├── LICENSE
├── .travis.yml
├── CONTRIBUTING.md
├── 恶意软件分析大合集.md
└── README.md


/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Attribution 4.0 International License (CC BY 4.0)
2 | 
3 | http://creativecommons.org/licenses/by/4.0/
4 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: ruby
2 | rvm:
3 |     - 2.2
4 | before_script:
5 |     - gem install awesome_bot
6 | script:
7 |     - awesome_bot README.md --white-list CONTRIBUTING.md,amzn.com,carnivore.it,cymru.com,clean-mx.de,woodmann.com,andrototal.org,domaintools.com,reconstructer.org,reddit.com,desenmascara.me,exploit-db.com,travis-ci,tekdefense.com,winitor.com,https://intel.criticalstack.com,handlers.sans.org,bokken.re,openmalware.org
8 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contribution Guidelines
 2 | 
 3 | When making a pull request, please follow these guidelines:
 4 | 
 5 | - One commit per suggestion is preferred
 6 | - Commit message should follow this format: `Add some tool name` (For
 7 |   example, `Add cuckoo-sandbox`) [Why?](http://chris.beams.io/posts/git-commit/)
 8 | - Multiple commits per pull request is OK
 9 | - Lists within each section are alphabetized, please keep them that way
10 | - Add sections if necessary, use existing sections if possible
11 | - Clear, concise descriptions for each link, starting with a capital, ending
12 |   with a period
13 | - Use the following format: `[Item Name](homepage link) - Description.`
14 | - No duplication of tools, put them where they make the most sense
15 | - Wrap lines at ~80 chars, no trailing whitespace or unnecessary newlines
16 | - Prefer quality over quantity, only submit awesome stuff
17 | - By submitting a pull request, you agree to release your submission under
18 |   the [LICENSE](LICENSE)
19 | - Indent wrapped lines even with the start of the line before
20 | 
21 | ```
22 | - That means lines wrap like
23 |   this
24 | - Not
25 | like this
26 | ```
27 | 
28 | 
29 | The rules above take precedence, but in case I missed something, check [the
30 | awesome guidelines](https://github.com/sindresorhus/awesome/blob/master/contributing.md)
31 | too.
32 | 
33 | Properly formatted pull requests will almost always be approved faster than
34 | issues or poorly formatted pull requests, because they mean less work for me!
35 | 
36 | Thanks!
37 | 


--------------------------------------------------------------------------------
/恶意软件分析大合集.md:
--------------------------------------------------------------------------------
  1 | # 恶意软件分析大合集
  2 | 
  3 | 
  4 | 这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。
  5 | 
  6 | - [恶意软件分析大合集](#恶意软件分析大合集)
  7 |     - [恶意软件集合](#恶意软件集合)
  8 |         - [匿名代理](#匿名代理)
  9 |         - [蜜罐](#蜜罐)
 10 |         - [恶意软件样本库](#恶意软件样本库)
 11 |     - [开源威胁情报](#开源威胁情报)
 12 |         - [工具](#工具)
 13 |         - [其他资源](#其他资源)
 14 |     - [检测与分类](#检测与分类)
 15 |     - [在线扫描与沙盒](#在线扫描与沙盒)
 16 |     - [域名分析](#域名分析)
 17 |     - [浏览器恶意软件](#浏览器恶意软件)
 18 |     - [文档和 Shellcode](#文档和-Shellcode)
 19 |     - [文件提取](#文件提取)
 20 |     - [去混淆](#去混淆)
 21 |     - [调试与逆向工程](#调试与逆向工程)
 22 |     - [网络](#网络)
 23 |     - [内存取证](#内存取证)
 24 |     - [Windows 神器](#Windows-神器)
 25 |     - [存储和工作流](#存储和工作流)
 26 |     - [杂项](#杂项)
 27 | - [资源](#资源)
 28 |     - [书籍](#书籍)
 29 |     - [Twitter](#Twitter)
 30 |     - [其它](#其它)
 31 | - [相关 Awesome 清单](#相关-Awesome-清单)
 32 | - [贡献者](#做出贡献)
 33 | - [致谢](#致谢)
 34 | 
 35 | ---
 36 | 
 37 | ## 恶意软件集合
 38 | 
 39 | ### 匿名代理
 40 | 
 41 | *对于分析人员的 Web 流量匿名方案*
 42 | 
 43 | * [Anonymouse.org](http://anonymouse.org/) - 一个免费、基于 Web 的匿名代理
 44 | * [OpenVPN](https://openvpn.net/) - VPN 软件和托管解决方案
 45 | * [Privoxy](http://www.privoxy.org/) - 一个带有隐私保护功能的开源代理服务器
 46 | * [Tor](https://www.torproject.org/) - 洋葱路由器，为了在浏览网页时不留下客户端 IP 地址
 47 | 
 48 | ### 蜜罐
 49 | 
 50 | *捕获和收集你自己的样本*
 51 | 
 52 | * [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA 蜜罐
 53 | * [Cowrie](https://github.com/micheloosterhof/cowrie) - 基于 Kippo 的 SSH 蜜罐
 54 | * [Dionaea](http://dionaea.carnivore.it/) - 用来捕获恶意软件的蜜罐
 55 | * [Glastopf](http://glastopf.org/) - Web 应用蜜罐
 56 | * [Honeyd](http://honeyd.org/) - 创建一个虚拟蜜罐
 57 | * [HoneyDrive](http://honeydrive.org/) - 蜜罐包的 Linux 发行版
 58 | * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - 受 Dinoaea 支持的蜜罐数据标准化
 59 | * [Thug](https://github.com/buffer/thug) - 用来调查恶意网站的低交互蜜罐
 60 | 
 61 | ### 恶意软件样本库
 62 | 
 63 | *收集用于分析的恶意软件样本*
 64 | 
 65 | * [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - 恶意软件和恶意域名的实时数据库
 66 | * [Contagio](http://contagiodump.blogspot.com/) - 近期的恶意软件样本和分析的收集
 67 | * [Exploit Database](https://www.exploit-db.com/) - Exploit 和 shellcode 样本
 68 | * [Malshare](https://malshare.com) - 在恶意网站上得到的大量恶意样本库
 69 | * [MalwareDB](http://malwaredb.malekal.com/) - 恶意软件样本库
 70 | * [Open Malware Project](http://openmalware.org/) - 样本信息和下载
 71 | * [Ragpicker](https://github.com/robbyFux/Ragpicker) - 基于 malware crawler 的一个插件
 72 | * [theZoo](https://github.com/ytisf/theZoo) - 分析人员的实时恶意样本库
 73 | * [Tracker h3x](http://tracker.h3x.eu/) - Agregator 的恶意软件跟踪和下载地址
 74 | * [ViruSign](http://www.virussign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库
 75 | * [VirusShare](http://virusshare.com/) - 恶意软件库
 76 | * [VX Vault](http://vxvault.net/) - 恶意软件样本的主动收集
 77 | * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - 由 Lenny Zeltser 整理的恶意软件样本源列表
 78 | * [Zeus Source Code](https://github.com/Visgean/Zeus) - 2011 年 Zeus 源码泄露
 79 | 
 80 | ## 开源威胁情报
 81 | 
 82 | ### 工具
 83 | 
 84 | *收集、分析 IOC 信息*
 85 | 
 86 | * [AbuseHelper](https://github.com/abusesa/abusehelper) - 用于接收和重新分发威胁情报的开源框架
 87 | * [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - 威胁情报的共享与合作
 88 | * [Combine](https://github.com/mlsecproject/combine) - 从公开的信息源中得到威胁情报信息
 89 | * [Fileintel](https://github.com/keithjjones/fileintel) - 文件情报
 90 | * [Hostintel](https://github.com/keithjjones/hostintel) - 主机情报
 91 | * [IntelMQ](https://www.enisa.europa.eu/activities/cert/support/incident-handling-automation) - CERT 使用消息队列来处理应急数据的工具
 92 | * [IOC Editor](https://www.mandiant.com/resources/download/ioc-editor/) - Mandiant 出品的一个免费的 XML IOC 文件编辑器
 93 | * [ioc_writer](https://github.com/mandiant/ioc_writer) - 开发的用于 OpenIOC 对象的 Python 库
 94 | * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - 由 [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework)发起，之前叫做 CIF (Collective Intelligence Framework)，从各种信息源聚合 IOC 信息
 95 | * [MISP](https://github.com/MISP/MISP) - 由 [The MISP Project](http://www.misp-project.org/) 发起的恶意软件信息共享平台
 96 | * [PyIOCe](https://github.com/pidydx/PyIOCe) - 一个 Python OpenIOC 编辑器
 97 | * [RiskIQ](https://community.riskiq.com/) - 研究、链接、标注和分享 IP 与 域名
 98 | * [threataggregator](https://github.com/jpsenior/threataggregator) - 聚合来自多个信息源的安全威胁，包括 [other resources](#other-resources) 列表中的一些
 99 | * [ThreatCrowd](https://www.threatcrowd.org/) - 带有图形可视化的威胁搜索引擎
100 | * [TIQ-test](https://github.com/mlsecproject/tiq-test) - 威胁情报源的数据可视化和统计分析
101 | 
102 | ### 其他资源
103 | 
104 | *威胁情报和 IOC 资源*
105 | 
106 | * [Autoshun](http://autoshun.org/) ([list](http://autoshun.org/)) - Snort 插件和黑名单
107 | * [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) - 基于恶意 DGA 算法的 OSINT 订阅
108 | * [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) - 可扩展的恶意软件配置数据库（必须有请求权限）
109 | * [CI Army](http://www.ciarmy.com/) ([list](http://www.ciarmy.com/list/ci-badguys.txt)) - 网络安全黑名单
110 | * [Critical Stack- Free Intel Market](https://intel.CriticalStack.com) - 免费的英特尔去重聚合项目，有超过 90 种订阅以及超过一百二十万个威胁情报信息
111 | * [CRDF ThreatCenter](http://threatcenter.crdf.fr/) - 由 CRDF 提供的新威胁检出
112 | * [Cybercrime tracker](http://cybercrime-tracker.net/) - 多个僵尸网络的活动跟踪
113 | * [FireEye IOCs](https://github.com/fireeye/iocs) - 由 FireEye 共享的 IOC 信息
114 | * [FireHOL IP Lists](https://iplists.firehol.org/) - 针对攻击、恶意软件的更改历史、国家地图和保留政策的 350+ IP 的跟踪
115 | * [hpfeeds](https://github.com/rep/hpfeeds) - 蜜罐订阅协议
116 | * [Internet Storm Center (DShield)](https://isc.sans.edu/) - 日志和可搜索的事件数据库，并且带有 Web [API](https://dshield.org/api/)([非官方 Python 库](https://github.com/rshipp/python-dshield)).
