2020-01-03 23:36:38 +07:00
# Tools
2020-01-25 22:05:12 +07:00
- DFIRやマルウェア解析,OSINT,その他の多数のツールに関するデータベース< br >
2020-01-25 22:04:59 +07:00
[DFIR TRAINING(TOOLS) ](https://www.dfir.training/dfirtools/advanced-search )
2020-01-25 22:05:12 +07:00
- infographicsやツールのチートシート< br >
2020-01-25 22:04:59 +07:00
[DFIR TRAINING(RESOUCES-Downloads-Infographics & Cheet Sheets) ](https://www.dfir.training/resources/downloads/cheatsheets-infographics )
2020-01-12 22:45:41 +07:00
### Static Analysis and Debug tools
※空欄は調査中(更新予定)
|name|disassembler|decompiler|debugger|reference|
|:-|:-|:-|:-|:-|
|IDA pro|〇 〇 〇
|Binary Ninja|〇
2020-01-12 22:48:10 +07:00
|Cutter|〇 < br > gdb< br > windbg< br > etc.|[INTRO TO CUTTER FOR MALWARE ANALYSIS(2019-03)](https://malwology.com/2019/03/14/intro-to-cutter-for-malware-analysis/)< br > [megabeets.net](https://www.megabeets.net/?s=cutter)< br > [Cutter: Presenting r2ghidra Decompiler,r2con 2019](https://www.youtube.com/watch?v=eHtMiezr7l8& list=LLTk6-mAiILdt3V27uab14LA& index=8& t=0s)
2020-01-12 22:45:41 +07:00
|Ghidra|〇 〇
|x64/x32dbg|〇 〇
|WinDbg|〇 〇
|GDB|〇 〇
|objdump|〇
|Snowman||〇
|name|plugin|price|platform|remarks|
|:-|:-|:-|:-|:-|
2020-01-19 20:19:40 +07:00
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)< br > [UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
2020-01-12 22:45:41 +07:00
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)< br > [Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)< br > [x64dbgcutter](https://github.com/yossizap/x64dbgcutter)< br > [etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
2020-01-15 20:23:37 +07:00
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)< br > [ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||||||
2020-01-12 22:45:41 +07:00
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda< br > pwngdb|free|linux||||||
|objdump||free|linux||
|Snowman|||||||||
### Tracer
- [drltrace ](https://github.com/DynamoRIO/drmemory/tree/master/drltrace )
- [DynamoRIO ](https://github.com/DynamoRIO/dynamorio ) based
- ライブラリトレーサ(Windows版ltrace)
- [drstrace ](http://drmemory.org/strace_for_windows.html )
- DynamoRIO based
- システムコールトレーサ(Windows版strace)
- [memtrace ](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/memtrace_simple.c )
- DynamoRIO based
- メモリトレーサ
- [bbbuf ](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/bbbuf.c )
- DynamoRIO based
- べーシックブロックトレーサ
- [API Monitor ](http://www.rohitab.com/apimonitor )
- GUI(Windows)
- APIコールを監視ツール
### Instrumentation
- [drcov ](http://dynamorio.org/docs/page_drcov.html )
- DynamoRIO based
- カバレッジ計測
- drrun経由で実行
```
> drrun.exe -t drcov -- [program name] [arguments]
```
- Intel PIN
### Traffic Analysis tools
- Wireshark
- ref:
- [Wireshark Tutorial,Unit42(2019) ](https://unit42.paloaltonetworks.com/tag/tutorial/ )
- tcpdump
- scapy
- [Fiddle ](https://www.telerik.com/fiddler )
- Web Proxy debugger
- [EKFiddle ](https://github.com/malwareinfosec/EKFiddle )
- ref:
- [Malicious Traffic Analysis with EKFiddle(2019-03) ](https://drive.google.com/file/d/1VhZyCiHgtDwcCh7cpVWMCTi9B_Nj66AC/view )
- Burp Suite
- Fake-net NG
- INetSim
- Noriben
### Forensic
- EQL
- Sysinternals
- Volatility
- malconfscan
2020-01-03 23:36:38 +07:00
### Online Sandbox
|name|site|remarks|
|:-|:-|:-|
|AMAaaS|https://amaaas.com/|apk only|
|ANYRUN|https://app.any.run/#register||
|Intezer Analyze|https://analyze.intezer.com/#/||
|IRIS-H|https://iris-h.services/pages/dashboard|maldoc only|
|CAPE Sandbox|https://cape.contextis.com/||
|Joe Sandbox Cloud|https://www.joesandbox.com/||
|cuckoo|https://cuckoo.cert.ee/||
|cuckoo|https://sandbox.pikker.ee/||
|Hybrid Analysis|https://www.hybrid-analysis.com/?lang=ja||
|ViCheck|https://www.vicheck.ca/submitfile.php||
|Triage|https://tria.ge/||
|Yomi Sandbox|https://yomi.yoroi.company/upload||
|UnpacMe|https://www.unpac.me/#/|online unpacker,beta|
2020-01-22 21:53:47 +07:00
### Unpacker/Decryptor
2020-01-12 01:12:15 +07:00
- 攻撃者グループTA505が利用するマルウェア(GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)の静的アンパッカー< br >
2020-01-12 01:11:09 +07:00
[TAFOF-Unpacker ](https://github.com/Tera0017/TAFOF-Unpacker )
2020-01-22 21:54:21 +07:00
- Trickbotのartifactを取得するためのdecrypter< br >
2020-01-22 21:53:47 +07:00
[Trickbot artifact decrypter ](https://github.com/snemes/malware-analysis/tree/master/trickbot )
2020-01-12 01:11:09 +07:00
2020-01-04 00:51:36 +07:00
# Doc Analysis
2020-01-04 00:51:54 +07:00
- VBA マクロの解析についての資料< br >
2020-01-04 00:51:36 +07:00
[Advanced VBA Macros Attack&Defence,BHEU2019 ](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf )< br >
2020-01-12 12:53:46 +07:00
# C2 Analysis
### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて< br >
2020-01-12 12:54:14 +07:00
[Writing Malware Traffic Decrypters for ISFB/Ursnif ](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/ )
2020-01-03 23:36:38 +07:00
2020-01-04 00:51:36 +07:00
# Binary Analysis
2020-01-03 14:53:28 +07:00
### Symbolic Execurtion
to do...
### Taint Analysis
to do...
### Decompiler
### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル< br >
[Intel® 64 and IA-32 Architectures Software Developer Manuals ](https://software.intel.com/en-us/articles/intel-sdm )< br >
2020-01-21 21:54:08 +07:00
- PEファイルのフォーマットについて< br >
2020-01-21 21:53:36 +07:00
[Inside Windows An In-Depth Look into the Win32 Portable Executable File Format, Part 1(2002) ](http://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm )< br >
[Peering Inside the PE: A Tour of the Win32 Portable Executable File Format(1994) ](http://bytepointer.com/resources/pietrek_peering_inside_pe.htm )< br >
