mirror of
https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Update malware-analysis_ref_and_memo.md
This commit is contained in:
parent e55e225ff8
commit 262a0d1a2c
@ -24,7 +24,7 @@
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)<br>[UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||||||
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)<br>[OOAnalyzer](https://insights.sei.cmu.edu/sei_blog/2019/07/using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra.html)|free|multi||||||
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda<br>pwngdb|free|linux||||||
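Review bot: the Ghidra row now lists OOAnalyzer, but the link goes to an SEI blog post ("using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra", per the URL) rather than to the tool itself, unlike the other plugin cells, which link repositories; either link the tool's source or mark the entry as a write-up so the column stays consistent. The Binary Ninja row also leaves the OS column empty where the IDA and Ghidra rows say `multi`, and the GDB cell names gdbpeda and pwngdb without links.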
@ -73,12 +73,16 @@
- Fake-net NG
- INetSim
- Noriben
### Forensic
- EQL
- Sysinternals
- Volatility
- malconfscan
- hollowfind
### Threat hunting
- EQL
### Online Sandbox
|name|site|remarks|
|:-|:-|:-|
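Review bot: EQL is now listed under both "Forensic" and the new "Threat hunting" heading with no remark telling the reader why it belongs in both; if the duplication is intended, a short note on each use (offline event analysis vs. live hunting) would help, otherwise keep it in one place. The Forensic entries (EQL, Sysinternals, Volatility, malconfscan, hollowfind) are also bare names, while the rest of the document links every tool it names, and the new Online Sandbox table opens with a header and alignment row but no rows are visible in this hunk.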
@ -111,6 +115,11 @@
[PE-Sieve](https://github.com/hasherezade/pe-sieve)<br>
- PE-Sieveを使用してシステム全体をスキャン<br>
[HollowsHunter](https://github.com/hasherezade/hollows_hunter)<br>
- ファイルやプロセスメモリ内の文字列の抽出<br>
[strings2](http://split-code.com/strings2.html)<br>
- 文字列,正規表現でプロセスメモリをスキャン<br>
[mnemosyne](https://github.com/nccgroup/mnemosyne)<br>
[Memory Scraping for Fun & Profit - Matt Lewis, NCC Group at CRESTCon & IIP Congress,youtube](https://www.youtube.com/watch?v=5HdYcE-woDc)
- Injecition/Hollowingされたプロセスの自動検出<br>
[Memhunter](https://github.com/marcosd4h/memhunter)<br>
- **ref:**<br>
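Review bot: typo in the Memhunter bullet, "Injecition/Hollowing" should read "Injection/Hollowing" (the bullet means "automatic detection of injected/hollowed processes"). The "Memory Scraping for Fun & Profit" YouTube line is the only entry in this block without the trailing `<br>`, so the list renders inconsistently, and the strings2 link is plain `http://` where every other link in the file is `https://`; worth checking that the site still resolves before keeping it.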
@ -132,7 +141,14 @@
# Doc Analysis
- VBA マクロの解析についての資料<br>
[Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br>
- RTFファイルからOLEパッケージオブジェクトを検出し、埋め込みファイルを抽出<br>
[rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj)<br>
# C2 Analysis
### Emotet
- Emotetのc2通信部分のエミュレータ<br>
[Emutet](https://github.com/d00rt/emotet_network_protocol)<br>
### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br>
[Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
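Review bot: the Ursnif reference line is the only entry in the new "C2 Analysis" section without the trailing `<br>` that the Emutet entry and the Doc Analysis entries carry, and both bullets write "c2" in lowercase while the heading says "C2". The Ursnif bullet already pins a version ("version 2"); the Emutet bullet ("emulator for Emotet's C2 communication") would be more useful with the same kind of note on which protocol generation the emulator targets, since the repository name alone does not say.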
@ -140,9 +156,13 @@
# Binary Analysis
### Symbolic Execurtion
to do...
### Taint Analysis
to do...
### Decompiler
to do...
### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル<br>
[Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br>
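Review bot: heading typo, "### Symbolic Execurtion" should be "### Symbolic Execution". The three new subsections (Symbolic Execution, Taint Analysis, Decompiler) are all "to do..." placeholders; acceptable for a memo, but the "### ref:" heading with a trailing colon differs from the "- **ref:**" bullet style used for references elsewhere in the file (see the earlier hunk), so pick one convention. The Intel SDM entry ("manual for software developers on Intel architectures") is the only item under that heading; a link to the AMD equivalent would be the natural companion if the section is meant to cover x86 in general.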