├── .github
    └── FUNDING.yml
├── .travis.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── drop.png
└── 恶意软件分析大合集.md


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | patreon: # Replace with a single Patreon username
 5 | open_collective: # Replace with a single Open Collective username
 6 | ko_fi: rshipp
 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 9 | custom: # Replace with a single custom sponsorship URL
10 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: ruby
2 | rvm:
3 |     - 2.2
4 | before_script:
5 |     - gem install awesome_bot
6 | script:
7 |     - awesome_bot README.md --white-list CONTRIBUTING.md,amzn.com,carnivore.it,cymru.com,clean-mx.de,woodmann.com,andrototal.org,domaintools.com,reconstructer.org,reddit.com,desenmascara.me,exploit-db.com,travis-ci,tekdefense.com,winitor.com,https://intel.criticalstack.com,handlers.sans.org,bokken.re,openmalware.org
8 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contribution Guidelines
 2 | 
 3 | When making a pull request, please follow these guidelines:
 4 | 
 5 | - One commit per suggestion is preferred
 6 | - Commit message should follow this format: `Add some tool name` (For
 7 |   example, `Add cuckoo-sandbox`) [Why?](http://chris.beams.io/posts/git-commit/)
 8 | - Multiple commits per pull request is OK
 9 | - Lists within each section are alphabetized, please keep them that way
10 | - Add sections if necessary, use existing sections if possible
11 | - Clear, concise descriptions for each link, starting with a capital, ending
12 |   with a period
13 | - Use the following format: `[Item Name](homepage link) - Description.`
14 | - No duplication of tools, put them where they make the most sense
15 | - Wrap lines at ~80 chars, no trailing whitespace or unnecessary newlines
16 | - Prefer quality over quantity, only submit awesome stuff
17 | - By submitting a pull request, you agree to release your submission under
18 |   the [LICENSE](LICENSE)
19 | - Indent wrapped lines even with the start of the line before
20 | 
21 | ```
22 | - That means lines wrap like
23 |   this
24 | - Not
25 | like this
26 | ```
27 | 
28 | 
29 | The rules above take precedence, but in case I missed something, check [the
30 | awesome guidelines](https://github.com/sindresorhus/awesome/blob/master/contributing.md)
31 | too.
32 | 
33 | Properly formatted pull requests will almost always be approved faster than
34 | issues or poorly formatted pull requests, because they mean less work for me!
35 | 
36 | Thanks!
37 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Attribution 4.0 International License (CC BY 4.0)
2 | 
3 | http://creativecommons.org/licenses/by/4.0/
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Awesome Malware Analysis [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
  2 | 
  3 | A curated list of awesome malware analysis tools and resources. Inspired by
  4 | [awesome-python](https://github.com/vinta/awesome-python) and
  5 | [awesome-php](https://github.com/ziadoz/awesome-php).
  6 | 
  7 | [![Drop ICE](drop.png)](https://twitter.com/githubbers/status/1182017616740663296)
  8 | 
  9 | - [Malware Collection](#malware-collection)
 10 |     - [Anonymizers](#anonymizers)
 11 |     - [Honeypots](#honeypots)
 12 |     - [Malware Corpora](#malware-corpora)
 13 | - [Open Source Threat Intelligence](#open-source-threat-intelligence)
 14 |     - [Tools](#tools)
 15 |     - [Other Resources](#other-resources)
 16 | - [Detection and Classification](#detection-and-classification)
 17 | - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
 18 | - [Domain Analysis](#domain-analysis)
 19 | - [Browser Malware](#browser-malware)
 20 | - [Documents and Shellcode](#documents-and-shellcode)
 21 | - [File Carving](#file-carving)
 22 | - [Deobfuscation](#deobfuscation)
 23 | - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
 24 | - [Network](#network)
 25 | - [Memory Forensics](#memory-forensics)
 26 | - [Windows Artifacts](#windows-artifacts)
 27 | - [Storage and Workflow](#storage-and-workflow)
 28 | - [Miscellaneous](#miscellaneous)
 29 | - [Resources](#resources)
 30 |     - [Books](#books)
 31 |     - [Other](#other)
 32 | - [Related Awesome Lists](#related-awesome-lists)
 33 | - [Contributing](#contributing)
 34 | - [Thanks](#thanks)
 35 | 
 36 | View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大合集.md).
 37 | 
 38 | ---
 39 | 
 40 | ## Malware Collection
 41 | 
 42 | ### Anonymizers
 43 | 
 44 | *Web traffic anonymizers for analysts.*
 45 | 
 46 | * [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
 47 | * [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
 48 | * [Privoxy](http://www.privoxy.org/) - An open source proxy server with some
 49 |   privacy features.
 50 | * [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web
 51 |   without leaving traces of the client IP.
 52 | 
 53 | ### Honeypots
 54 | 
 55 | *Trap and collect your own samples.*
 56 | 
 57 | * [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
 58 | * [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based
 59 |   on Kippo.
 60 | * [DemoHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction Distributed Honeypots.
 61 | * [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
 62 | * [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
 63 | * [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
 64 | * [HoneyDrive](https://bruteforce.gr/honeydrive/) - Honeypot bundle Linux distro.
 65 | * [Honeytrap](https://github.com/honeytrap/honeytrap) - Opensource system for running, monitoring and managing honeypots.
 66 | * [MHN](https://github.com/pwnlandia/mhn) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
 67 | * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for
 68 |   honeypot data; supports Dionaea.
 69 | * [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for
 70 |   investigating malicious websites.
 71 | 
 72 | 
 73 | ### Malware Corpora
 74 | 
 75 | *Malware samples collected for analysis.*
 76 | 
 77 | * [Clean MX](http://support.clean-mx.com/clean-mx/viruses.php) - Realtime
 78 |   database of malware and malicious domains.
 79 | * [Contagio](http://contagiodump.blogspot.com/) - A collection of recent
 80 |   malware samples and analyses.
 81 | * [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode
 82 |   samples.
 83 | * [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
 84 | * [InQuest Labs](https://labs.inquest.net) - Evergrowing searchable corpus of malicious Microsoft documents.
 85 | * [Javascript Mallware Collection](https://github.com/HynekPetrak/javascript-malware-collection) - Collection of almost 40.000 javascript malware samples
 86 | * [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing
 87 |   rapid identification and actionable context for malware investigations.
 88 | * [Malshare](https://malshare.com) - Large repository of malware actively
 89 |   scrapped from malicious sites.
 90 | * [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware
 91 |   crawler with pre-analysis and reporting functionalities
 92 | * [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for
 93 |   analysts.
 94 | * [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker
 95 |   and malicious download sites.
 96 | * [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of
 97 |   various malware files and source code.
 98 | * [VirusBay](https://beta.virusbay.io/) - Community-Based malware repository and social network.
 99 | * [ViruSign](http://www.virussign.com/) - Malware database that detected by
100 |   many anti malware programs except ClamAV.
101 | * [VirusShare](https://virusshare.com/) - Malware repository, registration
102 |   required.
103 | * [VX Vault](http://vxvault.net) - Active collection of malware samples.
104 | * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list
105 |   of malware sample sources put together by Lenny Zeltser.
106 | * [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus
107 |   trojan leaked in 2011.
108 | * [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples.
109 | 
110 | ## Open Source Threat Intelligence
111 | 
112 | ### Tools
113 | 
114 | *Harvest and analyze IOCs.*
115 | 
116 | * [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source
117 |   framework for receiving and redistributing abuse feeds and threat intel.
118 | * [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and
119 |   collaborate in developing Threat Intelligence.
120 | * [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat
121 |   Intelligence indicators from publicly available sources.
122 | * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
123 | * [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
124 | * [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) -
125 |   A tool for CERTs for processing incident data using a message queue.
126 | * [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) -
127 |   A free editor for XML IOC files.
128 | * [iocextract](https://github.com/InQuest/python-iocextract) - Advanced Indicator
129 |   of Compromise (IOC) extractor, Python library and command-line tool.
130 | * [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for
131 |   working with OpenIOC objects, from Mandiant.
132 | * [MalPipe](https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and
133 |   processing engine, that enriches collected data.
134 | * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) -
135 |   Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
136 |   from various lists. Curated by the
137 |   [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
138 | * [MISP](https://github.com/MISP/MISP) - Malware Information Sharing
139 |   Platform curated by [The MISP Project](http://www.misp-project.org/).
140 | * [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
141 | * [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor.
142 | * [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and
143 |   share IPs and domains. (Was PassiveTotal.)
144 | * [threataggregator](https://github.com/jpsenior/threataggregator) -
145 |   Aggregates security threats from a number of sources, including some of
146 |   those listed below in [other resources](#other-resources).
147 | * [ThreatConnect](https://threatconnect.com/free/) - TC Open allows you to see and
148 |   share open source threat data, with support and validation from our free community.
149 | * [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats,
150 |   with graphical visualization.
151 | * [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/) - Build
152 |   automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
153 |   more.
154 | * [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A Python
155 |   script to monitor and generate alerts based on IOCs indexed by a set of
156 |   Google Custom Search Engines.
157 | * [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization
158 |   and statistical analysis of Threat Intelligence feeds.
159 | 
160 | ### Other Resources
161 | 
162 | *Threat intelligence and IOC resources.*
163 | 
164 | * [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) -
165 |   Snort plugin and blocklist.
166 | * [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) -
167 |   OSINT feeds based on malicious DGA algorithms.
168 | * [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) -
169 |   Extensive malware config database (must request access).
170 | * [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) -
171 |   Network security blocklists.
172 | * [Critical Stack- Free Intel Market](https://intel.criticalstack.com) - Free
173 |   intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
174 | * [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
175 | * [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise
176 |   shared publicly by FireEye.
177 | * [FireHOL IP Lists](https://iplists.firehol.org/) - Analytics for 350+ IP lists
178 |   with a focus on attacks, malware and abuse. Evolution, Changes History,
179 |   Country Maps, Age of IPs listed, Retention Policy, Overlaps.
180 | * [HoneyDB](https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation.
181 | * [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
182 | * [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
183 | * [InQuest REPdb](https://labs.inquest.net/repdb) - Continuous aggregation of IOCs from a variety of open reputation sources.
184 | * [InQuest IOCdb](https://labs.inquest.net/iocdb) - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
185 | * [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and
186 |   searchable incident database, with a web [API](https://dshield.org/api/).
187 |   ([unofficial Python library](https://github.com/rshipp/python-dshield)).
188 | * [malc0de](http://malc0de.com/database/) - Searchable incident database.
189 | * [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share
190 |   malicious URLs.
191 | * [MetaDefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) -
192 |   List of the most looked up file hashes from MetaDefender Cloud.
193 | * [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
194 | * [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) -
195 |   Rulesets and more. (Formerly Emerging Threats.)
196 | * [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) -
197 |   A list of ransomware overview with details, detection and prevention.
198 | * [STIX - Structured Threat Information eXpression](http://stixproject.github.io) -
199 |   Standardized language to represent and share cyber threat information.
200 |   Related efforts from [MITRE](https://www.mitre.org/):
201 |   - [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/)
202 |   - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
203 |   - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
204 |   - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
205 | * [SystemLookup](https://www.systemlookup.com/) - SystemLookup hosts a collection of lists that provide information on
206 |   the components of legitimate and potentially unwanted programs.
