail – A malicious traffic detection system that uses publicly available (black)lists of malicious and/or generally suspicious trails, with a reporting and analysis interface.
    • mitmproxy – Intercept network traffic on the fly.
    • Moloch – IPv4 traffic capturing, indexing and database system.
    • NetworkMiner – Network forensic analysis tool, with a free version.
    • ngrep – Search through network traffic like grep.
    • PcapViz – Network topology and traffic visualizer.
    • Tcpdump – Collect network traffic.
    • tcpick – Track and reassemble TCP streams from network traffic.
    • tcpxtract – Extract files from network traffic.
    • Wireshark – The network traffic analysis tool.

    Memory Forensics

    Tools for dissecting malware in memory images or running systems.

    • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
    • evolve – Web interface for the Volatility Memory Forensics Framework.
    • FindAES – Find AES encryption keys in memory.
    • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
    • Rekall – Memory analysis framework, forked from Volatility in 2013.
    • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
    • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
    • Volatility – Advanced memory forensics framework.
    • VolUtility – Web Interface for Volatility Memory Analysis framework.
    • WinDbg – Live memory inspection and kernel debugging for Windows systems.

    Windows Artifacts

    • AChoir – A live incident response script for gathering Windows artifacts.
    • python-evt – Python library for parsing Windows Event Logs.
    • python-registry – Python library for parsing registry files.
    • RegRipper (GitHub) – Plugin-based registry analysis tool.

    Storage and Workflow

    • Aleph – OpenSource Malware Analysis Pipeline System.
    • CRITs – Collaborative Research Into Threats, a malware and threat repository.
    • Malwarehouse – Store, tag, and search malware.
    • Viper – A binary management and analysis framework for analysts and researchers.

    Miscellaneous

    • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
    • Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
    • REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
    • Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.

    Resources

    Books

    Essential malware analysis reading material.

    https://github.com/rshipp/awesome-malware-analysis#awesome-malware-analysis

    Posted by Tony @ 6:34 am
