nganhkhoa/mether049-malware
1
0
Fork 0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
Code Issues Projects Releases Wiki Activity
d212948442
mether049-malware/malware-analysis_ref_and_memo.md

115 lines
4.6 KiB
Markdown
Raw Normal View History

First
2020-01-03 23:36:38 +07:00
# Tools
few tools add
2020-01-12 22:45:41 +07:00
### Static Analysis and Debug tools
※空欄は調査中(更新予定)
|name|disassembler|decompiler|debugger|reference|
|:-|:-|:-|:-|:-|
|IDA pro||(Not free)|||||||
|Binary Ninja|||||||||
Update malware-analysis_ref_and_memo.md
2020-01-12 22:48:10 +07:00
|Cutter||r2dec,r2ghidra|native<br>gdb<br>windbg<br>etc.|[INTRO TO CUTTER FOR MALWARE ANALYSIS(2019-03)](https://malwology.com/2019/03/14/intro-to-cutter-for-malware-analysis/)<br>[megabeets.net](https://www.megabeets.net/?s=cutter)<br>[Cutter: Presenting r2ghidra Decompiler,r2con 2019](https://www.youtube.com/watch?v=eHtMiezr7l8&list=LLTk6-mAiILdt3V27uab14LA&index=8&t=0s)
few tools add
2020-01-12 22:45:41 +07:00
|Ghidra|||||||||
|x64/x32dbg||Snowman|||||||
|WinDbg|||||||||
|GDB|||||||||
|objdump||||
|Snowman|||||||||
|name|plugin|price|platform|remarks|
|:-|:-|:-|:-|:-|
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|multi||||||
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
Update malware-analysis_ref_and_memo.md
2020-01-15 20:23:37 +07:00
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||||||
few tools add
2020-01-12 22:45:41 +07:00
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda<br>pwngdb|free|linux||||||
|objdump||free|linux||
|Snowman|||||||||
### Tracer
- [drltrace](https://github.com/DynamoRIO/drmemory/tree/master/drltrace)
- [DynamoRIO](https://github.com/DynamoRIO/dynamorio) based
- ライブラリトレーサ(Windows版ltrace)
- [drstrace](http://drmemory.org/strace_for_windows.html)
- DynamoRIO based
- システムコールトレーサ(Windows版strace)
- [memtrace](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/memtrace_simple.c)
- DynamoRIO based
- メモリトレーサ
- [bbbuf](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/bbbuf.c)
- DynamoRIO based
- べーシックブロックトレーサ
- [API Monitor](http://www.rohitab.com/apimonitor)
- GUI(Windows)
- APIコールを監視ツール
### Instrumentation
- [drcov](http://dynamorio.org/docs/page_drcov.html)
- DynamoRIO based
- カバレッジ計測
- drrun経由で実行
```
> drrun.exe -t drcov -- [program name] [arguments]
```
- Intel PIN
### Traffic Analysis tools
- Wireshark
- ref:
- [Wireshark Tutorial,Unit42(2019)](https://unit42.paloaltonetworks.com/tag/tutorial/)
- tcpdump
- scapy
- [Fiddle](https://www.telerik.com/fiddler)
- Web Proxy debugger
- [EKFiddle](https://github.com/malwareinfosec/EKFiddle)
- ref:
- [Malicious Traffic Analysis with EKFiddle(2019-03)](https://drive.google.com/file/d/1VhZyCiHgtDwcCh7cpVWMCTi9B_Nj66AC/view)
- Burp Suite
- Fake-net NG
- INetSim
- Noriben
### Forensic
- EQL
- Sysinternals
- Volatility
- malconfscan
First
2020-01-03 23:36:38 +07:00
### Online Sandbox
|name|site|remarks|
|:-|:-|:-|
|AMAaaS|https://amaaas.com/|apk only|
|ANYRUN|https://app.any.run/#register||
|Intezer Analyze|https://analyze.intezer.com/#/||
|IRIS-H|https://iris-h.services/pages/dashboard|maldoc only|
|CAPE Sandbox|https://cape.contextis.com/||
|Joe Sandbox Cloud|https://www.joesandbox.com/||
|cuckoo|https://cuckoo.cert.ee/||
|cuckoo|https://sandbox.pikker.ee/||
|Hybrid Analysis|https://www.hybrid-analysis.com/?lang=ja||
|ViCheck|https://www.vicheck.ca/submitfile.php||
|Triage|https://tria.ge/||
|Yomi Sandbox|https://yomi.yoroi.company/upload||
|UnpacMe|https://www.unpac.me/#/|online unpacker,beta|
Update malware-analysis_ref_and_memo.md
2020-01-12 01:11:09 +07:00
### Unpacker
Update malware-analysis_ref_and_memo.md
2020-01-12 01:12:15 +07:00
- 攻撃者グループTA505が利用するマルウェア(GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)の静的アンパッカー<br>
Update malware-analysis_ref_and_memo.md
2020-01-12 01:11:09 +07:00
[TAFOF-Unpacker](https://github.com/Tera0017/TAFOF-Unpacker)
Update malware-analysis_ref_and_memo.md
2020-01-04 00:51:36 +07:00
# Doc Analysis
Update malware-analysis_ref_and_memo.md
2020-01-04 00:51:54 +07:00
- VBA マクロの解析についての資料<br>
Update malware-analysis_ref_and_memo.md
2020-01-04 00:51:36 +07:00
[Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br>
Update malware-analysis_ref_and_memo.md
2020-01-12 12:53:46 +07:00
# C2 Analysis
### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br>
Update malware-analysis_ref_and_memo.md
2020-01-12 12:54:14 +07:00
[Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
First
2020-01-03 23:36:38 +07:00
Update malware-analysis_ref_and_memo.md
2020-01-04 00:51:36 +07:00
# Binary Analysis
Create malware-analysis_ref_and_memo.md
2020-01-03 14:53:28 +07:00
### Symbolic Execurtion
to do...
### Taint Analysis
to do...
### Decompiler
### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル<br>
[Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br>
Reference in New Issue Copy Permalink