# malware-gems

## NOTE: WORK IN PROGRESS! (Updated 1 July 2020)

### What's this all about?
This page contains a list of mostly malware analysis / reverse engineering related tools, training, podcasts, blog posts, literature and just about anything else closely related to the topic. This page serves as a catalog of sorts, containing "gems", some of which you may have stumbled across, and many others that you may not have.

### Who is this page aimed at?

#### Myself:
When first starting out, I was overwhelmed by how malware/RE related material was somewhat scattered all over the Internet. With a limited availability of books and training, I started to collect my go-to sites for certain resources and tools in order to achieve certain tasks.

#### Beginners:
I often get asked "how do you get started in malware analysis / RE?". I'm hoping this list will provide a starting point at least. Anyone who has been practicing malware analysis for even a small amount of time knows that there really is no single resource or location that will simply teach the art of malware analysis / RE. Plain and simple. That said, having a useful list of links is at least a starting point. However, one caveat is that this list should NOT replace your OWN time spent researching and learning by yourself. This is very much part of "the journey" towards becoming a better malware analyst / RE, similar to that of becoming a l33t h4x0r! ;)

#### Anyone else:
Regardless of skill/experience level, even the more experienced malware analyst / RE may hopefully find one or two useful gems on this page that they haven't yet stumbled across. This is where the name "malware-gems" originated from... Original, I know.. ;)

### Isn't this similar to other "awesome" lists that exist on Github?
Perhaps. While the various awesome "awesome" lists (as awesome as they are) gave me inspiration, I wanted to centralise my own tools/links etc. due to growing my own malware analysis skills, in the hope that once I have things in one page, things may hopefully become a bit clearer in my head! In some ways, as awesome as the other various "awesome" lists are, I hope that this list will in itself be just as awesome, due to the fact that this reflects a true and current representation of a malware analyst such as myself, who is building up their own knowledge with active links to tools, reading material etc.!

### Anything else?

If you have any feedback or would like your site listed, feel free to reach out via Twitter.
Twitter handle: [0x4143](https://twitter.com/0x4143)

###### Disclaimer:
* Full credits/props/respect to all the respective authors for their content.
* I suspect that this list may morph gradually over time to possibly include other infosec related tools/links that aren't directly related to malware or RE, but I will try my very best to stay on topic! =)
* The links contained in each section are currently in no particular order.
* I may clean up the order at some point, e.g. alphabetize, or order by preference.
* Some tools/links may likely be in the wrong category; I will review this as time goes on.
* This is a work-in-progress so bear with me!
* Sharing is caring, so feel free to forward this link around.
* "Haters gonna hate"!
* And last but not least, **enjoy!** =)


# Adversary Emulation:
* APTSimulator - https://github.com/NextronSystems/APTSimulator
* Caldera - https://github.com/mitre/caldera
* Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
* Red Team Automation - https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation
* Cobalt Strike - https://www.cobaltstrike.com/
* Red Teaming/Adversary Simulation Toolkit - https://0xsp.com/offensive/red-teaming-toolkit-collection
* Invoke-APT29 - https://github.com/carbonblack/tau-tools/tree/master/threat_emulation/Invoke-APT29


# Books:
* Intelligence Driven Incident Response - http://shop.oreilly.com/product/0636920043614.do
* Practical Malware Analysis - https://www.nostarch.com/malware
* Reversing: Secrets of Reverse Engineering - http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0764574817.html
* Practical Reverse Engineering - http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html
* Malware Analyst Cookbook - http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470613033.html
* IDA Pro Book - https://www.nostarch.com/idapro2.htm
* Art of Assembly - http://www.plantation-productions.com/Webster/www.artofasm.com/index.html
* The Art of Memory Forensics - http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118825098.html
* Windows Internals Book 1 - https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739
* Windows Internals Book 2 - https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873
* Hacking: The Art of Exploitation - https://www.nostarch.com/hacking2.htm
* The Shellcoder's Handbook: Discovering and Exploiting Security Holes - http://eu.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html
* Rootkits: Subverting the Windows Kernel - https://dl.acm.org/citation.cfm?id=1076346
* Rootkits and Bootkits - https://www.nostarch.com/rootkits
* The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage - http://www.simonandschuster.com/books/The-Cuckoos-Egg/Cliff-Stoll/9781416507789
* The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System - https://www.safaribooksonline.com/library/view/the-rootkit-arsenal/9781449626365/
* Learning Malware Analysis - https://www.amazon.co.uk/Learning-Malware-Analysis-techniques-investigate/dp/1788392507/ref=sr_1_1?ie=UTF8&qid=1534162748&sr=8-1&keywords=malware+analysis
* Sandworm - https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/


