awesome-malware-analysis
Malware toolkit
A curated collection of malware analysis tools and resources.
Defund the Police.
Awesome Malware Analysis / Malware Collection / Anonymizers | |||
Anonymouse.org | A free, web based anonymizer | ||
OpenVPN | VPN software and hosting solutions | ||
Privoxy | An open source proxy server with some privacy features | ||
Tor | The Onion Router, for browsing the web without leaving traces of the client IP | ||
Awesome Malware Analysis / Malware Collection / Honeypots | |||
Conpot | 1,243 | 9 months ago | ICS/SCADA honeypot |
Cowrie | 5,204 | 4 days ago | SSH honeypot, based on Kippo |
DemoHunter | 60 | over 6 years ago | Low interaction Distributed Honeypots |
Dionaea | 713 | 4 months ago | Honeypot designed to trap malware |
Glastopf | 561 | 4 months ago | Web application honeypot |
Honeyd | Create a virtual honeynet | ||
HoneyDrive | Honeypot bundle Linux distro | ||
Honeytrap | 1,226 | about 1 year ago | Opensource system for running, monitoring and managing honeypots |
MHN | 2,436 | 6 months ago | MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface |
Mnemosyne | 45 | over 9 years ago | A normalizer for honeypot data; supports Dionaea |
Thug | 994 | 13 days ago | Low interaction honeyclient, for investigating malicious websites |
Awesome Malware Analysis / Malware Collection / Malware Corpora | |||
Clean MX | Realtime database of malware and malicious domains | ||
Contagio | A collection of recent malware samples and analyses | ||
Exploit Database | Exploit and shellcode samples | ||
Infosec - CERT-PA | Malware samples collection and analysis | ||
InQuest Labs | Evergrowing searchable corpus of malicious Microsoft documents | ||
Javascript Malware Collection | 682 | 4 months ago | Collection of almost 40,000 JavaScript malware samples |
Malpedia | A resource providing rapid identification and actionable context for malware investigations | ||
Malshare | Large repository of malware actively scraped from malicious sites | ||
Ragpicker | 94 | over 9 years ago | Plugin based malware crawler with pre-analysis and reporting functionalities |
theZoo | 11,317 | 6 months ago | Live malware samples for analysts |
Tracker h3x | Aggregator for malware corpus trackers and malicious download sites | ||
vduddu malware repo | Collection of various malware files and source code | ||
VirusBay | Community-Based malware repository and social network | ||
ViruSign | Malware database of samples detected by many anti-malware programs except ClamAV | ||
VirusShare | Malware repository, registration required | ||
VX Vault | Active collection of malware samples | ||
Zeltser's Sources | A list of malware sample sources put together by Lenny Zeltser | ||
Zeus Source Code | 1,412 | almost 4 years ago | Source for the Zeus trojan leaked in 2011 |
VX Underground | Massive and growing collection of free malware samples | ||
Awesome Malware Analysis / Open Source Threat Intelligence / Tools | |||
AbuseHelper | 118 | about 5 years ago | An open-source framework for receiving and redistributing abuse feeds and threat intel |
AlienVault Open Threat Exchange | Share and collaborate in developing Threat Intelligence | ||
Combine | 655 | over 5 years ago | Tool to gather Threat Intelligence indicators from publicly available sources |
Fileintel | 118 | almost 4 years ago | Pull intelligence per file hash |
Hostintel | 262 | over 3 years ago | Pull intelligence per host |
IntelMQ | A tool for CERTs for processing incident data using a message queue | ||
IOC Editor | A free editor for XML IOC files | ||
iocextract | 506 | 3 months ago | Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool |
ioc_writer | 200 | over 1 year ago | Python library for working with OpenIOC objects, from Mandiant |
MalPipe | 103 | about 6 years ago | Malware/IOC ingestion and processing engine, that enriches collected data |
Massive Octo Spice | 227 | almost 7 years ago | Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the |
MISP | 5,387 | 5 days ago | Malware Information Sharing Platform curated by |
Pulsedive | Free, community-driven threat intelligence platform collecting IOCs from open-source feeds | ||
PyIOCe | 17 | almost 9 years ago | A Python OpenIOC editor |
RiskIQ | Research, connect, tag and share IPs and domains. (Was PassiveTotal.) | ||
threataggregator | 79 | almost 9 years ago | Aggregates security threats from a number of sources, including some of those listed below in Other Resources |
ThreatConnect | TC Open allows you to see and share open source threat data, with support and validation from our free community | ||
ThreatCrowd | A search engine for threats, with graphical visualization | ||
ThreatIngestor | 831 | 10 months ago | Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more |
ThreatTracker | 66 | over 9 years ago | A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines |
TIQ-test | 171 | about 9 years ago | Data visualization and statistical analysis of Threat Intelligence feeds |
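Several of the tools above (iocextract in particular) exist because indicators in reports are "defanged" (`hxxp://`, `[.]`, `[@]`) so they cannot be clicked, and must be "refanged" before they can be matched or fed into a platform such as MISP. The following is an added example of that refang-then-extract step written for this page; it is not code from iocextract or any other listed project. The report text is constructed and uses only documentation ranges and example domains; the regexes and the field names are this example's own choices.

```python
"""Refang and extract indicators from a free-text report (added example,
in the spirit of iocextract; not code from that project)."""
import re
from urllib.parse import urlsplit

# Defanging conventions analysts use so indicators are not clickable.
# Order matters: undo "[://]" before "[:]" so the colon rule cannot eat it.
_REFANG_RULES = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\s*(?:\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\))\s*", re.I), "."),
    (re.compile(r"\[@\]|\(at\)|\[at\]", re.I), "@"),
    (re.compile(r"\\\."), "."),
]

URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)
# Lookarounds stop a match from starting or ending inside a longer dotted
# token, so a build string such as 10.0.19041.1 is not reported as an IP.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# A bare domain must not be preceded by "/", "@", ".", "-" or a word character,
# so a URL path component such as payload.bin is not reported as a domain.
DOMAIN_RE = re.compile(r"(?<![\w./@-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
HASH_RES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}


def refang(text: str) -> str:
    """Undo the defanging conventions above so normal matchers work."""
    for pattern, repl in _REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def _valid_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def extract_iocs(report: str) -> dict:
    """Return sorted, de-duplicated indicators keyed by type."""
    text = refang(report)
    urls = {u.rstrip(".,;:!?") for u in URL_RE.findall(text)}   # drop sentence punctuation
    emails = {e.lower() for e in EMAIL_RE.findall(text)}
    ipv4 = {ip for ip in IPV4_RE.findall(text) if _valid_ipv4(ip)}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    for url in urls:                      # hosts inside URLs are domains too
        host = urlsplit(url).hostname
        if host and not _valid_ipv4(host):
            domains.add(host)
    for email in emails:                  # and so are mail domains
        domains.add(email.split("@", 1)[1])
    result = {"urls": sorted(urls), "domains": sorted(domains),
              "ipv4": sorted(ipv4), "emails": sorted(emails)}
    for name, pattern in HASH_RES.items():
        result[name] = sorted({h.lower() for h in pattern.findall(text)})
    return result


# Constructed report text (TEST-NET addresses and example.* domains only).
SAMPLE_REPORT = """\
Stage one was fetched from hxxp://cdn-update[.]example[.]com/payload.bin and
beaconed to 203[.]0[.]113[.]45 on TCP/8443; a fallback C2 at 198.51.100.7 was
also seen. Stage two: hxxps://files(.)example(.)net/x. The lure was mailed from
billing[@]example[.]org and the attachment hash is
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
(MD5 d41d8cd98f00b204e9800998ecf8427e). Build string 10.0.19041.1 is benign.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

Two caveats a practitioner should keep: the domain regex deliberately ignores anything that looks like a path component, so a domain that only appears as a URL host is recovered from the URL instead of from the bare pattern; and hash, IP and version strings are indistinguishable by shape alone, so a production extractor still needs an allowlist (for example, documentation ranges or well-known resolvers) before results are pushed into a blocklist.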
Awesome Malware Analysis / Open Source Threat Intelligence / Other Resources | |||
Autoshun | Snort plugin and blocklist | ||
Bambenek Consulting Feeds | OSINT feeds based on malicious DGA algorithms | ||
Fidelis Barncat | Extensive malware config database (must request access) | ||
CI Army | Network security blocklists | ||
Critical Stack- Free Intel Market | Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators | ||
Cybercrime tracker | Multiple botnet active tracker | ||
FireEye IOCs | 463 | almost 6 years ago | Indicators of Compromise shared publicly by FireEye |
FireHOL IP Lists | Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps | ||
HoneyDB | Community driven honeypot sensor data collection and aggregation | ||
hpfeeds | 211 | about 1 year ago | Honeypot feed protocol |
Infosec - CERT-PA lists | Blocklist service | ||
InQuest REPdb | Continuous aggregation of IOCs from a variety of open reputation sources | ||
InQuest IOCdb | Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter | ||
Internet Storm Center (DShield) | Diary and searchable incident database, with a web API | ||
malc0de | Searchable incident database | ||
Malware Domain List | Search and share malicious URLs | ||
MetaDefender Threat Intelligence Feed | List of the most looked up file hashes from MetaDefender Cloud | ||
OpenIOC | Framework for sharing threat intelligence | ||
Proofpoint Threat Intelligence | Rulesets and more. (Formerly Emerging Threats.) | ||
Ransomware overview | An overview of ransomware families with details, detection and prevention | ||
STIX - Structured Threat Information eXpression | Standardized language to represent and share cyber threat information. Related efforts from MITRE: | ||
Awesome Malware Analysis / Open Source Threat Intelligence / Other Resources / STIX - Structured Threat Information eXpression | |||
CAPEC - Common Attack Pattern Enumeration and Classification | |||
CybOX - Cyber Observables eXpression | |||
MAEC - Malware Attribute Enumeration and Characterization | |||
TAXII - Trusted Automated eXchange of Indicator Information | |||
Awesome Malware Analysis / Open Source Threat Intelligence / Other Resources | |||
SystemLookup | SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs | ||
ThreatMiner | Data mining portal for threat intelligence, with search | ||
threatRECON | Search for indicators, up to 1000 free per month | ||
ThreatShare | C2 panel tracker | ||
Yara rules | 4,178 | 7 months ago | Yara rules repository |
YETI | 1,745 | 6 days ago | Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository |
ZeuS Tracker | ZeuS blocklists | ||
Awesome Malware Analysis / Detection and Classification | |||
AnalyzePE | 204 | almost 11 years ago | Wrapper for a variety of tools for reporting on Windows PE files |
Assemblyline | A scalable file triage and malware analysis system integrating the cyber security community's best tools | ||
BinaryAlert | 1,409 | 11 months ago | An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules |
capa | 4,873 | 6 days ago | Detects capabilities in executable files |
chkrootkit | Local Linux rootkit detection | ||
ClamAV | Open source antivirus engine | ||
Detect It Easy (DiE) | 7,631 | 4 days ago | A program for determining types of files |
Exeinfo PE | Packer, compressor detector, unpack info, internal exe tools | ||
ExifTool | Read, write and edit file metadata | ||
File Scanning Framework | 289 | about 3 years ago | Modular, recursive file scanning solution |
fn2yara | 1,557 | 3 months ago | FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program |
Generic File Parser | 1 | about 6 years ago | A Single Library Parser to extract meta information,static analysis and detect macros within the files |
hashdeep | 709 | 3 months ago | Compute digest hashes with a variety of algorithms |
HashCheck | 1,761 | almost 3 years ago | Windows shell extension to compute hashes with a variety of algorithms |
Loki | 3,402 | 22 days ago | Host based scanner for IOCs |
Malfunction | 191 | almost 9 years ago | Catalog and compare malware at a function level |
Manalyze | 1,018 | 11 months ago | Static analyzer for PE executables |
MASTIFF | 174 | over 4 years ago | Static analysis framework |
MultiScanner | 617 | about 5 years ago | Modular file scanning/analysis framework |
Nauz File Detector (NFD) | 525 | 3 days ago | Linker/Compiler/Tool detector for Windows, Linux and MacOS |
nsrllookup | 111 | over 3 years ago | A tool for looking up hashes in NIST's National Software Reference Library database |
packerid | 42 | over 4 years ago | A cross-platform Python alternative to PEiD |
PE-bear | Reversing tool for PE files | ||
PEframe | 610 | over 2 years ago | PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents |
PEV | A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries | ||
PortEx | 496 | 2 months ago | Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness |
Quark-Engine | 1,327 | 6 days ago | An Obfuscation-Neglect Android Malware Scoring System |
Rootkit Hunter | Detect Linux rootkits | ||
ssdeep | Compute fuzzy hashes | ||
totalhash.py | Python script for easy searching of the TotalHash database | ||
TrID | File identifier | ||
YARA | Pattern matching tool for analysts | ||
Yara rules generator | 1,555 | 6 months ago | Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives |
Yara Finder | 1 | about 6 years ago | A simple tool to yara match the file against various yara rules to find the indicators of suspicion |
Awesome Malware Analysis / Online Scanners and Sandboxes | |||
anlyz.io | Online sandbox | ||
any.run | Online interactive sandbox | ||
AndroTotal | Free online analysis of APKs against multiple mobile antivirus apps | ||
BoomBox | 234 | over 1 year ago | Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant |
Cryptam | Analyze suspicious office documents | ||
Cuckoo Sandbox | Open source, self hosted sandbox and automated analysis system | ||
cuckoo-modified | 271 | about 5 years ago | Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author |
cuckoo-modified-api | 21 | about 8 years ago | A Python API used to control a cuckoo-modified sandbox |
DeepViz | Multi-format file analyzer with machine-learning classification | ||
detux | 260 | almost 3 years ago | A sandbox developed to do traffic analysis of Linux malware and capture IOCs |
DRAKVUF | 1,063 | about 2 months ago | Dynamic malware analysis system |
filescan.io | Static malware analysis, VBA/Powershell/VBS/JS Emulation | ||
firmware.re | Unpacks, scans and analyzes almost any firmware package | ||
HaboMalHunter | 732 | over 1 year ago | An Automated Malware Analysis Tool for Linux ELF Files |
Hybrid Analysis | Online malware analysis tool, powered by VxSandbox | ||
Intezer | Detect, analyze, and categorize malware by identifying code reuse and code similarities | ||
IRMA | An asynchronous and customizable analysis platform for suspicious files | ||
Joe Sandbox | Deep malware analysis with Joe Sandbox | ||
Jotti | Free online multi-AV scanner | ||
Limon | 389 | over 8 years ago | Sandbox for Analyzing Linux Malware |
Malheur | 368 | over 5 years ago | Automatic sandboxed analysis of malware behavior |
malice.io | 1,654 | over 1 year ago | Massively scalable malware analysis framework |
malsub | 368 | 6 months ago | A Python RESTful API framework for online malware and URL analysis services |
Malware config | Extract, decode and display online the configuration settings from common malwares | ||
MalwareAnalyser.io | Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning | ||
Malwr | Free analysis with an online Cuckoo Sandbox instance | ||
MetaDefender Cloud | Scan a file, hash, IP, URL or domain address for malware for free | ||
NetworkTotal | A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro | ||
Noriben | 1,120 | 12 months ago | Uses Sysinternals Procmon to collect information about malware in a sandboxed environment |
PacketTotal | PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within | ||
PDF Examiner | Analyse suspicious PDF files | ||
ProcDot | A graphical malware analysis tool kit | ||
Recomposer | 130 | about 11 years ago | A helper script for safely uploading binaries to sandbox sites |
sandboxapi | 137 | 10 months ago | Python library for building integrations with several open source and commercial malware sandboxes |
SEE | 814 | about 4 years ago | Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments |
SEKOIA Dropper Analysis | Online dropper analysis (Js, VBScript, Microsoft Office, PDF) | ||
VirusTotal | Free online analysis of malware samples and URLs | ||
Visualize_Logs | 137 | almost 2 years ago | Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) |
Zeltser's List | Free automated sandboxes and services, compiled by Lenny Zeltser | ||
Awesome Malware Analysis / Domain Analysis | |||
AbuseIPDB | AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet | ||
badips.com | Community based IP blacklist service | ||
boomerang | 37 | over 7 years ago | A tool designed for consistent and safe capture of off network web resources |
Cymon | Threat intelligence tracker, with IP/domain/hash search | ||
Desenmascara.me | One click tool to retrieve as much metadata as possible for a website and to assess its good standing | ||
Dig | Free online dig and other network tools | ||
dnstwist | 4,912 | about 2 months ago | Domain name permutation engine for detecting typo squatting, phishing and corporate espionage |
IPinfo | 100 | almost 11 years ago | Gather information about an IP or domain by searching online resources |
Machinae | 504 | 6 months ago | OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator |
mailchecker | 1,628 | 16 days ago | Cross-language temporary email detection library |
MaltegoVT | 79 | almost 9 years ago | Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports |
Multi rbl | Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs | ||
NormShield Services | Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts | ||
PhishStats | Phishing Statistics with search for IP, domain and website title | ||
Spyse | Subdomains, WHOIS, related domains, DNS, host AS and SSL/TLS information | ||
SecurityTrails | Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools | ||
SpamCop | IP based spam block list | ||
SpamHaus | Block list based on domains and IPs | ||
Sucuri SiteCheck | Free Website Malware and Security Scanner | ||
Talos Intelligence | Search for IP, domain or network owner. (Previously SenderBase.) | ||
TekDefense Automater | OSINT tool for gathering information about URLs, IPs, or hashes | ||
URLhaus | A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution | ||
URLQuery | Free URL Scanner | ||
urlscan.io | Free URL Scanner & domain information | ||
Whois | DomainTools free online whois search | ||
Zeltser's List | Free online tools for researching malicious websites, compiled by Lenny Zeltser | ||
Zscaler Zulu | Zulu URL Risk Analyzer | ||
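dnstwist, listed above, works by generating the look-alike domains an attacker would register (typos, homoglyphs, bit flips, alternate TLDs) and then resolving them to see which already exist. The generator below is an added example written for this page to show those permutation classes concretely; it is not dnstwist's own code, the technique names and substitution table are this example's choices, and it does no DNS lookups. It assumes the target is a single label plus one TLD (for `example.co.uk` the TLD handling would need a public-suffix list).

```python
"""Generate look-alike domains the way dnstwist does (added example; not
dnstwist's own code). Assumed: the target is a second-level name plus one TLD."""
import string

VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")
# Visually or lexically confusable substitutions, single- and multi-character.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"], "s": ["5"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"], "d": ["cl"], "cl": ["d"],
}
ALT_TLDS = ["com", "net", "org", "co", "info", "biz"]


def permutations(domain: str) -> set:
    """Return {(technique, candidate_domain)} for a name like 'example.com'."""
    domain = domain.lower()
    name, tld = domain.rsplit(".", 1)
    out = set()

    def add(kind: str, label: str) -> None:
        # Keep only syntactically valid DNS labels, and never the original itself.
        if (label and set(label) <= VALID_LABEL_CHARS and not label.startswith("-")
                and not label.endswith("-") and label != name):
            out.add((kind, f"{label}.{tld}"))

    for i, ch in enumerate(name):
        add("omission", name[:i] + name[i + 1:])              # exmple
        add("repetition", name[:i] + ch + name[i:])           # exaample
        if i + 1 < len(name):
            add("transposition", name[:i] + name[i + 1] + ch + name[i + 2:])  # exmaple
            add("hyphenation", name[:i + 1] + "-" + name[i + 1:])             # ex-ample
        for bit in range(8):   # bitsquatting: one flipped bit in RAM or on the wire
            add("bitsquatting", name[:i] + chr(ord(ch) ^ (1 << bit)) + name[i + 1:])
    for ch in string.ascii_lowercase + string.digits:
        add("addition", name + ch)                            # examplea
    for src, repls in HOMOGLYPHS.items():
        pos = name.find(src)
        while pos != -1:
            for r in repls:
                add("homoglyph", name[:pos] + r + name[pos + len(src):])  # examp1e
            pos = name.find(src, pos + 1)
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(("tld-swap", f"{name}.{alt}"))
    return out


def by_technique(domain: str) -> dict:
    """Group candidates by technique, sorted, for reporting or a resolver queue."""
    grouped = {}
    for kind, cand in permutations(domain):
        grouped.setdefault(kind, []).append(cand)
    return {k: sorted(v) for k, v in sorted(grouped.items())}


if __name__ == "__main__":
    for kind, cands in by_technique("example.com").items():
        print(f"{kind:14} {len(cands):3}  {', '.join(cands[:5])} ...")
```

The bitsquatting class filters out flips that land on uppercase or non-label bytes, which is why it yields fewer candidates than 8 per character; DNS is case-insensitive, so the uppercase results would be the original name anyway. The output of `permutations` is what dnstwist then feeds to DNS, WHOIS and (optionally) a page-similarity check to separate registered look-alikes from unregistered ones.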
Awesome Malware Analysis / Browser Malware | |||
Bytecode Viewer | 14,699 | about 1 month ago | Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support |
Firebug | Firefox extension for web development | ||
Java Decompiler | Decompile and inspect Java apps | ||
Java IDX Parser | 39 | over 6 years ago | Parses Java IDX cache files |
JSDetox | JavaScript malware analysis tool | ||
jsunpack-n | 162 | over 9 years ago | A javascript unpacker that emulates browser functionality |
Krakatau | 1,992 | about 2 months ago | Java decompiler, assembler, and disassembler |
Malzilla | Analyze malicious web pages | ||
RABCDAsm | 430 | over 1 year ago | A "Robust ActionScript Bytecode Disassembler." |
SWF Investigator | Static and dynamic analysis of SWF applications | ||
swftools | Tools for working with Adobe Flash files | ||
xxxswf | A Python script for analyzing Flash files | ||
Awesome Malware Analysis / Documents and Shellcode | |||
AnalyzePDF | 176 | over 10 years ago | A tool for analyzing PDFs and attempting to determine whether they are malicious |
box-js | 617 | 3 months ago | A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation |
diStorm | Disassembler for analyzing malicious shellcode | ||
InQuest Deep File Inspection | Upload common malware lures for Deep File Inspection and heuristical analysis | ||
JS Beautifier | JavaScript unpacking and deobfuscation | ||
libemu | Library and tools for x86 shellcode emulation | ||
malpdfobj | 52 | over 13 years ago | Deconstruct malicious PDFs into a JSON representation |
OfficeMalScanner | Scan for malicious traces in MS Office documents | ||
olevba | A script for parsing OLE and OpenXML documents and extracting useful information | ||
Origami PDF | A tool for analyzing malicious PDFs, and more | ||
PDF Tools | pdfid, pdf-parser, and more from Didier Stevens | ||
PDF X-Ray Lite | 35 | about 13 years ago | A PDF analysis tool, the backend-free version of PDF X-RAY |
peepdf | Python tool for exploring possibly malicious PDFs | ||
QuickSand | QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables | ||
Spidermonkey | Mozilla's JavaScript engine, for debugging malicious JS | ||
Awesome Malware Analysis / File Carving | |||
bulk_extractor | 1,115 | 7 months ago | Fast file carving tool |
EVTXtract | 189 | over 4 years ago | Carve Windows Event Log files from raw binary data |
Foremost | File carving tool designed by the US Air Force | ||
hachoir3 | 615 | 4 months ago | Hachoir is a Python library to view and edit a binary stream field by field |
Scalpel | 627 | 8 months ago | Another data carving tool |
SFlock | 83 | 12 months ago | Nested archive extraction/unpacking (used in Cuckoo Sandbox) |
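The carvers above (Foremost, Scalpel, bulk_extractor) share one core idea: scan raw bytes for known header signatures and cut out everything up to the matching footer or, for formats that carry their own size, up to the length the headers declare. The following is an added example written for this page, not code from any listed carver. It carves PDF and PNG by header/footer pair and carves PE executables by walking the section table, since a PE has no footer. The blob, the embedded files and the size limits are constructed for the demonstration.

```python
"""Header/footer and structure-aware carving from a raw byte blob (added
example; not the code of Foremost, Scalpel or bulk_extractor)."""
import struct

# Formats with a fixed trailer: (header_magic, footer_magic).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def pe_size(blob: bytes, start: int):
    """Size of a PE image starting at `start`, taken from its own headers: the
    highest PointerToRawData + SizeOfRawData over all sections (or the end of
    the section table if no section has raw data). None if it is not a PE."""
    if blob[start:start + 2] != b"MZ" or len(blob) < start + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    pe = start + e_lfanew
    if not 0 < e_lfanew < 0x400 or blob[pe:pe + 4] != b"PE\x00\x00" or pe + 24 > len(blob):
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]     # COFF SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    if not 0 < nsec <= 96 or sec_table + 40 * nsec > len(blob):
        return None
    end = sec_table + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_table + 40 * i + 16)
        if raw_size:
            end = max(end, start + raw_ptr + raw_size)
    return min(end, len(blob)) - start      # clipped if the image is truncated


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return [(kind, offset, data)] sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = blob.find(header)
        while pos != -1:
            fpos = blob.find(footer, pos + len(header), min(len(blob), pos + max_size))
            if fpos != -1:                  # first footer wins, as in Foremost/Scalpel
                found.append((kind, pos, blob[pos:fpos + len(footer)]))
            pos = blob.find(header, pos + 1)
    pos = blob.find(b"MZ")                  # PE has no footer: trust its headers instead
    while pos != -1:
        size = pe_size(blob, pos)
        if size:
            found.append(("exe", pos, blob[pos:pos + size]))
        pos = blob.find(b"MZ", pos + 1)
    return sorted(found, key=lambda f: f[1])


def build_minimal_pe() -> bytes:
    """Constructed two-section PE skeleton (not loadable; enough for carving)."""
    opt = b"\x00" * 16                      # real files use 0xE0/0xF0 here
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    def sec(name, size, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sec(b".text", 0x40, 0x100) + sec(b".rdata", 0x20, 0x140)
    return headers.ljust(0x100, b"\x00") + b"\x90" * 0x40 + b"A" * 0x20   # 0x160 bytes


# Constructed blob: filler, then a PNG, a PE and a PDF buried inside it.
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
FAKE_PE = build_minimal_pe()
JUNK = b"\xde\xad\xbe\xef" * 16
BLOB = JUNK + FAKE_PNG + JUNK + FAKE_PE + JUNK + FAKE_PDF + JUNK

if __name__ == "__main__":
    for kind, offset, data in carve(BLOB):
        print(f"{kind:4} @ {offset:#06x}  {len(data)} bytes")
```

Two limitations worth knowing because real carvers share them: a PDF with incremental updates contains several `%%EOF` markers, so footer-based carving stops at the first one and truncates the file; and `MZ` is a common two-byte pair in arbitrary data, so the PE path must validate the `PE\0\0` signature and sane header values before trusting any size it computes.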
Awesome Malware Analysis / Deobfuscation | |||
Balbuzard | A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more | ||
de4dot | 6,972 | about 4 years ago | .NET deobfuscator and unpacker |
ex_pe_xor & iheartxor | Two tools from Alexander Hanel for working with single-byte XOR encoded files | ||
FLOSS | 3,255 | 8 days ago | The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries |
NoMoreXOR | 85 | over 6 years ago | Guess a 256 byte XOR key using frequency analysis |
PackerAttacker | 268 | over 6 years ago | A generic hidden code extractor for Windows malware |
PyInstaller Extractor | 2,960 | 9 days ago | A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it |
uncompyle6 | 3,796 | 5 days ago | A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code |
un{i}packer | 654 | about 2 months ago | Automatic and platform-independent unpacker for Windows binaries based on emulation |
unpacker | 118 | over 8 years ago | Automated malware unpacker for Windows malware based on WinAppDbg |
unxor | 141 | over 4 years ago | Guess XOR keys using known-plaintext attacks |
VirtualDeobfuscator | 133 | about 1 year ago | Reverse engineering tool for virtualization wrappers |
XORBruteForcer | A Python script for brute forcing single-byte XOR keys | ||
XORSearch & XORStrings | Two programs from Didier Stevens for finding XORed data | ||
xortool | 1,396 | over 1 year ago | Guess XOR key length, as well as the key itself |
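The XOR tools above describe their methods in a few words each: XORSearch and unxor look for a known plaintext, NoMoreXOR and xortool use frequency analysis, and xortool also guesses the key length first. The block below is an added example written for this page that implements those three steps against a constructed PE-like blob; it is not the code of any listed tool, and the 4-byte key, the padding length and the DOS-stub crib are assumptions chosen so that each technique has something to find.

```python
"""Recover a repeating-key XOR from a PE-like blob: known-plaintext attack
(unxor/XORSearch style), key-length guessing and per-position frequency
analysis (xortool/NoMoreXOR style). Added example; not code from those tools."""
from collections import Counter
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def known_plaintext_attack(ct: bytes, crib: bytes, max_key_len: int = 32):
    """Slide a crib over the ciphertext. Where ct XOR crib is periodic, and the
    period repeats at least twice inside the crib, that period is the key.
    Returns (offset_of_crib, key) with the key aligned to ciphertext offset 0."""
    longest = min(max_key_len, len(crib) // 2)   # demand two full periods
    for off in range(len(ct) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(ct[off:off + len(crib)], crib))
        for L in range(1, longest + 1):
            if all(stream[j] == stream[j % L] for j in range(len(stream))):
                # stream[j] == key[(off + j) % L], so key[m] == stream[(m - off) % L]
                return off, bytes(stream[(m - off) % L] for m in range(L))
    return None


def guess_key_length(ct: bytes, max_key_len: int = 16) -> int:
    """Index of coincidence: bytes a multiple of the key length apart were XORed
    with the same key byte, so they collide as often as the plaintext does.
    Multiples of the true length score almost as well, so take the smallest
    length that comes close to the best score."""
    rates = {}
    for L in range(1, max_key_len + 1):
        pairs = len(ct) - L
        rates[L] = sum(1 for i in range(pairs) if ct[i] == ct[i + L]) / pairs
    best = max(rates.values())
    return min(L for L, r in rates.items() if r >= 0.75 * best)


def frequency_attack(ct: bytes, key_len: int, expected_byte: int = 0x00) -> bytes:
    """For each key position, assume the most frequent plaintext byte in that
    column is expected_byte (0x00 for padded binaries, 0x20 for English text)."""
    return bytes(Counter(ct[m::key_len]).most_common(1)[0][0] ^ expected_byte
                 for m in range(key_len))


# Constructed sample: a fake PE (DOS header, stub message, zero padding, a few
# import-like strings) encoded with an assumed 4-byte key.
KEY = bytes([0x4B, 0x2A, 0x99, 0x07])
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00" + DOS_STUB_MSG + b"\r\n$"
             + b"\x00" * 600 + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00")
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    off, key = known_plaintext_attack(CIPHERTEXT, DOS_STUB_MSG)
    print(f"crib at offset {off}, key {key.hex()}")
    L = guess_key_length(CIPHERTEXT)
    print(f"guessed key length {L}, frequency key {frequency_attack(CIPHERTEXT, L).hex()}")
    print(xor_bytes(CIPHERTEXT, key)[:10])
```

The known-plaintext route is the reliable one when a crib is available (the DOS stub message, `kernel32.dll`, or a known C2 string); the frequency route needs a dominant plaintext byte, which zero padding in PE files usually provides and which the tools above also rely on. For a single-byte key the same code degenerates to the 256-candidate brute force that XORBruteForcer performs.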
Awesome Malware Analysis / Debugging and Reverse Engineering | |||
angr | 7,592 | 8 days ago | Platform-agnostic binary analysis framework developed at UCSB's Seclab |
bamfdetect | Identifies and extracts information from bots and other malware | ||
BAP | 2,068 | 3 months ago | Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab |
BARF | 1,411 | almost 5 years ago | Multiplatform, open source Binary Analysis and Reverse engineering Framework |
binnavi | 2,874 | about 4 years ago | Binary analysis IDE for reverse engineering based on graph visualization |
Binary ninja | A reverse engineering platform that is an alternative to IDA | ||
Binwalk | 11,276 | 7 days ago | Firmware analysis tool |
BluePill | 121 | almost 3 years ago | Framework for executing and debugging evasive malware and protected executables |
Capstone | 7,605 | 8 days ago | Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages |
codebro | 44 | over 7 years ago | Web based code browser using clang to provide basic code analysis |
Cutter | GUI for Radare2 | ||
DECAF (Dynamic Executable Code Analysis Framework) | 805 | 4 months ago | A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF |
dnSpy | 26,644 | almost 4 years ago | .NET assembly editor, decompiler and debugger |
dotPeek | Free .NET Decompiler and Assembly Browser | ||
Evan's Debugger (EDB) | A modular debugger with a Qt GUI | ||
Fibratus | 2,209 | 7 days ago | Tool for exploration and tracing of the Windows kernel |
FPort | Reports open TCP/IP and UDP ports in a live system and maps them to the owning application | ||
GDB | The GNU debugger | ||
GEF | 6,996 | 8 days ago | GDB Enhanced Features, for exploiters and reverse engineers |
Ghidra | 51,809 | 6 days ago | A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate |
hackers-grep | 170 | over 6 years ago | A utility to search for strings in PE executables including imports, exports, and debug symbols |
Hopper | The macOS and Linux Disassembler | ||
IDA Pro | Windows disassembler and debugger, with a free evaluation version | ||
IDR | 968 | over 1 year ago | Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries |
Immunity Debugger | Debugger for malware analysis and more, with a Python API | ||
ILSpy | ILSpy is the open-source .NET assembly browser and decompiler | ||
Kaitai Struct | DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby | ||
LIEF | LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats | ||
ltrace | Dynamic analysis for Linux executables | ||
mac-a-mal | 82 | about 6 years ago | An automated framework for mac malware hunting |
objdump | Part of GNU binutils, for static analysis of Linux binaries | ||
OllyDbg | An assembly-level debugger for Windows executables | ||
OllyDumpEx | Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg | ||
PANDA | 104 | almost 8 years ago | Platform for Architecture-Neutral Dynamic Analysis |
PEDA | 5,899 | 4 months ago | Python Exploit Development Assistance for GDB, an enhanced display with added commands |
pestudio | Perform static analysis of Windows executables | ||
Pharos | 1,557 | 3 months ago | The Pharos binary analysis framework can be used to perform automated static analysis of binaries |
plasma | 3,047 | about 3 years ago | Interactive disassembler for x86/ARM/MIPS |
PPEE (puppy) | A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail | ||
Process Explorer | Advanced task manager for Windows | ||
Process Hacker | Tool that monitors system resources | ||
Process Monitor | Advanced monitoring tool for Windows programs | ||
PSTools | Windows command-line tools that help manage and investigate live systems | ||
Pyew | 383 | about 5 years ago | Python tool for malware analysis |
PyREBox | 1,654 | 9 months ago | Python scriptable reverse engineering sandbox by the Talos team at Cisco |
Qiling Framework | Cross platform emulation and sandboxing framework with instruments for binary analysis | ||
QKD | 50 | about 3 years ago | QEMU with embedded WinDbg server for stealth debugging |
Radare2 | Reverse engineering framework, with debugger support | ||
RegShot | Registry compare utility that compares snapshots | ||
RetDec | Retargetable machine-code decompiler that you can use in your own tools | ||
ROPMEMU | 284 | over 8 years ago | A framework to analyze, dissect and decompile complex code-reuse attacks |
Scylla Imports Reconstructor | 1,116 | over 1 year ago | Find and fix the IAT of an unpacked / dumped PE32 malware |
ScyllaHide | 3,469 | 6 months ago | An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine |
SMRT | 64 | 24 days ago | Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis |
strace | Dynamic analysis for Linux executables | ||
StringSifter | 681 | 4 months ago | A machine learning tool that automatically ranks strings based on their relevance for malware analysis |
Triton | A dynamic binary analysis (DBA) framework | ||
Udis86 | 1,019 | over 1 year ago | Disassembler library and tool for x86 and x86_64 |
Vivisect | 939 | 3 months ago | Python tool for malware analysis |
WinDbg | Multipurpose debugger for the Microsoft Windows operating system, used to debug user-mode applications, device drivers, and kernel-mode memory dumps | ||
X64dbg | An open-source x64/x32 debugger for windows | ||
Awesome Malware Analysis / Network | |||
Bro (now Zeek) | Protocol analyzer that operates at incredible scale; both file and network protocols | ||
BroYara | 33 | almost 10 years ago | Use Yara rules from Bro |
CapTipper | 711 | over 1 year ago | Malicious HTTP traffic explorer |
chopshop | 489 | almost 2 years ago | Protocol analysis and decoding framework |
CloudShark | Web-based tool for packet analysis and malware traffic detection | ||
FakeNet-NG | 1,803 | 16 days ago | Next generation dynamic network analysis tool |
Fiddler | Intercepting web proxy designed for "web debugging." | ||
Hale | 186 | over 2 years ago | Botnet C&C monitor |
Haka | An open source security oriented language for describing protocols and applying security policies on (live) captured traffic | ||
HTTPReplay | 94 | almost 3 years ago | Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox) |
INetSim | Network service emulation, useful when building a malware lab | ||
Laika BOSS | 739 | almost 2 years ago | Laika BOSS is a file-centric malware analysis and intrusion detection system |
Malcolm | 360 | 7 days ago | Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs |
Malcom | 1,155 | almost 7 years ago | Malware Communications Analyzer |
Maltrail | 6,535 | 4 days ago | A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface |
mitmproxy | Intercept network traffic on the fly | ||
Moloch (now Arkime) | 6,334 | 7 days ago | IPv4 traffic capturing, indexing and database system |
NetworkMiner | Network forensic analysis tool, with a free version | ||
ngrep | 902 | about 1 year ago | Search through network traffic like grep |
PcapViz | 343 | almost 2 years ago | Network topology and traffic visualizer |
Python ICAP Yara | 57 | about 3 years ago | An ICAP Server with yara scanner for URL or content |
Squidmagic | 78 | over 6 years ago | squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus |
Tcpdump | Collect network traffic | ||
tcpick | Track and reassemble TCP streams from network traffic | ||
tcpxtract | Extract files from network traffic | ||
Wireshark | The network traffic analysis tool | ||
Awesome Malware Analysis / Memory Forensics | |||
BlackLight | Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis | ||
DAMM | 209 | over 7 years ago | Differential Analysis of Malware in Memory, built on Volatility |
evolve | 259 | about 7 years ago | Web interface for the Volatility Memory Forensics Framework |
FindAES | Find AES encryption keys in memory | ||
inVtero.net | 279 | about 1 year ago | High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support |
Muninn | 52 | about 7 years ago | A script to automate portions of analysis using Volatility, and create a readable report |
Orochi | An open source framework for collaborative forensic memory dump analysis | ||
Rekall | Memory analysis framework, forked from Volatility in 2013 | ||
TotalRecall | 49 | over 7 years ago | Script based on Volatility for automating various malware analysis tasks |
VolDiff | 192 | about 7 years ago | Run Volatility on memory images before and after malware execution, and report changes |
Volatility | 7,343 | over 1 year ago | Advanced memory forensics framework |
VolUtility | 380 | 3 months ago | Web Interface for Volatility Memory Analysis framework |
WDBGARK | 615 | over 4 years ago | WinDBG Anti-RootKit Extension |
WinDbg | Live memory inspection and kernel debugging for Windows systems | ||
Awesome Malware Analysis / Windows Artifacts | |||
AChoir | 183 | over 2 years ago | A live incident response script for gathering Windows artifacts |
python-evt | 48 | over 1 year ago | Python library for parsing Windows Event Logs |
python-registry | Python library for parsing registry files | ||
RegRipper | Plugin-based registry analysis tool | ||
Awesome Malware Analysis / Storage and Workflow | |||
Aleph | 158 | over 3 years ago | Open Source Malware Analysis Pipeline System |
CRITs | Collaborative Research Into Threats, a malware and threat repository | ||
FAME | A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis | ||
Malwarehouse | 133 | over 11 years ago | Store, tag, and search malware |
Polichombr | 375 | almost 6 years ago | A malware analysis platform designed to help analysts reverse malware collaboratively |
stoQ | Distributed content analysis framework with extensive plugin support, from input to output, and everything in between | ||
Viper | A binary management and analysis framework for analysts and researchers | ||
Awesome Malware Analysis / Miscellaneous | |||
al-khaser | 5,919 | about 2 months ago | A PoC malware with good intentions that aims to stress anti-malware systems |
CryptoKnight | 38 | over 4 years ago | Automated cryptographic algorithm reverse engineering and classification framework |
DC3-MWCP | 300 | 6 months ago | The Defense Cyber Crime Center's Malware Configuration Parser framework |
FLARE VM | 6,581 | 15 days ago | A fully customizable, Windows-based, security distribution for malware analysis |
MalSploitBase | 538 | about 5 years ago | A database containing exploits used by malware |
Malware Museum | Collection of malware programs that were distributed in the 1980s and 1990s | ||
Malware Organiser | 1 | about 6 years ago | A simple tool to organise large malicious/benign files into an organised structure |
Pafish | 3,401 | 5 months ago | Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do |
REMnux | Linux distribution and docker images for malware reverse engineering and analysis | ||
Tsurugi Linux | Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities | ||
Santoku Linux | Linux distribution for mobile forensics, malware analysis, and security | ||
Resources / Books | |||
Learning Malware Analysis | Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware | ||
Malware Analyst's Cookbook and DVD | Tools and Techniques for Fighting Malicious Code | ||
Mastering Malware Analysis | Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks | ||
Mastering Reverse Engineering | Mastering Reverse Engineering: Re-engineer your ethical hacking skills | ||
Practical Malware Analysis | The Hands-On Guide to Dissecting Malicious Software | ||
Practical Reverse Engineering | Intermediate Reverse Engineering | ||
Real Digital Forensics | Computer Security and Incident Response | ||
Rootkits and Bootkits | Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats | ||
The Art of Memory Forensics | Detecting Malware and Threats in Windows, Linux, and Mac Memory | ||
The IDA Pro Book | The Unofficial Guide to the World's Most Popular Disassembler | ||
The Rootkit Arsenal | The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System | ||
Resources / Other | |||
APT Notes | 1,658 | 4 months ago | A collection of papers and notes related to Advanced Persistent Threats |
Ember | 946 | 3 months ago | Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis |
File Formats posters | 10,521 | 9 months ago | Nice visualization of commonly used file formats (including PE & ELF) |
Honeynet Project | Honeypot tools, papers, and other resources | ||
Kernel Mode | An active community devoted to malware analysis and kernel development | ||
Malicious Software | Malware blog and resources by Lenny Zeltser | ||
Malware Analysis Search | Custom Google search engine from | ||
Malware Analysis Tutorials | The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis | ||
Malware Analysis, Threat Intelligence and Reverse Engineering | Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description | ||
Malware Persistence | 164 | 3 months ago | Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools) |
Malware Samples and Traffic | This blog focuses on network traffic related to malware infections | ||
Malware Search+++ | Firefox extension allows you to easily search some of the most popular malware databases | ||
Practical Malware Analysis Starter Kit | This package contains most of the software referenced in the Practical Malware Analysis book | ||
RPISEC Malware Analysis | 3,767 | about 2 years ago | These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015 |
WindowsIR: Malware | Harlan Carvey's page on Malware | ||
Windows Registry specification | 325 | about 6 years ago | Windows registry file format specification |
/r/csirt_tools | Subreddit for CSIRT tools and resources, with a flair | ||
/r/Malware | The malware subreddit | ||
/r/ReverseEngineering | Reverse engineering subreddit, not limited to just malware | ||
Related Awesome Lists | |||
Android Security | 8,207 | 3 months ago | |
AppSec | 6,329 | 5 months ago | |
CTFs | 9,867 | 4 months ago | |
Executable Packing | 1,204 | 9 days ago | |
Forensics | 3,999 | 11 days ago | |
"Hacking" | 13,185 | 6 months ago | |
Honeypots | 8,650 | 3 months ago | |
Industrial Control System Security | 1,641 | about 1 year ago | |
Incident-Response | 7,678 | 4 months ago | |
Infosec | 5,205 | 9 months ago | |
PCAP Tools | 3,134 | 7 months ago | |
Pentesting | 21,921 | 27 days ago | |
Security | 12,475 | 4 months ago | |
Threat Intelligence | 8,111 | 3 months ago | |
YARA | 3,563 | 6 days ago | |
Backlinks from these awesome lists:
- sindresorhus/awesome
- hack-with-github/awesome-hacking
- bayandin/awesome-awesomeness
- jivoi/awesome-osint
- sbilly/awesome-security
- jnv/lists
- paralax/awesome-honeypots
- decalage2/awesome-security-hardening
- cugu/awesome-forensics
- 0x4d31/awesome-threat-detection
- inquest/awesome-yara
- jaredthecoder/awesome-vehicle-security
- szabgab/awesome-lists
- coopermaa/awesome-awesome
- 0ex/more-awesome
- netanmangal/awesome-hacking
- hexsecs/awesome-embedded-security