its-me-anvesh-var/malware-analysis-api-security

GitHub: its-me-anvesh-var/malware-analysis-api-security

A practical methodology and template collection combining malware analysis with API security testing.

Stars: 1 | Forks: 0

# 🦠 Malware Analysis & API Security

A practical repository covering static and dynamic malware analysis workflows, YARA rule development, and API security testing aligned with the OWASP API Security Top 10. Built around REMnux, FlareVM and Burp Suite.

## 📂 Repository Structure

```
malware-analysis-api-security/
├── README.md
├── malware-analysis/
│   ├── static-analysis-checklist.md    # Step-by-step static analysis guide
│   ├── dynamic-analysis-checklist.md   # Dynamic analysis workflow
│   ├── analysis-report-template.md     # Blank report template
│   ├── sample-report-trojan.md         # Sample analysis: Generic Trojan
│   └── sample-report-ransomware.md     # Sample analysis: Ransomware dropper
├── yara-rules/
│   ├── README.md                       # How to use YARA rules
│   ├── ransomware-generic.yar          # Generic ransomware detection
│   ├── rat-generic.yar                 # Remote Access Trojan detection
│   └── powershell-dropper.yar          # PowerShell dropper detection
└── api-security/
    ├── owasp-api-top10-notes.md        # OWASP API Top 10 explained
    ├── burpsuite-testing-checklist.md  # Burp Suite API testing workflow
    └── findings-report-template.md     # API pentest findings template
```

## 🛠️ Tools Used

| Tool | Purpose |
|---|---|
| REMnux | Linux-based malware analysis distribution |
| FlareVM | Windows malware analysis environment |
| PEStudio | Static PE file analysis |
| strings / FLOSS | String extraction from binaries (FLOSS also recovers obfuscated and stack strings) |
| Wireshark | Network traffic analysis |
| Process Monitor | Dynamic behaviour monitoring |
| YARA | Pattern-based malware detection |
| Burp Suite Community | API security testing |
| Postman | API request construction |

## 🔬 Malware Analysis Workflow

### Static Analysis (No execution required)

```
1. File identification     → file, exiftool
2. Hash generation         → md5sum, sha256sum → VirusTotal lookup (search by hash; do not upload the sample)
3. String extraction       → strings, FLOSS
4. PE header analysis      → PEStudio, PE-bear
5. Import/export analysis  → suspicious API calls
6. Packer detection        → Detect It Easy (DIE)
7. YARA scanning           → custom + community rules
```

### Dynamic Analysis (Isolated VM only)

```
1. Snapshot baseline       → take a clean VM snapshot
2. Process monitoring      → Process Monitor, Process Hacker
3. Network monitoring      → Wireshark, FakeNet-NG
4. Registry monitoring     → Regshot (before/after comparison)
5. File system changes     → Process Monitor file filter
6. Memory analysis         → capture RAM while the sample is still running, analyse with Volatility
7. Restore snapshot        → never skip this step
```

## 🎯 YARA Rules

See [yara-rules/](yara-rules/) for detection rules covering:

- Generic ransomware behaviour patterns
- Remote Access Trojan (RAT) indicators
- PowerShell dropper signatures

**Run a YARA scan:**

```
yara -r yara-rules/ransomware-generic.yar /path/to/samples/
yara -r yara-rules/rat-generic.yar /path/to/samples/
```

## 🔐 API Security Testing

Aligned with the OWASP API Security Top 10 (2023):

| # | Vulnerability | Tested With |
|---|---|---|
| API1 | Broken Object Level Authorization | Burp Suite + manual |
| API2 | Broken Authentication | Burp Intruder (Sequencer for token randomness) |
| API3 | Broken Object Property Level Authorization | Manual inspection |
| API4 | Unrestricted Resource Consumption | Burp Repeater |
| API5 | Broken Function Level Authorization | Manual + Burp |
| API6 | Unrestricted Access to Sensitive Business Flows | Burp Repeater + Intruder (flow replay) |
| API7 | Server Side Request Forgery | Burp Collaborator |
| API8 | Security Misconfiguration | Manual headers check |
| API9 | Improper Inventory Management | Endpoint enumeration |
| API10 | Unsafe Consumption of APIs | Third-party API review |

## ⚠️ Disclaimer

All malware analysis is performed on isolated virtual machines with no internet connectivity. No live malware samples are stored in this repository; it contains only analysis reports, IOCs (indicators of compromise) and detection rules.

All API security testing is performed against intentionally vulnerable applications, or against systems for which explicit written permission has been obtained.

## 🏅 Author

**Anvesh Raju Vishwaraju**
CompTIA Security+ | eJPTv2 | CASA-APIsec
M.S. Cybersecurity — UNC Charlotte, USA
🔗 [LinkedIn](https://linkedin.com/in/arv007) | [GitHub](https://github.com/its-me-anvesh-var)
Tags: API security, Burp Suite, DAST, DNS information, DNS brute forcing, FlareVM, FLOSS, JSON output, OWASP API Top 10, PEStudio, Postman, PowerShell dropper, Process Monitor, REMnux, Wireshark, YARA rules, cloud security monitoring, ransomware detection, handle viewing, compliance checking, string extraction, security testing, malware analysis, report templates, offensive security, Trojan analysis, behaviour monitoring, remote access Trojan, static analysis