2020-01-03 23:36:38 +07:00
# Tools
2020-01-25 22:05:12 +07:00
- DFIRやマルウェア解析,OSINT,その他の多数のツールに関するデータベース< br >
2020-01-25 22:04:59 +07:00
[DFIR TRAINING(TOOLS) ](https://www.dfir.training/dfirtools/advanced-search )
2020-01-25 22:05:12 +07:00
- infographicsやツールのチートシート< br >
2020-01-25 22:04:59 +07:00
[DFIR TRAINING(RESOUCES-Downloads-Infographics & Cheet Sheets) ](https://www.dfir.training/resources/downloads/cheatsheets-infographics )
2020-02-03 21:55:13 +07:00
### OS/VM
- [FLARE VM ](https://github.com/fireeye/flare-vm )< br >
FireEye社が提供するマルウェア解析, DFIR, ペネトレーションテストに特化したWindowsベースのディストリビューション< br >
Practical Malware Analysis Labsが同梱< br >
- [REMnux ](https://remnux.org/ )< br >
SANSが提供するリバースエンジニアリング, < br >
- [Tsurugi Linux ](https://tsurugi-linux.org/index.php )< br >
DFIR,マルウェア解析, < br >
2020-01-12 22:45:41 +07:00
### Static Analysis and Debug tools
※空欄は調査中(更新予定)
|name|disassembler|decompiler|debugger|reference|
|:-|:-|:-|:-|:-|
|IDA pro|〇 〇 〇
|Binary Ninja|〇
2020-01-12 22:48:10 +07:00
|Cutter|〇 < br > gdb< br > windbg< br > etc.|[INTRO TO CUTTER FOR MALWARE ANALYSIS(2019-03)](https://malwology.com/2019/03/14/intro-to-cutter-for-malware-analysis/)< br > [megabeets.net](https://www.megabeets.net/?s=cutter)< br > [Cutter: Presenting r2ghidra Decompiler,r2con 2019](https://www.youtube.com/watch?v=eHtMiezr7l8& list=LLTk6-mAiILdt3V27uab14LA& index=8& t=0s)
2020-02-03 22:02:51 +07:00
|Ghidra|〇 〇 #Ghidra ,youtube](https://www.youtube.com/watch?v=Q90uZS3taG0)|||||
https://www.youtube.com/watch?v=Q90uZS3taG0|x64/x32dbg|〇 〇
2020-01-12 22:45:41 +07:00
|WinDbg|〇 〇
|GDB|〇 〇
|objdump|〇
|Snowman||〇
|name|plugin|price|platform|remarks|
|:-|:-|:-|:-|:-|
2020-01-19 20:19:40 +07:00
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)< br > [UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
2020-01-12 22:45:41 +07:00
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)< br > [Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)< br > [x64dbgcutter](https://github.com/yossizap/x64dbgcutter)< br > [etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
2020-02-03 20:50:20 +07:00
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)< br > [ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)< br > [OOAnalyzer](https://insights.sei.cmu.edu/sei_blog/2019/07/using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra.html)|free|multi||||||
2020-01-12 22:45:41 +07:00
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda< br > pwngdb|free|linux||||||
|objdump||free|linux||
|Snowman|||||||||
### Tracer
- [drltrace ](https://github.com/DynamoRIO/drmemory/tree/master/drltrace )
- [DynamoRIO ](https://github.com/DynamoRIO/dynamorio ) based
- ライブラリトレーサ(Windows版ltrace)
- [drstrace ](http://drmemory.org/strace_for_windows.html )
- DynamoRIO based
- システムコールトレーサ(Windows版strace)
- [memtrace ](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/memtrace_simple.c )
- DynamoRIO based
- メモリトレーサ
