@dotkt
Forked from av-gantimurov/resources.md
Created June 6, 2020 03:22
List of resources for malware analysts

Books

  1. Monappa K.A., "Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware".
  2. Sikorski M., Honig A., "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software".
  3. Ferrie P., "The 'Ultimate' Anti-Debugging Reference".
  4. Hale L.M., Adair S., Hartstein B., Richard M., "Malware Analyst's Cookbook".
  5. Koret J., Bachaalany E., "The Antivirus Hacker's Handbook".
  6. Hanel A., "The Beginner's Guide to IDAPython".
  7. Eagle C., "The IDA Pro book".
  8. Sanders C., "Practical Packet Analysis".
  9. Dang B., Gazet A., Bachaalany E., Josse S., "Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation".
  10. Ligh M.H., Case A., Levy J., Walters A., "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".
  11. Yosifovich P., Russinovich M.E., Solomon D.A., Ionescu A., "Windows Internals, 7th Edition".
  12. Oktavianto D., Muhardianto I., "Cuckoo Malware Analysis".
  13. Monappa K., "Анализ вредоносных программ" ("Malware Analysis", Russian edition).
  14. Sikorski, Honig, "Вскрытие покажет! Практический анализ вредоносного ПО" ("The Autopsy Will Tell! Practical Malware Analysis", Russian edition).
  15. Yurichev Dennis, "Reverse Engineering для начинающих" ("Reverse Engineering for Beginners", Russian edition).
  16. Solomon, Russinovich, Ionescu, "Внутреннее устройство Windows, 7 издание" ("Windows Internals, 7th Edition", Russian edition).

Articles

  1. Anti-Debug Protection Techniques: Implementation and Neutralization.
  2. Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques.
  3. Roth F., "How to Write Simple but Sound Yara Rules".
  4. Sebdraven, "A quick analysis malicious RTF to write yara rule".
  5. Medium Nickels K., "A Top 10 Reading List if You're Getting Started in Cyber Threat Intelligence".
  6. Symantec Windows Anti-Debug Reference.
  7. Anti-Debug NTSetInformationThread.
  8. IDAPython porting guide - article on porting Python scripts from the 6.95 to the 7.4 IDAPython API.
  9. YT "Современные технологии и инструменты анализа вредоносного ПО" ("Modern Technologies and Tools for Malware Analysis") - PHDays 2017 masterclass by Ivan Piskunov on the main malware analysis methods, including bypassing the main anti-debugging techniques.

Links

  1. GH Awesome Malware Analysis - curated list of awesome malware analysis tools and resources.
  2. Malware Unicorn Workshops.
  3. Resource: Malware analysis - learning How To Reverse Malware: A collection of guides and tools.
  4. Narvaja R., "Введение в реверсинг с нуля, используя IDA Pro" ("Introduction to Reversing from Scratch Using IDA Pro") - a rather rough translation of Narvaja's publications on reversing.
  5. "Введение в крэкинг с нуля, используя OllyDbg" ("Introduction to Cracking from Scratch Using OllyDbg").
  6. Digital Security, "Избранное: ссылки по reverse engineering" ("Selected Links on Reverse Engineering").
  7. Xiang Fu, "Malware Analysis Tutorials: a Reverse Engineering Approach".
  8. GH Malware Analysis - CSCI 4976 - repository contains the materials as developed and used by RPISEC to teach Malware Analysis at Rensselaer Polytechnic Institute in Fall 2015.
  9. YT Open Analysis Live - videos of malware analysis with IDA Pro, x64dbg and others.
  10. Medium Florian Roth - blog of the creator of the APT scanners Loki and Thor, and developer of Nextron's most comprehensive handcrafted YARA rule feed service, Valhalla.
  11. GH IDAPython cheatsheet.
  12. GH APT notes - repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.
  13. How to start RE/malware analysis.

Software

My own list of the software I use.