117 | * [malc0de](http://malc0de.com/database/) - 搜索事件数据库
118 | * [Malware Domain List](http://www.malwaredomainlist.com/) - 搜索和分享恶意软件 URL
119 | * [OpenIOC](http://openioc.org/) - 威胁情报共享框架
120 | * [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - 蜜罐 C&C 黑名单
121 | * [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - 以前新兴威胁的规则集
122 | * [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - 勒索软件的概述列表
123 | * [STIX - Structured Threat Information eXpression](http://stix.mitre.org/) - 通过标准化的语言来表示、共享网络威胁信息
124 |   [MITRE](http://mitre.org) 相关:
125 |   - [CAPEC - 常见攻击模式枚举与分类](http://capec.mitre.org/)
126 |   - [CybOX - 网络观测 eXpression](http://cybox.mitre.org/)
127 |   - [MAEC - 恶意软件特征枚举与界定](http://maec.mitre.org/)
128 |   - [TAXII - 可信的指标信息自动化交换](http://taxii.mitre.org/)
129 | * [threatRECON](https://threatrecon.co/) - 搜索指标，每月最多一千次
130 | * [Yara rules](https://github.com/Yara-Rules/rules) - Yara 规则集
131 | * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS 黑名单
132 | 
133 | ## 检测与分类
134 | 
135 | *反病毒和其他恶意软件识别工具*
136 | 
137 | * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Windows PE 文件的分析器
138 | * [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
139 | * [ClamAV](http://www.clamav.net/) - 开源反病毒引擎
140 | * [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序
141 | * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据
142 | * [File Scanning Framework](http://www.sno.phy.queensu.ca/%7Ephil/exiftool/) - 模块化的递归文件扫描解决方案
143 | * [hashdeep](https://github.com/jessek/hashdeep) - 用各种算法计算哈希值
144 | * [Loki](https://github.com/Neo23x0/Loki) - 基于主机的 IOC 扫描器
145 | * [Malfunction](https://github.com/Dynetics/Malfunction) - 在功能层面对恶意软件进行分类和比较
146 | * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - 静态分析框架
147 | * [MultiScanner](https://github.com/MITRECND/multiscanner) - 模块化文件扫描/分析框架
148 | * [nsrllookup](https://github.com/rjhansen/nsrllookup) - 查询 NIST's National Software Reference Library 数据库中哈希的工具
149 | * [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品
150 | * [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
151 | * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits
152 | * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
153 | * [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本
154 | * [TrID](http://mark0.net/soft-trid-e.html) - 文件识别
155 | * [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具
156 | * [Yara rules generator](https://github.com/Neo23x0/yarGen) - 基于恶意样本生成 yara 规则，也包含避免误报的字符串数据库
157 | 
158 | ## 在线扫描与沙盒
159 | 
160 | *基于 Web 的多反病毒引擎扫描器和恶意软件自动分析的沙盒*
161 | 
162 | * [AndroTotal](https://andrototal.org/) - 利用多个移动反病毒软件进行免费在线分析 App
163 | * [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu 在线扫描器和恶意软件集合
164 | * [Cryptam](http://www.cryptam.com/) - 分析可疑的 Office 文档
165 | * [Cuckoo Sandbox](http://cuckoosandbox.org/) - 开源、自主的沙盒和自动分析系统
166 | * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - GPL 许可证的 Cuckoo 沙盒的修改版，由于法律原因作者没有将其分支合并
167 | * [cuckoo-modified-api](https://github.com/brad-accuvant/cuckoo-modified) - 用于控制 cuckoo-modified 沙盒的 Python API
168 | * [DeepViz](https://www.deepviz.com/) - 通过机器学习分类来分析的多格式文件分析器
169 | * [detux](https://github.com/detuxsandbox/detux/) - 一个用于对 Linux 恶意软件流量分析与 IOC 信息捕获的沙盒
170 | * [DRAKVUF](https://github.com/tklengyel/drakvuf) - 动态恶意软件分析系统
171 | * [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包
172 | * [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - Linux平台上的自动化恶意代码分析工具.
173 | * [Hybrid Analysis](https://www.hybrid-analysis.com/) - 由 VxSandbox 支持的在线恶意软件分析工具
174 | * [IRMA](http://irma.quarkslab.com/) - 异步、可定制的可疑文件分析平台
175 | * [Joe Sandbox](https://www.joesecurity.org/) - 深度恶意软件分析
176 | * [Jotti](https://virusscan.jotti.org/en) - 免费在线多反病毒引擎扫描器
177 | * [Limon](https://github.com/monnappa22/Limon) - 分析 Linux 恶意软件的沙盒
178 | * [Malheur](https://github.com/rieck/malheur) - 恶意行为的自动化沙盒分析
179 | * [Malware config](https://malwareconfig.com/) - 从常见的恶意软件提取、解码和在线配置
180 | * [Malwr](https://malwr.com/) - 免费的在线 Cuckoo 沙盒分析实例
181 | * [MASTIFF Online](https://mastiff-online.korelogic.com/) - 在线恶意软件静态分析
182 | * [Metadefender.com](https://www.metadefender.com/) - 扫描文件、哈希或恶意软件的 IP 地址
183 | * [NetworkTotal](https://www.networktotal.com/index.html) - 一个分析 pcap 文件的服务，使用配置了 EmergingThreats Pro 的Suricata 快速检测病毒、蠕虫、木马和各种恶意软件
184 | * [Noriben](https://github.com/Rurik/Noriben) - 使用 Sysinternals Procmon 收集恶意软件在沙盒环境下的进程信息
185 | * [PDF Examiner](http://www.pdfexaminer.com/) - 收集可疑的 PDF 文件
186 | * [ProcDot](http://www.procdot.com/) - 一个可视化恶意软件分析工具集
187 | * [Recomposer](https://github.com/secretsquirrel/recomposer) - 安全上传二进制程序到沙盒网站的辅助脚本
188 | * [Sand droid](http://sanddroid.xjtu.edu.cn/) - 自动化、完整的 Android 应用程序分析系统
189 | * [SEE](https://github.com/F-Secure/see) - 在安全环境中构建测试自动化的框架
190 | * [VirusTotal](https://www.virustotal.com/) - 免费的在线恶意软件样本和 URL 分析
191 | * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - 用于日志的开源可视化库和命令行工具（Cuckoo、Procmon 等）
192 | * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Lenny Zeltser 创建的免费自动沙盒服务
193 | 
194 | ## 域名分析
195 | 
196 | *检查域名和 IP 地址*
197 | 
198 | * [Desenmascara.me](http://desenmascara.me) - 一键点击即可得到尽可能多的检索元数据以评估一个网站的信誉度
199 | * [Dig](http://networking.ringofsaturn.com/) - 免费的在线 dig 以及其他网络工具
200 | * [dnstwist](https://github.com/elceef/dnstwist) - 用于检测钓鱼网站和公司间谍活动的域名排名网站
201 | * [IPinfo](https://github.com/hiddenillusion/IPinfo) - 通过搜索在线资源收集关于 IP 或 域名的信息
202 | * [Machinae](https://github.com/hurricanelabs/machinae) - 类似 Automator 的 OSINT 工具，用于收集有关 URL、IP 或哈希的信息
203 | * [mailchecker](https://github.com/FGRibreau/mailchecker) - 跨语言临时邮件检测库
204 | * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - 让 Maltego 使用 VirusTotal API，允许搜索域名、IP 地址、文件哈希、报告
205 | * [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单，反向查找超过 300 个 RBL。
206 | * [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP
207 | * [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单
208 | * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - 免费的网站恶意软件与安全扫描器
209 | * [Talos Intelligence](https://talosintelligence.com/) - 搜索 IP、域名或网络的所有者
210 | * [TekDefense Automator](http://www.tekdefense.com/automater/) - 收集关于 URL、IP 和哈希值的 OSINT 工具
211 | * [URLQuery](http://urlquery.net/) - 免费的 URL 扫描器
212 | * [Whois](http://whois.domaintools.com/) - DomainTools 家免费的 whois 搜索
213 | * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - 由 Lenny Zeltser 整理的免费在线恶意软件工具集
214 | * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL 风险分析
215 | 
216 | ## 浏览器恶意软件
217 | 
218 | *分析恶意 URL，也可以参考 [domain analysis](#domain-analysis) 和 [documents and shellcode](#documents-and-shellcode) 部分*