207 | * [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat
208 |   intelligence, with search.
209 | * [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000
210 |   free per month.
211 | * [ThreatShare](https://threatshare.io/) - C2 panel tracker
212 | * [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
213 | * [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
214 | * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS
215 |   blocklists.
216 | 
217 | ## Detection and Classification
218 | 
219 | *Antivirus and other malware identification tools*
220 | 
221 | * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a
222 |   variety of tools for reporting on Windows PE files.
223 | * [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/) - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
224 | * [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless
225 |   AWS pipeline that scans and alerts on uploaded files based on a set of
226 |   YARA rules.
227 | * [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files.
228 | * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection.
229 | * [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
230 | * [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for
231 |   determining types of files.
232 | * [Exeinfo PE](http://exeinfo.pe.hu/) - Packer, compressor detector, unpack
233 |   info, internal exe tools.
234 | * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and
235 |   edit file metadata.
236 | * [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
237 |   Modular, recursive file scanning solution.
238 | * [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate
239 |   Yara signatures for matching functions (code) in an executable program.
240 | * [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
241 | * [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
242 |   a variety of algorithms.
243 | * [HashCheck](https://github.com/gurnec/HashCheck) - Windows shell extension
244 |   to compute hashes with a variety of algorithms.
245 | * [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
246 | * [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
247 |   compare malware at a function level.
248 | * [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
249 | executables.
250 | * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
251 |   framework.
252 | * [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
253 |   scanning/analysis framework
254 | * [Nauz File Detector(NFD)](https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector  for Windows, Linux and MacOS.
255 | * [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking
256 |   up hashes in NIST's National Software Reference Library database.
257 | * [packerid](https://github.com/sooshie/packerid) - A cross-platform
258 |   Python alternative to PEiD.
259 | * [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE
260 |   files.
261 | * [PEframe](https://github.com/guelfoweb/peframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
262 | * [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE
263 |   files, providing feature-rich tools for proper analysis of suspicious binaries.
264 | * [PortEx](https://github.com/katjahahn/PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
265 | * [Quark-Engine](https://github.com/quark-engine/quark-engine) - An Obfuscation-Neglect Android Malware Scoring System
266 | * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits.
267 | * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
268 | * [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) -
269 |   Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/)
270 |   database.
271 | * [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
272 | * [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for
273 |   analysts.
274 | * [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate
275 |   yara rules based on a set of malware samples. Also contains a good
276 |   strings DB to avoid false positives.
277 | * [Yara Finder](https://github.com/uppusaikiran/yara-finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
278 | 
279 | 
280 | ## Online Scanners and Sandboxes
281 | 
282 | *Web-based multi-AV scanners, and malware sandboxes for automated analysis.*
283 | 
284 | * [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
285 | * [any.run](https://app.any.run/) - Online interactive sandbox.
286 | * [AndroTotal](https://andrototal.org/) - Free online analysis of APKs
287 |   against multiple mobile antivirus apps.
288 | * [BoomBox](https://github.com/nbeede/BoomBox) - Automatic deployment of Cuckoo
289 |   Sandbox malware lab using Packer and Vagrant.
290 | * [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents.
291 | * [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted
292 |   sandbox and automated analysis system.
293 | * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified
294 |   version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
295 |   legal concerns by the author.
296 | * [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A
297 |   Python API used to control a cuckoo-modified sandbox.
298 | * [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with
299 |   machine-learning classification.
300 | * [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do
301 |   traffic analysis of Linux malwares and capturing IOCs.
302 | * [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis
303 |   system.
304 | * [filescan.io](https://www.filescan.io/) - Static malware analysis, VBA/Powershell/VBS/JS Emulation  
305 | * [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any
306 |   firmware package.
307 | * [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware
308 |   Analysis Tool for Linux ELF Files.
309 | * [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware
310 |   analysis tool, powered by VxSandbox.
311 | * [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by
312 |   identifying code reuse and code similarities.
313 | * [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable
314 |   analysis platform for suspicious files.
315 | * [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
316 | * [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
317 | * [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malware.
318 | * [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis
319 |   of malware behavior.
320 | * [malice.io](https://github.com/maliceio/malice) - Massively scalable malware analysis framework.
321 | * [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for
322 |   online malware and URL analysis services.
323 | * [Malware config](https://malwareconfig.com/) - Extract, decode and display online
324 |   the configuration settings from common malwares.
325 | * [MalwareAnalyser.io](https://malwareanalyser.io/) - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
326 | * [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox
327 |   instance.
328 | * [MetaDefender Cloud](https://metadefender.opswat.com/ ) - Scan a file, hash, IP, URL or
329 |   domain address for malware for free.
330 | * [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes
331 |   pcap files and facilitates the quick detection of viruses, worms, trojans, and all
332 |   kinds of malware using Suricata configured with EmergingThreats Pro.
333 | * [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to
334 |   collect information about malware in a sandboxed environment.
335 | * [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
336 | * [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
337 | * [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
338 | * [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper
339 |   script for safely uploading binaries to sandbox sites.
340 | * [sandboxapi](https://github.com/InQuest/python-sandboxapi) - Python library for
341 |   building integrations with several open source and commercial malware sandboxes.
342 | * [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE)
343 |   is a framework for building test automation in secured Environments.
344 | * [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
345 | * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware
346 |   samples and URLs
347 | * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source
348 |   visualization library and command line tools for logs.  (Cuckoo, Procmon, more
349 |   to come...)
350 | * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free
351 |   automated sandboxes and services, compiled by Lenny Zeltser.
352 | 
353 | ## Domain Analysis
354 | 
355 | *Inspect domains and IP addresses.*
356 | 
357 | * [AbuseIPDB](https://www.abuseipdb.com/) - AbuseIPDB is a project dedicated
358 |   to helping combat the spread of hackers, spammers, and abusive activity on the internet.
359 | * [badips.com](https://www.badips.com/) - Community based IP blacklist service.
360 | * [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed
361 |   for consistent and safe capture of off network web resources.
362 | * [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash
363 |   search.
364 | * [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as
365 |   much metadata as possible for a website and to assess its good standing.
366 | * [Dig](https://networking.ringofsaturn.com/) - Free online dig and other
367 |   network tools.
368 | * [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation
369 |   engine for detecting typo squatting, phishing and corporate espionage.
370 | * [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information
371 |   about an IP or domain by searching online resources.
372 | * [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for
373 |   gathering information about URLs, IPs, or hashes. Similar to Automator.
374 | * [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language
375 |   temporary email detection library.
376 | * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform
377 |   for the VirusTotal API. Allows domain/IP research, and searching for file
378 |   hashes and scan reports.
379 | * [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward
380 |   confirmed reverse DNS lookup over more than 300 RBLs.
381 | * [NormShield Services](https://services.normshield.com/) - Free API Services
382 |   for detecting possible phishing domains, blacklisted ip addresses and breached
383 |   accounts.
384 | * [PhishStats](https://phishstats.info/) - Phishing Statistics with search for
385 |   IP, domain and website title
386 | * [Spyse](https://spyse.com/) - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
387 | * [SecurityTrails](https://securitytrails.com/) - Historical and current WHOIS,
388 |   historical and current DNS records, similar domains, certificate information
389 |   and other domain and IP related API and tools.
390 | * [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
391 | * [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on
392 |   domains and IPs.
393 | * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware
394 |   and Security Scanner.
395 | * [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain
396 |   or network owner. (Previously SenderBase.)
397 | * [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool
398 |   for gathering information about URLs, IPs, or hashes.
399 | * [URLhaus](https://urlhaus.abuse.ch/) - A project from abuse.ch with the goal
400 |   of sharing malicious URLs that are being used for malware distribution.
401 | * [URLQuery](http://urlquery.net/) - Free URL Scanner.
402 | * [urlscan.io](https://urlscan.io/) - Free URL Scanner & domain information.
403 | * [Whois](https://whois.domaintools.com/) - DomainTools free online whois
404 |   search.
405 | * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free
406 |   online tools for researching malicious websites, compiled by Lenny Zeltser.
407 | * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.
408 | 
409 | ## Browser Malware
410 | 
411 | *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and
412 | [documents and shellcode](#documents-and-shellcode) sections.*
413 | 
414 | * [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines
415 |   multiple Java bytecode viewers and decompilers into one tool, including
416 |   APK/DEX support.
417 | * [Firebug](https://getfirebug.com/) - Firefox extension for web development.
418 | * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps.
419 | * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java
420 |   IDX cache files.
421 | * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript
422 |   malware analysis tool.
423 | * [jsunpack-n](https://github.com/urule99/jsunpack-n) - A javascript
424 |   unpacker that emulates browser functionality.
425 | * [Krakatau](https://github.com/Storyyeller/Krakatau) - Java decompiler,
426 |   assembler, and disassembler.
427 | * [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
428 | * [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust
429 |   ActionScript Bytecode Disassembler."
430 | * [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) -
431 |   Static and dynamic analysis of SWF applications.
432 | * [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash
433 |   files.
434 | * [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A
435 |   Python script for analyzing Flash files.
436 | 
437 | ## Documents and Shellcode
438 | 
439 | *Analyze malicious JS and shellcode from PDFs and Office documents. See also
440 | the [browser malware](#browser-malware) section.*
441 | 
442 | * [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for
443 |   analyzing PDFs and attempting to determine whether they are malicious.
444 | * [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying JavaScript
445 |   malware, featuring JScript/WScript support and ActiveX emulation.
446 | * [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing
447 |   malicious shellcode.
448 | * [InQuest Deep File Inspection](https://labs.inquest.net/dfi) - Upload common malware lures for Deep File Inspection and heuristical analysis.
449 | * [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation.
450 | * [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode
451 |   emulation.
452 | * [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs
453 |   into a JSON representation.
454 | * [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for
455 |   malicious traces in MS Office documents.
456 | * [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE
457 |   and OpenXML documents and extracting useful information.
458 | * [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for
459 |   analyzing malicious PDFs, and more.
460 | * [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid,
461 |   pdf-parser, and more from Didier Stevens.
462 | * [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool,
463 |   the backend-free version of PDF X-RAY.
464 | * [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python
465 |   tool for exploring possibly malicious PDFs.
466 | * [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework
467 |   to analyze suspected malware documents to identify exploits in streams of different
468 |   encodings and to locate and extract embedded executables.
469 | * [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) -
470 |   Mozilla's JavaScript engine, for debugging malicious JS.
471 | 
472 | ## File Carving
473 | 
474 | *For extracting files from inside disk and memory images.*
475 | 
476 | * [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file
477 |   carving tool.
478 | * [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows
479 |   Event Log files from raw binary data.
480 | * [Foremost](http://foremost.sourceforge.net/) - File carving tool designed
481 |   by the US Air Force.
482 | * [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a Python library
483 |   to view and edit a binary stream field by field.
484 | * [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving
485 |   tool.
486 | * [SFlock](https://github.com/jbremer/sflock) - Nested archive
487 |   extraction/unpacking (used in Cuckoo Sandbox).
488 | 
489 | ## Deobfuscation
490 | 
491 | *Reverse XOR and other code obfuscation methods.*
492 | 
493 | * [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware
494 |   analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
495 | * [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and
496 |   unpacker.