- [bbbuf ](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/bbbuf.c )
- DynamoRIO based
- べーシックブロックトレーサ
- [API Monitor ](http://www.rohitab.com/apimonitor )
- GUI(Windows)
- APIコールを監視ツール
### Instrumentation
- [drcov ](http://dynamorio.org/docs/page_drcov.html )
- DynamoRIO based
- カバレッジ計測
- drrun経由で実行
```
> drrun.exe -t drcov -- [program name] [arguments]
```
- Intel PIN
### Traffic Analysis tools
- Wireshark
- ref:
- [Wireshark Tutorial,Unit42(2019) ](https://unit42.paloaltonetworks.com/tag/tutorial/ )
- tcpdump
- scapy
- [Fiddle ](https://www.telerik.com/fiddler )
- Web Proxy debugger
- [EKFiddle ](https://github.com/malwareinfosec/EKFiddle )
- ref:
- [Malicious Traffic Analysis with EKFiddle(2019-03) ](https://drive.google.com/file/d/1VhZyCiHgtDwcCh7cpVWMCTi9B_Nj66AC/view )
- Burp Suite
- Fake-net NG
- INetSim
- Noriben
2020-02-03 20:50:20 +07:00
2020-01-12 22:45:41 +07:00
### Forensic
- Sysinternals
- Volatility
- malconfscan
2020-01-29 01:10:23 +07:00
- hollowfind
2020-02-03 20:50:20 +07:00
### Threat hunting
- EQL
2020-02-03 21:55:13 +07:00
### .NET analysis
- [dnspy ](https://github.com/0xd4d/dnSpy )< br >
.NETデコンパイラ,C#やVBで作成された実行ファイルを高精度でデコンパイルする
### Utilities
- PeBear
- PeStudio
- ResourceHacker
- PEiD
- 010 Editor
- Process Hacker
- RegShot
- RegistryChangesView
- CyberChef
2020-01-03 23:36:38 +07:00
### Online Sandbox
|name|site|remarks|
|:-|:-|:-|
|AMAaaS|https://amaaas.com/|apk only|
|ANYRUN|https://app.any.run/#register||
|Intezer Analyze|https://analyze.intezer.com/#/||
|IRIS-H|https://iris-h.services/pages/dashboard|maldoc only|
|CAPE Sandbox|https://cape.contextis.com/||
|Joe Sandbox Cloud|https://www.joesandbox.com/||
|cuckoo|https://cuckoo.cert.ee/||
|cuckoo|https://sandbox.pikker.ee/||
|Hybrid Analysis|https://www.hybrid-analysis.com/?lang=ja||
|ViCheck|https://www.vicheck.ca/submitfile.php||
|Triage|https://tria.ge/||
|Yomi Sandbox|https://yomi.yoroi.company/upload||
|UnpacMe|https://www.unpac.me/#/|online unpacker,beta|
2020-02-01 22:01:35 +07:00
### Unpacker/Decryptor/Decoder/Extractor/Memory Scanner
2020-02-03 21:59:09 +07:00
- [TAFOF-Unpacker ](https://github.com/Tera0017/TAFOF-Unpacker )< br >
攻撃者グループTA505が利用するマルウェア(GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)の静的アンパッカー< br >
- [Trickbot artifact decrypter ](https://github.com/snemes/malware-analysis/tree/master/trickbot )< br >
Trickbotのartifactを取得するためのdecrypter< br >
- [VolatilityBot ](https://github.com/mkorman90/VolatilityBot )< br >
マルウェアサンプルやメモリダンプの自動分析(コードインジェクションの抽出, , , < br >
- [Loki - Simple IOC Scanner ](https://github.com/Neo23x0/Loki )< br >
IoCスキャナー(パス・ファイル名の正規表現マッチ, , , , < br >
- [flare-floss ](https://github.com/fireeye/flare-floss )< br >
FireEye Labsの静的解析分析技術を利用して, , , < br >
- [PE-Sieve ](https://github.com/hasherezade/pe-sieve )< br >
Process Hollowing,Injectionされた特定のプロセスをダンプ< br >
- [HollowsHunter ](https://github.com/hasherezade/hollows_hunter )< br >
PE-Sieveを使用してシステム全体をスキャン< br >
- [strings2 ](http://split-code.com/strings2.html )< br >