# CheatSheets/Tables:
* IDA Cheat Sheet - https://securedorg.github.io/idacheatsheet.html
* Cheat Sheets - https://highon.coffee/blog/cheat-sheet/
* File Signatures - http://www.garykessler.net/library/file_sigs.html
* APT Groups and Operations - https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#
* Ransomware Overview - https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
* Intel Assembler code table - http://www.jegerlehner.ch/intel/
* ARM Assembly Cheatsheet - https://azeria-labs.com/assembly-basics-cheatsheet/
* APTnotes - https://github.com/kbandla/APTnotes
* PE 101 - https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf
* PDF 101 - https://github.com/corkami/docs/blob/master/PDF/PDF.md
* PDF analysis - https://github.com/zbetcheckin/PDF_analysis
* Digital Forensics and Incident Response - https://www.jaiminton.com/cheatsheet/DFIR/#


# CTFs:
* Flare-On - http://flare-on.com/
* LabyREnth - https://labyrenth.com/mud/
* Facebook CTF - https://github.com/facebook/fbctf
* CTF Field Guide - https://trailofbits.github.io/ctf/
* RootMe - https://www.root-me.org
* RPISEC CSCI 4968 - http://security.cs.rpi.edu/courses/binexp-spring2015/
* Crackmes - https://crackmes.one/


# Decoders:
* CyberChef - https://gchq.github.io/CyberChef/
* KevtheHermit RAT decoders - https://github.com/kevthehermit/RATDecoders


# Debuggers:
* OllyDbg - http://www.ollydbg.de/
* Immunity Debugger - https://www.immunityinc.com/products/debugger/
* X64dbg - https://x64dbg.com/#start
* Rvmi - https://github.com/fireeye/rvmi
* WinDBG - https://docs.microsoft.com/en-gb/windows-hardware/drivers/debugger/debugger-download-tools


# Disassemblers:
* IDA Pro - https://www.hex-rays.com/products/ida/
* Binary Ninja - https://binary.ninja/
* Radare2 - https://github.com/radare/radare2
* Cutter - https://github.com/radareorg/cutter
* BinNavi - https://github.com/google/binnavi
* Hopper - https://www.hopperapp.com/
* medusa - https://github.com/wisk/medusa
* Disassembler.io - https://www.onlinedisassembler.com/static/home/
* Ghidra - https://ghidra-sre.org/


# Document Analysis Tools:
* OfficeMalScanner/DisView - http://www.reconstructor.org/
* AnalyzePDF - https://github.com/hiddenillusion/AnalyzePDF
* BiffView - https://www.aldeid.com/wiki/BiffView
* oletools - https://www.decalage.info/python/oletools
* Origami Framework - https://github.com/cogent/origami-pdf
* PDF Stream Dumper - http://sandsprite.com/blogs/index.php?uid=7&pid=57
* CERMINE - https://github.com/CeON/CERMINE
* pdfid - https://blog.didierstevens.com/programs/pdf-tools/
* PDFwalker - https://www.aldeid.com/wiki/Origami/pdfwalker
* Peepdf - http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
* pev - http://pev.sourceforge.net/
* FOCA - https://www.elevenpaths.com/labstools/foca/index.html
* LuckyStrike - https://github.com/curi0usJack/luckystrike
* RTF Cleaner - https://github.com/nicpenning/RTF-Cleaner
* RTFScan - http://www.reconstructer.org/


# Dynamic/Behavioural Analysis Tools:
* CaptureBAT - https://www.honeynet.org/node/315
* Sysinternals Suite - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
* ProcDOT - http://www.procdot.com/
* Process Hacker - http://processhacker.sourceforge.net/
* Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
* API Monitor - http://www.rohitab.com/apimonitor
* Regshot - https://sourceforge.net/projects/regshot/
* SwiftOnSecurity Sysmon Config - https://github.com/SwiftOnSecurity/sysmon-config
* Capture-Py - https://github.com/fbruzzaniti/Capture-Py
* Windows Kernel Explorer - https://github.com/AxtMueller/Windows-Kernel-Explorer


# Funny/Random:
* Win95 defrag - http://hultbergs.org/defrag/
* Little Bobby - http://www.littlebobbycomic.com/
* Dilbert - http://dilbert.com/
* XKCD - https://xkcd.com/
* Why the fuck was i breached - https://whythefuckwasibreached.com/
* VIM Adventures - https://vim-adventures.com/


# Honeypots:
* Modern Honey Network - https://github.com/threatstream/mhn


# ICS:
* Graphical Realism Framework for Industrial Control Simulations - https://github.com/djformby/GRFICS
* ꓘamerka - https://woj-ciech.github.io/kamerka-demo/kamerka.html