497 | * [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html)
498 |   & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) -
499 |   Two tools from Alexander Hanel for working with single-byte XOR encoded
500 |   files.
501 | * [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated
502 |   String Solver uses advanced static analysis techniques to automatically
503 |   deobfuscate strings from malware binaries.
504 | * [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte
505 |   XOR key using frequency analysis.
506 | * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic
507 |   hidden code extractor for Windows malware.
508 | * [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) -
509 |   A Python script to extract the contents of a PyInstaller generated Windows
510 |   executable file. The contents of the pyz file (usually pyc files) present
511 |   inside the executable are also extracted and automatically fixed so that a
512 |   Python bytecode decompiler will recognize it.
513 | * [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version
514 |   Python bytecode decompiler.  Translates Python bytecode back into equivalent
515 |   Python source code.
516 | * [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and
517 |   platform-independent unpacker for Windows binaries based on emulation.
518 | * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware
519 |   unpacker for Windows malware based on WinAppDbg.
520 | * [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using
521 |   known-plaintext attacks.
522 | * [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) -
523 |   Reverse engineering tool for virtualization wrappers.
524 | * [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) -
525 |   A Python script for brute forcing single-byte XOR keys.
526 | * [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/) -
527 |   A couple programs from Didier Stevens for finding XORed data.
528 | * [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as
529 |   well as the key itself.
530 | 
531 | ## Debugging and Reverse Engineering
532 | 
533 | *Disassemblers, debuggers, and other static and dynamic analysis tools.*
534 | 
535 | * [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis
536 |   framework developed at UCSB's Seclab.
537 | * [bamfdetect](https://github.com/bwall/bamfdetect) - Identifies and extracts
538 |   information from bots and other malware.
539 | * [BAP](https://github.com/BinaryAnalysisPlatform/bap) - Multiplatform and
540 |   open source (MIT) binary analysis framework developed at CMU's Cylab.
541 | * [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open
542 |   source Binary Analysis and Reverse engineering Framework.
543 | * [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
544 |   reverse engineering based on graph visualization.
545 | * [Binary ninja](https://binary.ninja/) - A reversing engineering platform
546 |   that is an alternative to IDA.
547 | * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool.
548 | * [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables.
549 | * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
550 |   binary analysis and reversing, with support for many architectures and
551 |   bindings in several languages.
552 | * [codebro](https://github.com/hugsy/codebro) - Web based code browser using
553 |   clang to provide basic code analysis.
554 | * [Cutter](https://github.com/radareorg/cutter) - GUI for Radare2.
555 | * [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF)
556 |   - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
557 | * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
558 |   and debugger.
559 | * [dotPeek](https://www.jetbrains.com/decompiler/) - Free .NET Decompiler and
560 |   Assembly Browser.
561 | * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
562 |   modular debugger with a Qt GUI.
563 | * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration
564 |   and tracing of the Windows kernel.
565 | * [FPort](https://www.mcafee.com/us/downloads/free-tools/fport.aspx) - Reports
566 |   open TCP/IP and UDP ports in a live system and maps them to the owning application.
567 | * [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
568 | * [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
569 |   and reverse engineers.
570 | * [Ghidra](https://github.com/NationalSecurityAgency/ghidra) - A software reverse engineering (SRE) framework created and       maintained by the National Security Agency Research Directorate.
571 | * [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
572 |   search for strings in PE executables including imports, exports, and debug
573 |   symbols.
574 | * [Hopper](https://www.hopperapp.com/) - The macOS and Linux Disassembler.
575 | * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
576 |   disassembler and debugger, with a free evaluation version.
577 | * [IDR](https://github.com/crypto2011/IDR) - Interactive Delphi Reconstructor
578 |   is a decompiler of Delphi executable files and dynamic libraries.
579 | * [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
580 |   malware analysis and more, with a Python API.
581 | * [ILSpy](http://ilspy.net/) - ILSpy is the open-source .NET assembly browser and decompiler.
582 | * [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols /
583 |   data structures reverse engineering and dissection, with code generation
584 |   for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
585 | * [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library
586 |   to parse, modify and abstract ELF, PE and MachO formats.
587 | * [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
588 | * [mac-a-mal](https://github.com/phdphuc/mac-a-mal) - An automated framework
589 |   for mac malware hunting.
590 | * [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
591 |   for static analysis of Linux binaries.
592 | * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
593 |   executables.
594 | * [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory
595 |   from (unpacked) malware Windows process and store raw or rebuild PE file.
596 |   This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
597 | * [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral
598 |   Dynamic Analysis.
599 | * [PEDA](https://github.com/longld/peda) - Python Exploit Development
600 |   Assistance for GDB, an enhanced display with added commands.
601 | * [pestudio](https://winitor.com/) - Perform static analysis of Windows
602 |   executables.
603 | * [Pharos](https://github.com/cmu-sei/pharos) - The Pharos binary analysis framework
604 |   can be used to perform automated static analysis of binaries.
605 | * [plasma](https://github.com/plasma-disassembler/plasma) - Interactive
606 |   disassembler for x86/ARM/MIPS.
607 | * [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for
608 |   reversers, malware researchers and those who want to statically inspect PE
609 |   files in more detail.
610 | * [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) -
611 |   Advanced task manager for Windows.
612 | * [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors
613 |   system resources.
614 | * [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) -
615 |   Advanced monitoring tool for Windows programs.
616 | * [PSTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) - Windows
617 |   command-line tools that help manage and investigate live systems.
618 | * [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
619 |   analysis.
620 | * [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse
621 |   engineering sandbox by the Talos team at Cisco.
622 | * [Qiling Framework](https://www.qiling.io/) - Cross platform emulation and sanboxing
623 |   framework with instruments for binary analysis.
624 | * [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg
625 |   server for stealth debugging.
626 | * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
627 |   debugger support.
628 | * [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility
629 |   that compares snapshots.
630 | * [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an
631 |   [online decompilation service](https://retdec.com/decompilation/) and
632 |   [API](https://retdec.com/api/) that you can use in your tools.
633 | * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect
634 |   and decompile complex code-reuse attacks.
635 | * [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix
636 |   the IAT of an unpacked / dumped PE32 malware.
637 | * [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library
638 |   and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
639 | * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
640 |   plugin for Sublime 3 to aid with malware analyis.
641 | * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for
642 |   Linux executables.
643 | * [StringSifter](https://github.com/fireeye/stringsifter) - A machine learning tool
644 |   that automatically ranks strings based on their relevance for malware analysis.
645 | * [Triton](https://triton.quarkslab.com/) - A dynamic binary analysis (DBA) framework.
646 | * [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
647 |   for x86 and x86_64.
648 | * [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
649 |   malware analysis.
650 | * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
651 | * [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
652 | 
653 | ## Network
654 | 
655 | *Analyze network interactions.*
656 | 
657 | * [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible
658 |   scale; both file and network protocols.
659 | * [BroYara](https://github.com/hempnall/broyara) - Use Yara rules from Bro.
660 | * [CapTipper](https://github.com/omriher/CapTipper) -  Malicious HTTP traffic
661 |   explorer.
662 | * [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and
663 |   decoding framework.
664 | * [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis
665 |   and malware traffic detection.
666 | * [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) - Next generation
667 |   dynamic network analysis tool.
668 | * [Fiddler](https://www.telerik.com/fiddler) - Intercepting web proxy designed
669 |   for "web debugging."
670 | * [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor.
671 | * [Haka](http://www.haka-security.org/) - An open source security oriented
672 |   language for describing protocols and applying security policies on (live)
673 |   captured traffic.
674 | * [HTTPReplay](https://github.com/jbremer/httpreplay) - Library for parsing
675 |   and reading out PCAP files, including TLS streams using TLS Master Secrets
676 |   (used in Cuckoo Sandbox).
677 | * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when
678 |   building a malware lab.
679 | * [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS is a file-centric
680 |   malware analysis and intrusion detection system.
681 | * [Malcolm](https://github.com/idaholab/Malcolm) - Malcolm is a powerful, easily
682 |   deployable network traffic analysis tool suite for full packet capture artifacts
683 |   (PCAP files) and Zeek logs.
684 | * [Malcom](https://github.com/tomchop/malcom) - Malware Communications
685 |   Analyzer.
686 | * [Maltrail](https://github.com/stamparm/maltrail) - A malicious traffic
687 |   detection system, utilizing publicly available (black)lists containing
688 |   malicious and/or generally suspicious trails and featuring an reporting
689 |   and analysis interface.
690 | * [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly.
691 | * [Moloch](https://github.com/aol/moloch) - IPv4 traffic capturing, indexing
692 |   and database system.
693 | * [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network
694 |   forensic analysis tool, with a free version.
695 | * [ngrep](https://github.com/jpr5/ngrep) - Search through network traffic
696 |   like grep.
697 | * [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and
698 |   traffic visualizer.
699 | * [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An
700 |   ICAP Server with yara scanner for URL or content.
701 | * [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool
702 |   designed to analyze a web-based network traffic to detect central command
703 |   and control (C&C) servers and malicious sites, using Squid proxy server and
704 |   Spamhaus.
705 | * [Tcpdump](http://www.tcpdump.org/) - Collect network traffic.
706 | * [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams
707 |   from network traffic.
708 | * [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network
709 |   traffic.
710 | * [Wireshark](https://www.wireshark.org/) - The network traffic analysis
711 |   tool.
712 | 
713 | ## Memory Forensics
714 | 
715 | *Tools for dissecting malware in memory images or running systems.*
716 | 
717 | * [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS
718 |   forensics client supporting hiberfil, pagefile, raw memory analysis.
719 | * [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of
720 |   Malware in Memory, built on Volatility.
721 | * [evolve](https://github.com/JamesHabben/evolve) - Web interface for the
722 |   Volatility Memory Forensics Framework.
723 | * [FindAES](https://sourceforge.net/projects/findaes/) - Find AES
724 |   encryption keys in memory.
725 | * [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory
726 |   analysis framework developed in .NET supports all Windows x64, includes
727 |   code integrity and write support.
728 | * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions
729 |   of analysis using Volatility, and create a readable report.
730 |   [Orochi](https://github.com/LDO-CERT/orochi) - Orochi is an open source framework for 
731 |   collaborative forensic memory dump analysis. 
732 | * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework,
733 |   forked from Volatility in 2013.
734 | * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based
735 |   on Volatility for automating various malware analysis tasks.
736 | * [VolDiff](https://github.com/aim4r/VolDiff) - Run Volatility on memory
737 |   images before and after malware execution, and report changes.
738 | * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced
739 |   memory forensics framework.
740 | * [VolUtility](https://github.com/kevthehermit/VolUtility) - Web Interface for
741 |   Volatility Memory Analysis framework.
742 | * [WDBGARK](https://github.com/swwwolf/wdbgark) -
743 |   WinDBG Anti-RootKit Extension.
744 | * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) -
745 |   Live memory inspection and kernel debugging for Windows systems.
746 | 
747 | ## Windows Artifacts
748 | 
749 | * [AChoir](https://github.com/OMENScan/AChoir) - A live incident response
750 |   script for gathering Windows artifacts.
751 | * [python-evt](https://github.com/williballenthin/python-evt) - Python
752 |   library for parsing Windows Event Logs.
