病毒分析工具大全

• Awesome Malware Analysis
  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
    • Tools
    • Other Resources
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Miscellaneous
• Resources
  • Books
  • Twitter
  • Other
• Related Awesome Lists
• Contributing
• Thanks

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

• Anonymouse.org – A free, web based anonymizer.
• OpenVPN – VPN software and hosting solutions.
• Privoxy – An open source proxy server with some privacy features.
• Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

• Conpot – ICS/SCADA honeypot.
• Cowrie – SSH honeypot, based on Kippo.
• Dionaea – Honeypot designed to trap malware.
• Glastopf – Web application honeypot.
• Honeyd – Create a virtual honeynet.
• HoneyDrive – Honeypot bundle Linux distro.
• Mnemosyne – A normalizer for honeypot data; supports Dionaea.
• Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

• Clean MX – Realtime database of malware and malicious domains.
• Contagio – A collection of recent malware samples and analyses.
• Exploit Database – Exploit and shellcode samples.
• Malshare – Large repository of malware actively scrapped from malicious sites.
• maltrieve – Retrieve malware samples directly from a number of online sources.
• MalwareDB – Malware samples repository.
• theZoo – Live malware samples for analysts.
• ViruSign – Malware database that detected by many anti malware programs except ClamAV.
• VirusShare – Malware repository, registration required.
• Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
• Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

• AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
• Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
• IntelMQ – A tool for CERTs for processing incident data using a message queue.
• IOC Editor – A free editor for XML IOC files.
• ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
• Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
• MISP – Malware Information Sharing Platform curated by The MISP Project.
• PassiveTotal – Research, connect, tag and share IPs and domains.
• PyIOCe – A Python OpenIOC editor.
• threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
• ThreatCrowd – A search engine for threats, with graphical visualization.
• ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
• TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

• Autoshun (list) – Snort plugin and blocklist.
• CI Army (list) – Network security blocklists.
• Critical Stack- Free Intel Market – Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
• CRDF ThreatCenter – List of new threats detected by CRDF anti-malware.
• FireEye IOCs – Indicators of Compromise shared publicly by FireEye.
• FireHOL IP Lists – Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
• hpfeeds – Honeypot feed protocol.
• Internet Storm Center (DShield) – Diary and searchable incident database, with a web API (unofficial Python library).
• malc0de – Searchable incident database.
• Malware Domain List – Search and share malicious URLs.
• OpenIOC – Framework for sharing threat intelligence.
• Palevo Blocklists – Botnet C&C blocklists.
• Proofpoint Threat Intelligence (formerly Emerging Threats) – Rulesets and more.
• STIX – Structured Threat Information eXpression – Standardized language to represent and share cyber threat information. Related efforts from MITRE:
  • CAPEC – Common Attack Pattern Enumeration and Classification
  • CybOX – Cyber Observables eXpression
  • MAEC – Malware Attribute Enumeration and Characterization
  • TAXII – Trusted Automated eXchange of Indicator Information
• threatRECON – Search for indicators, up to 1000 free per month.
• Yara rules – Yara rules repository.
• ZeuS Tracker – ZeuS blocklists.

Detection and Classification

Antivirus and other malware identification tools

• AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
• chkrootkit – Local Linux rootkit detection.
• ClamAV – Open source antivirus engine.
• ExifTool – Read, write and edit file metadata.
• hashdeep – Compute digest hashes with a variety of algorithms.
• Loki – Host based scanner for IOCs.
• Malfunction – Catalog and compare malware at a function level.
• MASTIFF – Static analysis framework.
• MultiScanner – Modular file scanning/analysis framework
• nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
• packerid – A cross-platform Python alternative to PEiD.
• PEiD – Packer identifier for Windows binaries.
• PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
• Rootkit Hunter – Detect Linux rootkits.
• ssdeep – Compute fuzzy hashes.
• totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
• TrID – File identifier.
• YARA – Pattern matching tool for analysts.
• Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

• AndroTotal – free online analysis of APKs against multiple mobile antivirus apps.
• Anubis – Malware Analysis for Unknown Binaries and Site Check.
• AVCaesar – Malware.lu online scanner and malware repository.
• Cryptam – Analyze suspicious office documents.
• Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
• cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
• DeepViz – Multi-format file analyzer with machine-learning classification.
• DRAKVUF – Dynamic malware analysis system.
• Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
• IRMA – An asynchronous and customizable analysis platform for suspicious files.
• Jotti – Free online multi-AV scanner.
• Malheur – Automatic sandboxed analysis of malware behavior.
• Malwr – Free analysis with an online Cuckoo Sandbox instance.
• MASTIFF Online – Online static analysis of malware.
• Metadefender.com – Scan a file, hash or IP address for malware (free)
• Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
• PDF Examiner – Analyse suspicious PDF files.
• Recomposer – A helper script for safely uploading binaries to sandbox sites.
• SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
• VirusTotal – Free online analysis of malware samples and URLs
• Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

• Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
• Dig – Free online dig and other network tools.
• dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
• IPinfo – Gather information about an IP or domain by searching online resources.
• Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
• mailchecker – Cross-language temporary email detection library.
• MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
• SenderBase – Search for IP, domain or network owner.
• SpamCop – IP based spam block list.
• SpamHaus – Block list based on domains and IPs.
• Sucuri SiteCheck – Free Website Malware and Security Scanner.
• TekDefense Automator – OSINT tool for gathering information about URLs, IPs, or hashes.
• URLQuery – Free URL Scanner.
• Whois – DomainTools free online whois search.
• Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
• ZScalar Zulu – Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