# IDA:
* stackstring_static.py - https://github.com/TakahiroHaruyama/ida_haru/tree/master/stackstring_static
* emotet_payload_decryption.py - https://gist.github.com/levwu/23751fe47f83d42ed6a63280a4f2aaaa
* VB IDC - https://www.hex-rays.com/products/ida/support/freefiles/vb.idc
* Diaphora - https://github.com/joxeankoret/diaphora
* BinDiff - https://www.zynamics.com/bindiff.html
* fnfuzzy - https://github.com/TakahiroHaruyama/ida_haru/tree/master/fn_fuzzy
* BinDiff wrapper - https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff
* simpliFiRE.IDAscope - https://bitbucket.org/daniel_plohmann/simplifire.idascope/src/master/
* IDA Plugins - http://www.openrce.org/downloads/browse/IDA_Plugins
* FindCrypt - https://github.com/you0708/ida/tree/master/idapython_tools/findcrypt


# IOT:
* Binwalk - https://github.com/devttys0/binwalk
* JTAG Explained - http://blog.senr.io/blog/jtag-explained
* Firmware Analysis Toolkit - https://github.com/attify/firmware-analysis-toolkit
* Saleae Logic Analyzer software - https://www.saleae.com/downloads/


# IR:
* Detecting Lateral Movement through Tracking Event Logs - https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
* Incident Response Methodologies - https://github.com/certsocietegenerale/IRM
* MITRE ATT&CK Framework - https://attack.mitre.org/wiki/Main_Page


# JavaScript Deobfuscation Tools:
* SpiderMonkey (js) - https://blog.didierstevens.com/programs/spidermonkey/
* Malzilla - http://malzilla.sourceforge.net/
* Malware-Jail - https://github.com/HynekPetrak/malware-jail


# LNK File Analysis:
* https://lifeinhex.com/analyzing-malicious-lnk-file/


# MAC:
* MacOS Papers, Slides and Thesis Archive - https://papers.put.as/macosx/macosx/
* norimaci - https://github.com/mnrkbys/norimaci
* DTrace: [even better than] strace for OS X - https://8thlight.com/blog/colin-jones/2015/11/06/dtrace-even-better-than-strace-for-osx.html


# Malware Repos:
* MalwareBazaar - https://bazaar.abuse.ch/
* VXVault - http://vxvault.net/ViriList.php
* MalShare - https://malshare.com/
* CyberCrime Tracker - http://cybercrime-tracker.net/index.php
* TheZoo - https://github.com/ytisf/theZoo
* Endgame Ember - https://github.com/endgameinc/ember
* Global ATM Malware Wall - http://atm.cybercrime-tracker.net/index.php
* What is this C2 - https://github.com/misterch0c/what_is_this_c2
* Connect Trojan - https://www.connect-trojan.com/
* ViriBack C2 Tracker - http://tracker.viriback.com/
* VirusBay - https://beta.virusbay.io/


# Maps / Stats (eye candy):
* ThreatButt - https://threatbutt.com/map/
* BitDefender - https://threatmap.bitdefender.com/
* FireEye - https://www.fireeye.com/cyber-map/threat-map.html
* Global Incident Map - http://www.globalincidentmap.com/
* Tor Flow - https://torflow.uncharted.software/
* Kaspersky Cybermap - https://cybermap.kaspersky.com/
* Security Wizardry - http://www.securitywizardry.com/radar.htm
* Norse Attack Map - http://map.norsecorp.com/#/
* Digital Attack Map - http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16938&view=map
* Stats - http://breachlevelindex.com/
* Current Cyber Attacks - http://community.sicherheitstacho.eu/start/main
* FSecure - http://worldmap3.f-secure.com/
* Talos - https://talosintelligence.com/
* Security Wizardry - https://radar.securitywizardry.com/
* Ransomware Attack Map - https://statescoop.com/ransomware-map/


# Memory Forensics:
* Volatility - http://www.volatilityfoundation.org/
* Memoryze - https://www.fireeye.com/services/freeware/memoryze.html
* DumpIt - https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c
* Hibr2Bin - https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c
* Rekall Memory Forensic Framework - https://github.com/google/rekall
* Clonezilla - http://clonezilla.org/
* dd - https://linux.die.net/man/1/dd
* Fog - https://fogproject.org/
* Forensic Toolkit (FTK) - http://www.accessdata.com/product-download
* Redline - https://www.fireeye.com/services/freeware/redline.html
* MemLabs - https://github.com/stuxnet999/MemLabs


# Misc Tools:
* File Signature Analysis - https://filesignatures.net/index.php?page=all
* EKFiddle - https://github.com/malwareinfosec/EKFiddle
* XMind - http://www.xmind.net/
* ExamDiff - http://www.prestosoft.com/edp_examdiff.asp
* 7zip - http://www.7-zip.org/download.html
* Visual Studio - https://www.visualstudio.com/
* WinSCP - https://winscp.net/eng/download.php
* Putty - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
* TreeSizeFree - https://www.jam-software.com/treesize_free/
* OneNote - https://www.onenote.com/
* KeePass - https://keepass.info/
* ExifTool - https://www.sno.phy.queensu.ca/~phil/exiftool/
* RegEx 101 - https://regex101.com/
* Byte Counter - https://mothereff.in/byte-counter
* Utilu IE Collection - http://utilu.com/IECollection/
* UserAgentString - http://www.useragentstring.com/
* Maltego - https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
* Cmder - http://cmder.net/
* MalPull - https://github.com/ThisIsLibra/MalPull