753 | * [python-registry](http://www.williballenthin.com/registry/) - Python
754 |   library for parsing registry files.
755 | * [RegRipper](http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/)
756 |   ([GitHub](https://github.com/keydet89/RegRipper2.8)) -
757 |   Plugin-based registry analysis tool.
758 | 
759 | ## Storage and Workflow
760 | 
761 | * [Aleph](https://github.com/merces/aleph) - Open Source Malware Analysis
762 |   Pipeline System.
763 | * [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a
764 |   malware and threat repository.
765 | * [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis
766 |   framework featuring a pipeline that can be extended with custom modules,
767 |   which can be chained and interact with each other to perform end-to-end
768 |   analysis.
769 | * [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and
770 |   search malware.
771 | * [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis
772 |   platform designed to help analysts to reverse malwares collaboratively.
773 | * [stoQ](http://stoq.punchcyber.com) - Distributed content analysis
774 |   framework with extensive plugin support, from input to output, and everything
775 |   in between.
776 | * [Viper](http://viper.li/) - A binary management and analysis framework for
777 |   analysts and researchers.
778 | 
779 | ## Miscellaneous
780 | 
781 | * [al-khaser](https://github.com/LordNoteworthy/al-khaser) - A PoC malware
782 |   with good intentions that aimes to stress anti-malware systems.
783 | * [CryptoKnight](https://github.com/AbertayMachineLearningGroup/CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.
784 | * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) -
785 |   The Defense Cyber Crime Center's Malware Configuration Parser framework.
786 | * [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable,
787 |   Windows-based, security distribution for malware analysis.
788 | * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database
789 |   containing exploits used by malware.
790 | * [Malware Museum](https://archive.org/details/malwaremuseum) - Collection of
791 |   malware programs that were distributed in the 1980s and 1990s.
792 | * [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
793 | * [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish, a demonstration
794 |   tool that employs several techniques to detect sandboxes and analysis
795 |   environments in the same way as malware families do.
796 | * [REMnux](https://remnux.org/) - Linux distribution and docker images for
797 |   malware reverse engineering and analysis.
798 | * [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
799 | * [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile
800 |   forensics, malware analysis, and security.
801 | 
802 | # Resources
803 | 
804 | ## Books
805 | 
806 | *Essential malware analysis reading material.*
807 | 
808 | * [Learning Malware Analysis](https://www.packtpub.com/networking-and-servers/learning-malware-analysis) - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
809 | * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) -
810 |   Tools and Techniques for Fighting Malicious Code.
811 | * [Mastering Malware Analysis](https://www.packtpub.com/networking-and-servers/mastering-malware-analysis) - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
812 | * [Mastering Reverse Engineering](https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering) - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
813 | * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On
814 |   Guide to Dissecting Malicious Software.
815 | * [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
816 |   Intermediate Reverse Engineering.
817 | * [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer
818 |   Security and Incident Response.
819 | * [Rootkits and Bootkits](https://www.amazon.com/dp/1593277164) - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
820 | * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting
821 |   Malware and Threats in Windows, Linux, and Mac Memory.
822 | * [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
823 |   to the World's Most Popular Disassembler.
824 | * [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - The Rootkit Arsenal:
825 |   Escape and Evasion in the Dark Corners of the System
826 | 
827 | ## Other
828 | 
829 | * [APT Notes](https://github.com/aptnotes/data) - A collection of papers
830 |   and notes related to Advanced Persistent Threats.
831 | * [Ember](https://github.com/endgameinc/ember) - Endgame Malware BEnchmark for Research,
832 |   a repository that makes it easy to (re)create a machine learning model that can be used
833 |   to predict a score for a PE file based on static analysis.
834 | * [File Formats posters](https://github.com/corkami/pics) - Nice visualization
835 |   of commonly used file format (including PE & ELF).
836 | * [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and
837 |   other resources.
838 | * [Kernel Mode](http://www.kernelmode.info/forum/) - An active community
839 |   devoted to malware analysis and kernel development.
840 | * [Malicious Software](https://zeltser.com/malicious-software/) - Malware
841 |   blog and resources by Lenny Zeltser.
842 | * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) -
843 |   Custom Google search engine from [Corey Harrell](journeyintoir.blogspot.com/).
844 | * [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) -
845 |   The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
846 |   practical malware analysis.
847 | * [Malware Analysis, Threat Intelligence and Reverse Engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) -
848 |   Presentation introducing the concepts of malware analysis, threat intelligence
849 |   and reverse engineering. Experience or prior knowledge is not required. Labs
850 |   link in description.
851 | * [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection
852 |   of various information focused on malware persistence: detection (techniques),
853 |   response, pitfalls and the log collection (tools).
854 | * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This
855 |   blog focuses on network traffic related to malware infections.
856 | * [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows
857 |   you to easily search some of the most popular malware databases
858 | * [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) -
859 |   This package contains most of the software referenced in the Practical Malware
860 |   Analysis book.
861 | * [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - These are the
862 |   course materials used in the Malware Analysis course at at Rensselaer Polytechnic
863 |   Institute during Fall 2015.
864 | * [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan
865 |   Carvey's page on Malware.
866 | * [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) -
867 |   Windows registry file format specification.
868 | * [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - Subreddit for CSIRT
869 |   tools and resources, with a
870 |   [malware analysis](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on) flair.
871 | * [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit.
872 | * [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) -
873 |   Reverse engineering subreddit, not limited to just malware.
874 | 
875 | 
876 | 
877 | # Related Awesome Lists
878 | 
879 | * [Android Security](https://github.com/ashishb/android-security-awesome)
880 | * [AppSec](https://github.com/paragonie/awesome-appsec)
881 | * [CTFs](https://github.com/apsdehal/awesome-ctf)
882 | * [Executable Packing](https://github.com/dhondta/awesome-executable-packing)
883 | * [Forensics](https://github.com/Cugu/awesome-forensics)
884 | * ["Hacking"](https://github.com/carpedm20/awesome-hacking)
885 | * [Honeypots](https://github.com/paralax/awesome-honeypots)
886 | * [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security)
887 | * [Incident-Response](https://github.com/meirwah/awesome-incident-response)
888 | * [Infosec](https://github.com/onlurking/awesome-infosec)
889 | * [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
890 | * [Pentesting](https://github.com/enaqx/awesome-pentest)
891 | * [Security](https://github.com/sbilly/awesome-security)
892 | * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
893 | * [YARA](https://github.com/InQuest/awesome-yara)
894 | 
895 | # [Contributing](CONTRIBUTING.md)
896 | 
897 | Pull requests and issues with suggestions are welcome! Please read the
898 | [CONTRIBUTING](CONTRIBUTING.md) guidelines before submitting a PR.
899 | 
900 | # Thanks
901 | 
902 | This list was made possible by:
903 | 
904 | * Lenny Zeltser and other contributors for developing REMnux, where I
905 |   found many of the tools in this list;
906 | * Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
907 |   writing the *Malware Analyst's Cookbook*, which was a big inspiration for
908 |   creating the list;
909 | * And everyone else who has sent pull requests or suggested links to add here!
910 | 
911 | Thanks!
912 | 


--------------------------------------------------------------------------------
/drop.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rshipp/awesome-malware-analysis/179887b9bfb04bb736348b2dc9d331bc860c6ef7/drop.png


--------------------------------------------------------------------------------
/恶意软件分析大合集.md:
--------------------------------------------------------------------------------
  1 | # 恶意软件分析大合集 [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
  2 | 
  3 | 
  4 | 这个列表记录着那些令人称赞的恶意软件分析工具和资源。受到 [awesome-python](https://github.com/vinta/awesome-python) 和 [awesome-php](https://github.com/ziadoz/awesome-php) 的启迪。
  5 | 
  6 | - [恶意软件集合](#恶意软件集合)
  7 |     - [匿名代理](#匿名代理)
  8 |     - [蜜罐](#蜜罐)
  9 |     - [恶意软件样本库](#恶意软件样本库)
 10 | - [开源威胁情报](#开源威胁情报)
 11 |     - [工具](#工具)
 12 |     - [其他资源](#其他资源)
 13 | - [检测与分类](#检测与分类)
 14 | - [在线扫描与沙盒](#在线扫描与沙盒)
 15 | - [域名分析](#域名分析)
 16 | - [浏览器恶意软件](#浏览器恶意软件)
 17 | - [文档和 Shellcode](#文档和-Shellcode)
 18 | - [文件提取](#文件提取)
 19 | - [去混淆](#去混淆)
 20 | - [调试与逆向工程](#调试与逆向工程)
 21 | - [网络](#网络)
 22 | - [内存取证](#内存取证)
 23 | - [Windows 神器](#Windows-神器)
 24 | - [存储和工作流](#存储和工作流)
 25 | - [杂项](#杂项)
 26 | - [资源](#资源)
 27 |     - [书籍](#书籍)
 28 |     - [其它](#其它)
 29 | - [相关 Awesome 清单](#相关-Awesome-清单)
 30 | - [贡献者](#做出贡献)
 31 | - [致谢](#致谢)
 32 | 
 33 | ---
 34 | 
 35 | ## 恶意软件集合
 36 | 
 37 | ### 匿名代理
 38 | 
 39 | *对于分析人员的 Web 流量匿名方案*
 40 | 
 41 | * [Anonymouse.org](http://anonymouse.org/) - 一个免费、基于 Web 的匿名代理
 42 | * [OpenVPN](https://openvpn.net/) - VPN 软件和托管解决方案
 43 | * [Privoxy](http://www.privoxy.org/) - 一个带有隐私保护功能的开源代理服务器
 44 | * [Tor](https://www.torproject.org/) - 洋葱路由器，为了在浏览网页时不留下客户端 IP 地址