219 | 
220 | * [Firebug](https://getfirebug.com/) - Firefox Web 开发扩展
221 | * [Java Decompiler](http://jd.benow.ca/) - 反编译并检查 Java 的应用
222 | * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - 解析 Java IDX 缓存文件
223 | * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript 恶意软件分析工具
224 | * [jsunpack-n](https://github.com/urule99/jsunpack-n) - 一个 javascript 解压软件，可以模拟浏览器功能
225 | * [Krakatau](https://github.com/Storyyeller/Krakatau) - Java 的反编译器、汇编器与反汇编器
226 | * [Malzilla](http://malzilla.sourceforge.net/) - 分析恶意 Web 页面
227 | * [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - 一个健壮的 ActionScript 字节码反汇编
228 | * [swftools](http://www.swftools.org/) - PDF 转换成 SWF 的工具
229 | * [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - 分析 Flash 文件的 Python 脚本
230 | 
231 | ## 文档和 Shellcode
232 | 
233 | *在 PDF、Office 文档中分析恶意 JS 和 Shellcode，也可参考[browser malware](#browser-malware) 部分*
234 | 
235 | * [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - 分析 PDF 并尝试判断其是否是恶意文件的工具
236 | * [box-js](https://github.com/CapacitorSet/box-js) - 用于研究 JavaScript 恶意软件的工具，支持 JScript/WScript 和 ActiveX 仿真功能
237 | * [diStorm](http://www.ragestorm.net/distorm/) - 分析恶意 Shellcode 的反汇编器
238 | * [JS Beautifier](http://jsbeautifier.org/) - JavaScript 脱壳和去混淆
239 | * [JS Deobfuscator ](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) - 对那些使用 eval 或 document.write 的简单 Javascript 去混淆
240 | * [libemu](http://libemu.carnivore.it/) - x86 shellcode 仿真的库和工具
241 | * [malpdfobj](https://github.com/9b/malpdfobj) - 解构恶意 PDF 为 JSON 表示
242 | * [OfficeMalScanner](http://www.reconstructer.org/code.html) - 扫描 MS Office 文档中的恶意跟踪
243 | * [olevba](http://www.decalage.info/python/olevba) - 解析 OLE 和 OpenXML 文档，并提取有用信息的脚本
244 | * [Origami PDF](https://code.google.com/p/origami-pdf/) - 一个分析恶意 PDF 的工具
245 | * [PDF Tools](http://blog.didierstevens.com/programs/pdf-tools/) - Didier Stevens 开发的许多关于 PDF 的工具
246 | * [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - PDF 分析工具，PDF X-RAY 的无后端版本
247 | * [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - 用来探索可能是恶意的 PDF 的 Python 工具
248 | * [QuickSand](https://www.quicksand.io/) - QuickSand 是一个紧凑的 C 框架，用于分析可疑的恶意软件文档，以识别不同编码流中的漏洞，并定位和提取嵌入的可执行文件
249 | * [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - Mozilla 的 JavaScript 引擎，用来调试可疑 JS 代码
250 | 
251 | ## 文件提取
252 | 
253 | *从硬盘和内存镜像中提取文件*
254 | 
255 | * [bulk_extractor](https://github.com/simsong/bulk_extractor) - 快速文件提取工具
256 | * [EVTXtract](https://github.com/williballenthin/EVTXtract) - 从原始二进制数据提取 Windows 事件日志文件
257 | * [Foremost](http://foremost.sourceforge.net/) - 由 US Air Force 设计的文件提取工具
258 | * [Hachoir](https://bitbucket.org/haypo/hachoir) - 处理二进制程序的 Python 库的集合
259 | * [Scalpel](https://github.com/sleuthkit/scalpel) - 另一个数据提取工具
260 | 
261 | ## 去混淆
262 | 
263 | *破解异或或其它代码混淆方法*
264 | 
265 | * [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - 去除混淆(XOR、ROL等)的恶意软件分析工具
266 | * [de4dot](https://github.com/0xd4d/de4dot) - .NET 去混淆与脱壳
267 | * [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) 和 [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Alexander Hanel 开发的用于去除单字节异或编码的文件的两个工具
268 | * [FLOSS](https://github.com/fireeye/flare-floss) - FireEye 实验室的混淆字符串求解工具，使用高级静态分析技术来自动去除恶意软件二进制文件中的字符串
269 | * [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - 通过频率分析来猜测一个 256 字节的异或密钥
270 | * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - Windows 恶意软件的通用隐藏代码提取程序
271 | * [unpacker](https://github.com/malwaremusings/unpacker/) - 基于 WinAppDbg 的自动 Windows 恶意软件脱壳器
272 | * [unxor](https://github.com/tomchop/unxor/) - 通过已知明文攻击来猜测一个异或密钥
273 | * [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) - 虚拟逆向分析工具
274 | * [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) - 爆破单字节异或密钥的 Python 脚本
275 | * [XORSearch 和 XORStrings](http://blog.didierstevens.com/programs/xorsearch/) - Didier Stevens 开发的用于寻找异或混淆后数据的两个工具
276 | * [xortool](https://github.com/hellman/xortool) - 猜测异或密钥和密钥的长度
277 | 
278 | ## 调试和逆向工程
279 | 
280 | *反编译器、调试器和其他静态、动态分析工具*
281 | 
282 | * [angr](https://github.com/angr/angr) - UCSB 的安全实验室开发的跨平台二进制分析框架
283 | * [bamfdetect](https://github.com/bwall/bamfdetect) - 识别和提取奇迹人和其他恶意软件的信息
284 | * [BAP](https://github.com/BinaryAnalysisPlatform/bap) - CMU 的安全实验室开发的跨平台开源二进制分析框架
285 | * [BARF](https://github.com/programa-stic/barf-project) - 跨平台、开源二进制分析逆向框架
286 | * [binnavi](https://github.com/google/binnavi) - 基于图形可视化的二进制分析 IDE
287 | * [Binwalk](http://binwalk.org/) - 固件分析工具
288 | * [Bokken](https://inguma.eu/projects/bokken) - Pyew 和 Radare 的界面版
289 | * [Capstone](https://github.com/aquynh/capstone) - 二进制分析反汇编框架，支持多种架构和许多语言
290 | * [codebro](https://github.com/hugsy/codebro) - 使用 clang 提供基础代码分析的 Web 端代码浏览器
291 | * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET 编辑器、编译器、调试器
292 | * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - Qt GUI 程序的模块化调试器
293 | * [Fibratus](https://github.com/rabbitstack/fibratus) - 探索、跟踪 Windows 内核的工具
294 | * [FPort](http://www.mcafee.com/us/downloads/free-tools/fport.aspx#) - 实时查看系统中打开的 TCP/IP 和 UDP 端口，并映射到应用程序
295 | * [GDB](http://www.sourceware.org/gdb/) - GNU 调试器
296 | * [GEF](https://github.com/hugsy/gef) - 针对开发人员和逆向工程师的 GDB 增强版
297 | * [hackers-grep](https://github.com/codypierce/hackers-grep) - 用来搜索 PE 程序中的导入表、导出表、字符串、调试符号
298 | * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows 反汇编和调试器，有免费评估版
299 | * [Immunity Debugger](http://debugger.immunityinc.com/) - 带有 Python API 的恶意软件调试器
300 | * [ltrace](http://ltrace.org/) - Linux 可执行文件的动态分析
301 | * [objdump](https://en.wikipedia.org/wiki/Objdump) - GNU 工具集的一部分，面向 Linux 二进制程序的静态分析
302 | * [OllyDbg](http://www.ollydbg.de/) - Windows 可执行程序汇编级调试器
303 | * [PANDA](https://github.com/moyix/panda) - 动态分析平台
304 | * [PEDA](https://github.com/longld/peda) - 基于 GDB 的 Pythton Exploit 开发辅助工具，增强显示及增强的命令
305 | * [pestudio](https://winitor.com/) - Windows 可执行程序的静态分析
306 | * [plasma](https://github.com/joelpx/plasma) - 面向 x86/ARM/MIPS 的交互式反汇编器
307 | * [PPEE (puppy)](https://www.mzrst.com/) - 专业的 PE 文件资源管理器
308 | * [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器
309 | * [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) - Windows 下高级程序监控工具
310 | * [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - 可以帮助管理员实时管理系统的 Windows 命令行工具
311 | * [Pyew](https://github.com/joxeankoret/pyew) - 恶意软件分析的 Python 工具
312 | * [Radare2](http://www.radare.org/r/) - 带有调试器支持的逆向工程框架
313 | * [RetDec](https://retdec.com/) - 可重定向的机器码反编译器，同时有在线反编译服务和 API
314 | * [ROPMEMU](https://github.com/vrtadmin/ROPMEMU) - 分析、解析、反编译复杂的代码重用攻击的框架
315 | * [SMRT](https://github.com/pidydx/SMRT) - Sublime 3 中辅助恶意软件分析的插件