# .Net Debuggers/Decompilers:
* ILSpy - http://ilspy.net/
* dnSpy - https://github.com/0xd4d/dnSpy
* dotPeek - https://www.jetbrains.com/decompiler/
* de4dot - https://github.com/0xd4d/de4dot
* Reflector - https://www.red-gate.com/products/dotnet-development/reflector/index


# Network Analysis:
* Wireshark - https://www.wireshark.org/
* Network Miner - http://www.netresec.com/?page=NetworkMiner
* LogRhythm Network Monitor Freemium - https://logrhythm.com/network-monitor-freemium/
* dig - https://linux.die.net/man/1/dig
* curl - https://curl.haxx.se/docs/manpage.html
* ApateDNS - https://www.fireeye.com/services/freeware/apatedns.html
* NetCat - http://netcat.sourceforge.net/
* Nslookup - https://linux.die.net/man/1/nslookup
* PDF Stream Dumper - http://sandsprite.com/blogs/index.php?uid=7&pid=57
* Robtex - https://www.robtex.com/
* Belati - https://github.com/aancw/Belati
* Ostinato - http://ostinato.org/
* Burp Suite - https://portswigger.net/burp/
* Hak5 - https://hakshop.com/
* Fiddler - https://www.telerik.com/fiddler
* Shodan - https://www.shodan.io/
* FakeNet-NG - https://github.com/fireeye/flare-fakenet-ng
* Netzob - https://github.com/netzob/netzob
* DShell - https://github.com/USArmyResearchLab/Dshell
* SecurityOnion - https://securityonion.net/
* Reverse engineering network protocols - Reverse Engineering Network Protocols
* MITMProxy - https://mitmproxy.org/
* DNSChef - https://github.com/iphelix/dnschef


# Operating Systems:
* Remnux - https://remnux.org/
* SIFT - https://digital-forensics.sans.org/community/downloads
* Kali - https://www.kali.org/
* CAINE - http://www.caine-live.net/
* Metasploitable 3 - https://github.com/rapid7/metasploitable3
* DVWA - http://www.dvwa.co.uk/
* Security Onion - https://securityonion.net/
* FLARE VM - https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
* OWASP WebGoat - https://www.owasp.org/index.php/WebGoat_Installation#Installing_to_Windows
* OWASP Bricks - https://www.owasp.org/index.php/OWASP_Bricks
* OWASP Mantra - http://www.getmantra.com/
* Tails - https://tails.boum.org/
* Whonix - https://www.whonix.org/
* Santoku - https://santoku-linux.com/about-santoku/


# OSINT Online Tools:
* OSINT Gathering - https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05
* Automating OSINT Blog - http://www.automatingosint.com/blog/
* SpiderFoot - https://www.spiderfoot.net/
* Buscador - https://inteltechniques.com/buscador/


# Password Cracking:
* Hashcat - https://github.com/hashcat/hashcat
* Crack.sh - https://crack.sh/
* Mimikatz - https://github.com/gentilkiwi/mimikatz
* Ophcrack - http://ophcrack.sourceforge.net/


# Podcasts:
* Security Now - https://www.grc.com/securitynow.htm
* SANS Stormcast - https://isc.sans.edu/podcast.html
* Down the Security Rabbithole - http://podcast.wh1t3rabbit.net/
* Defensive Security - https://defensivesecurity.org/category/podcast/
* Paul's Security Weekly - https://wiki.securityweekly.com/Show_Notes
* RunAs Radio - http://www.runasradio.com/
* Defensive Security Podcast - https://defensivesecurity.org/
* Darknet Diaries - https://darknetdiaries.com/
* Risky Business Podcast - https://risky.biz/
* Security Nation Podcast - https://podcasts.apple.com/gb/podcast/security-nation/id1124543784
* Smashing Security - https://www.smashingsecurity.com/


# PowerShell decoding:
* PSDecode - https://github.com/R3MRUM/PSDecode
* PyPowerShellXray - https://github.com/JohnLaTwC/PyPowerShellXray
* PowerShellRunBox: Analyzing PowerShell Threats Using PowerShell Debugging - https://darungrim.com/research/2019-10-01-analyzing-powershell-threats-using-powershell-debugging.html


# Ransomware:
* No More Ransomware - https://www.nomoreransom.org/en/index.html
* ID Ransomware - https://id-ransomware.malwarehunterteam.com/
* Emsisoft decrypters - https://www.emsisoft.com/ransomware-decryption-tools/