 45 | 
 46 | ### 蜜罐
 47 | 
 48 | *捕获和收集你自己的样本*
 49 | 
 50 | * [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA 蜜罐
 51 | * [Cowrie](https://github.com/micheloosterhof/cowrie) - 基于 Kippo 的 SSH 蜜罐
 52 | * [DemoHunter](https://github.com/RevengeComing/DemonHunter) - 低交互分布式蜜罐
 53 | * [Dionaea](http://dionaea.carnivore.it/) - 用来捕获恶意软件的蜜罐
 54 | * [Glastopf](http://glastopf.org/) - Web 应用蜜罐
 55 | * [Honeyd](http://honeyd.org/) - 创建一个虚拟蜜罐
 56 | * [HoneyDrive](https://bruteforce.gr/honeydrive/) - 蜜罐包的 Linux 发行版
 57 | * [Honeytrap](https://github.com/honeytrap/honeytrap) - 运行、监控、管理蜜罐的开源系统
 58 | * [MHN](https://github.com/pwnlandia/mhn) - MHN 是管理蜜罐的集中式服务器，可以快速部署蜜罐收集数据，并提供统一的 Web 界面
 59 | * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - 受 Dinoaea 支持的蜜罐数据标准化
 60 | * [Thug](https://github.com/buffer/thug) - 用来调查恶意网站的低交互蜜罐
 61 | 
 62 | ### 恶意软件样本库
 63 | 
 64 | *收集用于分析的恶意软件样本*
 65 | 
 66 | * [Clean MX](http://support.clean-mx.com/clean-mx/viruses.php) - 恶意软件和恶意域名的实时数据库
 67 | * [Contagio](http://contagiodump.blogspot.com/) - 近期的恶意软件样本和分析的收集
 68 | * [Exploit Database](https://www.exploit-db.com/) - Exploit 和 shellcode 样本
 69 | * [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - 恶意软件样本收集与分析
 70 | * [InQuest Labs](https://labs.inquest.net) - 恶意 Microsoft 文档语料库
 71 | * [Javascript Mallware Collection](https://github.com/HynekPetrak/javascript-malware-collection) - 收集了将近四万个 JavaScript 恶意样本
 72 | * [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - 为调查恶意软件提供快速可识别、可操作的上下文资源
 73 | * [Malshare](https://malshare.com) - 在恶意网站上得到的大量恶意样本库
 74 | * [Ragpicker](https://github.com/robbyFux/Ragpicker) - 基于 malware crawler 的一个插件
 75 | * [theZoo](https://github.com/ytisf/theZoo) - 分析人员的实时恶意样本库
 76 | * [Tracker h3x](http://tracker.h3x.eu/) - Agregator 的恶意软件跟踪和下载地址
 77 | * [vduddu malware repo](https://github.com/vduddu/Malware) - 多种恶意软件文件与源码收集
 78 | * [VirusBay](https://beta.virusbay.io/) - 基于社区的恶意软件仓库
 79 | * [ViruSign](http://www.virussign.com/) - 除 ClamAV 外的反病毒程序检出的恶意软件数据库
 80 | * [VirusShare](http://virusshare.com/) - 恶意软件库
 81 | * [VX Vault](http://vxvault.net/) - 恶意软件样本的主动收集
 82 | * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - 由 Lenny Zeltser 整理的恶意软件样本源列表
 83 | * [Zeus Source Code](https://github.com/Visgean/Zeus) - 2011 年 Zeus 源码泄露
 84 | 
 85 | ## 开源威胁情报
 86 | 
 87 | ### 工具
 88 | 
 89 | *收集、分析 IOC 信息*
 90 | 
 91 | * [AbuseHelper](https://github.com/abusesa/abusehelper) - 用于接收和重新分发威胁情报的开源框架
 92 | * [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - 威胁情报的共享与合作
 93 | * [Combine](https://github.com/mlsecproject/combine) - 从公开的信息源中得到威胁情报信息
 94 | * [Fileintel](https://github.com/keithjjones/fileintel) - 文件情报
 95 | * [Hostintel](https://github.com/keithjjones/hostintel) - 主机情报
 96 | * [IntelMQ](https://www.enisa.europa.eu/activities/cert/support/incident-handling-automation) - CERT 使用消息队列来处理应急数据的工具
 97 | * [IOC Editor](https://www.mandiant.com/resources/download/ioc-editor/) - Mandiant 出品的一个免费的 XML IOC 文件编辑器
 98 | * [iocextract](https://github.com/InQuest/python-iocextract) - 高级 IOC 提取工具，Python 库与命令行工具
 99 | * [ioc_writer](https://github.com/mandiant/ioc_writer) - 开发的用于 OpenIOC 对象的 Python 库
100 | * [MalPipe](https://github.com/silascutler/MalPipe) - 恶意软件/IOC 提取和处理引擎，收集丰富的数据
101 | * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - 由 [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework)发起，之前叫做 CIF (Collective Intelligence Framework)，从各种信息源聚合 IOC 信息
102 | * [MISP](https://github.com/MISP/MISP) - 由 [The MISP Project](http://www.misp-project.org/) 发起的恶意软件信息共享平台
103 | * [Pulsedive](https://pulsedive.com) - 社区驱动的免费威胁情报平台，在开源资源中收集 IOC
104 | * [PyIOCe](https://github.com/pidydx/PyIOCe) - 一个 Python OpenIOC 编辑器
105 | * [RiskIQ](https://community.riskiq.com/) - 研究、链接、标注和分享 IP 与 域名
106 | * [threataggregator](https://github.com/jpsenior/threataggregator) - 聚合来自多个信息源的安全威胁，包括 [other resources](#other-resources) 列表中的一些
107 | * [ThreatConnect](https://threatconnect.com/free/) - TC Open 用于查看、共享开源数据，将会得到社区的支持与验证
108 | * [ThreatCrowd](https://www.threatcrowd.org/) - 带有图形可视化的威胁搜索引擎
109 | * [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - 一个 Python 脚本，用于根据 Google 自定义搜索引擎检索的 IOC 监视、生成警报
110 | * [TIQ-test](https://github.com/mlsecproject/tiq-test) - 威胁情报源的数据可视化和统计分析
111 | 
112 | ### 其他资源
113 | 
114 | *威胁情报和 IOC 资源*
115 | 
116 | * [Autoshun](http://autoshun.org/) ([list](http://autoshun.org/)) - Snort 插件和黑名单
117 | * [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) - 基于恶意 DGA 算法的 OSINT 订阅
118 | * [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) - 可扩展的恶意软件配置数据库（必须有请求权限）
119 | * [CI Army](http://www.ciarmy.com/) ([list](http://www.ciarmy.com/list/ci-badguys.txt)) - 网络安全黑名单
120 | * [Critical Stack- Free Intel Market](https://intel.CriticalStack.com) - 免费的英特尔去重聚合项目，有超过 90 种订阅以及超过一百二十万个威胁情报信息
121 | * [Cybercrime tracker](http://cybercrime-tracker.net/) - 多个僵尸网络的活动跟踪
122 | * [FireEye IOCs](https://github.com/fireeye/iocs) - 由 FireEye 共享的 IOC 信息
123 | * [FireHOL IP Lists](https://iplists.firehol.org/) - 针对攻击、恶意软件的更改历史、国家地图和保留政策的 350+ IP 的跟踪
124 | * [HoneyDB](https://riskdiscovery.com/honeydb) - 社区驱动的蜜罐传感器数据收集与聚合
125 | * [hpfeeds](https://github.com/rep/hpfeeds) - 蜜罐订阅协议
126 | * [CERT-PA 列表](https://infosec.cert-pa.it/analyze/statistics.html) ([IP](https://infosec.cert-pa.it/analyze/listip.txt) - [域名](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URL](https://infosec.cert-pa.it/analyze/listurls.txt)) - 黑名单服务
127 | * [InQuest REPdb](https://labs.inquest.net/repdb) - 聚合来自各种开源信誉来源的 IOC 指标
128 | * [InQuest IOCdb](https://labs.inquest.net/iocdb) - 聚合来自博客、Github 仓库与 Twitter 的 IOC 指标
129 | * [Internet Storm Center (DShield)](https://isc.sans.edu/) - 日志和可搜索的事件数据库，并且带有 Web [API](https://dshield.org/api/)([非官方 Python 库](https://github.com/rshipp/python-dshield)).
130 | * [malc0de](http://malc0de.com/database/) - 搜索事件数据库
131 | * [Malware Domain List](http://www.malwaredomainlist.com/) - 搜索和分享恶意软件 URL
132 | * [Metadefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) -
133 |   在 MetaDefender Cloud 中查询文件哈希值
134 | * [OpenIOC](http://openioc.org/) - 威胁情报共享框架
135 | * [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - 勒索软件的概述列表
136 | * [STIX - Structured Threat Information eXpression](http://stix.mitre.org/) - 通过标准化的语言来表示、共享网络威胁信息
137 |   [MITRE](http://mitre.org) 相关:
138 |   - [CAPEC - 常见攻击模式枚举与分类](http://capec.mitre.org/)
139 |   - [CybOX - 网络观测 eXpression](http://cybox.mitre.org/)
140 |   - [MAEC - 恶意软件特征枚举与界定](http://maec.mitre.org/)
141 |   - [TAXII - 可信的指标信息自动化交换](http://taxii.mitre.org/)
142 | * [SystemLookup](https://www.systemlookup.com/) - SystemLookup 可以提供合法的或PUP的组件信息
143 | * [ThreatMiner](https://www.threatminer.org/) - 威胁情报数据挖掘接口
144 | * [threatRECON](https://threatrecon.co/) - 搜索指标，每月最多一千次
145 | * [ThreatShare](https://threatshare.io/) - C2 面板跟踪
146 | * [Yara rules](https://github.com/Yara-Rules/rules) - Yara 规则集
147 | * [YETI](https://github.com/yeti-platform/yeti) - Yeti 是一个旨在组织数据中的可观察性、IOC 指标、TTP 和威胁情报
148 | * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS 黑名单
149 | 
150 | ## 检测与分类
151 | 
152 | *反病毒和其他恶意软件识别工具*
153 | 
154 | * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Windows PE 文件的分析器
155 | * [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/) - 大规模分布式文件分析框架
156 | * [BinaryAlert](https://github.com/airbnb/binaryalert) - 开源、无服务 AWS 管道，用于对上传的文件使用 YARA 进行扫描和报警
157 | * [capa](https://github.com/fireeye/capa) - 检测可执行文件的攻击能力
158 | * [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测
159 | * [ClamAV](http://www.clamav.net/) - 开源反病毒引擎
160 | * [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序
161 | * [Exeinfo PE](http://exeinfo.pe.hu/) - 加壳、压缩检测工具，带有脱壳信息
162 | * [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - 读、写、编辑文件的元数据
163 | * [File Scanning Framework](http://www.sno.phy.queensu.ca/%7Ephil/exiftool/) - 模块化的递归文件扫描解决方案
164 | * [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - 单个库解析工具，用来提取元数据、进行静态分析与检测文件内的宏
165 | * [hashdeep](https://github.com/jessek/hashdeep) - 用各种算法计算哈希值
166 | * [HashCheck](https://github.com/gurnec/HashCheck) - 可使用各种算法计算哈希值的 Windows shell 扩展
167 | * [Loki](https://github.com/Neo23x0/Loki) - 基于主机的 IOC 扫描器
168 | * [Malfunction](https://github.com/Dynetics/Malfunction) - 在功能层面对恶意软件进行分类和比较
169 | * [Manalyze](https://github.com/JusticeRage/Manalyze) - PE 文件的静态分析工具
170 | * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - 静态分析框架
171 | * [MultiScanner](https://github.com/MITRECND/multiscanner) - 模块化文件扫描/分析框架
172 | * [Nauz File Detector(NFD)](https://github.com/horsicq/Nauz-File-Detector) - 跨平台（Windows、Linux、MacOS）的链接器/编译器检测
173 | * [nsrllookup](https://github.com/rjhansen/nsrllookup) - 查询 NIST's National Software Reference Library 数据库中哈希的工具
174 | * [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品
175 | * [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - PE 文件的逆向工具
176 | * [PEframe](https://github.com/guelfoweb/peframe) - PEframe 可以对 PE 文件与 Office 文档文件进行静态分析
177 | * [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集
178 | * [PortEx](https://github.com/katjahahn/PortEx) - 聚焦于与 PE 文件相关恶意软件分析的 Java 库
179 | * [Quark-Engine](https://github.com/quark-engine/quark-engine) - 能够对抗混淆的 Android 恶意软件评估系统
180 | * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - 检测 Linux 的 rootkits
181 | * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值
182 | * [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本
183 | * [TrID](http://mark0.net/soft-trid-e.html) - 文件识别
184 | * [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具
185 | * [Yara rules generator](https://github.com/Neo23x0/yarGen) - 基于恶意样本生成 yara 规则，也包含避免误报的字符串数据库
186 | * [Yara Finder](https://github.com/uppusaikiran/yara-finder) - 使用不同 yara 规则匹配文件的简单工具，以期找到可疑指标
187 | 
188 | ## 在线扫描与沙盒
189 | 
190 | *基于 Web 的多反病毒引擎扫描器和恶意软件自动分析的沙盒*
191 | 
192 | * [anlyz.io](https://sandbox.anlyz.io/) - 在线沙盒
193 | * [any.run](https://app.any.run/) - 在线交互式沙盒
194 | * [AndroTotal](https://andrototal.org/) - 利用多个移动反病毒软件进行免费在线分析 App
195 | * [AVCaesar](https://avcaesar.malware.lu/) - Malware.lu 在线扫描器和恶意软件集合
196 | * [BoomBox](https://github.com/nbeede/BoomBox) - 使用 Packer 与 Vagrant 自动部署的 Cuckoo 沙盒
197 | * [Cryptam](http://www.cryptam.com/) - 分析可疑的 Office 文档
198 | * [Cuckoo Sandbox](http://cuckoosandbox.org/) - 开源、自主的沙盒和自动分析系统
199 | * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - GPL 许可证的 Cuckoo 沙盒的修改版，由于法律原因作者没有将其分支合并
200 | * [cuckoo-modified-api](https://github.com/brad-accuvant/cuckoo-modified) - 用于控制 cuckoo-modified 沙盒的 Python API
201 | * [DeepViz](https://www.deepviz.com/) - 通过机器学习分类来分析的多格式文件分析器
202 | * [detux](https://github.com/detuxsandbox/detux/) - 一个用于对 Linux 恶意软件流量分析与 IOC 信息捕获的沙盒
203 | * [DRAKVUF](https://github.com/tklengyel/drakvuf) - 动态恶意软件分析系统
204 | * [firmware.re](http://firmware.re/) - 解包、扫描、分析绝大多数固件包
205 | * [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - Linux平台上的自动化恶意代码分析工具.