316 | * [strace](http://sourceforge.net/projects/strace/) - Linux 可执行文件的动态分析
317 | * [Triton](http://triton.quarkslab.com/) - 一个动态二进制分析框架
318 | * [Udis86](https://github.com/vmt/udis86) - x86 和 x86_64 的反汇编库和工具
319 | * [Vivisect](https://github.com/vivisect/vivisect) - 恶意软件分析的 Python 工具
320 | * [X64dbg](https://github.com/x64dbg/) - Windows 的一个开源 x64/x32 调试器
321 | 
322 | ## 网络
323 | 
324 | *分析网络交互*
325 | 
326 | * [Bro](https://www.bro.org) - 支持惊人规模的文件和网络协议的协议分析工具
327 | * [BroYara](https://github.com/hempnall/broyara) - 基于 Bro 的 Yara 规则集
328 | * [CapTipper](https://github.com/omriher/CapTipper) -  恶意 HTTP 流量管理器
329 | * [chopshop](https://github.com/MITRECND/chopshop) - 协议分析和解码框架
330 | * [Fiddler](http://www.telerik.com/fiddler) - 专为 Web 调试开发的 Web 代理
331 | * [Hale](https://github.com/pjlantz/Hale) - 僵尸网络 C&C 监视器
332 | * [Haka](http://www.haka-security.org/) - 一个安全导向的开源语言，用于在实时流量捕获时描述协议、应用安全策略
333 | * [INetSim](http://www.inetsim.org/) -  网络服务模拟。建设一个恶意软件分析实验室十分有用
334 | * [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS 是一种以文件为中心的恶意软件分析和入侵检测系统
335 | * [Malcom](https://github.com/tomchop/malcom) - 恶意软件通信分析仪
336 | * [Maltrail](https://github.com/stamparm/maltrail) - 一个恶意流量检测系统，利用公开的黑名单来检测恶意和可疑的通信流量，带有一个报告和分析界面
337 | * [mitmproxy](https://mitmproxy.org/) - 拦截网络流量通信
338 | * [Moloch](https://github.com/aol/moloch) - IPv4 流量捕获，带有索引和数据库系统
339 | * [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - 有免费版本的网络取证分析工具
340 | * [ngrep](http://ngrep.sourceforge.net/) - 像 grep 一样收集网络流量
341 | * [PcapViz](https://github.com/mateuszk87/PcapViz) - 网络拓扑与流量可视化
342 | * [Tcpdump](http://www.tcpdump.org/) - 收集网络流
343 | * [tcpick](http://tcpick.sourceforge.net/) - 从网络流量中重构 TCP 流
344 | * [tcpxtract](http://tcpxtract.sourceforge.net/) - 从网络流量中提取文件
345 | * [Wireshark](https://www.wireshark.org/) - 网络流量分析工具
346 | 
347 | ## 内存取证
348 | 
349 | *在内存映像或正在运行的系统中分析恶意软件的工具*
350 | 
351 | * [BlackLight](https://www.blackbagtech.com/blacklight.html) - 支持 hiberfil、pagefile 与原始内存分析的 Windows / MacOS 取证客户端
352 | * [DAMM](https://github.com/504ensicsLabs/DAMM) - 基于 Volatility 的内存中恶意软件的差异分析
353 | * [evolve](https://github.com/JamesHabben/evolve) - 用于 Volatility Memory 取证框架的 Web 界面
354 | * [FindAES](http://jessekornblum.livejournal.com/269749.html) - 在内存中寻找 AES 加密密钥
355 | * [Muninn](https://github.com/ytisf/muninn) - 一个使用 Volatility 的自动化分析脚本，可以生成一份可读报告
356 | * [Rekall](http://www.rekall-forensic.com/) - 内存分析框架，2013 年 Volatility 的分支版本
357 | * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - 基于 Volatility 自动执行多恶意样本分析任务的脚本
358 | * [VolDiff](https://github.com/aim4r/VolDiff) - 在恶意软件执行前后，在内存映像中运行 Volatility 并生成对比报告
359 | * [Volatility](https://github.com/volatilityfoundation/volatility) - 先进的内存取证框架
360 | * [VolUtility](https://github.com/kevthehermit/VolUtility) - Volatility 内存分析框架的 Web 接口
361 | * [WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365) - Windows 系统的实时内存检查和内核调试工具
362 | 
363 | ## Windows 神器
364 | 
365 | * [AChoir](https://github.com/OMENScan/AChoir) - 一个用来收集 Windows 实时事件响应脚本集
366 | * [python-evt](https://github.com/williballenthin/python-evt) - 用来解析 Windows 事件日志的 Python 库
367 | * [python-registry](http://www.williballenthin.com/registry/) - 用于解析注册表文件的 Python 库
368 | * [RegRipper](https://regripper.wordpress.com/) ([GitHub](https://github.com/keydet89/RegRipper2.8)) - 基于插件集的工具
369 | 
370 | ## 存储和工作流
371 | 
372 | * [Aleph](https://github.com/trendmicro/aleph) - 开源恶意软件分析管道系统
373 | * [CRITs](https://crits.github.io/) - 关于威胁、恶意软件的合作研究
374 | * [Malwarehouse](https://github.com/sroberts/malwarehouse) - 存储、标注与搜索恶意软件
375 | * [Polichombr](https://github.com/ANSSI-FR/polichombr) - 一个恶意软件分析平台，旨在帮助分析师逆向恶意软件。
376 | * [stoQ](http://stoq.punchcyber.com/) - 分布式内容分析框架，具有广泛的插件支持
377 | * [Viper](http://viper.li/) - 分析人员的二进制管理和分析框架
378 | 
379 | ## 杂项
380 | 
381 | * [al-khaser](https://github.com/LordNoteworthy/al-khaser) - 一个旨在突出反恶意软件系统的 PoC 恶意软件
382 | * [Binarly](http://www.binar.ly/search) - 海量恶意软件字节的搜索引擎
383 | * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - 反网络犯罪中心的恶意软件配置解析框架
384 | * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - 包含恶意软件利用的漏洞的数据库
385 | * [Malware Museum](https://archive.org/details/malwaremuseum) - 收集 20 世纪八九十年代流行的恶意软件
386 | * [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish，与恶意软件家族的行为一致，采用多种技术来检测沙盒和分析环境的演示工具
387 | * [REMnux](https://remnux.org/) - 面向恶意软件逆向工程师和分析人员的 Linux 发行版和 Docker 镜像
388 | * [Santoku Linux](https://santoku-linux.com/) - 移动取证的 Linux 发行版
389 | 
390 | # 资源
391 | 
392 | ## 书籍
393 | 
394 | *基础恶意软件分析阅读书单*
395 | 
396 | * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - 打击恶意代码的工具和技术
397 | * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - 剖析恶意软件的手边书
398 | * [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - 计算机安全与应急响应
399 | * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - 在 Windows、Linux 和 Mac 系统的内存中检测恶意软件和威胁
400 | * [The IDA Pro Book](https://amzn.com/dp/1593272898) - 世界上最流行的反汇编器的非官方指南
401 | * [Real Digital Forensics](https://amzn.com/dp/144962636X) - 用于移动取证、恶意软件分析的 Linux 发行版
402 | 
403 | ## Twitter
404 | 
405 | *一些相关的 Twitter 账户*
406 | 
407 | * Adamb [@Hexacorn](https://twitter.com/Hexacorn)
408 | * Andrew Case [@attrc](https://twitter.com/attrc)
409 | * Binni Shah [@binitamshah](https://twitter.com/binitamshah)
410 | * Claudio [@botherder](https://twitter.com/botherder)
411 | * Dustin Webber [@mephux](https://twitter.com/mephux)
412 | * Glenn [@hiddenillusion](https://twitter.com/hiddenillusion)
413 | * jekil [@jekil](https://twitter.com/jekil)
414 | * Jurriaan Bremer [@skier_t](https://twitter.com/skier_t)
415 | * Lenny Zeltser [@lennyzeltser](https://twitter.com/lennyzeltser)
416 | * Liam Randall [@hectaman](https://twitter.com/hectaman)
417 | * Mark Schloesser [@repmovsb](https://twitter.com/repmovsb)
418 | * Michael Ligh (MHL) [@iMHLv2](https://twitter.com/iMHLv2)
419 | * Monnappa [@monnappa22](https://twitter.com/monnappa22)
420 | * Open Malware [@OpenMalware](https://twitter.com/OpenMalware)
421 | * Richard Bejtlich [@taosecurity](https://twitter.com/taosecurity)
422 | * Volatility [@volatility](https://twitter.com/volatility)
423 | 
424 | ## 其它
425 | 
426 | * [APT Notes](https://github.com/kbandla/APTnotes) - 一个收集 APT 相关文献的合辑
427 | * [File Formats posters](https://github.com/corkami/pics) - 常用文件格式的可视化（包括 PE 与 ELF）
428 | * [Honeynet Project](http://honeynet.org/) - 蜜罐工具、论文和其他资源
429 | * [Kernel Mode](http://www.kernelmode.info/forum/) - 一个致力于恶意软件分析和内核开发的活跃社区
430 | * [Malicious Software](https://zeltser.com/malicious-software/) - Lenny Zeltser 的恶意软件博客和资源
