A curated list of awesome malware analysis tools and resources. Inspired by
229858β
25098π΄
awesome-python) and
31156β
5087π΄
awesome-php).
- Malware Collection
- Open Source Threat Intelligence
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
- Related Awesome Lists
- Contributing
- Thanks
View Chinese translation: ζΆζθ½―δ»Άεζ倧ει.md.
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- π OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- π Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Trap and collect your own samples.
1263β
417π΄
Conpot) - ICS/SCADA honeypot.5294β
902π΄
Cowrie) - SSH honeypot, based on Kippo.61β
12π΄
DemoHunter) - Low interaction Distributed Honeypots.721β
184π΄
Dionaea) - Honeypot designed to trap malware.567β
168π΄
Glastopf) - Web application honeypot.- Honeyd - Create a virtual honeynet.
- π HoneyDrive - Honeypot bundle Linux distro.
1231β
174π΄
Honeytrap) - Opensource system for running, monitoring and managing honeypots.2440β
631π΄
MHN) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.46β
39π΄
Mnemosyne) - A normalizer for honeypot data; supports Dionaea.1000β
203π΄
Thug) - Low interaction honeyclient, for investigating malicious websites.
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- π Exploit Database - Exploit and shellcode samples.
- π Infosec - CERT-PA - Malware samples collection and analysis.
- π InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
687β
239π΄
Javascript Mallware Collection) - Collection of almost 40.000 javascript malware samples- π Malpedia - A resource providing rapid identification and actionable context for malware investigations.
- π Malshare - Large repository of malware actively scrapped from malicious sites.
94β
25π΄
Ragpicker) - Plugin based malware crawler with pre-analysis and reporting functionalities11461β
2538π΄
theZoo) - Live malware samples for analysts.- Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
?β
?π΄
vduddu malware repo) - Collection of various malware files and source code.- π VirusBay - Community-Based malware repository and social network.
- ViruSign - Malware database that detected by many anti malware programs except ClamAV.
- π VirusShare - Malware repository, registration required.
- VX Vault - Active collection of malware samples.
- π Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
1431β
698π΄
Zeus Source Code) - Source for the Zeus trojan leaked in 2011.- VX Underground - Massive and growing collection of free malware samples.
Harvest and analyze IOCs.
122β
18π΄
AbuseHelper) - An open-source framework for receiving and redistributing abuse feeds and threat intel.- π AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
657β
171π΄
Combine) - Tool to gather Threat Intelligence indicators from publicly available sources.120β
25π΄
Fileintel) - Pull intelligence per file hash.265β
51π΄
Hostintel) - Pull intelligence per host.- π IntelMQ - A tool for CERTs for processing incident data using a message queue.
- π IOC Editor - A free editor for XML IOC files.
515β
92π΄
iocextract) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.201β
61π΄
ioc_writer) - Python library for working with OpenIOC objects, from Mandiant.105β
24π΄
MalPipe) - Malware/IOC ingestion and processing engine, that enriches collected data.228β
60π΄
Massive Octo Spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.5462β
1421π΄
MISP) - Malware Information Sharing Platform curated by The MISP Project.- π Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
18β
5π΄
PyIOCe) - A Python OpenIOC editor.- π RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
80β
27π΄
threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in other resources.- π ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
- π ThreatCrowd - A search engine for threats, with graphical visualization.
?β
?π΄
ThreatIngestor) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.67β
12π΄
ThreatTracker) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.173β
43π΄
TIQ-test) - Data visualization and statistical analysis of Threat Intelligence feeds.
Threat intelligence and IOC resources.
- π Autoshun π list) - Snort plugin and blocklist.
- Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
- π Fidelis Barncat - Extensive malware config database (must request access).
- CI Army (list) - Network security blocklists.
- π Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- Cybercrime tracker - Multiple botnet active tracker.
465β
117π΄
FireEye IOCs) - Indicators of Compromise shared publicly by FireEye.- π FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
- π HoneyDB - Community driven honeypot sensor data collection and aggregation.
214β
110π΄
hpfeeds) - Honeypot feed protocol.- π Infosec - CERT-PA lists π IPs - π Domains - π URLs) - Blocklist service.
- π InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
- π InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
- π Internet Storm Center (DShield) - Diary and
searchable incident database, with a web π API.
(
29β
13π΄
unofficial Python library)). - malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- π MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
- π OpenIOC - Framework for sharing threat intelligence.
