mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00

Update malware-analysis_ref_and_memo.md

mether049 2020-02-03 22:50:20 +09:00 committed by GitHub
parent e55e225ff8
commit 262a0d1a2c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -24,7 +24,7 @@
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)<br>[UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi|||||| |IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)<br>[UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free||||||| |Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi|||||| |Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi|||||| |Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)<br>[OOAnalyzer](https://insights.sei.cmu.edu/sei_blog/2019/07/using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra.html)|free|multi||||||
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows|||||| |x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible||||| |WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda<br>pwngdb|free|linux|||||| |GDB|gdbpeda<br>pwngdb|free|linux||||||
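Review bot: the new OOAnalyzer entry in the Ghidra row links to an SEI blog post describing the plugin, while every other entry in that column (Lighthouse, UEFI_RETool, CutterDRcov, pwndra, ghidra_scripts) links to the tool's own repository. Consider adding the source link as well (OOAnalyzer is distributed as part of CMU SEI's Pharos project), so the row stays consistent and the reference survives if the blog URL moves; keeping the blog post as the explanatory reference alongside it is fine.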
@ -73,12 +73,16 @@
- Fake-net NG - Fake-net NG
- INetSim - INetSim
- Noriben - Noriben
### Forensic ### Forensic
- EQL
- Sysinternals - Sysinternals
- Volatility - Volatility
- malconfscan - malconfscan
- hollowfind - hollowfind
### Threat hunting
- EQL
### Online Sandbox ### Online Sandbox
|name|site|remarks| |name|site|remarks|
|:-|:-|:-| |:-|:-|:-|
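Review bot: moving EQL out of Forensic into a separate Threat hunting section is a sensible split, since EQL is a query language run over collected event data rather than an artifact-analysis tool, but the new section holds a single bare name with no link or remark. Suggest adding the project link and a short note that EQL needs an event source to query (for example Sysmon or other endpoint logs), in the description-plus-link style the later sections of this file use, so a reader knows it is not a standalone collector.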
@ -111,6 +115,11 @@
[PE-Sieve](https://github.com/hasherezade/pe-sieve)<br> [PE-Sieve](https://github.com/hasherezade/pe-sieve)<br>
- PE-Sieveを使用してシステム全体をスキャン<br> - PE-Sieveを使用してシステム全体をスキャン<br>
[HollowsHunter](https://github.com/hasherezade/hollows_hunter)<br> [HollowsHunter](https://github.com/hasherezade/hollows_hunter)<br>
- ファイルやプロセスメモリ内の文字列の抽出<br>
[strings2](http://split-code.com/strings2.html)<br>
- 文字列,正規表現でプロセスメモリをスキャン<br>
[mnemosyne](https://github.com/nccgroup/mnemosyne)<br>
[Memory Scraping for Fun & Profit - Matt Lewis, NCC Group at CRESTCon & IIP Congress,youtube](https://www.youtube.com/watch?v=5HdYcE-woDc)
- Injecition/Hollowingされたプロセスの自動検出<br> - Injecition/Hollowingされたプロセスの自動検出<br>
[Memhunter](https://github.com/marcosd4h/memhunter)<br> [Memhunter](https://github.com/marcosd4h/memhunter)<br>
- **ref:**<br> - **ref:**<br>
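Review bot: formatting in the added block is inconsistent with the surrounding list: the strings2 link uses plain `http://` where the rest of the file uses `https://`, the `[Memory Scraping for Fun & Profit ...]` line is the only link line in this list without a trailing `<br>`, and `Congress,youtube` is missing a space after the comma. Consider also giving the YouTube talk its own `- ` description line instead of appending it under the mnemosyne entry, since each bullet elsewhere describes exactly one link. While this list is being edited, the pre-existing typo `Injecition` in the unchanged context line could be fixed in the same commit.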
@ -132,7 +141,14 @@
# Doc Analysis # Doc Analysis
- VBA マクロの解析についての資料<br> - VBA マクロの解析についての資料<br>
[Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br> [Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br>
- RTFファイルからOLEパッケージオブジェクトを検出し、埋め込みファイルを抽出<br>
[rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj)<br>
# C2 Analysis # C2 Analysis
### Emotet
- Emotetのc2通信部分のエミュレータ<br>
[Emutet](https://github.com/d00rt/emotet_network_protocol)<br>
### Ursnif ### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br> - Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br>
[Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/) [Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
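Review bot: the rtfobj addition would benefit from a one-line remark that it is part of decalage2/oletools, the same toolkit whose author wrote the VBA macro slides referenced directly above it; as written, a reader has no hint that olevba and the other oletools siblings exist for the VBA case. The new Emotet subsection mirrors the existing Ursnif one in structure, which keeps the C2 Analysis section consistent; no change needed there.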
@ -140,9 +156,13 @@
# Binary Analysis # Binary Analysis
### Symbolic Execurtion ### Symbolic Execurtion
to do... to do...
### Taint Analysis ### Taint Analysis
to do... to do...
### Decompiler ### Decompiler
to do...
### ref: ### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル<br> - Intel系アーキテクチャSoftware Developer向けのマニュアル<br>
[Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br> [Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br>
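Review bot: `to do...` under Decompiler is now the third empty placeholder in a row under Binary Analysis; since the tool table at the top of the file already lists Ghidra, Cutter and IDA pro, this section could at least point back to those rows (Ghidra bundles its own decompiler, IDA Pro's is the Hex-Rays add-on) rather than adding another bare marker. Also, `Execurtion` in the unchanged `### Symbolic Execurtion` heading is a typo that could be fixed while this region is being touched.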