431 | * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - [Corey Harrell](journeyintoir.blogspot.com/) 自定义的用于恶意软件分析的 Google 搜索
432 | * [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - 由 Xiang Fu 博士提供的恶意软件分析教程，是一个学习恶意软件分析的重要资源
433 | * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - 此博客重点介绍与恶意软件感染相关的网络流量
434 | * [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - 此软件包包含 Practical Malware Analysis 书中引用的大多数软件
435 | * [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan Carvey 的恶意软件页面
436 | * [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - CSIRT 工具和资源的子版块，讲[恶意软件分析](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on)的天才
437 | * [/r/Malware](https://www.reddit.com/r/Malware) - 恶意软件的子版块
438 | * [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) - 逆向工程子版块，不仅限于恶意软件
439 | 
440 | # 相关 Awesome 清单
441 | 
442 | * [Android Security](https://github.com/ashishb/android-security-awesome)
443 | * [AppSec](https://github.com/paragonie/awesome-appsec)
444 | * [CTFs](https://github.com/apsdehal/awesome-ctf)
445 | * [Forensics](https://github.com/Cugu/awesome-forensics)
446 | * ["Hacking"](https://github.com/carpedm20/awesome-hacking)
447 | * [Honeypots](https://github.com/paralax/awesome-honeypots)
448 | * [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security)
449 | * [Incident-Response](https://github.com/meirwah/awesome-incident-response)
450 | * [Infosec](https://github.com/onlurking/awesome-infosec)
451 | * [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
452 | * [Pentesting](https://github.com/enaqx/awesome-pentest)
453 | * [Security](https://github.com/sbilly/awesome-security)
454 | * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
455 | * [YARA](https://github.com/InQuest/awesome-yara)
456 | 
457 | # [做出贡献](CONTRIBUTING.md)
458 | 
459 | 欢迎提出问题或者 Pull requests！请在提交 Pull request 之前阅读 [CONTRIBUTING][1]。
460 | 
461 | # 致谢
462 | 
463 | 这个列表需要感谢如下一些人:
464 | 
465 | * Lenny Zeltser 和 REMnux 的其他开发者贡献了这个列表中很多工具
466 | * Michail Hale Ligh、Steven Adair、Blake Hartstein 和 Mather Richard 著有 *Malware Analyst's Cookbook*，这本书为这个列表的创建提供了很大的灵感
467 | * 每一个提交 Pull request 以及提出建议的人
468 | 
469 | 十分感谢!
470 | 
471 | 
472 |   [1]: https://github.com/rshipp/awesome-malware-analysis/blob/master/CONTRIBUTING.md
473 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Awesome Malware Analysis
  2 | 
  3 | [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
  4 | 
  5 | A curated list of awesome malware analysis tools and resources. Inspired by
  6 | [awesome-python](https://github.com/vinta/awesome-python) and
  7 | [awesome-php](https://github.com/ziadoz/awesome-php).
  8 | 
  9 | - [Awesome Malware Analysis](#awesome-malware-analysis)
 10 |     - [Malware Collection](#malware-collection)
 11 |         - [Anonymizers](#anonymizers)
 12 |         - [Honeypots](#honeypots)
 13 |         - [Malware Corpora](#malware-corpora)
 14 |     - [Open Source Threat Intelligence](#open-source-threat-intelligence)
 15 |         - [Tools](#tools)
 16 |         - [Other Resources](#other-resources)
 17 |     - [Detection and Classification](#detection-and-classification)
 18 |     - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
 19 |     - [Domain Analysis](#domain-analysis)
 20 |     - [Browser Malware](#browser-malware)
 21 |     - [Documents and Shellcode](#documents-and-shellcode)
 22 |     - [File Carving](#file-carving)
 23 |     - [Deobfuscation](#deobfuscation)
 24 |     - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
 25 |     - [Network](#network)
 26 |     - [Memory Forensics](#memory-forensics)
 27 |     - [Windows Artifacts](#windows-artifacts)
 28 |     - [Storage and Workflow](#storage-and-workflow)
 29 |     - [Miscellaneous](#miscellaneous)
 30 | - [Resources](#resources)
 31 |     - [Books](#books)
 32 |     - [Twitter](#twitter)
 33 |     - [Other](#other)
 34 | - [Related Awesome Lists](#related-awesome-lists)
 35 | - [Contributing](#contributing)
 36 | - [Thanks](#thanks)
 37 | 
 38 | ---
 39 | 
 40 | ## Malware Collection
 41 | 
 42 | ### Anonymizers
 43 | 
 44 | *Web traffic anonymizers for analysts.*
 45 | 
 46 | * [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
 47 | * [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
 48 | * [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
 49 |   privacy features.
 50 | * [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
 51 |   without leaving traces of the client IP.
 52 | 
 53 | ### Honeypots
 54 | 
 55 | *Trap and collect your own samples.*
 56 | 
 57 | * [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
 58 | * [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
 59 |   on Kippo.  
 60 | * [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots.  
 61 | * [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.   
 62 | * [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
 63 | * [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
 64 | * [HoneyDrive](http://bruteforcelab.com/honeydrive) - Honeypot bundle Linux distro.
 65 | * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
 66 |   honeypot data; supports Dionaea.
 67 | * [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
 68 |   investigating malicious websites.
 69 | 
 70 | ### Malware Corpora
 71 | 
 72 | *Malware samples collected for analysis.*
 73 | 
 74 | * [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime
 75 |   database of malware and malicious domains.
 76 | * [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
 77 |   malware samples and analyses.
 78 | * [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
 79 |   samples.
 80 | * [Malshare](https://malshare.com) - Large repository of malware actively
 81 |   scrapped from malicious sites.
 82 | * [MalwareDB](http://malwaredb.malekal.com/) - Malware samples repository.
 83 | * [Open Malware Project](http://openmalware.org/) - Sample information and
 84 |   downloads. Formerly Offensive Computing.
 85 | * [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware
 86 |   crawler with pre-analysis and reporting functionalities
 87 | * [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
 88 |   analysts.
 89 | * [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker
 90 |   and malicious download sites.
 91 | * [ViruSign](http://www.virussign.com/) - Malware database that detected by
 92 |   many anti malware programs except ClamAV.
 93 | * [VirusShare](https://virusshare.com/) - Malware repository, registration
 94 |   required.
 95 | * [VX Vault](http://vxvault.net) - Active collection of malware samples.