- π Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
- π Ransomware overview - A list of ransomware overview with details, detection and prevention.
- STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from π MITRE:
- π SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
- π ThreatMiner - Data mining portal for threat intelligence, with search.
- π threatRECON - Search for indicators, up to 1000 free per month.
- π ThreatShare - C2 panel tracker
4231β
1009π΄
Yara rules) - Yara rules repository.1784β
294π΄
YETI) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.- π ZeuS Tracker - ZeuS blocklists.
Antivirus and other malware identification tools
204β
35π΄
AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files.- π Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
1416β
186π΄
BinaryAlert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.4986β
569π΄
capa) - Detects capabilities in executable files.- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
7875β
740π΄
Detect It Easy(DiE)) - A program for determining types of files.- Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
- π ExifTool - Read, write and edit file metadata.
289β
49π΄
File Scanning Framework) - Modular, recursive file scanning solution.1570β
193π΄
fn2yara) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.1β
0π΄
Generic File Parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.720β
132π΄
hashdeep) - Compute digest hashes with a variety of algorithms.1783β
197π΄
HashCheck) - Windows shell extension to compute hashes with a variety of algorithms.3436β
585π΄
Loki) - Host based scanner for IOCs.192β
35π΄
Malfunction) - Catalog and compare malware at a function level.1029β
161π΄
Manalyze) - Static analyzer for PE executables.176β
40π΄
MASTIFF) - Static analysis framework.619β
126π΄
MultiScanner) - Modular file scanning/analysis framework535β
80π΄
Nauz File Detector(NFD)) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.112β
10π΄
nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database.42β
9π΄
packerid) - A cross-platform Python alternative to PEiD.- π PE-bear - Reversing tool for PE files.
612β
138π΄
PEframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.- PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
499β
95π΄
PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.1348β
170π΄
Quark-Engine) - An Obfuscation-Neglect Android Malware Scoring System- Rootkit Hunter - Detect Linux rootkits.
- π ssdeep - Compute fuzzy hashes.
- π totalhash.py - Python script for easy searching of the π TotalHash.cymru.com database.
- TrID - File identifier.
- π YARA - Pattern matching tool for analysts.
1578β
282π΄
Yara rules generator) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.2β
0π΄
Yara Finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- π anlyz.io - Online sandbox.
- π any.run - Online interactive sandbox.
- π AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
236β
38π΄
BoomBox) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.- Cryptam - Analyze suspicious office documents.
- π Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
271β
100π΄
cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.22β
7π΄
cuckoo-modified-api) - A Python API used to control a cuckoo-modified sandbox.- π DeepViz - Multi-format file analyzer with machine-learning classification.
?β
?π΄
detux) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.1078β
256π΄
DRAKVUF) - Dynamic malware analysis system.- π filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
- firmware.re - Unpacks, scans and analyzes almost any firmware package.
735β
220π΄
HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files.- π Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
- π Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
- IRMA - An asynchronous and customizable analysis platform for suspicious files.
- π Joe Sandbox - Deep malware analysis with Joe Sandbox.
- π Jotti - Free online multi-AV scanner.
390β
115π΄
Limon) - Sandbox for Analyzing Linux Malware.369β
101π΄
Malheur) - Automatic sandboxed analysis of malware behavior.1658β
270π΄
malice.io) - Massively scalable malware analysis framework.368β
79π΄
malsub) - A Python RESTful API framework for online malware and URL analysis services.- π Malware config - Extract, decode and display online the configuration settings from common malwares.
- π MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
- π Malwr - Free analysis with an online Cuckoo Sandbox instance.
- π MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
- π NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
1137β
222π΄
Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.- π PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
- PDF Examiner - Analyse suspicious PDF files.
- ProcDot - A graphical malware analysis tool kit.
130β
39π΄
Recomposer) - A helper script for safely uploading binaries to sandbox sites.138β
40π΄
sandboxapi) - Python library for building integrations with several open source and commercial malware sandboxes.817β
104π΄
SEE) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.- π SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
- π VirusTotal - Free online analysis of malware samples and URLs
139β
30π΄
Visualize_Logs) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)- π Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Inspect domains and IP addresses.
- π AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
- π badips.com - Community based IP blacklist service.
38β
6π΄
boomerang) - A tool designed for consistent and safe capture of off network web resources.- π Cymon - Threat intelligence tracker, with IP/domain/hash search.
- Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- π Dig - Free online dig and other network tools.
4971β
776π΄
dnstwist) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.100β
24π΄
IPinfo) - Gather information about an IP or domain by searching online resources.506β
101π΄
Machinae) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.1661β
259π΄
mailchecker) - Cross-language temporary email detection library.80β
22π΄
MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.- Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
- π NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
- π PhishStats - Phishing Statistics with search for IP, domain and website title
- π Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
- π SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
- π SpamCop - IP based spam block list.
- π SpamHaus - Block list based on domains and IPs.
- π Sucuri SiteCheck - Free Website Malware and Security Scanner.
- π Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
- TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
- π URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
- URLQuery - Free URL Scanner.
- π urlscan.io - Free URL Scanner & domain information.
- π Whois - DomainTools free online whois search.
- π Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- π ZScalar Zulu - Zulu URL Risk Analyzer.
Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.
14779β
1158π΄
Bytecode Viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.- π Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
?β
?π΄
Java IDX Parser) - Parses Java IDX cache files.- JSDetox - JavaScript malware analysis tool.
163β
65π΄
jsunpack-n) - A javascript unpacker that emulates browser functionality.2008β
223π΄
Krakatau) - Java decompiler, assembler, and disassembler.- Malzilla - Analyze malicious web pages.
433β
92π΄
RABCDAsm) - A "Robust ActionScript Bytecode Disassembler."- π SWF Investigator - Static and dynamic analysis of SWF applications.
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
179β
41π΄
AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious.624β
86π΄
box-js) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.- diStorm - Disassembler for analyzing malicious shellcode.
- π InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode emulation.
53β
16π΄
malpdfobj) - Deconstruct malicious PDFs into a JSON representation.- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
- π Origami PDF - A tool for analyzing malicious PDFs, and more.
- π PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
35β
9π΄
PDF X-Ray Lite) - A PDF analysis tool, the backend-free version of PDF X-RAY.- peepdf - Python tool for exploring possibly malicious PDFs.
- π QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
- π Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
For extracting files from inside disk and memory images.
1138β
192π΄
bulk_extractor) - Fast file carving tool.193β
22π΄
EVTXtract) - Carve Windows Event Log files from raw binary data.- Foremost - File carving tool designed by the US Air Force.
625β
70π΄
hachoir3) - Hachoir is a Python library to view and edit a binary stream field by field.629β
100π΄
Scalpel) - Another data carving tool.82β
48π΄
SFlock) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).
Reverse XOR and other code obfuscation methods.
- π Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
7020β
2692π΄
de4dot) - .NET deobfuscator and unpacker.- ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
3365β
461π΄
FLOSS) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.86β
18π΄
NoMoreXOR) - Guess a 256 byte XOR key using frequency analysis.270β
72π΄
PackerAttacker) - A generic hidden code extractor for Windows malware.3077β
628π΄
PyInstaller Extractor) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.?β
?π΄
uncompyle6) - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.674β
83π΄
un{i}packer) - Automatic and platform-independent unpacker for Windows binaries based on emulation.?β
?π΄
unpacker) - Automated malware unpacker for Windows malware based on WinAppDbg.?β
?π΄
unxor) - Guess XOR keys using known-plaintext attacks.134β
24π΄
VirtualDeobfuscator) - Reverse engineering tool for virtualization wrappers.- XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
- π XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
1409β
173π΄
xortool) - Guess XOR key length, as well as the key itself.
Disassemblers, debuggers, and other static and dynamic analysis tools.
7689β
1090π΄
angr) - Platform-agnostic binary analysis framework developed at UCSB's Seclab.?β
?π΄
bamfdetect) - Identifies and extracts information from bots and other malware.2089β
274π΄
BAP) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.1412β
168π΄
BARF) - Multiplatform, open source Binary Analysis and Reverse engineering Framework.2878β
453π΄
binnavi) - Binary analysis IDE for reverse engineering based on graph visualization.- π Binary ninja - A reversing engineering platform that is an alternative to IDA.
11790β
1588π΄
Binwalk) - Firmware analysis tool.123β
22π΄
BluePill) - Framework for executing and debugging evasive malware and protected executables.7715β
1564π΄
Capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.44β
6π΄
codebro) - Web based code browser using clang to provide basic code analysis.?β
?π΄
Cutter) - GUI for Radare2.810β
168π΄
DECAF (Dynamic Executable Code Analysis Framework)) - A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.26894β
5164π΄
dnSpy) - .NET assembly editor, decompiler and debugger.- π dotPeek - Free .NET Decompiler and Assembly Browser.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
2263β
194π΄
Fibratus) - Tool for exploration and tracing of the Windows kernel.- π FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
- GDB - The GNU debugger.
