mirror of
https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Tools
Static Analysis and Debug tools
※ Blank cells are still under investigation (to be updated)
name | disassembler | decompiler | debugger | reference
---|---|---|---|---
IDA pro | 〇 | 〇 (Not free) | 〇 | |
Binary Ninja | 〇 | | | |
Cutter | 〇 | r2dec, r2ghidra | native, gdb, windbg etc. | INTRO TO CUTTER FOR MALWARE ANALYSIS (2019-03) megabeets.net; Cutter: Presenting r2ghidra Decompiler, r2con 2019 |
Ghidra | 〇 | 〇 | | |
x64/x32dbg | 〇 | Snowman | 〇 | |
WinDbg | 〇 | 〇 | | |
GDB | 〇 | 〇 | | |
objdump | 〇 | | | |
Snowman | 〇 | | | |
name | plugin | price | platform | remarks
---|---|---|---|---
IDA pro | Lighthouse, UEFI_RETool | Not free | multi | |
Binary Ninja | Lighthouse | Not free | | |
Cutter | CutterDRcov, Jupyter Plugin for Cutter, x64dbgcutter etc. | free | multi | |
Ghidra | pwndra, ghidra_scripts | free | multi | |
x64/x32dbg | DbgChild | free | windows | |
WinDbg | | free | windows | Kernel mode debugging possible |
GDB | gdbpeda, pwngdb | free | linux | |
objdump | | free | linux | |
Snowman | | | | |
Tracer
- drltrace
  - DynamoRIO based
  - Library tracer (a Windows equivalent of ltrace)
- drstrace
  - DynamoRIO based
  - System call tracer (a Windows equivalent of strace)
- memtrace
  - DynamoRIO based
  - Memory tracer
- bbbuf
  - DynamoRIO based
  - Basic block tracer
- API Monitor
  - GUI (Windows)
  - Tool for monitoring API calls
Instrumentation
- drcov
  - DynamoRIO based
  - Code coverage measurement
  - Run via drrun
    > drrun.exe -t drcov -- [program name] [arguments]
- Intel PIN
Traffic Analysis tools
Forensic
- EQL
- Sysinternals
- Volatility
- malconfscan
Online Sandbox
name | site | remarks |
---|---|---|
AMAaaS | https://amaaas.com/ | apk only |
ANYRUN | https://app.any.run/#register | |
Intezer Analyze | https://analyze.intezer.com/#/ | |
IRIS-H | https://iris-h.services/pages/dashboard | maldoc only |
CAPE Sandbox | https://cape.contextis.com/ | |
Joe Sandbox Cloud | https://www.joesandbox.com/ | |
cuckoo | https://cuckoo.cert.ee/ | |
cuckoo | https://sandbox.pikker.ee/ | |
Hybrid Analysis | https://www.hybrid-analysis.com/?lang=ja | |
ViCheck | https://www.vicheck.ca/submitfile.php | |
Triage | https://tria.ge/ | |
Yomi Sandbox | https://yomi.yoroi.company/upload | |
UnpacMe | https://www.unpac.me/#/ | online unpacker,beta |
Unpacker/Decryptor
- Static unpacker for malware used by the attacker group TA505 (GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)
  TAFOF-Unpacker
- Decrypter for extracting Trickbot artifacts
  Trickbot artifact decrypter
Doc Analysis
- Material on analyzing VBA macros
  Advanced VBA Macros Attack&Defence, BHEU2019
C2 Analysis
Ursnif
- On the C2 communication mechanism of Ursnif (version 2) and a decryption tool for it
  Writing Malware Traffic Decrypters for ISFB/Ursnif
Binary Analysis
Symbolic Execution
to do...
Taint Analysis
to do...
Decompiler
ref:
- Manuals for software developers on Intel architectures
  Intel® 64 and IA-32 Architectures Software Developer Manuals
- On the PE file format
  Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format, Part 1 (2002)
  Peering Inside the PE: A Tour of the Win32 Portable Executable File Format (1994)