206 | * [Hybrid Analysis](https://www.hybrid-analysis.com/) - 由 VxSandbox 支持的在线恶意软件分析工具
207 | * [Intezer](https://analyze.intezer.com) - 通过识别代码重用与代码相似度来检测、分析归类恶意软件
208 | * [IRMA](http://irma.quarkslab.com/) - 异步、可定制的可疑文件分析平台
209 | * [Joe Sandbox](https://www.joesecurity.org/) - 深度恶意软件分析
210 | * [Jotti](https://virusscan.jotti.org/en) - 免费在线多反病毒引擎扫描器
211 | * [Limon](https://github.com/monnappa22/Limon) - 分析 Linux 恶意软件的沙盒
212 | * [Malheur](https://github.com/rieck/malheur) - 恶意行为的自动化沙盒分析
213 | * [malice.io](https://github.com/maliceio/malice) - 大规模弹性恶意软件分析框架
214 | * [malsub](https://github.com/diogo-fernan/malsub) - 提供在线恶意软件与 URL 分析服务的 Python RESTful API 框架
215 | * [Malware config](https://malwareconfig.com/) - 从常见的恶意软件提取、解码和在线配置
216 | * [MalwareAnalyser.io](https://malwareanalyser.io/) - 基于异常的在线恶意软件静态检测，采用启发式检测引擎，通过数据挖掘与机器学习赋能
217 | * [Malwr](https://malwr.com/) - 免费的在线 Cuckoo 沙盒分析实例
218 | * [MASTIFF Online](https://mastiff-online.korelogic.com/) - 在线恶意软件静态分析
219 | * [MetaDefender Cloud](https://metadefender.opswat.com/) - 扫描文件、哈希或恶意软件的 IP 地址
220 | * [NetworkTotal](https://www.networktotal.com/index.html) - 一个分析 pcap 文件的服务，使用配置了 EmergingThreats Pro 的Suricata 快速检测病毒、蠕虫、木马和各种恶意软件
221 | * [Noriben](https://github.com/Rurik/Noriben) - 使用 Sysinternals Procmon 收集恶意软件在沙盒环境下的进程信息
222 | * [PacketTotal](https://packettotal.com/) - 分析 .pcap 文件、可视化网络流量的在线引擎
223 | * [PDF Examiner](http://www.pdfexaminer.com/) - 收集可疑的 PDF 文件
224 | * [ProcDot](http://www.procdot.com/) - 一个可视化恶意软件分析工具集
225 | * [Recomposer](https://github.com/secretsquirrel/recomposer) - 安全上传二进制程序到沙盒网站的辅助脚本
226 | * [sandboxapi](https://github.com/InQuest/python-sandboxapi) - 整合多个开源、商业恶意软件沙盒的 Python 库
227 | * [SEE](https://github.com/F-Secure/see) - 在安全环境中构建测试自动化的框架
228 | * [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - 在线 dropper 分析，支持 Js、VBScript, Microsoft Office, PDF
229 | * [VirusTotal](https://www.virustotal.com/) - 免费的在线恶意软件样本和 URL 分析
230 | * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - 用于日志的开源可视化库和命令行工具（Cuckoo、Procmon 等）
231 | * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Lenny Zeltser 创建的免费自动沙盒服务
232 | 
233 | ## 域名分析
234 | 
235 | *检查域名和 IP 地址*
236 | 
237 | * [AbuseIPDB](https://www.abuseipdb.com/) - AbuseIPDB 是一个旨在帮助防御攻击蔓延、垃圾邮件传播与互联网滥用活动的项目
238 | * [badips.com](https://www.badips.com/) - 基于 IP 黑名单服务的社区
239 | * [boomerang](https://github.com/EmersonElectricCo/boomerang) - 旨在安全地捕获网络资源而设计的工具
240 | * [Cymon](https://cymon.io/) - 威胁情报跟踪、具有 IP、域名、哈希值搜索功能
241 | * [Desenmascara.me](http://desenmascara.me) - 一键点击即可得到尽可能多的检索元数据以评估一个网站的信誉度
242 | * [Dig](http://networking.ringofsaturn.com/) - 免费的在线 dig 以及其他网络工具
243 | * [dnstwist](https://github.com/elceef/dnstwist) - 用于检测钓鱼网站和公司间谍活动的域名排名网站
244 | * [IPinfo](https://github.com/hiddenillusion/IPinfo) - 通过搜索在线资源收集关于 IP 或 域名的信息
245 | * [Machinae](https://github.com/hurricanelabs/machinae) - 类似 Automator 的 OSINT 工具，用于收集有关 URL、IP 或哈希的信息
246 | * [mailchecker](https://github.com/FGRibreau/mailchecker) - 跨语言临时邮件检测库
247 | * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - 让 Maltego 使用 VirusTotal API，允许搜索域名、IP 地址、文件哈希、报告
248 | * [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单，反向查找超过 300 个 RBL
249 | * [NormShield Services](https://services.normshield.com/) - 用于检测潜在的钓鱼域名、黑名单中的 IP 地址与非法账户
250 | * [PhishStats](https://phishstats.info/) - 搜索IP、域名和网站标题的钓鱼统计信息
251 | * [Spyse](https://spyse.com/) - 子域名、whois、相关域名、DNS、主机自治域、证书信息
252 | * [SecurityTrails](https://securitytrails.com/) - 历史与当前WHOIS、DNS数据，相似域名、证书信息以及其他与域名和 IP 相关的数据
253 | * [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP
254 | * [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单
255 | * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - 免费的网站恶意软件与安全扫描器
256 | * [Talos Intelligence](https://talosintelligence.com/) - 搜索 IP、域名或网络的所有者
257 | * [TekDefense Automator](http://www.tekdefense.com/automater/) - 收集关于 URL、IP 和哈希值的 OSINT 工具
258 | * [URLhaus](https://urlhaus.abuse.ch/) - 由abuse.ch所支撑的项目，旨在提供用于分发恶意软件的URL列表
259 | * [URLQuery](http://urlquery.net/) - 免费的 URL 扫描器
260 | * [urlscan.io](https://urlscan.io/) - 免费 URL 扫描器与域名信息
261 | * [Whois](http://whois.domaintools.com/) - DomainTools 家免费的 whois 搜索
262 | * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - 由 Lenny Zeltser 整理的免费在线恶意软件工具集
263 | * [ZScalar Zulu](https://zulu.zscaler.com/#) - Zulu URL 风险分析
264 | 
265 | ## 浏览器恶意软件
266 | 
267 | *分析恶意 URL，也可以参考 [domain analysis](#domain-analysis) 和 [documents and shellcode](#documents-and-shellcode) 部分*
268 | 
269 | * [Firebug](https://getfirebug.com/) - Firefox Web 开发扩展
270 | * [Java Decompiler](http://jd.benow.ca/) - 反编译并检查 Java 的应用
271 | * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - 解析 Java IDX 缓存文件
272 | * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript 恶意软件分析工具
273 | * [jsunpack-n](https://github.com/urule99/jsunpack-n) - 一个 javascript 解压软件，可以模拟浏览器功能
274 | * [Krakatau](https://github.com/Storyyeller/Krakatau) - Java 的反编译器、汇编器与反汇编器
275 | * [Malzilla](http://malzilla.sourceforge.net/) - 分析恶意 Web 页面
276 | * [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - 一个健壮的 ActionScript 字节码反汇编
277 | * [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) - SWF 应用程序的静态、动态分析
278 | * [swftools](http://www.swftools.org/) - PDF 转换成 SWF 的工具
279 | * [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - 分析 Flash 文件的 Python 脚本
280 | 
281 | ## 文档和 Shellcode
282 | 
283 | *在 PDF、Office 文档中分析恶意 JS 和 Shellcode，也可参考[browser malware](#browser-malware) 部分*
284 | 
285 | * [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - 分析 PDF 并尝试判断其是否是恶意文件的工具
286 | * [box-js](https://github.com/CapacitorSet/box-js) - 用于研究 JavaScript 恶意软件的工具，支持 JScript/WScript 和 ActiveX 仿真功能
287 | * [diStorm](http://www.ragestorm.net/distorm/) - 分析恶意 Shellcode 的反汇编器
288 | * [JS Beautifier](http://jsbeautifier.org/) - JavaScript 脱壳和去混淆
289 | * [libemu](http://libemu.carnivore.it/) - x86 shellcode 仿真的库和工具
290 | * [malpdfobj](https://github.com/9b/malpdfobj) - 解构恶意 PDF 为 JSON 表示
291 | * [OfficeMalScanner](http://www.reconstructer.org/code.html) - 扫描 MS Office 文档中的恶意跟踪
292 | * [olevba](http://www.decalage.info/python/olevba) - 解析 OLE 和 OpenXML 文档，并提取有用信息的脚本
293 | * [Origami PDF](https://code.google.com/p/origami-pdf/) - 一个分析恶意 PDF 的工具
294 | * [PDF Tools](http://blog.didierstevens.com/programs/pdf-tools/) - Didier Stevens 开发的许多关于 PDF 的工具
295 | * [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - PDF 分析工具，PDF X-RAY 的无后端版本
296 | * [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - 用来探索可能是恶意的 PDF 的 Python 工具
297 | * [QuickSand](https://www.quicksand.io/) - QuickSand 是一个紧凑的 C 框架，用于分析可疑的恶意软件文档，以识别不同编码流中的漏洞，并定位和提取嵌入的可执行文件
298 | * [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - Mozilla 的 JavaScript 引擎，用来调试可疑 JS 代码
299 | 
300 | ## 文件提取
301 | 
302 | *从硬盘和内存镜像中提取文件*
303 | 
304 | * [bulk_extractor](https://github.com/simsong/bulk_extractor) - 快速文件提取工具
305 | * [EVTXtract](https://github.com/williballenthin/EVTXtract) - 从原始二进制数据提取 Windows 事件日志文件
306 | * [Foremost](http://foremost.sourceforge.net/) - 由 US Air Force 设计的文件提取工具
307 | * [hachoir3](https://github.com/vstinner/hachoir3) - 处理二进制程序的 Python 库的集合
308 | * [Scalpel](https://github.com/sleuthkit/scalpel) - 另一个数据提取工具
309 | * [SFlock](https://github.com/jbremer/sflock) - 嵌套提取/解压文档（Cuckoo 沙盒使用）
310 | 
311 | ## 去混淆
312 | 
313 | *破解异或或其它代码混淆方法*
314 | 
315 | * [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - 去除混淆(XOR、ROL等)的恶意软件分析工具
316 | * [de4dot](https://github.com/0xd4d/de4dot) - .NET 去混淆与脱壳
317 | * [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) 和 [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Alexander Hanel 开发的用于去除单字节异或编码的文件的两个工具