7129β
746π΄
GEF) - GDB Enhanced Features, for exploiters and reverse engineers.52875β
5974π΄
Ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.169β
19π΄
hackers-grep) - A utility to search for strings in PE executables including imports, exports, and debug symbols.- π Hopper - The macOS and Linux Disassembler.
- π IDA Pro - Windows disassembler and debugger, with a free evaluation version.
981β
226π΄
IDR) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
- Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
- π LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
- ltrace - Dynamic analysis for Linux executables.
85β
24π΄
mac-a-mal) - An automated framework for mac malware hunting.- π objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- π OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
106β
42π΄
PANDA) - Platform for Architecture-Neutral Dynamic Analysis.5927β
808π΄
PEDA) - Python Exploit Development Assistance for GDB, an enhanced display with added commands.- π pestudio - Perform static analysis of Windows executables.
1570β
193π΄
Pharos) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.3048β
275π΄
plasma) - Interactive disassembler for x86/ARM/MIPS.- π PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
- π Process Explorer - Advanced task manager for Windows.
- Process Hacker - Tool that monitors system resources.
- π Process Monitor - Advanced monitoring tool for Windows programs.
- π PSTools - Windows command-line tools that help manage and investigate live systems.
387β
95π΄
Pyew) - Python tool for malware analysis.1657β
249π΄
PyREBox) - Python scriptable reverse engineering sandbox by the Talos team at Cisco.- π Qiling Framework - Cross platform emulation and sanboxing framework with instruments for binary analysis.
?β
?π΄
QKD) - QEMU with embedded WinDbg server for stealth debugging.- Radare2 - Reverse engineering framework, with debugger support.
- π RegShot - Registry compare utility that compares snapshots.
- π RetDec - Retargetable machine-code decompiler with an π online decompilation service and π API that you can use in your tools.
285β
42π΄
ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks.1136β
233π΄
Scylla Imports Reconstructor) - Find and fix the IAT of an unpacked / dumped PE32 malware.3536β
442π΄
ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.66β
15π΄
SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.- π strace - Dynamic analysis for Linux executables.
688β
125π΄
StringSifter) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.- π Triton - A dynamic binary analysis (DBA) framework.
1029β
298π΄
Udis86) - Disassembler library and tool for x86 and x86_64.946β
188π΄
Vivisect) - Python tool for malware analysis.- π WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
?β
?π΄
X64dbg) - An open-source x64/x32 debugger for windows.
Analyze network interactions.
- π Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
33β
5π΄
BroYara) - Use Yara rules from Bro.715β
159π΄
CapTipper) - Malicious HTTP traffic explorer.490β
112π΄
chopshop) - Protocol analysis and decoding framework.- π CloudShark - Web-based tool for packet analysis and malware traffic detection.
1834β
364π΄
FakeNet-NG) - Next generation dynamic network analysis tool.- π Fiddler - Intercepting web proxy designed for "web debugging."
188β
62π΄
Hale) - Botnet C&C monitor.- Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
95β
35π΄
HTTPReplay) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).- INetSim - Network service emulation, useful when building a malware lab.
743β
156π΄
Laika BOSS) - Laika BOSS is a file-centric malware analysis and intrusion detection system.372β
61π΄
Malcolm) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.1160β
216π΄
Malcom) - Malware Communications Analyzer.6686β
1107π΄
Maltrail) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.- π mitmproxy - Intercept network traffic on the fly.
6453β
1045π΄
Moloch) - IPv4 traffic capturing, indexing and database system.- NetworkMiner - Network forensic analysis tool, with a free version.
911β
102π΄
ngrep) - Search through network traffic like grep.344β
61π΄
PcapViz) - Network topology and traffic visualizer.58β
13π΄
Python ICAP Yara) - An ICAP Server with yara scanner for URL or content.78β
27π΄
Squidmagic) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.- Tcpdump - Collect network traffic.
- tcpick - Trach and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- π Wireshark - The network traffic analysis tool.
Tools for dissecting malware in memory images or running systems.
