prxcode/malforge

GitHub: prxcode/malforge

一款离线恶意软件静态分析与检测规则生成工具,可从可疑二进制文件一键产出 YARA、Sigma、IOC 及 MITRE 映射报告。

Stars: 1 | Forks: 0

Malforge

Detection Engineering Toolkit
Generate YARA · Sigma · MITRE ATT&CK · IOC Reports · HTML Reports
from a suspicious binary. One command.

PyPI CI Python License

## 功能简介 **Malforge** 接收一个可疑的二进制文件,并生成五个具有可操作性的输出结果: ``` sample.exe → malforge analyze → YARA Rule Sigma Rule MITRE ATT&CK Mapping IOC Report (JSON) HTML Threat Report ``` 它完全在离线状态下运行一个 **10 阶段的分析 pipeline** —— 无需云服务、无需沙箱、无需 Docker: 1. **文件哈希** — MD5、SHA1、SHA256、熵值 2. **PE 解析** — 头信息、节区、导入、导出、时间戳 3. **字符串提取** — ASCII/Unicode 字符串,并按类别分组(URL、IP、注册表、路径) 4. **启发式分析** — 进程注入、键盘记录、加密、反调试、加壳检测 5. **IOC 提取** — 网络指标、文件哈希、注册表项,并附带置信度评分 6. **MITRE ATT&CK 映射** — 从启发式分析和 IOC 中映射出约 13 种技术 7. **YARA 规则生成** — 基于可疑 API + 网络 IOC 生成,并自动验证 8. **Sigma 规则生成** — 基于文件路径、注册表、DNS 和网络 IOC 生成 9. **HTML 报告** — 独立、暗色主题的专业威胁报告 10. **Plugin 钩子** — 使用您自己的分析步骤进行扩展 ## 安装说明 ``` pip install malforge ``` 要求 **Python 3.11+** 和 `yara-python`(在大多数系统上由 pip 自动编译)。 ## 快速开始 ``` # 分析可疑二进制文件 malforge analyze sample.exe # 自定义输出目录 malforge analyze sample.exe -o ./results # 仅输出 JSON 报告(跳过 HTML) malforge analyze sample.exe --format json # 跳过 Sigma 规则生成 malforge analyze sample.exe --no-sigma # 显示版本 malforge --version ``` ## 输出结果 ``` malforge_output/ ├── report.html # Standalone HTML threat report ├── report.json # Full analysis data ├── iocs.json # Extracted IOCs with confidence scores ├── mitre_mapping.json # ATT&CK technique mappings └── rules/ ├── yara_rule.yar # Auto-generated YARA rule └── sigma_rule.yml # Auto-generated Sigma rule ``` ### YARA 规则输出示例 ``` rule Malforge_a1b2c3d4 { meta: author = "Malforge" description = "Auto-generated detection rule from static analysis." date = "2026-06-30" hash = "a1b2c3d4..." tlp = "WHITE" strings: $s0 = "VirtualAllocEx" ascii wide nocase $s1 = "WriteProcessMemory" ascii wide nocase $s2 = "CreateRemoteThread" ascii wide nocase $ioc_url0 = "http://evil.com/payload.exe" ascii wide $ioc_ip1 = "203.0.113.50" ascii wide condition: uint16(0) == 0x5a4d and all of ($s*) and any of ($ioc_*) } ``` ### Sigma 规则输出示例 ``` title: Suspicious Activity — Malforge a1b2c3d4 id: 8f14e45f-ceea-367f-a27f-c790a516b3b9 status: experimental description: Auto-generated Sigma rule for sample a1b2c3d4... author: Malforge date: 2026/06/30 logsource: category: process_creation product: windows detection: selection_files: Image|endswith: - '\cmd.exe' selection_registry: TargetObject|contains: - 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' selection_dns: QueryName|endswith: - 'malicious-domain.com' condition: selection_files or selection_registry or selection_dns falsepositives: - Unknown level: medium ``` ## 工作原理 ``` ┌─────────────────────────────────────────────────────┐ │ malforge analyze │ │ │ │ sample.exe ──▶ Read bytes + compute hashes │ │ │ │ │ ├──▶ PE Analyzer (pefile) │ │ │ └── headers, sections, imports, exports │ │ │ │ │ ├──▶ String Extractor │ │ │ └── URLs, IPs, registry, suspicious │ │ │ │ │ ├──▶ Heuristic Engine │ │ │ └── injection, keylog, crypto, packing │ │ │ │ │ ├──▶ IOC Extractor │ │ │ └── typed IOCs with confidence scores │ │ │ │ │ ├──▶ MITRE ATT&CK Mapper │ │ │ └── technique IDs + tactics + evidence │ │ │ │ │ ├──▶ YARA Generator ──▶ Validator │ │ │ │ │ ├──▶ Sigma Generator │ │ │ │ │ └──▶ Report Generator │ │ ├── report.json │ │ ├── report.html │ │ ├── iocs.json │ │ ├── mitre_mapping.json │ │ └── rules/ (yara + sigma) │ └─────────────────────────────────────────────────────┘ ``` ## Plugin 系统 使用自定义分析步骤扩展 Malforge: ``` # my_plugin.py from malforge.plugins.base import MalforgePlugin class VirusTotalPlugin(MalforgePlugin): name = "virustotal" version = "1.0.0" def on_analysis_complete(self, result: dict) -> dict: # Add VirusTotal lookup results result["virustotal"] = {"detected": True, "positives": 42} return result ``` 在您的 plugin 的 `pyproject.toml` 中注册: ``` [project.entry-points."malforge.plugins"] virustotal = "my_plugin:VirusTotalPlugin" ``` ``` pip install my-malforge-plugin malforge plugins list # Shows: virustotal v1.0.0 malforge analyze sample.exe # Plugin runs automatically ``` ## 项目结构 ``` malforge/ ├── src/malforge/ │ ├── cli.py # Click CLI entry point │ ├── analyzer.py # 10-stage pipeline orchestrator │ ├── analysis/ # PE parsing, string extraction, heuristics │ ├── detection/ # YARA + Sigma generation, YARA validation │ ├── ioc/ # IOC extraction with confidence scoring │ ├── mitre/ # ATT&CK technique mapping │ ├── report/ # JSON + HTML report generation │ └── plugins/ # Plugin base class + entry point loader ├── tests/ # pytest test suite ├── pyproject.toml # Package config (pip install malforge) ├── CONTRIBUTING.md # Plugin dev guide + contribution workflow └── LICENSE # MIT ``` ## 开发说明 ``` git clone https://github.com/prxcode/malforge.git cd malforge python -m venv .venv && .venv\Scripts\activate pip install -e ".[dev]" pytest tests/ -v ``` ## 本项目的局限性 Malforge 是一款 **静态分析 + 检测工程** 工具。它不会: - 执行恶意软件(无沙箱/动态分析) - 进行完整的逆向工程 - 替代商业 EDR 或威胁情报平台 - 声称具备内存取证能力 它只擅长做好一件事:**二进制文件 → 检测制品**。如果您需要动态分析,请将其与 [CAPEv2](https://github.com/kevoreilly/CAPEv2) 或 [ANY.RUN](https://any.run) 结合使用。 ## 许可证 MIT — 查看 [LICENSE](LICENSE)。 ## 作者 **Priyanshu** — [@prxcode](https://github.com/prxcode)
标签:DAST, DNS 反向解析, YARA, 云资产可视化, 威胁情报, 开发者工具, 恶意软件分析, 网络信息收集, 调试插件, 逆向工具