mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
mether049-malware/malware-analysis_ref_and_memo.md
2020-01-13 00:49:13 +09:00


Tools

Static Analysis and Debug tools

※ Blank cells are still under investigation (to be updated).

| name | disassembler | decompiler | debugger | reference |
|---|---|---|---|---|
| IDA pro (Not free) | | | | |
| Binary Ninja | | | | |
| Cutter | | r2dec, r2ghidra | native, gdb, windbg, etc. | INTRO TO CUTTER FOR MALWARE ANALYSIS (2019-03), megabeets.net; Cutter: Presenting r2ghidra Decompiler, r2con 2019 |
| Ghidra | | | | |
| x64/x32dbg | | Snowman | | |
| WinDbg | | | | |
| GDB | | | | |
| objdump | | | | |
| Snowman | | | | |
| name | plugin | price | platform | remarks |
|---|---|---|---|---|
| IDA pro | Lighthouse | Not free | multi | |
| Binary Ninja | Lighthouse | Not free | | |
| Cutter | CutterDRcov, Jupyter Plugin for Cutter, x64dbgcutter, etc. | free | multi | |
| Ghidra | pwndra | free | multi | |
| x64/x32dbg | DbgChild | free | windows | |
| WinDbg | | free | windows | Kernel mode debugging possible |
| GDB | gdbpeda, pwngdb | free | linux | |
| objdump | | free | linux | |
| Snowman | | | | |

Tracer

  • drltrace
    • DynamoRIO based
    • Library tracer (ltrace for Windows)
  • drstrace
    • DynamoRIO based
    • System call tracer (strace for Windows)
  • memtrace
    • DynamoRIO based
    • Memory tracer
  • bbbuf
    • DynamoRIO based
    • Basic block tracer
  • API Monitor
    • GUI (Windows)
    • Tool for monitoring API calls

Instrumentation

  • drcov
    • DynamoRIO based
    • Coverage measurement
    • Run via drrun:
      > drrun.exe -t drcov -- [program name] [arguments]
  • Intel PIN

Traffic Analysis tools

Forensic

  • EQL
  • Sysinternals
  • Volatility
    • malconfscan

Online Sandbox

| name | site | remarks |
|---|---|---|
| AMAaaS | https://amaaas.com/ | apk only |
| ANYRUN | https://app.any.run/#register | |
| Intezer Analyze | https://analyze.intezer.com/#/ | |
| IRIS-H | https://iris-h.services/pages/dashboard | maldoc only |
| CAPE Sandbox | https://cape.contextis.com/ | |
| Joe Sandbox Cloud | https://www.joesandbox.com/ | |
| cuckoo | https://cuckoo.cert.ee/ | |
| cuckoo | https://sandbox.pikker.ee/ | |
| Hybrid Analysis | https://www.hybrid-analysis.com/?lang=ja | |
| ViCheck | https://www.vicheck.ca/submitfile.php | |
| Triage | https://tria.ge/ | |
| Yomi Sandbox | https://yomi.yoroi.company/upload | |
| UnpacMe | https://www.unpac.me/#/ | online unpacker, beta |

Unpacker

  • TAFOF-Unpacker
    • Static unpacker for the malware used by the TA505 attacker group (GetandGoDll, Silence, TinyMet, Azorult, KBMiner, etc.)

Doc Analysis

C2 Analysis

Ursnif

Binary Analysis

Symbolic Execution

to do...

Taint Analysis

to do...

Decompiler

ref: