1
0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
mether049-malware/malware-analysis_ref_and_memo.md
2020-01-22 23:54:21 +09:00

120 lines
5.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Tools
### Static Analysis and Debug tools
※空欄は調査中(更新予定)
|name|disassembler|decompiler|debugger|reference|
|:-|:-|:-|:-|:-|
|IDA pro||(Not free)|||||||
|Binary Ninja|||||||||
|Cutter||r2dec,r2ghidra|native<br>gdb<br>windbg<br>etc.|[INTRO TO CUTTER FOR MALWARE ANALYSIS(2019-03)](https://malwology.com/2019/03/14/intro-to-cutter-for-malware-analysis/)<br>[megabeets.net](https://www.megabeets.net/?s=cutter)<br>[Cutter: Presenting r2ghidra Decompiler,r2con 2019](https://www.youtube.com/watch?v=eHtMiezr7l8&list=LLTk6-mAiILdt3V27uab14LA&index=8&t=0s)
|Ghidra|||||||||
|x64/x32dbg||Snowman|||||||
|WinDbg|||||||||
|GDB|||||||||
|objdump||||
|Snowman|||||||||
|name|plugin|price|platform|remarks|
|:-|:-|:-|:-|:-|
|IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)<br>[UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
|Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
|Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||||||
|x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
|WinDbg||free|windows|Kernel mode debugging possible|||||
|GDB|gdbpeda<br>pwngdb|free|linux||||||
|objdump||free|linux||
|Snowman|||||||||
### Tracer
- [drltrace](https://github.com/DynamoRIO/drmemory/tree/master/drltrace)
- [DynamoRIO](https://github.com/DynamoRIO/dynamorio) based
- ライブラリトレーサ(Windows版ltrace)
- [drstrace](http://drmemory.org/strace_for_windows.html)
- DynamoRIO based
- システムコールトレーサ(Windows版strace)
- [memtrace](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/memtrace_simple.c)
- DynamoRIO based
- メモリトレーサ
- [bbbuf](https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/bbbuf.c)
- DynamoRIO based
- べーシックブロックトレーサ
- [API Monitor](http://www.rohitab.com/apimonitor)
- GUI(Windows)
- APIコールを監視ツール
### Instrumentation
- [drcov](http://dynamorio.org/docs/page_drcov.html)
- DynamoRIO based
- カバレッジ計測
- drrun経由で実行
```
> drrun.exe -t drcov -- [program name] [arguments]
```
- Intel PIN
### Traffic Analysis tools
- Wireshark
- ref:
- [Wireshark Tutorial,Unit42(2019)](https://unit42.paloaltonetworks.com/tag/tutorial/)
- tcpdump
- scapy
- [Fiddle](https://www.telerik.com/fiddler)
- Web Proxy debugger
- [EKFiddle](https://github.com/malwareinfosec/EKFiddle)
- ref:
- [Malicious Traffic Analysis with EKFiddle(2019-03)](https://drive.google.com/file/d/1VhZyCiHgtDwcCh7cpVWMCTi9B_Nj66AC/view)
- Burp Suite
- Fake-net NG
- INetSim
- Noriben
### Forensic
- EQL
- Sysinternals
- Volatility
- malconfscan
### Online Sandbox
|name|site|remarks|
|:-|:-|:-|
|AMAaaS|https://amaaas.com/|apk only|
|ANYRUN|https://app.any.run/#register||
|Intezer Analyze|https://analyze.intezer.com/#/||
|IRIS-H|https://iris-h.services/pages/dashboard|maldoc only|
|CAPE Sandbox|https://cape.contextis.com/||
|Joe Sandbox Cloud|https://www.joesandbox.com/||
|cuckoo|https://cuckoo.cert.ee/||
|cuckoo|https://sandbox.pikker.ee/||
|Hybrid Analysis|https://www.hybrid-analysis.com/?lang=ja||
|ViCheck|https://www.vicheck.ca/submitfile.php||
|Triage|https://tria.ge/||
|Yomi Sandbox|https://yomi.yoroi.company/upload||
|UnpacMe|https://www.unpac.me/#/|online unpacker,beta|
### Unpacker/Decryptor
- 攻撃者グループTA505が利用するマルウェア(GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)の静的アンパッカー<br>
[TAFOF-Unpacker](https://github.com/Tera0017/TAFOF-Unpacker)
- Trickbotのartifactを取得するためのdecrypter<br>
[Trickbot artifact decrypter](https://github.com/snemes/malware-analysis/tree/master/trickbot)
# Doc Analysis
- VBA マクロの解析についての資料<br>
[Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br>
# C2 Analysis
### Ursnif
- Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br>
[Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
# Binary Analysis
### Symbolic Execurtion
to do...
### Taint Analysis
to do...
### Decompiler
### ref:
- Intel系アーキテクチャSoftware Developer向けのマニュアル<br>
[Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br>
- PEファイルのフォーマットについて<br>
[Inside Windows An In-Depth Look into the Win32 Portable Executable File Format, Part 1(2002)](http://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm)<br>
[Peering Inside the PE: A Tour of the Win32 Portable Executable File Format(1994)](http://bytepointer.com/resources/pietrek_peering_inside_pe.htm)<br>