318 | * [FLOSS](https://github.com/fireeye/flare-floss) - FireEye 实验室的混淆字符串求解工具，使用高级静态分析技术来自动去除恶意软件二进制文件中的字符串
319 | * [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - 通过频率分析来猜测一个 256 字节的异或密钥
320 | * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - Windows 恶意软件的通用隐藏代码提取程序
321 | * [un{i}packer](https://github.com/unipacker/unipacker) - 基于模拟器的自动、平台无关的 Windows 程序脱壳器
322 | * [unpacker](https://github.com/malwaremusings/unpacker/) - 基于 WinAppDbg 的自动 Windows 恶意软件脱壳器
323 | * [unxor](https://github.com/tomchop/unxor/) - 通过已知明文攻击来猜测一个异或密钥
324 | * [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator) - 虚拟逆向分析工具
325 | * [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) - 爆破单字节异或密钥的 Python 脚本
326 | * [XORSearch 和 XORStrings](http://blog.didierstevens.com/programs/xorsearch/) - Didier Stevens 开发的用于寻找异或混淆后数据的两个工具
327 | * [xortool](https://github.com/hellman/xortool) - 猜测异或密钥和密钥的长度
328 | 
329 | ## 调试和逆向工程
330 | 
331 | *反编译器、调试器和其他静态、动态分析工具*
332 | 
333 | * [angr](https://github.com/angr/angr) - UCSB 的安全实验室开发的跨平台二进制分析框架
334 | * [bamfdetect](https://github.com/bwall/bamfdetect) - 识别和提取奇迹人和其他恶意软件的信息
335 | * [BAP](https://github.com/BinaryAnalysisPlatform/bap) - CMU 的安全实验室开发的跨平台开源二进制分析框架
336 | * [BARF](https://github.com/programa-stic/barf-project) - 跨平台、开源二进制分析逆向框架
337 | * [binnavi](https://github.com/google/binnavi) - 基于图形可视化的二进制分析 IDE
338 | * [Binary ninja](https://binary.ninja/) - 可替换 IDA 的逆向工程平台
339 | * [Binwalk](http://binwalk.org/) - 固件分析工具
340 | * [BluePill](https://github.com/season-lab/bluepill) - 用于执行和调试逃避型恶意软件和受保护的可执行文件的框架
341 | * [Capstone](https://github.com/aquynh/capstone) - 二进制分析反汇编框架，支持多种架构和许多语言
342 | * [codebro](https://github.com/hugsy/codebro) - 使用 clang 提供基础代码分析的 Web 端代码浏览器
343 | * [Cutter](https://github.com/radareorg/cutter) - Radare2 的 GUI
344 | * [DECAF (Dynamic Executable Code Analysis Framework)](https://github.com/sycurelab/DECAF)
345 |   - 基于 QEMU 的二进制分析平台，DroidScope 是 DECAF 的扩展
346 | * [dnSpy](https://github.com/0xd4d/dnSpy) - .NET 编辑器、编译器、调试器
347 | * [dotPeek](https://www.jetbrains.com/decompiler/) - 免费 .NET 反编译与汇编浏览器
348 | * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - Qt GUI 程序的模块化调试器
349 | * [Fibratus](https://github.com/rabbitstack/fibratus) - 探索、跟踪 Windows 内核的工具
350 | * [FPort](http://www.mcafee.com/us/downloads/free-tools/fport.aspx#) - 实时查看系统中打开的 TCP/IP 和 UDP 端口，并映射到应用程序
351 | * [GDB](http://www.sourceware.org/gdb/) - GNU 调试器
352 | * [GEF](https://github.com/hugsy/gef) - 针对开发人员和逆向工程师的 GDB 增强版
353 | * [hackers-grep](https://github.com/codypierce/hackers-grep) - 用来搜索 PE 程序中的导入表、导出表、字符串、调试符号
354 | * [Hopper](https://www.hopperapp.com/) - macOS 和 Linux 反汇编器
355 | * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows 反汇编和调试器，有免费评估版
356 | * [IDR](https://github.com/crypto2011/IDR) - Interactive Delphi Reconstructor 是用于 Delphi 可执行程序与动态库的反编译器
357 | * [Immunity Debugger](http://debugger.immunityinc.com/) - 带有 Python API 的恶意软件调试器
358 | * [ILSpy](http://ilspy.net/) - ILSpy 开源的 .NET 汇编浏览器与反编译器
359 | * [Kaitai Struct](http://kaitai.io/) - 用于文件格式/网络协议/数据结构的逆向工程，用于 C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby 的代码生成
360 | * [LIEF](https://lief.quarkslab.com/) - LIEF 提供了一个跨平台的解析、修改、抽象 ELF、PE、MachO 格式的库
361 | * [ltrace](http://ltrace.org/) - Linux 可执行文件的动态分析
362 | * [mac-a-mal](https://github.com/phdphuc/mac-a-mal) - 用于恶意软件搜索的自动化框架
363 | * [objdump](https://en.wikipedia.org/wiki/Objdump) - GNU 工具集的一部分，面向 Linux 二进制程序的静态分析
364 | * [OllyDbg](http://www.ollydbg.de/) - Windows 可执行程序汇编级调试器
365 | * [PANDA](https://github.com/moyix/panda) - 动态分析平台
366 | * [PEDA](https://github.com/longld/peda) - 基于 GDB 的 Pythton Exploit 开发辅助工具，增强显示及增强的命令
367 | * [pestudio](https://winitor.com/) - Windows 可执行程序的静态分析
368 | * [Pharos](https://github.com/cmu-sei/pharos) - 二进制文件自动静态分析的二进制分析框架
369 | * [plasma](https://github.com/joelpx/plasma) - 面向 x86/ARM/MIPS 的交互式反汇编器
370 | * [PPEE (puppy)](https://www.mzrst.com/) - 专业的 PE 文件资源管理器
371 | * [Process Explorer](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx) - 高级 Windows 任务管理器
372 | * [Process Hacker](http://processhacker.sourceforge.net/) - 监控系统资源的工具
373 | * [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) - Windows 下高级程序监控工具
374 | * [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - 可以帮助管理员实时管理系统的 Windows 命令行工具
375 | * [Pyew](https://github.com/joxeankoret/pyew) - 恶意软件分析的 Python 工具
376 | * [PyREBox](https://github.com/Cisco-Talos/pyrebox) - 思科 Talos 团队出品的 Python 脚本化逆向工程沙盒
377 | * [QKD](https://github.com/ispras/qemu/releases/) - 嵌入 WinDbg 实现隐形调试的 QEMU
378 | * [Radare2](http://www.radare.org/r/) - 带有调试器支持的逆向工程框架
379 | * [RegShot](https://sourceforge.net/projects/regshot/) - 利用快照实现注册表比较
380 | * [RetDec](https://retdec.com/) - 可重定向的机器码反编译器，同时有[在线反编译服务](https://retdec.com/decompilation/)和 [API](https://retdec.com/api/)
381 | * [ROPMEMU](https://github.com/vrtadmin/ROPMEMU) - 分析、解析、反编译复杂的代码重用攻击的框架
382 | * [SMRT](https://github.com/pidydx/SMRT) - Sublime 3 中辅助恶意软件分析的插件
383 | * [strace](http://sourceforge.net/projects/strace/) - Linux 可执行文件的动态分析
384 | * [StringSifter](https://github.com/fireeye/stringsifter) - 基于恶意相关性进行自动字符串排序的机器学习工具
385 | * [Triton](http://triton.quarkslab.com/) - 一个动态二进制分析框架
386 | * [Udis86](https://github.com/vmt/udis86) - x86 和 x86_64 的反汇编库和工具
387 | * [Vivisect](https://github.com/vivisect/vivisect) - 恶意软件分析的 Python 工具
388 | * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - 用于 Windows 操作系统的多用途调试器，可以调试用户态应用程序、设备驱动程序与内核转储
389 | * [X64dbg](https://github.com/x64dbg/) - Windows 的一个开源 x64/x32 调试器
390 | 
391 | ## 网络
392 | 
393 | *分析网络交互*
394 | 
395 | * [Bro](https://www.bro.org) - 支持惊人规模的文件和网络协议的协议分析工具
396 | * [BroYara](https://github.com/hempnall/broyara) - 基于 Bro 的 Yara 规则集
397 | * [CapTipper](https://github.com/omriher/CapTipper) -  恶意 HTTP 流量管理器
398 | * [chopshop](https://github.com/MITRECND/chopshop) - 协议分析和解码框架
399 | * [CloudShark](https://www.cloudshark.org) - 基于 Web 的数据包分析与恶意流量检测工具
400 | * [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) - 下一代动态网络分析工具
401 | * [Fiddler](http://www.telerik.com/fiddler) - 专为 Web 调试开发的 Web 代理
402 | * [Hale](https://github.com/pjlantz/Hale) - 僵尸网络 C&C 监视器
403 | * [Haka](http://www.haka-security.org/) - 一个安全导向的开源语言，用于在实时流量捕获时描述协议、应用安全策略
404 | * [HTTPReplay](https://github.com/jbremer/httpreplay) - 解析 PCAP 文件的库，包括使用 TLS 主密钥（用于 Cuckoo）的 TLS 流
405 | * [INetSim](http://www.inetsim.org/) -  网络服务模拟。建设一个恶意软件分析实验室十分有用
406 | * [Laika BOSS](https://github.com/lmco/laikaboss) - Laika BOSS 是一种以文件为中心的恶意软件分析和入侵检测系统
407 | * [Malcom](https://github.com/tomchop/malcom) - 恶意软件通信分析仪
408 | * [Maltrail](https://github.com/stamparm/maltrail) - 一个恶意流量检测系统，利用公开的黑名单来检测恶意和可疑的通信流量，带有一个报告和分析界面
409 | * [mitmproxy](https://mitmproxy.org/) - 拦截网络流量通信
410 | * [Moloch](https://github.com/aol/moloch) - IPv4 流量捕获，带有索引和数据库系统
411 | * [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - 有免费版本的网络取证分析工具
412 | * [ngrep](https://github.com/jpr5/ngrep) - 像 grep 一样收集网络流量
413 | * [PcapViz](https://github.com/mateuszk87/PcapViz) - 网络拓扑与流量可视化
414 | * [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - 带有 YARA 扫描器的 ICAP 服务器，用于 URL 或内容
415 | * [Squidmagic](https://github.com/ch3k1/squidmagic) - 用于分析基于 Web 的网络流量，使用 Squid 代理服务器和 Spamhaus 检测 C&C 服务器和恶意网站
416 | * [Tcpdump](http://www.tcpdump.org/) - 收集网络流
417 | * [tcpick](http://tcpick.sourceforge.net/) - 从网络流量中重构 TCP 流
418 | * [tcpxtract](http://tcpxtract.sourceforge.net/) - 从网络流量中提取文件
419 | * [Wireshark](https://www.wireshark.org/) - 网络流量分析工具
420 | 
421 | ## 内存取证
422 | 
423 | *在内存映像或正在运行的系统中分析恶意软件的工具*
424 | 
425 | * [BlackLight](https://www.blackbagtech.com/blacklight.html) - 支持 hiberfil、pagefile 与原始内存分析的 Windows / MacOS 取证客户端
426 | * [DAMM](https://github.com/504ensicsLabs/DAMM) - 基于 Volatility 的内存中恶意软件的差异分析
