Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@av-gantimurov

av-gantimurov/resources.md

Last active February 17, 2024 16:48
Show Gist options
  • Star 11 You must be signed in to star a gist
  • Fork 8 You must be signed in to fork a gist
  • Save av-gantimurov/3a40b6d7644f0d5e9d458159dccfb77e to your computer and use it in GitHub Desktop.
Save av-gantimurov/3a40b6d7644f0d5e9d458159dccfb77e to your computer and use it in GitHub Desktop.
Download ZIP
List of resources for malware analysts
Raw
resources.md

List of resources for malware analysts

Books

  1. Monappa K.A., "Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware" amazon.
  2. Sikorski M., Honig A., "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" amazon.
  3. Ferrie P., "The "Ultimate" Anti-Debugging Reference" free.
  4. Hale L.M., Adair S., Hartstein B., Richard M., "Malware Analyst’s Cookbook" amazon.
  5. Koret J., Bachaalany E., The Antivirus Hacker's Handbook amazon.
  6. Mohanta A., Saldanha A., "Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware" amazon
  7. Hanel A., "The Beginner's Guide to IDAPython" leanpub.
  8. Eagle C., "The IDA Pro book" amazon.
  9. Sanders C., "Practical Packet Analysis" nostarch.
  10. Dang B., Gazet A., Bachaalany E., Josse S., "Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation" amazon.
  11. Ligh M.H., Case A., Levy J., Walters A., "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory" amazon.
  12. Yosifovich P, Russinovich M.E., Solomon D.A., Ionescu A., "Windows Internals, 7th Edition" microsoftpressstore.
  13. Oktavianto D., Muhardianto I., "Cuckoo Malware Analysis" amazon.
  14. Монаппа К., "Анализ вредоносных программ" labirint.
  15. Сикорски, Хониг, "Вскрытие покажет! Практический анализ вредоносного ПО" labirint.
  16. Юричев Денис, "Reverse Engineering для начинающих" buy.
  17. Соломон, Руссинович, Ионеску, "Внутреннее устройство Windows, 7 издание" labirint.

Articles

  1. Medium Hooking Heaven's Gate
  2. Anti-Debug Protection Techniques: Implementation and Neutralization.
  3. Roth F., "How to Write Simple but Sound Yara Rules".
  4. Sebdraven, "A quick analysis malicious RTF to write yara rule".
  5. Medium Nickels K., "A Top 10 Reading List if You’re Getting Started in Cyber Threat Intelligence".
  6. Symantec Windows Anti-Debug Reference.
  7. Anti-Debug NTSetInformationThread
  8. IDAPython porting guide - article how to porting python scripts from 6.95 to 7.4 IDAPython api.
  9. YT Reverse Engineering C++ Malware With IDA Pro.
  10. YT Practical RE tips - webinar about tips of reverse engineering.
  11. YT Современные технологии и инструменты анализа вредоносного ПО - мастеркласс на PHDays2017 Ивана Пискунова об основных методах анализа ВПО, в том числе обходе основных метода антидебага.
  12. Undestanding Windows Shellcode
  13. Ten process injection techniques

Links

  1. GH Awesome Malware Analysis - curated list of awesome malware analysis tools and resources.
  2. Malware Unicorn Workshops.
  3. Resource: Malware analysis - learning How To Reverse Malware: A collection of guides and tools.
  4. Нарваха Р., "Введение в реверсинг с нуля, используя IDA Pro" - довольно корявый перевод публикаций Нарвахи по реверсингу.
  5. "Введение в крэкингс нуля, используя OllyDbg".
  6. "Избранное: ссылки по reverse engineering" - подборка ссылок по теме.
  7. Digital Security, "Избранное: ссылки по reverse engineering".
  8. Xiang Fu, "Malware Analysis Tutorials: a Reverse Engineering Approach".
  9. GH Malware Analysis - CSCI 4976 - repository contains the materials as developed and used by RPISEC to teach Malware Analysis at Rensselaer Polytechnic Institute in Fall 2015.
  10. YT Open Analysis Live - videos of malware analysis with IDA Pro, x64dbg and others.
  11. Medium Florian Roth - blog of creator of APT scanners Loki, Thor and developer of the Nextron's most comprehensive handcrafted Yara rule feed service – Valhalla.
  12. GH IDAPython cheatsheet.
  13. GH APT notes - repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.
  14. How to start RE/malware analysis.
  15. GH Repo with Process Injection Techniques
  16. GH Blue Team Notes - Collection of one-liners, small scripts, and some useful tips for blue team work (with screenshots and detailed explanations).
  17. Collection tutorial for newbies - A collection of tutorials aimed particularly for newbie reverse engineers.

Software

My list of software used in my own.