 96 | * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
 97 |   of malware sample sources put together by Lenny Zeltser.
 98 | * [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus
 99 |   trojan leaked in 2011.
100 | 
101 | ## Open Source Threat Intelligence
102 | 
103 | ### Tools
104 | 
105 | *Harvest and analyze IOCs.*
106 | 
107 | * [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source
108 |   framework for receiving and redistributing abuse feeds and threat intel.
109 | * [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and
110 |   collaborate in developing Threat Intelligence.
111 | * [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat
112 |   Intelligence indicators from publicly available sources.
113 | * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
114 | * [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
115 | * [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) -
116 |   A tool for CERTs for processing incident data using a message queue.
117 | * [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) -
118 |   A free editor for XML IOC files.
119 | * [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for
120 |   working with OpenIOC objects, from Mandiant.
121 | * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
122 |   Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
123 |   from various lists. Curated by the
124 |   [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
125 | * [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
126 |   Platform curated by [The MISP Project](http://www.misp-project.org/).
127 | * [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
128 | * [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
129 | * [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
130 |   share IPs and domains. (Was PassiveTotal.)
131 | * [threataggregator](https://github.com/jpsenior/threataggregator) -
132 |   Aggregates security threats from a number of sources, including some of
133 |   those listed below in [other resources](#other-resources).
134 | * [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats,
135 |   with graphical visualization.
136 | * [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python
137 |   script to monitor and generate alerts based on IOCs indexed by a set of
138 |   Google Custom Search Engines.
139 | * [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization
140 |   and statistical analysis of Threat Intelligence feeds.
141 | 
142 | ### Other Resources
143 | 
144 | *Threat intelligence and IOC resources.*
145 | 
146 | * [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) -
147 |   Snort plugin and blocklist.
148 | * [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) -
149 |   OSINT feeds based on malicious DGA algorithms.
150 | * [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) -
151 |   Extensive malware config database (must request access).
152 | * [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) -
153 |   Network security blocklists.
154 | * [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free
155 |   intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
156 | * [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
157 | * [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
158 |   shared publicly by FireEye.
159 | * [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists
160 |   with a focus on attacks, malware and abuse. Evolution, Changes History,
161 |   Country Maps, Age of IPs listed, Retention Policy, Overlaps.
162 | * [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
163 | * [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
164 |   searchable incident database, with a web [API](https://dshield.org/api/).
165 |   ([unofficial Python library](https://github.com/rshipp/python-dshield)).
166 | * [malc0de](http://malc0de.com/database/) - Searchable incident database.
167 | * [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
168 |   malicious URLs.
169 | * [Metadefender Threat Intelligence Feeds](https://metadefender.opswat.com/threat-intelligence-feeds) -
170 |   List of the most looked up file hashes from Metadefender malware feed.
171 | * [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
172 | * [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
173 |   Rulesets and more. (Formerly Emerging Threats.)
174 | * [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
175 |   A list of ransomware overview with details, detection and prevention.
176 | * [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
177 |   Standardized language to represent and share cyber threat information.
178 |   Related efforts from [MITRE](https://www.mitre.org/):
179 |   - [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/)
180 |   - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
181 |   - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
182 |   - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
183 | * [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
184 |   intelligence, with search.
185 | * [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
186 |   free per month.
187 | * [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
188 | * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
189 |   blocklists.
190 | 
191 | ## Detection and Classification
192 | 
193 | *Antivirus and other malware identification tools*
194 | 
195 | * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
196 |   variety of tools for reporting on Windows PE files.
197 | * [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - A scalable 
198 |   distributed file analysis framework.
199 | * [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
200 |   AWS pipeline that scans and alerts on uploaded files based on a set of
201 |   YARA rules.
202 | * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
203 | * [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
204 | * [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy) - A program for
205 |   determining types of files.
206 | * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
207 |   edit file metadata.
208 | * [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
209 |   Modular, recursive file scanning solution.
210 | * [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
211 |   a variety of algorithms.
212 | * [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
213 | * [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
214 |   compare malware at a function level.
215 | * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
216 |   framework.
217 | * [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
218 |   scanning/analysis framework
219 | * [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
220 |   up hashes in NIST's National Software Reference Library database.
221 | * [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform
222 |   Python alternative to PEiD.
223 | * [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
224 |   files, providing feature-rich tools for proper analysis of suspicious binaries.
225 | * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
226 | * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
227 | * [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
228 |   Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
229 |   database.
230 | * [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
231 | * [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
232 |   analysts.
233 | * [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate
234 |   yara rules based on a set of malware samples. Also contains a good
235 |   strings DB to avoid false positives.
236 | 
237 | 
238 | ## Online Scanners and Sandboxes
239 | 
240 | *Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
241 | 
242 | * [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
243 | * [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
244 |   against multiple mobile antivirus apps.
245 | * [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu online scanner and
246 |   malware repository.
247 | * [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents.
248 | * [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted
249 |   sandbox and automated analysis system.
250 | * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
251 |   version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
252 |   legal concerns by the author.
253 | * [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
254 |   Python API used to control a cuckoo-modified sandbox.
255 | * [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
256 |   machine-learning classification.
257 | * [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
258 |   traffic analysis of Linux malwares and capturing IOCs.
259 | * [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
260 |   system.
261 | * [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
262 |   firmware package.
263 | * [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
264 |   Analysis Tool for Linux ELF Files.
265 | * [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
266 |   analysis tool, powered by VxSandbox.
267 | * [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by
268 |   identifying code reuse and code similarities.
269 | * [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
270 |   analysis platform for suspicious files.
271 | * [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
272 | * [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
273 | * [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
274 | * [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
275 |   of malware behavior.
276 | * [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
277 |   online malware and URL analysis services.
278 | * [Malware config](https://malwareconfig.com/) - Extract, decode and display online
279 |   the configuration settings from common malwares.
280 | * [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
281 |   instance.
282 | * [Metadefender](https://metadefender.opswat.com/ ) - Scan a file, hash or IP
283 |   address for malware (free).
284 | * [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
285 |   pcap files and facilitates the quick detection of viruses, worms, trojans, and all
286 |   kinds of malware using Suricata configured with EmergingThreats Pro.
287 | * [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
288 |   collect information about malware in a sandboxed environment.
289 | * [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within. 
290 | * [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
291 | * [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
292 | * [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
293 |   script for safely uploading binaries to sandbox sites.
294 | * [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
295 |   is a framework for building test automation in secured Environments.
296 | * [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
297 | * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
298 |   samples and URLs
299 | * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
300 |   visualization library and command line tools for logs.  (Cuckoo, Procmon, more
301 |   to come...)
302 | * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
303 |   automated sandboxes and services, compiled by Lenny Zeltser.
304 | 
305 | ## Domain Analysis
306 | 
307 | *Inspect domains and IP addresses.*
308 | 
309 | * [badips.com](https://www.badips.com/) - Community based IP blacklist service.
310 | * [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
311 |   for consistent and safe capture of off network web resources.
312 | * [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
313 |   search.
314 | * [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
315 |   much metadata as possible for a website and to assess its good standing.
316 | * [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
317 |   network tools.
318 | * [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
319 |   engine for detecting typo squatting, phishing and corporate espionage.
320 | * [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
321 |   about an IP or domain by searching online resources.
322 | * [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for
323 |   gathering information about URLs, IPs, or hashes. Similar to Automator.
324 | * [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language
325 |   temporary email detection library.
326 | * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
327 |   for the VirusTotal API. Allows domain/IP research, and searching for file
328 |   hashes and scan reports.
329 | * [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
330 |   confirmed reverse DNS lookup over more than 300 RBLs.
331 | * [NormShield Services](https://services.normshield.com/) - Free API Services
332 |   for detecting possible phishing domains, blacklisted ip addresses and breached
333 |   accounts.
334 | * [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
335 | * [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
336 |   domains and IPs.
337 | * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
338 |   and Security Scanner.
339 | * [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
340 |   or network owner. (Previously SenderBase.)
341 | * [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
342 |   for gathering information about URLs, IPs, or hashes.
343 | * [URLQuery](http://urlquery.net/) - Free URL Scanner.
344 | * [Whois](https://whois.domaintools.com/) - DomainTools free online whois
345 |   search.
346 | * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
347 |   online tools for researching malicious websites, compiled by Lenny Zeltser.
348 | * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
349 | 
350 | ## Browser Malware
351 | 
352 | *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
353 | [documents and shellcode](#documents-and-shellcode) sections.*
354 | 
355 | * [Firebug](https://getfirebug.com/) - Firefox extension for web development.
356 | * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
357 | * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
358 |   IDX cache files.
359 | * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
360 |   malware analysis tool.