427 | * [evolve](https://github.com/JamesHabben/evolve) - 用于 Volatility Memory 取证框架的 Web 界面
428 | * [FindAES](http://jessekornblum.livejournal.com/269749.html) - 在内存中寻找 AES 加密密钥
429 | * [inVtero.net](https://github.com/ShaneK2/inVtero.net) - .NET 开发的高速内存分析框架，支持所有 Windows x64 平台，包括代码完整性和写入支持
430 | * [Muninn](https://github.com/ytisf/muninn) - 一个使用 Volatility 的自动化分析脚本，可以生成一份可读报告
431 | * [Rekall](http://www.rekall-forensic.com/) - 内存分析框架，2013 年 Volatility 的分支版本
432 | * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - 基于 Volatility 自动执行多恶意样本分析任务的脚本
433 | * [VolDiff](https://github.com/aim4r/VolDiff) - 在恶意软件执行前后，在内存映像中运行 Volatility 并生成对比报告
434 | * [Volatility](https://github.com/volatilityfoundation/volatility) - 先进的内存取证框架
435 | * [VolUtility](https://github.com/kevthehermit/VolUtility) - Volatility 内存分析框架的 Web 接口
436 | * [WDBGARK](https://github.com/swwwolf/wdbgark) - WindDBG 反 Rootkit 扩展
437 | * [WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365) - Windows 系统的实时内存检查和内核调试工具
438 | 
439 | ## Windows 神器
440 | 
441 | * [AChoir](https://github.com/OMENScan/AChoir) - 一个用来收集 Windows 实时事件响应脚本集
442 | * [python-evt](https://github.com/williballenthin/python-evt) - 用来解析 Windows 事件日志的 Python 库
443 | * [python-registry](http://www.williballenthin.com/registry/) - 用于解析注册表文件的 Python 库
444 | * [RegRipper](https://regripper.wordpress.com/) ([GitHub](https://github.com/keydet89/RegRipper2.8)) - 基于插件集的工具
445 | 
446 | ## 存储和工作流
447 | 
448 | * [Aleph](https://github.com/trendmicro/aleph) - 开源恶意软件分析管道系统
449 | * [CRITs](https://crits.github.io/) - 关于威胁、恶意软件的合作研究
450 | * [FAME](https://certsocietegenerale.github.io/fame/) - 恶意软件分析框架，可以使用自定义模块进行扩展管道，并将它们链接起来并彼此交互以执行端到端分析
451 | * [Malwarehouse](https://github.com/sroberts/malwarehouse) - 存储、标注与搜索恶意软件
452 | * [Polichombr](https://github.com/ANSSI-FR/polichombr) - 一个恶意软件分析平台，旨在帮助分析师逆向恶意软件。
453 | * [stoQ](http://stoq.punchcyber.com/) - 分布式内容分析框架，具有广泛的插件支持
454 | * [Viper](http://viper.li/) - 分析人员的二进制管理和分析框架
455 | 
456 | ## 杂项
457 | 
458 | * [al-khaser](https://github.com/LordNoteworthy/al-khaser) - 一个旨在突出反恶意软件系统的 PoC 恶意软件
459 | * [CryptoKnight](https://github.com/AbertayMachineLearningGroup/CryptoKnight) - 自动化加密算法逆向工程与分类框架
460 | * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - 反网络犯罪中心的恶意软件配置解析框架
461 | * [FLARE VM](https://github.com/fireeye/flare-vm) - 用于恶意软件分析、基于 Windows 定制的安全发行版
462 | * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - 包含恶意软件利用的漏洞的数据库
463 | * [Malware Museum](https://archive.org/details/malwaremuseum) - 收集 20 世纪八九十年代流行的恶意软件
464 | * [Malware Organiser](https://github.com/uppusaikiran/malware-organiser) - 将大型恶意/良性文件组织到有组织的结构的工具
465 | * [Pafish](https://github.com/a0rtega/pafish) - Paranoid Fish，与恶意软件家族的行为一致，采用多种技术来检测沙盒和分析环境的演示工具
466 | * [REMnux](https://remnux.org/) - 面向恶意软件逆向工程师和分析人员的 Linux 发行版和 Docker 镜像
467 | * [Santoku Linux](https://santoku-linux.com/) - 移动取证的 Linux 发行版
468 | 
469 | # 资源
470 | 
471 | ## 书籍
472 | 
473 | *基础恶意软件分析阅读书单*
474 | 
475 | * [Learning Malware Analysis](https://www.packtpub.com/networking-and-servers/learning-malware-analysis) - Learning Malware Analysis: 探索 Windows 恶意软件分析领域的概念、工具与技术
476 | * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - 打击恶意代码的工具和技术
477 | * [Mastering Malware Analysis](https://www.packtpub.com/networking-and-servers/mastering-malware-analysis) - Mastering Malware Analysis: 对抗恶意软件、APT、网络犯罪与 IoT 攻击的完整指南
478 | * [Mastering Reverse Engineering](https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering) - Mastering Reverse Engineering: 逆向工程技巧
479 | * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - 剖析恶意软件的手边书
480 | * [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) -
481 |   Intermediate Reverse Engineering.
482 | * [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - 计算机安全与应急响应
483 | * [Rootkits and Bootkits](https://www.amazon.com/dp/1593277164) - Rootkits and Bootkits: 逆向现代恶意软件与下一代威胁
484 | * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - 在 Windows、Linux 和 Mac 系统的内存中检测恶意软件和威胁
485 | * [The IDA Pro Book](https://amzn.com/dp/1593272898) - 世界上最流行的反汇编器的非官方指南
486 | * [The Rootkit Arsenal](https://amzn.com/dp/144962636X) - 系统黑暗角落的潜行者：The Rootkit Arsenal
487 | 
488 | ## 其它
489 | 
490 | * [APT Notes](https://github.com/kbandla/APTnotes) - 一个收集 APT 相关文献的合辑
491 | * [Ember](https://github.com/endgameinc/ember) - Endgame 恶意软件研究基准数据库，用于创建机器学习模型，模型基于静态分析的结果来进行评分
492 | * [File Formats posters](https://github.com/corkami/pics) - 常用文件格式的可视化（包括 PE 与 ELF）
493 | * [Honeynet Project](http://honeynet.org/) - 蜜罐工具、论文和其他资源
494 | * [Kernel Mode](http://www.kernelmode.info/forum/) - 一个致力于恶意软件分析和内核开发的活跃社区
495 | * [Malicious Software](https://zeltser.com/malicious-software/) - Lenny Zeltser 的恶意软件博客和资源
496 | * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - [Corey Harrell](journeyintoir.blogspot.com/) 自定义的用于恶意软件分析的 Google 搜索
497 | * [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - 由 Xiang Fu 博士提供的恶意软件分析教程，是一个学习恶意软件分析的重要资源
498 | * [Malware analysis, threat intelligence and reverse engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) - 不需要先验知识的恶意软件分析、威胁情报和逆向工程概念介绍
499 | * [Malware Persistence](https://github.com/Karneades/malware-persistence) - 专注于恶意软件持久化的仓库，包括检测、响应与日志收集等
500 | * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - 此博客重点介绍与恶意软件感染相关的网络流量
501 | * [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) - 搜索常用恶意软件数据库的 Firefox 浏览器插件
502 | * [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - 此软件包包含 Practical Malware Analysis 书中引用的大多数软件
503 | * [RPISEC Malware Analysis](https://github.com/RPISEC/Malware) - 2015 年秋季 Rensselaer Polytechnic Institute 的恶意软件分析课程中使用的课程材料
504 | * [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan Carvey 的恶意软件页面
505 | * [Windows Registry specification](https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md) - Windows 注册表文件格式规范
506 | * [/r/csirt_tools](https://www.reddit.com/r/csirt_tools/) - CSIRT 工具和资源的子版块，讲[恶意软件分析](https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on)的天才
507 | * [/r/Malware](https://www.reddit.com/r/Malware) - 恶意软件的子版块
508 | * [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) - 逆向工程子版块，不仅限于恶意软件
509 | 
510 | # 相关 Awesome 清单
511 | 
512 | * [Android Security](https://github.com/ashishb/android-security-awesome)
513 | * [AppSec](https://github.com/paragonie/awesome-appsec)
514 | * [CTFs](https://github.com/apsdehal/awesome-ctf)
515 | * [Forensics](https://github.com/Cugu/awesome-forensics)
516 | * ["Hacking"](https://github.com/carpedm20/awesome-hacking)
517 | * [Honeypots](https://github.com/paralax/awesome-honeypots)
518 | * [Industrial Control System Security](https://github.com/hslatman/awesome-industrial-control-system-security)
519 | * [Incident-Response](https://github.com/meirwah/awesome-incident-response)
520 | * [Infosec](https://github.com/onlurking/awesome-infosec)
521 | * [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
522 | * [Pentesting](https://github.com/enaqx/awesome-pentest)
523 | * [Security](https://github.com/sbilly/awesome-security)
524 | * [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)
525 | * [YARA](https://github.com/InQuest/awesome-yara)
526 | 
527 | # [做出贡献](CONTRIBUTING.md)
528 | 
529 | 欢迎提出问题或者 Pull requests！请在提交 Pull request 之前阅读 [CONTRIBUTING](CONTRIBUTING.md)。
530 | 
531 | # 致谢
532 | 
533 | 这个列表需要感谢如下一些人:
534 | 
535 | * Lenny Zeltser 和 REMnux 的其他开发者贡献了这个列表中很多工具
536 | * Michail Hale Ligh、Steven Adair、Blake Hartstein 和 Mather Richard 著有 *Malware Analyst's Cookbook*，这本书为这个列表的创建提供了很大的灵感
537 | * 每一个提交 Pull request 以及提出建议的人
538 | 
539 | 十分感谢!
540 | 


--------------------------------------------------------------------------------