About the Author

Source & Credit: This article was provided to www.gbhackers.com by BALAJI N. All the content of this article belongs to the original author BALAJI N. www.520waf.com won't take any credit.

0x00 Static Analysis

This step consists of extracting and examining the different components of a binary and inferring the executable's static behaviour, for example API headers, referenced DLLs, PE sections and other such assets, without executing the samples.


  • Disassembly – Programs can be ported to new computer platforms by compiling the source code in a different environment.
  • File Fingerprinting – Network data loss prevention solutions for identifying and tracking data across a network.
  • Virus Scanning – Virus scanning tools and instructions for malware and virus removal: remove malware, viruses, spyware and other threats. Example: VirusTotal.
  • Analyzing memory artefacts – While examining memory artefacts such as a RAM dump, pagefile.sys or hiberfil.sys, the examiner can begin identifying rogue processes.
  • Packer Detection – Used to detect packers, cryptors, compilers, scramblers, joiners and installers.


0x01 Dynamic Analysis



  • A single path (execution trace) is examined
  • The analysis environment is possibly not invisible
  • The analysis environment is possibly not comprehensive
  • Scalability issues
  • Allows the analysis environment to be restored quickly
  • Might be detectable (x86 virtualization problems)


0x02 Memory Forensics

Volatile memory components are found in physical memory. Volatile memory forensics captures valuable information about the running state of a system and provides the ability to connect those components to traditional forensic analysis (network, file system, registry).

  • Image the full range of system memory (no reliance on API calls).
  • Image a process's entire address space to disk, including its loaded DLLs, EXEs, heaps and stacks.
  • Image a specified driver, or all drivers loaded in memory, to disk.
  • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256).
  • Verify the digital signatures of the EXEs and DLLs (disk-based).
  • Output all strings in memory on a per-process basis.


  • WinDbg – Kernel debugger for Windows systems
  • Muninn – A script to automate portions of analysis using Volatility
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility
  • FindAES – Find AES encryption keys in memory
  • Volatility – Advanced memory forensics framework

0x03 Malware Detection

Signature Based or Pattern Matching: A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.

Heuristic Analysis or Pro-Active Defense: Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, it looks for certain instructions or commands within a program that are not found in typical application programs.

Rule Based: The component of the heuristic engine that conducts the analysis (the analyzer) extracts certain rules from a file, and these rules are compared against a set of rules for malicious code.

Behavioral Blocking: The suspicious-behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs.

Weight-Based: A heuristic engine based on a weight-based system, a rather old-style approach, rates each functionality it detects with a certain weight according to its degree of danger.

Sandbox: Allows the file to run in a controlled virtual system (or "sandbox") to see what it does.
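To make the difference between the signature-based and the weight-based approaches concrete, here is a small added example (not code from the original article) that runs both over constructed byte strings. The signature database, the indicator strings, their weights and the alert threshold are all assumptions chosen for illustration:

```python
import hashlib

# Constructed signature database for this example: SHA-256 digests of two
# made-up "known bad" byte strings. Real databases hold hashes of real samples.
_KNOWN_BAD = [b"MZ-constructed-sample-A", b"MZ-constructed-sample-B"]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in _KNOWN_BAD}

# Assumed weight table for the heuristic engine: indicator strings that rarely
# appear together in ordinary applications, each rated by its degree of danger.
# The indicators and weights are illustrative choices, not a vendor's rule set.
HEURISTIC_WEIGHTS = {
    b"VirtualAllocEx": 3,        # allocate memory in another process
    b"WriteProcessMemory": 4,    # write into another process
    b"CreateRemoteThread": 5,    # start a thread in another process
    b"IsDebuggerPresent": 2,     # anti-debugging check
    b"UPX0": 2,                  # section name left by a common packer
}
ALERT_THRESHOLD = 8  # assumed: total weight at or above this is "suspicious"


def signature_match(data: bytes) -> bool:
    """Signature-based detection: an exact hash lookup that only catches known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def heuristic_score(data: bytes) -> int:
    """Weight-based heuristic: sum the weights of every indicator present in the file."""
    return sum(weight for indicator, weight in HEURISTIC_WEIGHTS.items() if indicator in data)


def classify(data: bytes) -> tuple:
    """Return (verdict, score). Signatures are checked first; the heuristic covers the rest."""
    if signature_match(data):
        return ("known-malware", 0)
    score = heuristic_score(data)
    verdict = "suspicious" if score >= ALERT_THRESHOLD else "clean"
    return (verdict, score)


if __name__ == "__main__":
    # Constructed inputs: a known sample, the same sample with one byte appended
    # (which defeats the hash signature), an unknown injector-like file, and a
    # benign file that merely checks for a debugger.
    tests = {
        "known":      _KNOWN_BAD[0],
        "mutated":    _KNOWN_BAD[0] + b"\x00",
        "injector":   b"MZ...VirtualAllocEx..WriteProcessMemory..CreateRemoteThread..",
        "debug-only": b"MZ...IsDebuggerPresent..",
    }
    for name, blob in tests.items():
        print(f"{name:10s} -> {classify(blob)}")
```

The "mutated" case shows why signature matching alone is insufficient: a single appended byte changes the hash, and only the heuristic layer has a chance of catching the variant.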


  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate YARA rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host-based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.

0x04 Web Domain Analysis

Domain analysis is the process by which a software engineer learns background information by examining domain names and IP addresses. A domain analysis should simply include a short summary of what you found, kept as a reference so that others can find this information in the future.


  • SpamCop – IP-based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free website malware and security scanner.
  • TekDefense Automatic – OSINT tool for gathering information about URLs, IPs or hashes.
  • URLQuery – Free URL scanner.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Whois – DomainTools free online whois search.
  • mail checker – Cross-language temporary email detection library.

0x05 Network Interaction Analysis


Tools in this category handle IPv4/6, TCP, UDP, ICMPv4/6, IGMP and raw packets across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understand BPF filter logic in the same fashion as more common packet sniffers.


  • Tcpdump – Collect network traffic.
  • tcpick – Track and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • CloudShark – Web-based tool for packet analysis and malware traffic detection.

0x06 Debugging & Debuggers



  • objdump – Part of GNU Binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • FPort – Reports open TCP/IP and UDP ports on a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.

0x07 Analyzing Malicious URLs

Today, websites are exposed to many threats that exploit their vulnerabilities. A compromised site is used as a stepping stone that then serves the attacker's malicious purposes. For example, URL redirection mechanisms are widely used as a way to carry out covert web-based attacks. Redirection automatically replaces the destination the visitor reaches and is usually controlled through the web's HTTP protocol. Besides this conventional method, other mechanisms that automatically fetch content from an external site, e.g. the iframe tag, have been used, particularly in web-based attacks.
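As an added example (not part of the original article), the following Python scanner looks for exactly the auto-loading mechanisms described above in a saved page: meta-refresh and inline-script redirects, and iframes, flagging invisible ones. The sample page, the redirect regex and the hidden-iframe heuristics are assumptions chosen for illustration; the `example.invalid` domain is reserved and never resolves.

```python
import re
from html.parser import HTMLParser

# Assumed pattern for inline-script redirects such as  window.location.href = "http://..."
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class RedirectIframeScanner(HTMLParser):
    """Collects (kind, target) findings: meta-refresh / JS redirects and (hidden) iframes."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lower-cased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            self.findings.append(("hidden-iframe" if hidden else "iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser passes the raw <script> body here
            for m in _JS_REDIRECT.finditer(data):
                self.findings.append(("js-redirect", m.group(1)))


def scan_html(html: str) -> list:
    """Return the list of (kind, target) findings for one page."""
    scanner = RedirectIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page resembling a compromised site; example.invalid never resolves.
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/hop1">'
    '</head><body><p>Loading...</p>'
    '<iframe src="http://example.invalid/frame" width="0" height="0"></iframe>'
    '<script>window.location.href = "http://example.invalid/hop2";</script></body></html>'
)
```

Calling `scan_html(SAMPLE_PAGE)` yields one finding per mechanism, which is the kind of triage output an analyst would feed into the URL tools listed in this section.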


  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • jsunpack-n – A JavaScript unpacker that emulates browser functionality.
  • Krakatau – Java decompiler, assembler, and disassembler.
  • Malzilla – Analyze malicious web pages.

0x08 Sandboxing Technique

A sandbox is a key security mechanism that isolates programs, preventing malicious or faulty ones from damaging or snooping on the rest of your PC. The software you use every day already runs a significant part of its code inside a sandbox. A sandbox is a tightly controlled environment that governs which programs may execute. Sandboxes restrict what a piece of code can do, so that without additional authorization it cannot abuse more than it has been granted.


  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Cuckoo Sandbox – Open source, self-hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis toolkit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • SandDroid – Automatic and complete Android application analysis system.

Original article: Most important considerations with Malware Analysis Cheats And Tools list