# Reading Material:
* Reverse Engineering for Beginners - https://beginners.re/
* Phrack - http://phrack.org/
* Crypto 101 - https://www.crypto101.io/
* Hacker Manifesto - http://phrack.org/issues/7/3.html
* How to Become a Hacker - http://www.catb.org/esr/faqs/hacker-howto.html
* Zines - https://github.com/fdiskyou/Zines
* Hackaday - https://hackaday.com/blog/
* Hacktress - http://www.hacktress.com/
* Reddit - https://www.reddit.com/r/ReverseEngineering/
* Windows API Index - https://msdn.microsoft.com/en-gb/library/windows/desktop/hh920508(v=vs.85).aspx
* Raw Hex - https://rawhex.com/
* DigiNinja - https://digi.ninja/
* Team Cymru - http://www.team-cymru.org/index.html
* Lenny Zeltser - https://zeltser.com/malicious-software/
* OverAPI - http://overapi.com/
* HackBack - https://pastebin.com/0SNSvyjJ
* FlexiDie - https://pastebin.com/raw/Y1yf8kq0
* DefCon archive - https://media.defcon.org/
* Malwology - https://malwology.com/
* Stuxnet's Footprint in memory with Volatility - http://mnin.blogspot.co.uk/2011/06/examining-stuxnets-footprint-in-memory.html
* AtomBombing - https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/
* Malware Archaeology - https://www.malwarearchaeology.com/cheat-sheets
* ShinoLocker - https://shinolocker.com/
* A crash course in x86 assembly for reverse engineers - https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf
* Zero Days, Thousands of Nights - https://www.rand.org/pubs/research_reports/RR1751.html
* Shadow Brokers Exploit Reference Table - https://docs.google.com/spreadsheets/d/1sD4rebofrkO9Rectt5S3Bzw6RnPpbJrMV-L1mS10HQc/edit#gid=1602324093
* GracefulSecurity - https://www.gracefulsecurity.com/infrastructure-security-articles/
* Cybersecurity ain't easy. Let's talk about it - https://itspmagazine.com/itsp-chronicles/cybersecurity-ain-t-easy-lets-talk-about-it
* How to become the best malware analyst e-v-e-r - http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/
* Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware - https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
* Dr Fu's Security Blog - http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html
* Encoding vs. Encryption vs. Hashing vs. Obfuscation - https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/
* Introduction to reverse engineering and Assembly - https://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/
* Getting started with reverse engineering - https://lospi.net/developing/software/software%20engineering/reverse%20engineering/assembly/2015/03/06/reversing-with-ida.html
* Guide to x86 Assembly - http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
* Nightmare (RE) - https://github.com/guyinatuxedo/nightmare
* PDB Files: What Every Developer Must Know - https://www.wintellect.com/pdb-files-what-every-developer-must-know
* BOLO: Reverse Engineering — Part 1 (Basic Programming Concepts) - https://medium.com/bugbountywriteup/bolo-reverse-engineering-part-1-basic-programming-concepts-f88b233c63b7
* BOLO: Reverse Engineering — Part 2 (Advanced Programming Concepts) - https://medium.com/@danielabloom/bolo-reverse-engineering-part-2-advanced-programming-concepts-b4e292b2f3e
* String Hashing: Reverse Engineering an Anti-Analysis Control - https://r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/
* Ground Zero: Part 1 – Reverse Engineering Basics – Linux x64 - https://0xdarkvortex.dev/index.php/2018/04/09/ground-zero-part-1-reverse-engineering-basics/
* Let's Build a Compiler - https://compilers.iecc.com/crenshaw/
* Static Malware Analysis with OLE Tools and CyberChef - https://newtonpaul.com/static-malware-analysis-with-ole-tools-and-cyber-chef/
* An Introduction to Reverse Engineering - https://www.muppetlabs.com/~breadbox/txt/bure.html
* VXUnderground - https://vx-underground.org/papers.html
* Tracking Advanced Persistent Threats (APTs) via Shared Code - https://medium.com/@arun_73782/tracking-apts-by-shared-code-5e88a2ae2363
* YARA Hunting for Code Reuse: DoppelPaymer Ransomware & Dridex Families - https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
* Here We GO: Crimeware Virus & APT Journey From “RobbinHood” to APT28 - https://www.sentinelone.com/blog/here-we-go-crimeware-apt-journey-from-robbinhood-to-apt28/
* The mysterious case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - https://securelist.com/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/73255/
* Process Injection part 1 of 5 - https://3xpl01tc0d3r.blogspot.com/2019/08/process-injection-part-i.html
* OSINT : Chasing Malware + C&C Servers - https://medium.com/secjuice/chasing-malware-and-c-c-servers-in-osint-style-3c893dc1e8cb
* Daily dose of malware - https://github.com/woj-ciech/Daily-dose-of-malware
* Tracking Malware with Import Hashing - https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
* STOMP 2 DIS: Brilliance in the (Visual) Basics - https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
* Advanced Binary Deobfuscation - https://github.com/malrev/ABD
* A Case Study Into Solving Crypters/packers in Malware Obfuscation Using an SMT Approach - https://vixra.org/abs/2002.0183
* ReCon Montreal Archives - https://recon.cx/2019/montreal/archives/
* FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis - https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html
* Analyzing Modern Malware Techniques - Part 1 (of 4) - https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663
* What Every Computer Programmer Should Know About Windows API, CRT, and the Standard C++ Library - https://www.codeproject.com/Articles/22642/What-Every-Computer-Programmer-Should-Know-About-W
* theForger's Win32 API Programming Tutorial - http://www.winprog.org/tutorial/start.html
* Unbreakable Cryptography in 5 Minutes - https://blog.xrds.acm.org/2012/08/unbreakable-cryptography-in-5-minutes/
* Let’s play (again) with Predator the thief - https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/
* VMProtect Introduction - https://shhoya.github.io/vmp_vmpintro.html
* Azorult loader stages - https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/
* Reversing Malware Command and Control: From Sockets to COM - https://www.fireeye.com/blog/threat-research/2010/08/reversing-malware-command-control-sockets.html
* Indicators of Compromise (IoCs) and Their Role in Attack Defence - https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-00
* Zombieland CTF – Reverse Engineering for Beginners - https://mcb101.blog/2019/10/11/zombieland-ctf-reverse-engineering-for-beginners/
* Fu11Shade Windows Exploitation - https://fullpwnops.com/windows-exploitation-pathway.html