361 | * [jsunpack-n](https://github.com/urule99/jsunpack-n) - A javascript
362 |   unpacker that emulates browser functionality.
363 | * [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler,
364 |   assembler, and disassembler.
365 | * [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
366 | * [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust
367 |   ActionScript Bytecode Disassembler."
368 | * [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash
369 |   files.
370 | * [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
371 |   Python script for analyzing Flash files.
372 | 
373 | ## Documents and Shellcode
374 | 
375 | *Analyze malicious JS and shellcode from PDFs and Office documents. See also
376 | the [browser malware](#browser-malware) section.*
377 | 
378 | * [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
379 |   analyzing PDFs and attempting to determine whether they are malicious.
380 | * [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript
381 |   malware, featuring JScript/WScript support and ActiveX emulation.
382 | * [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
383 |   malicious shellcode.
384 | * [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
385 | * [JS Deobfuscator](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) -
386 |   Deobfuscate simple Javascript that use eval or document.write to conceal
387 |   its code.
388 | * [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
389 |   emulation.
390 | * [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
391 |   into a JSON representation.
392 | * [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
393 |   malicious traces in MS Office documents.
394 | * [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE
395 |   and OpenXML documents and extracting useful information.
396 | * [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for
397 |   analyzing malicious PDFs, and more.
398 | * [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
399 |   pdf-parser, and more from Didier Stevens.
400 | * [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
401 |   the backend-free version of PDF X-RAY.
402 | * [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
403 |   tool for exploring possibly malicious PDFs.
404 | * [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework
405 |   to analyze suspected malware documents to identify exploits in streams of different
406 |   encodings and to locate and extract embedded executables.
407 | * [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
408 |   Mozilla's JavaScript engine, for debugging malicious JS.
409 | 
410 | ## File Carving
411 | 
412 | *For extracting files from inside disk and memory images.*
413 | 
414 | * [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
415 |   carving tool.
416 | * [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows
417 |   Event Log files from raw binary data.
418 | * [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
419 |   by the US Air Force.
420 | * [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library 
421 |   to view and edit a binary stream field by field.
422 | * [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
423 |   tool.
424 | * [SFlock](https://github.com/jbremer/sflock) - Nested archive
425 |   extraction/unpacking (used in Cuckoo Sandbox).
426 | 
427 | ## Deobfuscation
428 | 
429 | *Reverse XOR and other code obfuscation methods.*
430 | 
431 | * [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware
432 |   analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
433 | * [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and
434 |   unpacker.
435 | * [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html)
436 |   & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) -
437 |   Two tools from Alexander Hanel for working with single-byte XOR encoded
438 |   files.
439 | * [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated
440 |   String Solver uses advanced static analysis techniques to automatically
441 |   deobfuscate strings from malware binaries.
442 | * [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte
443 |   XOR key using frequency analysis.
444 | * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic
445 |   hidden code extractor for Windows malware.
446 | * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware
447 |   unpacker for Windows malware based on WinAppDbg.
448 | * [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using
449 |   known-plaintext attacks.
450 | * [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) -
451 |   Reverse engineering tool for virtualization wrappers.
452 | * [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) -
453 |   A Python script for brute forcing single-byte XOR keys.
454 | * [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) -
455 |   A couple programs from Didier Stevens for finding XORed data.
456 | * [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as
457 |   well as the key itself.
458 | 
459 | ## Debugging and Reverse Engineering
460 | 
461 | *Disassemblers, debuggers, and other static and dynamic analysis tools.*
462 | 
463 | * [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis
464 |   framework developed at UCSB's Seclab.
465 | * [bamfdetect](https://github.com/bwall/bamfdetect) - Identifies and extracts
466 |   information from bots and other malware.
467 | * [BAP](https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and
468 |   open source (MIT) binary analysis framework developed at CMU's Cylab.
469 | * [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open
470 |   source Binary Analysis and Reverse engineering Framework.
471 | * [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
472 |   reverse engineering based on graph visualization.
473 | * [Binary ninja](https://binary.ninja/) - A reversing engineering platform
474 |   that is an alternative to IDA.
475 | * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
476 | * [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
477 |   ([mirror](https://github.com/inguma/bokken))
478 | * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
479 |   binary analysis and reversing, with support for many architectures and
480 |   bindings in several languages.
481 | * [codebro](https://github.com/hugsy/codebro) - Web based code browser using
482 |   clang to provide basic code analysis.
483 | * [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF) 
484 |   - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
485 | * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
486 |   and debugger.
487 | * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
488 |   modular debugger with a Qt GUI.
489 | * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration
490 |   and tracing of the Windows kernel.
491 | * [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
492 |   open TCP/IP and UDP ports in a live system and maps them to the owning application.
493 | * [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
494 | * [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
495 |   and reverse engineers.
496 | * [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
497 |   search for strings in PE executables including imports, exports, and debug
498 |   symbols.
499 | * [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler.
500 | * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
501 |   disassembler and debugger, with a free evaluation version.
502 | * [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
503 |   malware analysis and more, with a Python API.
504 | * [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
505 | * [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols /
506 |   data structures reverse engineering and dissection, with code generation
507 |   for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
508 | * [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library
509 |   to parse, modify and abstract ELF, PE and MachO formats.
510 | * [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
511 | * [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
512 |   for static analysis of Linux binaries.
513 | * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
514 |   executables.
515 | * [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
516 |   Dynamic Analysis.
517 | * [PEDA](https://github.com/longld/peda) - Python Exploit Development
518 |   Assistance for GDB, an enhanced display with added commands.
519 | * [pestudio](https://winitor.com/) - Perform static analysis of Windows
520 |   executables.
521 | * [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
522 |   can be used to perform automated static analysis of binaries.
523 | * [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
524 |   disassembler for x86/ARM/MIPS.
525 | * [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
526 |   reversers, malware researchers and those who want to statically inspect PE
527 |   files in more detail.
528 | * [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
529 |   Advanced task manager for Windows.
530 | * [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
531 |   system resources.
532 | * [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
533 |   Advanced monitoring tool for Windows programs.
534 | * [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
535 |   command-line tools that help manage and investigate live systems.
536 | * [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
537 |   analysis.
538 | * [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
539 |   engineering sandbox by the Talos team at Cisco.
540 | * [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
541 |   server for stealth debugging.
542 | * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
543 |   debugger support.
544 | * [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
545 |   that compares snapshots.
546 | * [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
547 |   [online decompilation service](https://retdec.com/decompilation/) and
548 |   [API](https://retdec.com/api/) that you can use in your tools.
549 | * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
550 |   and decompile complex code-reuse attacks.
551 | * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
552 |   plugin for Sublime 3 to aid with malware analyis.
553 | * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
554 |   Linux executables.
555 | * [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
556 | * [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
557 |   for x86 and x86_64.
558 | * [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
559 |   malware analysis.
560 | * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
561 | * [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
562 | 
563 | ## Network
564 | 
565 | *Analyze network interactions.*
566 | 
567 | * [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible
568 |   scale; both file and network protocols.
569 | * [BroYara](https://github.com/hempnall/broyara) - Use Yara rules from Bro.
570 | * [CapTipper](https://github.com/omriher/CapTipper) -  Malicious HTTP traffic
571 |   explorer.
572 | * [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and
573 |   decoding framework.
574 | * [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis
575 |   and malware traffic detection.
576 | * [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed
577 |   for "web debugging."
578 | * [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor.
579 | * [Haka](http://www.haka-security.org/) - An open source security oriented
580 |   language for describing protocols and applying security policies on (live)
581 |   captured traffic.
582 | * [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing
583 |   and reading out PCAP files, including TLS streams using TLS Master Secrets
584 |   (used in Cuckoo Sandbox).
585 | * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
586 |   building a malware lab.
587 | * [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
588 |   malware analysis and intrusion detection system.
589 | * [Malcom](https://github.com/tomchop/malcom) - Malware Communications
590 |   Analyzer.
591 | * [Maltrail](https://github.com/stamparm/maltrail) - A malicious traffic
592 |   detection system, utilizing publicly available (black)lists containing
593 |   malicious and/or generally suspicious trails and featuring an reporting
594 |   and analysis interface.
595 | * [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly.
596 | * [Moloch](https://github.com/aol/moloch) - IPv4 traffic capturing, indexing
597 |   and database system.
598 | * [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network
599 |   forensic analysis tool, with a free version.
600 | * [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic
601 |   like grep.
602 | * [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
603 |   traffic visualizer.
604 | * [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
605 |   ICAP Server with yara scanner for URL or content.
606 | * [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
607 |   designed to analyze a web-based network traffic to detect central command
608 |   and control (C&C) servers and malicious sites, using Squid proxy server and
609 |   Spamhaus.