Debuggers & disassemblers

  1. OllyDbg with plugins
    1. OllyDumpEx - process memory dumper for OllyDbg
    2. OllyDump - dumps the debuggee process and rebuilds the IAT.
    3. GH ScyllaHide - advanced open-source x64/x86 user mode Anti-Anti-Debug library.
    4. Command Bar.
    5. Phant0m - plugin that hides OllyDbg from the debuggee.
  2. x64dbg with plugins
    1. GH LabelPEB - Plugin to label PEB addresses.
    2. GH ScyllaHide - advanced open-source x64/x86 user mode Anti-Anti-Debug library.
    3. GH xAnalyzer - plugin that performs extensive detection of API function calls and adds function definitions, arguments, data types and other complementary information, close to what the OllyDbg analysis engine provides, so the code is more comprehensible before the debugging task starts.
    4. GH SwissArmyKnife - Various utilities for extending functionality in x64dbg.
  3. IDA Pro - Windows disassembler and debugger, with a free evaluation version. IDA Pro plugins.
    1. GH Diaphora - diffing tool for IDA Pro.
    2. GH FindYara - utility to search an IDB with YARA rules.
    3. GH IDA nightfall theme - my fork of the IDA Nightfall theme with additional support for IDA Pro 7.3.
    4. GH mkYARA - generates YARA rules from executable code.
    5. GH ScyllaHide - advanced open-source x64/x86 user mode Anti-Anti-Debug library.

Python libs

  1. GH pefile - multi-platform Python module to parse and work with Portable Executable (aka PE) files.
  2. GH oletools - package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
  3. GH olefile - Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.
  4. GH yara-python - With this library you can use YARA from your Python programs.
  5. GH mkYARA - generates YARA rules from executable code.

.Net

  1. GH dnSpy - .NET assembly editor, decompiler and debugger.
  2. dotPeek - Free .NET Decompiler and Assembly Browser.
  3. GH de4dot - .NET deobfuscator and unpacker.
  4. GH MegaDumper - Dump native and .NET assemblies.

Network

  1. INetSim - Network service emulation, useful when building a malware lab.
  2. Tcpdump - Collect network traffic.
  3. mitmproxy - Intercept network traffic on the fly.
  4. Wireshark - The network traffic analysis tool.
  5. GH Moloch - IPv4 traffic capturing, indexing and database system.

Hex Editors

  1. HIEW - commercial hex viewer and editor with a disassembler and PE analyzer.
  2. 010 Editor - commercial hex editor.
  3. WinHex - commercial disk editor and universal hexadecimal editor (hex editor) used for data recovery and digital forensics.

Detection and Classification

  1. PEiD - old tool for determining the compiler and packer of a binary.
  2. GH Detect It Easy (DiE) - a program for determining file types.
  3. Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
  4. ExifTool - Read, write and edit file metadata.
  5. GH hashdeep - Compute digest hashes with a variety of algorithms.
  6. GH ssdeep - Compute fuzzy hashes.
  7. GH HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
  8. GH Loki - Host based scanner for IOCs written in Python, has issues with UTF-8 names.
  9. GH YARA and YARA tools.
    1. GH yarAnalyzer - creates statistics on a YARA rule set and the files in a directory.
    2. GH yarGen - generator for YARA rules that uses a whitelisted (goodware) strings database.

Miscellaneous

  1. BinDiff - comparison tool for binary files that helps vulnerability researchers and engineers quickly find differences and similarities in disassembled code.

  2. Malware Analyst Pack - quick tools designed to meet specific needs while in a malcode testing lab environment.

  3. GH FLOSS - FireEye's tool for extracting obfuscated strings from binaries.

  4. Sysinternals Suite.

    1. Autoruns.
    2. Process Monitor.
    3. ProcDump.
    4. Strings.
  5. Process Hacker - Tool that monitors system resources.

  6. Resource Hacker - a freeware resource compiler & decompiler for Windows applications.

  7. Regshot - takes snapshots of the Windows registry and compares them with each other.

  8. RegRipper - extract info from Windows Registry.

  9. GH Volatility - parsing memory snapshots.

  10. Belkasoft Live RAM Capturer - BelkaSoft tool to take snapshots of Windows memory.

  11. FAR manager with plugins

    1. Observer.
    2. OLE2Viewer - special thanks to @revitna.
    3. PE Analyzer.
    4. Base64.
  12. ExplorerSuite - NTCore tools for inspecting PE files (CFF Explorer).

  13. PPEE (Professional PE file Explorer).

  14. GH UPX - UPX packer/unpacker.

  15. APImonitor.

  16. GH FlareVM - GitHub script to install and configure a malware analyst's VM.

  17. GH al-khaser - tool to stress anti-malware systems (checks most known anti-debug, anti-injection and timing attack techniques).

  18. GH Cuckoo sandbox - open source, self-hosted sandbox and automated analysis system.

  19. Cmder - nice console emulator.

  20. NotepadPlusPlus.

  21. 7zip.
