Malware Analysis and Incident Response Tools
This repository collects the tools we use, or that I recommend, for malware analysis and incident response tasks. The list is updated with new tools regularly.
- VirusTotal
- HYBRID ANALYSIS
- ANY.RUN
- Latest malware trends
- Malcore
- Malwr — (uses Cuckoo in background)
- Malware.id
- CFF Explorer
- PE-bear — by hasherezade
- Detect-It-Easy — by Hors
- Dependency Walker
- PE Studio
- PPEE — or "puppy", which is a Professional PE file Explorer
- Resource Hacker
- Cerbero
- PE Explorer v2 — by Zodiacon
- CAPA — by FireEye FLARE Team
- Malwoverview
- XPEViewer
- Exeinfo PE — (old version) or here (latest)
- PEiD — (password = tuts4you) + signatures
- ASPack — (trial)
- Detect it Easy (DiE) or here
- TitanMist
- Reflective PE Packer: Amber
- pyinstxtractor — a Python script to extract the contents of a PyInstaller generated executable file.
- pyinstxtractor-ng — a tool to extract the contents of a Pyinstaller generated executable file. Both Linux ELFs and Windows PE executables are supported.
- etc
- Microsoft SysInternals Suite
- Process Hacker
- ProcDOT or here
- RegShot
- Noriben
- X64dbg
- Immunity Debugger
- Rundll32 (LOLBin)
- Injector (Reflective DLL Injection)
- API Monitor
- PE Capture
- Tiny_tracer
- VISION-ProcMon
- Pe-sieve
- Hollows-hunter
- ReverseKit
- Mal_unpack
- etc
- Mandiant ApateDNS
- WinDump
- CaptureBAT
- Fiddler — get the classic version
- Skadi — open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images.
- CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
- Velociraptor
- VolatileDataCollector
- KAPE
- Yara
- YExtend
- IOC Editor
- IOC Finder
- Yara rules
- YaraRET
- Yara Endpoint
- ClamAV
- Osquery
- GRR
- DumpIt (readings: 1, 2)
- Memdump — similar to SysInternals
- Beagle
- Thor-Lite
- Ghidra
- IDA Pro
- Plugins:
- dnSpyEx — .NET Decompiler and Debugger
- Malcat
- Binary Ninja
- ExtremeDumper — for .NET Executables
- Cutter
- Rizin
- VB Decompiler
- P32Dasm — VB decompiler
- Online VB Script DeObfuscator/Obfuscator
- Visual Basic decompiler
- Online Decompiler
- Import Hash Generator
- MonoDevelop
- Decompiler Explorer
- etc
- Rekall
- Volatility
- Volatility Workbench
- Volatility Repository — profiles, plugins, community plugins, etc
- VolWeb
- FireEye Redline
- Belkasoft RAM Capturer — (free, requires registration)
- MAGNET RAM Capture — (free, requires registration)
- Memoryze — by FireEye (requires registration)
- Surge Collect — by Volexity (commercial)
- OSForensics — by PassMark Software (commercial)
- WinPmem — open source, part of the Rekall memory forensics framework
- FTK Imager — by AccessData (free, requires registration)
- Comae Memory Toolkit (DumpIt) — (free, requires registration)
- MemProcFS
- Trufflepig Forensics
- VSTriage
- etc
- Qiling
- Blobrunner
- Frida
- Windows 10 Sandbox
- Shadow Defender
- CAPEv2 — Malware Configuration And Payload Extraction
- Cuckoo — No longer maintained, use CAPEv2 instead
- AssemblyLine4
- VMwareCloak
- Linux Malware Analysis Sandbox
- etc
- bstrings
- BinText
- StringSifter
- Graphviz
- Viper
- Ssdeep
- Visual Studio Code
- Exe_to_dll
- Awesome Docker
- sshx — A secure web-based, collaborative terminal
- etc
- Vergilius Project
- Windows APIs used by Malware
- https://github.com/rshipp/awesome-malware-analysis
- NtDoc
- Life of Binaries
- Intro to x86 — (Assembly x86)
- Intro to x64 — (Assembly 64)
- Intro to Reverse Engineering — (RE) Malware
- Intro to Reverse Engineering — (RE) Software
- Dynamic Malware Analysis
- Ransomware 101
- Learn x64 Assembly
- My YouTube Channel — (will be updated)
- John Hammond - Malware Analysis
- OALabs
- hasherezade
- MalwareAnalysisForHedgehogs
- All Things IDA
- Hex-Rays
- VXUG Papers — Lots of great research papers all in one place
- Kernel Data Structures — I depend on this reference
- LoadLibrary-GetProcAddress-Replacements
- zerosum0x0 Defcon25 Workshop
- Windows Internals
- PROCESSINFOCLASS Native APIs