ファイルやプロセスメモリ内の文字列の抽出< br >
- [mnemosyne ](https://github.com/nccgroup/mnemosyne )< br >
文字列,正規表現でプロセスメモリをスキャン< br >
- **ref:**< br >
- [Memory Scraping for Fun & Profit - Matt Lewis, NCC Group at CRESTCon & IIP Congress,youtube ](https://www.youtube.com/watch?v=5HdYcE-woDc )
- [Memhunter ](https://github.com/marcosd4h/memhunter )< br >
Injecition/Hollowingされたプロセスの自動検出< br >
2020-01-27 23:50:45 +07:00
- **ref:**< br >
- [Memhunter (Memory resident malware hunting at scale) ](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1 )< br >
- [Reflective DLL Injection Detection through Memhunte,youtube ](https://www.youtube.com/watch?v=t_fR1sCENkc )< br >
- [Process Hollowing Injection Detection through Memhunter,youtube ](https://www.youtube.com/watch?v=QxCguP76uyg )< br >
2020-01-27 23:44:30 +07:00
- メモリダンプが不要で,感染環境でメモリスキャンを行う
- メモリスキャンのヒューリスティックトリガーにETWデータを利用している
- ETWのSuspicious Eventsとして以下を定義
> - Process Creattion<br>
> - Registry Operations<br>
> - Threads Operations<br>
> - Virtual Alloc Operations<br>
> - Image Load Operations<br>
> - Kernel Audit APIs usage<br>
> - etc.<br>
2020-01-27 21:59:08 +07:00
2020-01-12 01:11:09 +07:00
2020-01-04 00:51:36 +07:00
# Doc Analysis
2020-01-04 00:51:54 +07:00
- VBA マクロの解析についての資料< br >
2020-01-04 00:51:36 +07:00
[Advanced VBA Macros Attack&Defence,BHEU2019 ](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf )< br >
2020-02-03 21:59:09 +07:00
- [rtfobj ](https://github.com/decalage2/oletools/wiki/rtfobj )< br >
RTFファイルからOLEパッケージオブジェクトを検出し、埋め込みファイルを抽出< br >
2020-02-03 20:50:20 +07:00
2020-01-12 12:53:46 +07:00
# C2 Analysis
2020-02-03 20:50:20 +07:00
### Emotet
2020-02-03 21:59:09 +07:00
- [Emutet ](https://github.com/d00rt/emotet_network_protocol )< br >
Emotetのc2通信部分のエミュレータ< br >
2020-02-03 20:50:20 +07:00
2020-01-12 12:53:46 +07:00
### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて< br >
2020-01-12 12:54:14 +07:00
[Writing Malware Traffic Decrypters for ISFB/Ursnif ](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/ )
2020-01-03 23:36:38 +07:00
2020-01-04 00:51:36 +07:00
# Binary Analysis
2020-01-03 14:53:28 +07:00
### Symbolic Execurtion
to do...
2020-02-03 20:50:20 +07:00
2020-01-03 14:53:28 +07:00
### Taint Analysis
to do...
2020-02-03 20:50:20 +07:00
2020-01-03 14:53:28 +07:00
### Decompiler
2020-02-03 20:50:20 +07:00
to do...
2020-01-03 14:53:28 +07:00
### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル< br >
[Intel® 64 and IA-32 Architectures Software Developer Manuals ](https://software.intel.com/en-us/articles/intel-sdm )< br >
2020-01-21 21:54:08 +07:00
- PEファイルのフォーマットについて< br >
2020-01-21 21:53:36 +07:00
[Inside Windows An In-Depth Look into the Win32 Portable Executable File Format, Part 1(2002) ](http://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm )< br >
[Peering Inside the PE: A Tour of the Win32 Portable Executable File Format(1994) ](http://bytepointer.com/resources/pietrek_peering_inside_pe.htm )< br >