# Sandbox Tools (Online):
* VirusTotal - https://www.virustotal.com
* Malwr - https://malwr.com/
* Reverse.it - https://www.reverse.it/
* Open Analysis - http://www.openanalysis.net/
* ANY.RUN - https://any.run/
* Hybrid Analysis - https://www.hybrid-analysis.com/
* Intezer Analyze - https://analyze.intezer.com/


# Sandbox Tools (Offline):
* Noriben - https://github.com/Rurik/Noriben
* Cuckoo - https://www.cuckoosandbox.org/
* PyREBox - https://github.com/Cisco-Talos/pyrebox
* Viper - http://viper.li/
* MISP - http://www.misp-project.org/
* Sandboxie - https://www.sandboxie.com/
* Ph0neutria - https://github.com/phage-nz/ph0neutria
* FlareVM - https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html


# Shellcode Tools:
* JMP2IT - https://github.com/adamkramer/jmp2it
* Shellcode2exe.py - https://github.com/MarioVilas/shellcode_tools
* ConvertShellCode - http://le-tools.com/ConvertShellcode.html
* scdbg - http://sandsprite.com/blogs/index.php?uid=7&pid=152


# Static Analysis Tools:
* PEiD - https://www.aldeid.com/wiki/PEiD
* McAfee FileInsight - https://www.mcafee.com/uk/downloads/free-tools/fileinsight.aspx
* HashMyFiles - http://www.nirsoft.net/utils/hash_my_files.html
* CFF Explorer - http://www.ntcore.com/exsuite.php
* AnalyzePESig - https://blog.didierstevens.com/2012/10/01/searching-for-that-adobe-cert/
* ByteHist - https://www.cert.at/downloads/software/bytehist_en.html
* Exeinfo - http://exeinfo.pe.hu/
* Scylla - https://github.com/NtQuery/Scylla
* MASTIFF - https://git.korelogic.com/mastiff.git/
* PEframe - https://github.com/guelfoweb/peframe
* PEscan - https://tzworks.net/prototype_page.php?proto_id=15
* PEstudio - https://www.winitor.com/
* PE-Bear - https://hshrzd.wordpress.com/2013/07/09/introducing-new-pe-files-reversing-tool/
* PE-sieve - https://github.com/hasherezade/pe-sieve
* Flare-Floss - https://github.com/fireeye/flare-floss
* PatchDiff2 - https://github.com/filcab/patchdiff2
* PE Insider - http://cerbero.io/peinsider/
* Resource Hacker - http://www.angusj.com/resourcehacker/
* DarunGrim - https://github.com/ohjeongwook/DarunGrim
* Mal Tindex - https://github.com/joxeankoret/maltindex
* Manalyze - https://github.com/JusticeRage/Manalyze
* PDBlaster - https://github.com/SecurityRiskAdvisors/PDBlaster
* ImpFuzzy - https://github.com/JPCERTCC/impfuzzy
* Florentino - https://github.com/0xsha/florentino/blob/master/README.md
* Viper - https://viper.li/en/latest/


# Text/hex Editor Tools:
* Notepad++ - https://notepad-plus-plus.org/
* 010 Editor - https://www.sweetscape.com/010editor/
* HxD - https://mh-nexus.de/en/hxd/
* BinText - https://www.aldeid.com/wiki/BinText
* Hexinator - https://hexinator.com/