• Firebug – Firefox extension for web development.
• Java Decompiler – Decompile and inspect Java apps.
• Java IDX Parser – Parses Java IDX cache files.
• JSDetox – JavaScript malware analysis tool.
• jsunpack-n – A javascript unpacker that emulates browser functionality.
• Krakatau – Java decompiler, assembler, and disassembler.
• Malzilla – Analyze malicious web pages.
• RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
• swftools – Tools for working with Adobe Flash files.
• xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

• AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
• diStorm – Disassembler for analyzing malicious shellcode.
• JS Beautifier – JavaScript unpacking and deobfuscation.
• JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
• libemu – Library and tools for x86 shellcode emulation.
• malpdfobj – Deconstruct malicious PDFs into a JSON representation.
• OfficeMalScanner – Scan for malicious traces in MS Office documents.
• olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
• Origami PDF – A tool for analyzing malicious PDFs, and more.
• PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
• PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
• peepdf – Python tool for exploring possibly malicious PDFs.
• Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

• bulk_extractor – Fast file carving tool.
• EVTXtract – Carve Windows Event Log files from raw binary data.
• Foremost – File carving tool designed by the US Air Force.
• Hachoir – A collection of Python libraries for dealing with binary files.
• Scalpel – Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

• Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
• de4dot – .NET deobfuscator and unpacker.
• ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
• NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
• PackerAttacker – A generic hidden code extractor for Windows malware.
• unxor – Guess XOR keys using known-plaintext attacks.
• VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
• XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
• XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
• xortool – Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

• angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
• BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
• binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
• Bokken – GUI for Pyew and Radare.
• Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
• codebro – Web based code browser using clang to provide basic code analysis.
• dnSpy – .NET assembly editor, decompiler and debugger.
• Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
• GDB – The GNU debugger.
• GEF – GDB Enhanced Features, for exploiters and reverse engineers.
• hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
• IDA Pro – Windows disassembler and debugger, with a free evaluation version.
• Immunity Debugger – Debugger for malware analysis and more, with a Python API.
• ltrace – Dynamic analysis for Linux executables.
• objdump – Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg – An assembly-level debugger for Windows executables.
• PANDA – Platform for Architecture-Neutral Dynamic Analysis
• PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
• pestudio – Perform static analysis of Windows executables.
• plasma – Interactive disassembler for x86/ARM/MIPS.
• Process Monitor – Advanced monitoring tool for Windows programs.
• Pyew – Python tool for malware analysis.
• Radare2 – Reverse engineering framework, with debugger support.
• SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
• strace – Dynamic analysis for Linux executables.
• Triton – A dynamic binary analysis (DBA) framework.
• Udis86 – Disassembler library and tool for x86 and x86_64.
• Vivisect – Python tool for malware analysis.
• X64dbg – An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

• Bro – Protocol analyzer that operates at incredible scale; both file and network protocols.
• BroYara – Use Yara rules from Bro.
• CapTipper – Malicious HTTP traffic explorer.
• chopshop – Protocol analysis and decoding framework.
• Fiddler – Intercepting web proxy designed for “web debugging.”
• Hale – Botnet C&C monitor.
• Haka – Haka is an open source security oriented language which allows to describe protocols and apply security policies on (live) captured traffic.
• INetSim – Network service emulation, useful when building a malware lab.
• Laika BOSS – Laika BOSS is a file-centric malware analysis and intrusion detection system.
• Malcom – Malware Communications Analyzer.
• Maltrail – A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
• mitmproxy – Intercept network traffic on the fly.
• Moloch – IPv4 traffic capturing, indexing and database system.
• NetworkMiner – Network forensic analysis tool, with a free version.
• ngrep – Search through network traffic like grep.
• PcapViz – Network topology and traffic visualizer.
• Tcpdump – Collect network traffic.
• tcpick – Trach and reassemble TCP streams from network traffic.
• tcpxtract – Extract files from network traffic.
• Wireshark – The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

• DAMM – Differential Analysis of Malware in Memory, built on Volatility
• evolve – Web interface for the Volatility Memory Forensics Framework.
• FindAES – Find AES encryption keys in memory.
• Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
• Rekall – Memory analysis framework, forked from Volatility in 2013.
• TotalRecall – Script based on Volatility for automating various malware analysis tasks.
• VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
• Volatility – Advanced memory forensics framework.
• VolUtility – Web Interface for Volatility Memory Analysis framework.
• WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

• AChoir – A live incident response script for gathering Windows artifacts.
• python-evt – Python library for parsing Windows Event Logs.
• python-registry – Python library for parsing registry files.
• RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

• Aleph – OpenSource Malware Analysis Pipeline System.
• CRITs – Collaborative Research Into Threats, a malware and threat repository.
• Malwarehouse – Store, tag, and search malware.
• Viper – A binary management and analysis framework for analysts and researchers.

Miscellaneous

• DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
• Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
• REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
• Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

• Malware Analyst’s Cookbook and DVD – Tools and Techniques for Fighting Malicious Code.
• Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software.
• The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• The IDA Pro Book – The Unofficial Guide to the World’s Most Popular Disassembler.

https://github.com/rshipp/awesome-malware-analysis#awesome-malware-analysis