# Tools

### Static Analysis and Debug tools

※ Blank cells are still under investigation (to be updated).

|name|disassembler|decompiler|debugger|reference|
|:-|:-|:-|:-|:-|
|IDA pro|〇|〇 (Not free)|〇||
|Binary Ninja|〇||||
|Cutter|〇|r2dec, r2ghidra|native<br>gdb<br>windbg<br>etc.|[INTRO TO CUTTER FOR MALWARE ANALYSIS (2019-03)](https://malwology.com/2019/03/14/intro-to-cutter-for-malware-analysis/)<br>[megabeets.net](https://www.megabeets.net/?s=cutter)<br>[Cutter: Presenting r2ghidra Decompiler, r2con 2019](https://www.youtube.com/watch?v=eHtMiezr7l8&list=LLTk6-mAiILdt3V27uab14LA&index=8&t=0s)|
|Ghidra|〇|〇|||
|x64/x32dbg|〇|Snowman|〇||
|WinDbg|〇||〇||
|GDB|〇||〇||
|objdump|〇||||
|Snowman||〇|||

|name|plugin|price|platform|remarks|
|:-|:-|:-|:-|:-|
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|multi||
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||
|WinDbg||free|windows|Kernel mode debugging possible|
|GDB|gdb-peda<br>pwngdb|free|linux||
|objdump||free|linux||
|Snowman|||||

### Tracer

- [drltrace](https://github.com/DynamoRIO/drmemory/tree/master/drltrace)
  - DynamoRIO based
  - Library call tracer (an ltrace for Windows)
- [drstrace](http://drmemory.org/strace_for_windows.html)
  - DynamoRIO based
  - System call tracer (an strace for Windows)
- [memtrace](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/memtrace_simple.c)
  - DynamoRIO based
  - Memory access tracer
- [bbbuf](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/bbbuf.c)
  - DynamoRIO based
  - Basic block tracer
- [API Monitor](http://www.rohitab.com/apimonitor)
  - GUI (Windows)
  - Monitors the API calls made by a process

### Instrumentation

- [drcov](http://dynamorio.org/docs/page_drcov.html)
  - DynamoRIO based
  - Code coverage measurement
  - Run via drrun
    ```
    > drrun.exe -t drcov -- [program name] [arguments]
    ```
  - The resulting `drcov.*.log` files are the input format that Lighthouse (IDA pro / Binary Ninja) and CutterDRcov (Cutter) load to paint coverage onto the disassembly
- Intel PIN

### Traffic Analysis tools

- Wireshark
  - ref:
    - [Wireshark Tutorial, Unit42 (2019)](https://unit42.paloaltonetworks.com/tag/tutorial/)
- tcpdump
- scapy
- [Fiddler](https://www.telerik.com/fiddler)
  - Web proxy debugger
  - [EKFiddle](https://github.com/malwareinfosec/EKFiddle)
    - ref:
      - [Malicious Traffic Analysis with EKFiddle (2019-03)](https://drive.google.com/file/d/1VhZyCiHgtDwcCh7cpVWMCTi9B_Nj66AC/view)
- Burp Suite
- FakeNet-NG
- INetSim
- Noriben

### Forensic

- EQL
- Sysinternals
- Volatility
- malconfscan

### Online Sandbox

|name|site|remarks|
|:-|:-|:-|
|AMAaaS|https://amaaas.com/|apk only|
|ANY.RUN|https://app.any.run/#register||
|Intezer Analyze|https://analyze.intezer.com/#/||
|IRIS-H|https://iris-h.services/pages/dashboard|maldoc only|
|CAPE Sandbox|https://cape.contextis.com/||
|Joe Sandbox Cloud|https://www.joesandbox.com/||
|cuckoo|https://cuckoo.cert.ee/||
|cuckoo|https://sandbox.pikker.ee/||
|Hybrid Analysis|https://www.hybrid-analysis.com/?lang=ja||
|ViCheck|https://www.vicheck.ca/submitfile.php||
|Triage|https://tria.ge/||
|Yomi Sandbox|https://yomi.yoroi.company/upload||
|UnpacMe|https://www.unpac.me/#/|online unpacker, beta|

### Unpacker

- [TAFOF-Unpacker](https://github.com/Tera0017/TAFOF-Unpacker)
  - Static unpacker for malware used by the TA505 threat actor group (GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)

# Doc Analysis

- [Advanced VBA Macros Attack & Defence, BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)
  - Slides on analyzing VBA macros

# C2 Analysis

### Ursnif

- [Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
  - How Ursnif (version 2) C2 communication works, and a tool to decrypt it

# Binary Analysis

### Symbolic Execution

to do...

### Taint Analysis

to do...

### Decompiler

### ref:

- [Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)
  - Software developer manuals for Intel architectures
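Worked example for the drcov entry in the Instrumentation section above, where the page itself only shows the `drrun` command line. This is added code, not from the original page, DynamoRIO, Lighthouse or CutterDRcov. It assumes the drcov version-2 log layout as DynamoRIO writes it: a text header containing the module table, a `BB Table: N bbs` line, then N packed little-endian records of (uint32 start offset within the module, uint16 block size, uint16 module id). The two logs it works on are constructed inline (a "detonated" run and a run that bailed early), not captured from a real sample, and the module paths and bases in them are made up.

```python
"""Parse DynamoRIO drcov logs and diff coverage between two runs (added example)."""
import struct
import sys
from collections import defaultdict

BB_RECORD = struct.Struct("<IHH")   # start offset, block size, module id


def parse_drcov(data: bytes):
    """Return (modules, blocks) from raw drcov log bytes.

    modules: {module id: {"base": int, "end": int, "path": str}}
    blocks:  list of (module id, start offset, size) in log order
    """
    if not data.startswith(b"DRCOV VERSION: "):
        raise ValueError("not a drcov log")
    marker = b"BB Table: "
    pos = data.find(b"\n" + marker)
    if pos < 0:
        raise ValueError("no BB Table header")
    pos += 1                                   # skip the newline
    header_end = data.index(b"\n", pos)        # end of the "BB Table" line
    nbbs = int(data[pos + len(marker):header_end].split()[0])

    modules, columns = {}, None
    for line in data[:pos].decode("utf-8", "replace").splitlines():
        if line.startswith("Columns:"):
            # column names differ per platform/version, so key fields by name
            columns = [c.strip() for c in line[len("Columns:"):].split(",")]
        elif columns is not None and line.strip():
            # limit the split so a path containing commas stays intact
            row = dict(zip(columns, [f.strip() for f in line.split(",", len(columns) - 1)]))
            modules[int(row["id"])] = {"base": int(row["base"], 16),
                                       "end": int(row["end"], 16),
                                       "path": row["path"]}

    body = data[header_end + 1:]
    if len(body) < nbbs * BB_RECORD.size:
        raise ValueError("truncated BB table: log was probably cut off mid-run")
    blocks = []
    for i in range(nbbs):
        start, size, mod_id = BB_RECORD.unpack_from(body, i * BB_RECORD.size)
        if mod_id not in modules:
            raise ValueError(f"block {i} references unknown module {mod_id}")
        blocks.append((mod_id, start, size))
    return modules, blocks


def coverage_summary(modules, blocks):
    """(unique blocks, covered bytes) per module path; duplicates are collapsed."""
    uniq = defaultdict(set)
    for mod_id, start, size in blocks:
        uniq[modules[mod_id]["path"]].add((start, size))
    return {p: (len(s), sum(sz for _, sz in s)) for p, s in uniq.items()}


def new_blocks(modules_a, blocks_a, modules_b, blocks_b):
    """Blocks hit in run A but not run B, as absolute addresses from run A's bases.

    Keying on (module path, offset) instead of absolute address or module id keeps
    the diff valid across ASLR and differing module ids between runs.
    """
    seen_b = {(modules_b[m]["path"], s) for m, s, _ in blocks_b}
    result = defaultdict(set)
    for m, s, _ in blocks_a:
        path = modules_a[m]["path"]
        if (path, s) not in seen_b:
            result[path].add(modules_a[m]["base"] + s)
    return {p: sorted(a) for p, a in result.items()}


def build_log(modules, blocks):
    """Serialise a drcov v2 log (constructed input, Linux-style column set)."""
    lines = ["DRCOV VERSION: 2", "DRCOV FLAVOR: drcov",
             f"Module Table: version 2, count {len(modules)}",
             "Columns: id, base, end, entry, path"]
    for mid, m in sorted(modules.items()):
        lines.append(f"{mid:3d}, 0x{m['base']:016x}, 0x{m['end']:016x}, 0x{m['base']:016x}, {m['path']}")
    lines.append(f"BB Table: {len(blocks)} bbs")
    return ("\n".join(lines) + "\n").encode() + b"".join(BB_RECORD.pack(s, sz, m) for m, s, sz in blocks)


# Constructed sample data (hypothetical paths and bases); run A detonated, run B bailed early.
LIBC = "/lib/x86_64-linux-gnu/libc.so.6"
MODULES_A = {0: {"base": 0x555555554000, "end": 0x555555560000, "path": "/tmp/sample"},
             1: {"base": 0x7FFFF7DC0000, "end": 0x7FFFF7F80000, "path": LIBC}}
MODULES_B = {0: {"base": 0x400000, "end": 0x40C000, "path": "/tmp/sample"},
             1: {"base": 0x7F3A10000000, "end": 0x7F3A101C0000, "path": LIBC}}
BLOCKS_A = [(0, 0x1000, 12), (0, 0x1010, 8), (0, 0x1200, 20), (0, 0x1200, 20), (1, 0x20000, 5)]
BLOCKS_B = [(0, 0x1000, 12), (0, 0x1010, 8), (1, 0x20000, 5)]
LOG_A = build_log(MODULES_A, BLOCKS_A)
LOG_B = build_log(MODULES_B, BLOCKS_B)


def main(argv):
    """Usage: drcov_diff.py [run_a.log run_b.log]; falls back to the constructed logs."""
    if len(argv) == 3:
        raw_a, raw_b = open(argv[1], "rb").read(), open(argv[2], "rb").read()
    else:
        raw_a, raw_b = LOG_A, LOG_B
    ma, ba = parse_drcov(raw_a)
    mb, bb = parse_drcov(raw_b)
    for path, (n, nbytes) in coverage_summary(ma, ba).items():
        print(f"{path}: {n} blocks, {nbytes} bytes")
    for path, addrs in new_blocks(ma, ba, mb, bb).items():
        print(f"only in run A, {path}: " + ", ".join(hex(a) for a in addrs))


if __name__ == "__main__":
    main(sys.argv)
```

The address list printed for "only in run A" is what you would jump to in the disassembler: with a detonated run as A and an aborted run as B, those blocks are where the two executions diverge, which usually lands on the anti-analysis check that made run B give up.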