# Threat Intelligence:
* ThreatMiner - https://www.threatminer.org/
* RiskIQ Community - https://community.riskiq.com/home
* PasteBin - https://pastebin.com/
* Shodan - https://www.shodan.io/
* Censys - https://censys.io/
* DNSdumpster - https://dnsdumpster.com/
* URLHaus - https://urlhaus.abuse.ch/
* AlienVault OTX - https://otx.alienvault.com/
* C2 Tracker - http://tracker.viriback.com/stats.php
* MISP - https://www.misp-project.org/
* The Hive - https://thehive-project.org/
* Yeti - https://yeti-platform.github.io/
* Using ATT&CK for CTI Training - https://attack.mitre.org/resources/training/cti/
* PasteScraper - https://github.com/PimmyTrousers/pastescraper
568 | 569 | 570 | # Training: 571 | * Cybrary - https://www.cybrary.it/ 572 | * Corelan Team - https://www.corelan.be/ 573 | * Open Security Training - http://opensecuritytraining.info/Training.html 574 | * Offensive Computer Security - http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html 575 | * PentesterLab - https://pentesterlab.com/ 576 | * Malware Traffic Analysis - http://www.malware-traffic-analysis.net/training-exercises.html 577 | * MIT Open Courseware - https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/video-lectures/ 578 | * OALabs - https://vimeo.com/oalabs 579 | * OALabs - https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg/videos 580 | * MalwareAnalysisForHedgeHogs - https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A 581 | * Malware Unicorn - https://securedorg.github.io/ 582 | * Tuts4You - https://tuts4you.com/ 583 | * Lenas Reversing for Newbies - https://tuts4you.com/download.php?list.17 584 | * Introduction to WinDBG - https://www.youtube.com/watch?list=PLhx7-txsG6t6n_E2LgDGqgvJtCHPL7UFu&time_continue=1&v=8zBpqc3HkSE 585 | * Colin Hardy - https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg/videos 586 | * OWASP AppSec Tutorials - http://owasp-academy.teachable.com/p/owasp-appsec-tutorials 587 | * Modern Binary Exploitation - https://github.com/RPISEC/MBE 588 | * FuzzySecurity - http://www.fuzzysecurity.com/tutorials.html 589 | * Linux Journey - https://linuxjourney.com/ 590 | * Pivot Project - http://pivotproject.org/ 591 | * Security Tube - http://www.securitytube-training.com/index.html 592 | * Packet Life Cheat Sheets - http://packetlife.net/library/cheat-sheets/?_escaped_fragment_=#! 
593 | * SecurityXploded - http://securityxploded.com/ 594 | * MalwareMustDie - https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75 595 | * Win32Assembly - http://win32assembly.programminghorizon.com/tutorials.html 596 | * RPISEC - https://github.com/RPISEC/Malware/blob/master/README.md 597 | * RPISEC - https://github.com/RPISEC/MBE 598 | * Reverse Engineering Challenges - https://challenges.re/ 599 | * HackerOne - https://www.hackerone.com/ 600 | * Google Python Class - https://developers.google.com/edu/python/ 601 | * Guide to x86 Assembly - http://www.cs.virginia.edu/~evans/cs216/guides/x86.html 602 | * Code Blocks - http://www.codeblocks.org/ 603 | * Wireshark Course - https://www.youtube.com/watch?v=XTSc2mPF4II&t=25s 604 | * Maltrak Malware Analyst webinar - http://maltrak.com/webinar-registration 605 | * Intro to ARM assembly basics - https://azeria-labs.com/writing-arm-assembly-part-1/ 606 | * Life in Hex - https://lifeinhex.com/category/reversing/ 607 | * The Cuckoo's Egg Decompiled Online Course - http://chrissanders.org/cuckoosegg/ 608 | * Creating Yara Rules for Malware Detection - https://www.real0day.com/hacking-tutorials/yara 609 | * Windows Privilege Escalation Guide - https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 610 | * Amr Thabet shellcode training - https://www.youtube.com/channel/UCkY_8Hz8ojyQQ9S6bPnHa7g 611 | * Hexacorn Converting Shellcode to Portable Executable (32- and 64- bit) - http://www.hexacorn.com/blog/2015/12/10/converting-shellcode-to-portable-executable-32-and-64-bit/ 612 | * Learn Forensics with David Cowen - https://www.youtube.com/user/LearnForensics/featured 613 | * Raphael Mudge (various, In-memory evasion/detection) - https://www.youtube.com/user/DashnineMedia/videos 614 | * Assembly programming tutorial - https://www.tutorialspoint.com/assembly_programming/index.htm 615 | * RPISec Training - https://github.com/RPISEC/Malware 616 | * Intro to Computer Science - 