- π BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
212β
48π΄
DAMM) - Differential Analysis of Malware in Memory, built on Volatility.260β
42π΄
evolve) - Web interface for the Volatility Memory Forensics Framework.- π FindAES - Find AES encryption keys in memory.
281β
57π΄
inVtero.net) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.52β
9π΄
Muninn) - A script to automate portions of analysis using Volatility, and create a readable report.227β
19π΄
Orochi) - Orochi is an open source framework for collaborative forensic memory dump analysis.- Rekall - Memory analysis framework, forked from Volatility in 2013.
49β
9π΄
TotalRecall) - Script based on Volatility for automating various malware analysis tasks.195β
50π΄
VolDiff) - Run Volatility on memory images before and after malware execution, and report changes.7445β
1298π΄
Volatility) - Advanced memory forensics framework.381β
81π΄
VolUtility) - Web Interface for Volatility Memory Analysis framework.622β
180π΄
WDBGARK) - WinDBG Anti-RootKit Extension.- π WinDbg - Live memory inspection and kernel debugging for Windows systems.
184β
29π΄
AChoir) - A live incident response script for gathering Windows artifacts.48β
11π΄
python-evt) - Python library for parsing Windows Event Logs.- python-registry - Python library for parsing registry files.
- RegRipper
(
?β
?π΄
GitHub)) - Plugin-based registry analysis tool.
158β
55π΄
Aleph) - Open Source Malware Analysis Pipeline System.- π CRITs - Collaborative Research Into Threats, a malware and threat repository.
- π FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
134β
43π΄
Malwarehouse) - Store, tag, and search malware.376β
60π΄
Polichombr) - A malware analysis platform designed to help analysts to reverse malwares collaboratively.- stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
- Viper - A binary management and analysis framework for analysts and researchers.
6021β
1177π΄
al-khaser) - A PoC malware with good intentions that aimes to stress anti-malware systems.39β
12π΄
CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.305β
59π΄
DC3-MWCP) - The Defense Cyber Crime Center's Malware Configuration Parser framework.6755β
934π΄
FLARE VM) - A fully customizable, Windows-based, security distribution for malware analysis.538β
199π΄
MalSploitBase) - A database containing exploits used by malware.- π Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
1β
0π΄
Malware Organiser) - A simple tool to organise large malicious/benign files into a organised Structure.3476β
467π΄
Pafish) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.- π REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
- π Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
- π Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.
Essential malware analysis reading material.
- π Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
- π Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- π Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
- π Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
- π Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- π Practical Reverse Engineering - Intermediate Reverse Engineering.
- π Real Digital Forensics - Computer Security and Incident Response.
- π Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
- π The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- π The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
- π The Rootkit Arsenal - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
1669β
282π΄
APT Notes) - A collection of papers and notes related to Advanced Persistent Threats.967β
282π΄
Ember) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.10631β
746π΄
File Formats posters) - Nice visualization of commonly used file format (including PE & ELF).- Honeynet Project - Honeypot tools, papers, and other resources.
- Kernel Mode - An active community devoted to malware analysis and kernel development.
- π Malicious Software - Malware blog and resources by Lenny Zeltser.
- π Malware Analysis Search - Custom Google search engine from Corey Harrell.
- Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
- π Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
165β
15π΄
Malware Persistence) - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).- Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
- π Malware Search+++ Firefox extension allows you to easily search some of the most popular malware databases
- π Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
3793β
791π΄
RPISEC Malware Analysis) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.- WindowsIR: Malware - Harlan Carvey's page on Malware.
334β
73π΄
Windows Registry specification) - Windows registry file format specification.- π /r/csirt_tools - Subreddit for CSIRT tools and resources, with a π malware analysis flair.
- π /r/Malware - The malware subreddit.
- π /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
8316β
1460π΄
Android Security)6396β
743π΄
AppSec)9974β
1496π΄
CTFs)1243β
107π΄
Executable Packing)4063β
634π΄
Forensics)13426β
1558π΄
"Hacking")8784β
1272π΄
Honeypots)1666β
438π΄
Industrial Control System Security)7780β
1539π΄
Incident-Response)5236β
739π΄
Infosec)3158β
467π΄
PCAP Tools)22242β
4499π΄
Pentesting)12636β
1940π΄
Security)8289β
1505π΄
Threat Intelligence)3632β
498π΄
YARA)
Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
- Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
- And everyone else who has sent pull requests or suggested links to add here!
Thanks!
12140β
2583π΄
rshipp/awesome-malware-analysis)