Debuggers & disassembers

  1. x64dbg with plugins
    1. GH LabelPEB - Plugin to label PEB addresses.
    2. GH ScyllaHide - advanced open-source x64/x86 user mode Anti-Anti-Debug library.
    3. GH xAnalyzer - plugin is going to make an extensive API functions call detections to add functions definitions, arguments and data types as well as any other complementary information, something close at what you get with OllyDbg analysis engine, in order to make it even more comprehensible to the user just before starting the debuggin task.
    4. GH SwissArmyKnife - Various utilities for extending functionality in x64dbg.
  2. IDA Pro - Windows disassembler and debugger, with a free evaluation version. IDA Pro plugins. List of plugins with last update date.
    1. GH IDA nightfall theme - my fork of IDA Nightall theme with additional support of IDA Pro 7.4.
    2. GH Diaphora - diffing tool for IDA Pro.
    3. GH FindYara - utility to search by YARA rule in IDB.
    4. GH mkYARA - generating YARA rule on executable code. My fork that's supportin Python3.
    5. GH deREferencing - plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).
    6. GH capa - detects capabilities in executable files. You run it against a PE, ELF, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
    7. classinformer - IDA Pro Windows object RTTI vftable finder, fixer, and lister plug-in.
    8. d810 - D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.
    9. obpo - Obpo is a microcode-based hex-rays optimizer, uses techniques such as static-program-analysis, dataflow-tracking, concolic-execution to rebuild the obfuscated control flow (such as: OLLVM).
    10. GH HexRaysPyTools - plugin assists in the creation of classes/structures and detection of virtual tables. It also facilitates transforming decompiler output faster and allows to do some stuff which is otherwise impossible.
    11. GH FlirtDB - database with library signatures.
    12. GH IPyIDA - плагин для удобной работы с python консолью

Python libs

  1. GH pefile - multi-platform Python module to parse and work with Portable Executable (aka PE) files.
  2. GH oletools - package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
  3. GH olefile - Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.
  4. GH yara-python - With this library you can use YARA from your Python programs.
  5. GH mkYARA - generating YARA rule on executable code. My fork that's supporting Python3.
  6. GH Capstone - Capstone dissembly framework.

.Net

  1. GH dnSpyEx - .NET assembly editor, decompiler and debugger.
  2. GH ilSpy - .Net browser and decompiler (used in dnSpy and many others).
  3. dotPeek - Free .NET Decompiler and Assembly Browser.
  4. GH de4dot - .NET deobfuscator and unpacker.
  5. GH MegaDumper - Dump native and .NET assemblies.
  6. GH ExtremeDumper - more powerfull than old MegaDumper for extract .Net modules.
  7. GH .Net deobfuscators

Network

  1. Fakenet-NG - network service emulation written on python.
  2. INetSim - old network service emulation, useful when building a malware lab. Written on perl.
  3. Tcpdump - Collect network traffic.
  4. mitmproxy - Intercept network traffic on the fly.
  5. Wireshark - The network traffic analysis tool.
  6. GH Moloch - IPv4 traffic capturing, indexing and database system.

Hex Editors

  1. HIEW - commercial hex viewer and editor with dissassembler and pe analyzer.
  2. 010editor - commercial hexeditor.
  3. WinHex - commercial disk editor and universal hexadecimal editor (hex editor) used for data recovery and digital forensics.

Detection and Classification

  1. PeID - old tool for determining compiler and packer of binary.
  2. GH Detect It Easy(DiE) - A program for determining types of files.
  3. GH Nauz File Detector - a portable linker/compiler/packer identifier utility.
  4. Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
  5. ExifTool - Read, write and edit file metadata.
  6. GH hashdeep - Compute digest hashes with a variety of algorithms.
  7. GH ssdeep - Compute fuzzy hashes.
  8. GH HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
  9. GH Loki - Host based scanner for IOCs written in Python, has issues with UTF-8 names.
  10. Thor - Host based scanner for IOCs written in Go. Without issues with UTF-8 names instead of Loki. For download and use you must be registered (10min mail will be sufficient). License expires after 1 year.
  11. GH YARA and yara tools.
    1. GH yarAnalyzer - creates statistics on a yara rule set and file in a directory.
    2. GH yarGen - generator for YARA rules with white strings DB.

Miscellaneous

  1. Bindiff - comparison tooll for binary files, that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code.

  2. Malware Analyst Pack - quick tools designed to meet specific needs while in a malcode testing lab environment.

  3. GH Floss - tool for extractins obfuscated strings from binary by FireEYE.

  4. Systinternals Suite.

    1. Autoruns.
    2. Process Monitor.
    3. ProcDump.
    4. Strings.

  5. Process Hacker - Tool that monitors system resources.

  6. Resourse Hacker - a freeware resource compiler & decompiler for Windows® applications.

  7. Regshot - make snapshot of Windows registry and compare with others.

  8. RegRipper - extract info from Windows Registry.

  9. GH Volatility - parsing memory snapshots.

  10. Belkasoft Live RAM Capturer - BelkaSoft tool to take snapshots of Windows memory.

  11. FAR manager with plugins

    1. Observer.
    2. OLE2Viewer - special thanks to @revitna.
    3. PE Analyzer.
    4. Base64. 1 pestudio - view info abou PE.

  12. ExplorerSuite - NTCore tools for inspecting PE files (CFF Explorer).

  13. PPEE (Professional PE file Explorer).

  14. GH UPX - UPX packer/unpacker.

  15. APImonitor - tool for monitoring Windows API calls.

  16. GH FlareVM - github script to install and configure malware analysts VM.

  17. GH al-khaser - tool to stress anti-malware systems (check most of known anti-debug, anti-injection, timing attacks).

  18. GH Cuckoo sandbox - Open source, self hosted sandbox and automated analysis system.

  19. Cmder - nice console emulator.

  20. NotepadPlusPlus.

  21. 7zip.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment