VectorKernel PoCs for Kernelmode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64-bit OS only. NOTE Some modules use ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 API is not...
ELFEN: Linux Malware Analysis Sandbox ELFEN is a dockerized sandbox for analyzing Linux (file type: ELF) malware. It leverages an array of open-source technologies to perform both static and dynamic analysis. Results are available...
Qu1cksc0pe This tool allows statically analysis Windows, Linux, osx, executables, and also APK files. You can get: What DLL files are used. Functions and API. Sections and segments. URLs, IP addresses, and emails. Android...
Android Disassembler Analyze malicious app on your phone Android Disassembler is an application that is able to analyze several types of files such as APK files, dex files, shared libraries (aka .so files) (NDK,...
Arya – The Reverse YARA Arya is a unique tool that produces pseudo-malicious files meant to trigger YARA rules. You can think of it as a reverse YARA because it does exactly the opposite...
Verdict-as-a-Service Verdict-as-a-Service (VaaS) is a cloud service that provides capabilities to scan files for malware and other threats. It allows you to easily integrate malware detection in your application with a few lines of code....
PMAT-labs – The labs for Practical Malware Analysis & Triage This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate...
PortEx PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at...
landrun A lightweight, secure sandbox for running Linux processes using Landlock LSM. Think firejail, but with kernel-level security and minimal overhead. Linux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves...
CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to...
FileInsight-plugins: decoding toolbox of McAfee FileInsight hex editor for malware analysis FileInsight-plugins is a large set of plugins for the McAfee FileInsight hex editor. It adds many capabilities such as decryption, decompression, searching XOR-ed...
Speakeasy Speakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware. Instead of attempting to perform dynamic analysis using an entire virtualized operating system, Speakeasy will emulate specific...
MEGR-APT MEGR-APT is a scalable APT hunting system to discover suspicious subgraphs matching an attack scenario (query graph) published in Cyber Threat Intelligence (CTI) reports. MEGR-APT hunts APTs in a twofold process: (i) memory-efficient...
freki Freki is a free and open-source malware analysis platform. Goals Facilitate malware analysis and reverse engineering; Provide an easy-to-use REST API for different projects; Easy deployment (via Docker); Allow the addition of new...
AlphaGolang AlphaGolang is a collection of IDAPython scripts to help malware reverse engineers master Go binaries. The idea is to break the scripts into concrete steps, thus avoiding brittle monolithic scripts, and mimicking the...
Malduck Malduck is your ducky companion in malware analysis journeys. It is mostly based on the Roach project, which derives many concepts from mlib library created by Maciej Kotowicz. The purpose of the fork was to make Roach...