610 | * [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
611 | * [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
612 |   from network traffic.
613 | * [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network
614 |   traffic.
615 | * [Wireshark](https://www.wireshark.org/) - The network traffic analysis
616 |   tool.
617 | 
618 | ## Memory Forensics
619 | 
620 | *Tools for dissecting malware in memory images or running systems.*
621 | 
622 | * [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
623 |   forensics client supporting hiberfil, pagefile, raw memory analysis.
624 | * [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
625 |   Malware in Memory, built on Volatility.
626 | * [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
627 |   Volatility Memory Forensics Framework.
628 | * [FindAES](https://sourceforge.net/projects/findaes/) - Find AES
629 |   encryption keys in memory.
630 | * [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
631 |   analysis framework developed in .NET supports all Windows x64, includes
632 |   code integrity and write support.
633 | * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
634 |   of analysis using Volatility, and create a readable report.
635 | * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
636 |   forked from Volatility in 2013.
637 | * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
638 |   on Volatility for automating various malware analysis tasks.
639 | * [VolDiff](https://github.com/aim4r/VolDiff) - Run Volatility on memory
640 |   images before and after malware execution, and report changes.
641 | * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced
642 |   memory forensics framework.
643 | * [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for
644 |   Volatility Memory Analysis framework.
645 | * [WDBGARK](https://github.com/swwwolf/wdbgark) -
646 |   WinDBG Anti-RootKit Extension.
647 | * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
648 |   Live memory inspection and kernel debugging for Windows systems.
649 | 
650 | ## Windows Artifacts
651 | 
652 | * [AChoir](https://github.com/OMENScan/AChoir) - A live incident response
653 |   script for gathering Windows artifacts.
654 | * [python-evt](https://github.com/williballenthin/python-evt) - Python
655 |   library for parsing Windows Event Logs.
656 | * [python-registry](http://www.williballenthin.com/registry/) - Python
657 |   library for parsing registry files.
658 | * [RegRipper](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/)
659 |   ([GitHub](https://github.com/keydet89/RegRipper2.8)) -
660 |   Plugin-based registry analysis tool.
661 | 
662 | ## Storage and Workflow
663 | 
664 | * [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis
665 |   Pipeline System.
666 | * [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
667 |   malware and threat repository.
668 | * [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
669 |   framework featuring a pipeline that can be extended with custom modules,
670 |   which can be chained and interact with each other to perform end-to-end
671 |   analysis.
672 | * [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
673 |   search malware.
674 | * [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
675 |   platform designed to help analysts to reverse malwares collaboratively.
676 | * [stoQ](http://stoq.punchcyber.com) - Distributed content analysis
677 |   framework with extensive plugin support, from input to output, and everything
678 |   in between.
679 | * [Viper](http://viper.li/) - A binary management and analysis framework for
680 |   analysts and researchers.
681 | 
682 | ## Miscellaneous
683 | 
684 | * [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware
685 |   with good intentions that aimes to stress anti-malware systems.
686 | * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
687 |   The Defense Cyber Crime Center's Malware Configuration Parser framework.
688 | * [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable,
689 |   Windows-based, security distribution for malware analysis.
690 | * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database
691 |   containing exploits used by malware.
692 | * [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of
693 |   malware programs that were distributed in the 1980s and 1990s.
694 | * [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
695 | * [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
696 |   tool that employs several techniques to detect sandboxes and analysis
697 |   environments in the same way as malware families do.
698 | * [REMnux](https://remnux.org/) - Linux distribution and docker images for
699 |   malware reverse engineering and analysis.
700 | * [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile
701 |   forensics, malware analysis, and security.
702 | 
703 | # Resources
704 | 
705 | ## Books
706 | 
707 | *Essential malware analysis reading material.*
708 | 
709 | * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
710 |   Tools and Techniques for Fighting Malicious Code.
711 | * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
712 |   Guide to Dissecting Malicious Software.
713 | * [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
714 |   Intermediate Reverse Engineering.
715 | * [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
716 |   Security and Incident Response.
717 | * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
718 |   Malware and Threats in Windows, Linux, and Mac Memory.
719 | * [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
720 |   to the World's Most Popular Disassembler.
721 | * [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - The Rootkit Arsenal:
722 |   Escape and Evasion in the Dark Corners of the System
723 | 
724 | ## Twitter
725 | 
726 | *Some relevant Twitter accounts.*
727 | 
728 | * Adamb [@Hexacorn](https://twitter.com/Hexacorn)
729 | * Andrew Case [@attrc](https://twitter.com/attrc)
730 | * Binni Shah [@binitamshah](https://twitter.com/binitamshah)
731 | * Claudio [@botherder](https://twitter.com/botherder)
732 | * Dustin Webber [@mephux](https://twitter.com/mephux)
733 | * Glenn [@hiddenillusion](https://twitter.com/hiddenillusion)
734 | * jekil [@jekil](https://twitter.com/jekil)
735 | * Jurriaan Bremer [@skier_t](https://twitter.com/skier_t)
736 | * Lenny Zeltser [@lennyzeltser](https://twitter.com/lennyzeltser)
737 | * Liam Randall [@hectaman](https://twitter.com/hectaman)
738 | * Mark Schloesser [@repmovsb](https://twitter.com/repmovsb)
739 | * Michael Ligh (MHL) [@iMHLv2](https://twitter.com/iMHLv2)
740 | * Monnappa [@monnappa22](https://twitter.com/monnappa22)
741 | * Open Malware [@OpenMalware](https://twitter.com/OpenMalware)
742 | * Richard Bejtlich [@taosecurity](https://twitter.com/taosecurity)
743 | * Volatility [@volatility](https://twitter.com/volatility)
744 | 
745 | ## Other
746 | 
747 | * [APT Notes](https://github.com/aptnotes/data) - A collection of papers
748 |   and notes related to Advanced Persistent Threats.
749 | * [File Formats posters](https://github.com/corkami/pics) - Nice visualization
750 |   of commonly used file format (including PE & ELF).
751 | * [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
752 |   other resources.
753 | * [Kernel Mode](http://www.kernelmode.info/forum/) - An active community
754 |   devoted to malware analysis and kernel development.
755 | * [Malicious Software](https://zeltser.com/malicious-software/) - Malware
756 |   blog and resources by Lenny Zeltser.
757 | * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
758 |   Custom Google search engine from [Corey Harrell](journeyintoir.blogspot.com/).
759 | * [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) -   The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
760 |   practical malware analysis.
761 | * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This
762 |   blog focuses on network traffic related to malware infections.
763 | * [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) -
764 |   This package contains most of the software referenced in the Practical Malware
765 |   Analysis book.
766 | * [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - These are the
767 |   course materials used in the Malware Analysis course at at Rensselaer Polytechnic
768 |   Institute during Fall 2015.
769 | * [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan
770 |   Carvey's page on Malware.
771 | * [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) - Windows registry file format specification.
772 | * [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT
773 |   tools and resources, with a
774 |   [malware analysis](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on) flair.
775 | * [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit.
776 | * [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) -
777 |   Reverse engineering subreddit, not limited to just malware.
778 | 
779 | 
780 | 
781 | 
782 | # Related Awesome Lists
783 | 
784 | * [Android Security](https://github.com/ashishb/android-security-awesome)
785 | * [AppSec](https://github.com/paragonie/awesome-appsec)
786 | * [CTFs](https://github.com/apsdehal/awesome-ctf)
787 | * [Forensics](https://github.com/Cugu/awesome-forensics)
788 | * ["Hacking"](https://github.com/carpedm20/awesome-hacking)
789 | * [Honeypots](https://github.com/paralax/awesome-honeypots)
790 | * [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security)
791 | * [Incident-Response](https://github.com/meirwah/awesome-incident-response)
792 | * [Infosec](https://github.com/onlurking/awesome-infosec)
793 | * [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
794 | * [Pentesting](https://github.com/enaqx/awesome-pentest)
795 | * [Security](https://github.com/sbilly/awesome-security)
796 | * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
797 | * [YARA](https://github.com/InQuest/awesome-yara)
798 | 
799 | # [Contributing](CONTRIBUTING.md)
800 | 
801 | Pull requests and issues with suggestions are welcome! Please read the
802 | [CONTRIBUTING](CONTRIBUTING.md) guidelines before submitting a PR.
803 | 
804 | # Thanks
805 | 
806 | This list was made possible by:
807 | 
808 | * Lenny Zeltser and other contributors for developing REMnux, where I
809 |   found many of the tools in this list;
810 | * Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
811 |   writing the *Malware Analyst's Cookbook*, which was a big inspiration for
812 |   creating the list;
813 | * And everyone else who has sent pull requests or suggested links to add here!
814 | 
815 | Thanks!
816 | 


--------------------------------------------------------------------------------