https://www.edx.org/course/introduction-to-computer-science-and-programming-7 617 | * Ringzer0 - https://www.ringzer0.training/ 618 | * Reversing Hero - https://www.reversinghero.com/ 619 | * MIT Open Courseware - https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/video-lectures/ 620 | * Reverse Engineering and malware analysis 101 - https://github.com/abhisek/reverse-engineering-and-malware-analysis 621 | * Reverse engineering intel x64 - https://github.com/0xdidu/Reverse-Engineering-Intel-x64-101 622 | * C++ Tutorial for Beginners - Full Course - https://www.youtube.com/watch?v=vLnPwxZdW4Y 623 | * ELF Reversing Tutorial - https://www.youtube.com/playlist?list=PLsNNY-Xea3ra42GZDnvTB46G4p-5oUpFf 624 | * Adversary Tactics: PowerShell - https://github.com/specterops/at-ps 625 | * Malware Unicorn Reverse Engineering 101 - https://malwareunicorn.org/workshops/re101.html#0 626 | * Modern Binary Exploitation - http://security.cs.rpi.edu/courses/binexp-spring2015/ 627 | * Ghidra Courses - https://ghidra.re/online-courses/ 628 | * Technical Writing Courses - https://developers.google.com/tech-writing 629 | * Introduction to Malware Analysis and Reverse Engineering - https://class.malware.re/ 630 | * Binary Analysis Course - https://maxkersten.nl/binary-analysis-course/ 631 | * Josh Stroschein - https://www.youtube.com/user/jstrosch/videos 632 | * How to hack together your own CS degree online for free - https://www.freecodecamp.org/news/how-to-hack-your-own-cs-degree-for-free/ 633 | * Zero 2 Automated - https://courses.zero2auto.com/adv-malware-analysis-course 634 | 635 | 636 | 637 | # Unpacking: 638 | * UnpacMe - https://www.unpac.me/#/ 639 | * Unipacker - https://github.com/unipacker/unipacker 640 | 641 | 642 | 643 | # VBA Deobfuscation Tools: 644 | * pcodedmp - https://github.com/bontchev/pcodedmp 645 | * vba-dynamic-hook - https://github.com/eset/vba-dynamic-hook 646 | * ViperMonkey - 
https://github.com/decalage2/ViperMonkey 647 | 648 | 649 | 650 | # Video: 651 | * Teach Yourself Computer Science - https://teachyourselfcs.com/ 652 | * CS50 at Harvard - https://cs50.harvard.edu/ 653 | * J4vv4D - https://www.j4vv4d.com/videos/ 654 | * Movies for Hackers - https://github.com/k4m4/movies-for-hackers 655 | * Can You Hack It - https://www.youtube.com/watch?v=GWr5kbHt_2E 656 | * Chris Nickerson talk - http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me14-started-from-the-bottom-now-im-here-how-to-ruin-your-life-by-getting-everything-you-ever-wanted-chris-nickerson 657 | * Zoz - Don't Fuck it Up - https://www.youtube.com/watch?v=J1q4Ir2J8P8 658 | * Rob Joyce (NSA) - Disrupting Nation State Hackers - https://www.youtube.com/watch?v=bDJb8WOJYdA 659 | * Movies for Hackers - https://github.com/k4m4/movies-for-hackers 660 | * Wannacry: The Marcus Hutchins Story - All 3 Chapters - https://www.youtube.com/watch?v=vveLaA-z3-o&t=451s 661 | * DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering - https://www.youtube.com/watch?v=HlUe0TUHOIc 662 | * SAS2018: Finding aliens, star weapons and ponies with YARA - https://www.youtube.com/watch?v=fbidgtOXvc0 663 | 664 | 665 | 666 | # XOR Decoding Tools: 667 | * bbcrack - https://www.decalage.info/python/balbuzard 668 | * Brutexor - https://www.aldeid.com/wiki/Brutexor-iheartxor 669 | * ConverterNET - http://www.kahusecurity.com/2017/converternet-v0-1-released/ 670 | * NoMoreXOR - https://github.com/hiddenillusion/NoMoreXOR 671 | 672 | 673 | 674 | # Yara Related: 675 | * Yara - https://virustotal.github.io/yara/ 676 | * Stringless Yara Rules - https://inquest.net/blog/2018/09/30/yara-performance 677 | * YarGen - https://github.com/Neo23x0/yarGen 678 | * Yara-Rules - https://github.com/Yara-Rules/rules 679 | * CONFidence 2019: "Utilizing YARA to Find Evolving Malware" - Jay Rosenberg - https://www.youtube.com/watch?v=XMZ-c2Zwzjg 680 | * SANS Webcast - YARA - Effectively using and 
generating rules - https://www.youtube.com/watch?v=5A_O8X_JljI 681 | * Klara - https://github.com/KasperskyLab/klara 682 | * Open Source Yara Rules - https://github.com/mikesxrs/Open-Source-YARA-rules 683 | --------------------------------------------------------------------------------