prxcode/malforge
GitHub: prxcode/malforge
一款离线恶意软件静态分析与检测规则生成工具,可从可疑二进制文件一键产出 YARA、Sigma、IOC 及 MITRE 映射报告。
Stars: 1 | Forks: 0
Malforge
Detection Engineering Toolkit
Generate YARA · Sigma · MITRE ATT&CK · IOC Reports · HTML Reports
from a suspicious binary. One command.
## 功能简介
**Malforge** 接收一个可疑的二进制文件,并生成五个具有可操作性的输出结果:
```
sample.exe → malforge analyze → YARA Rule
Sigma Rule
MITRE ATT&CK Mapping
IOC Report (JSON)
HTML Threat Report
```
它完全在离线状态下运行一个 **10 阶段的分析 pipeline** —— 无需云服务、无需沙箱、无需 Docker:
1. **文件哈希** — MD5、SHA1、SHA256、熵值
2. **PE 解析** — 头信息、节区、导入、导出、时间戳
3. **字符串提取** — ASCII/Unicode 字符串,并按类别分组(URL、IP、注册表、路径)
4. **启发式分析** — 进程注入、键盘记录、加密、反调试、加壳检测
5. **IOC 提取** — 网络指标、文件哈希、注册表项,并附带置信度评分
6. **MITRE ATT&CK 映射** — 从启发式分析和 IOC 中映射出约 13 种技术
7. **YARA 规则生成** — 基于可疑 API + 网络 IOC 生成,并自动验证
8. **Sigma 规则生成** — 基于文件路径、注册表、DNS 和网络 IOC 生成
9. **HTML 报告** — 独立、暗色主题的专业威胁报告
10. **Plugin 钩子** — 使用您自己的分析步骤进行扩展
## 安装说明
```
pip install malforge
```
要求 **Python 3.11+** 和 `yara-python`(在大多数系统上由 pip 自动编译)。
## 快速开始
```
# 分析可疑二进制文件
malforge analyze sample.exe
# 自定义输出目录
malforge analyze sample.exe -o ./results
# 仅输出 JSON 报告(跳过 HTML)
malforge analyze sample.exe --format json
# 跳过 Sigma 规则生成
malforge analyze sample.exe --no-sigma
# 显示版本
malforge --version
```
## 输出结果
```
malforge_output/
├── report.html # Standalone HTML threat report
├── report.json # Full analysis data
├── iocs.json # Extracted IOCs with confidence scores
├── mitre_mapping.json # ATT&CK technique mappings
└── rules/
├── yara_rule.yar # Auto-generated YARA rule
└── sigma_rule.yml # Auto-generated Sigma rule
```
### YARA 规则输出示例
```
rule Malforge_a1b2c3d4 {
meta:
author = "Malforge"
description = "Auto-generated detection rule from static analysis."
date = "2026-06-30"
hash = "a1b2c3d4..."
tlp = "WHITE"
strings:
$s0 = "VirtualAllocEx" ascii wide nocase
$s1 = "WriteProcessMemory" ascii wide nocase
$s2 = "CreateRemoteThread" ascii wide nocase
$ioc_url0 = "http://evil.com/payload.exe" ascii wide
$ioc_ip1 = "203.0.113.50" ascii wide
condition:
uint16(0) == 0x5a4d
and all of ($s*)
and any of ($ioc_*)
}
```
### Sigma 规则输出示例
```
title: Suspicious Activity — Malforge a1b2c3d4
id: 8f14e45f-ceea-367f-a27f-c790a516b3b9
status: experimental
description: Auto-generated Sigma rule for sample a1b2c3d4...
author: Malforge
date: 2026/06/30
logsource:
category: process_creation
product: windows
detection:
selection_files:
Image|endswith:
- '\cmd.exe'
selection_registry:
TargetObject|contains:
- 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
selection_dns:
QueryName|endswith:
- 'malicious-domain.com'
condition: selection_files or selection_registry or selection_dns
falsepositives:
- Unknown
level: medium
```
## 工作原理
```
┌─────────────────────────────────────────────────────┐
│ malforge analyze │
│ │
│ sample.exe ──▶ Read bytes + compute hashes │
│ │ │
│ ├──▶ PE Analyzer (pefile) │
│ │ └── headers, sections, imports, exports │
│ │ │
│ ├──▶ String Extractor │
│ │ └── URLs, IPs, registry, suspicious │
│ │ │
│ ├──▶ Heuristic Engine │
│ │ └── injection, keylog, crypto, packing │
│ │ │
│ ├──▶ IOC Extractor │
│ │ └── typed IOCs with confidence scores │
│ │ │
│ ├──▶ MITRE ATT&CK Mapper │
│ │ └── technique IDs + tactics + evidence │
│ │ │
│ ├──▶ YARA Generator ──▶ Validator │
│ │ │
│ ├──▶ Sigma Generator │
│ │ │
│ └──▶ Report Generator │
│ ├── report.json │
│ ├── report.html │
│ ├── iocs.json │
│ ├── mitre_mapping.json │
│ └── rules/ (yara + sigma) │
└─────────────────────────────────────────────────────┘
```
## Plugin 系统
使用自定义分析步骤扩展 Malforge:
```
# my_plugin.py
from malforge.plugins.base import MalforgePlugin
class VirusTotalPlugin(MalforgePlugin):
name = "virustotal"
version = "1.0.0"
def on_analysis_complete(self, result: dict) -> dict:
# Add VirusTotal lookup results
result["virustotal"] = {"detected": True, "positives": 42}
return result
```
在您的 plugin 的 `pyproject.toml` 中注册:
```
[project.entry-points."malforge.plugins"]
virustotal = "my_plugin:VirusTotalPlugin"
```
```
pip install my-malforge-plugin
malforge plugins list # Shows: virustotal v1.0.0
malforge analyze sample.exe # Plugin runs automatically
```
## 项目结构
```
malforge/
├── src/malforge/
│ ├── cli.py # Click CLI entry point
│ ├── analyzer.py # 10-stage pipeline orchestrator
│ ├── analysis/ # PE parsing, string extraction, heuristics
│ ├── detection/ # YARA + Sigma generation, YARA validation
│ ├── ioc/ # IOC extraction with confidence scoring
│ ├── mitre/ # ATT&CK technique mapping
│ ├── report/ # JSON + HTML report generation
│ └── plugins/ # Plugin base class + entry point loader
├── tests/ # pytest test suite
├── pyproject.toml # Package config (pip install malforge)
├── CONTRIBUTING.md # Plugin dev guide + contribution workflow
└── LICENSE # MIT
```
## 开发说明
```
git clone https://github.com/prxcode/malforge.git
cd malforge
python -m venv .venv && .venv\Scripts\activate
pip install -e ".[dev]"
pytest tests/ -v
```
## 本项目的局限性
Malforge 是一款 **静态分析 + 检测工程** 工具。它不会:
- 执行恶意软件(无沙箱/动态分析)
- 进行完整的逆向工程
- 替代商业 EDR 或威胁情报平台
- 声称具备内存取证能力
它只擅长做好一件事:**二进制文件 → 检测制品**。如果您需要动态分析,请将其与 [CAPEv2](https://github.com/kevoreilly/CAPEv2) 或 [ANY.RUN](https://any.run) 结合使用。
## 许可证
MIT — 查看 [LICENSE](LICENSE)。
## 作者
**Priyanshu** — [@prxcode](https://github.com/prxcode)
标签:DAST, DNS 反向解析, YARA, 云资产可视化, 威胁情报, 开发者工具, 恶意软件分析, 网络信息收集, 调试插件, 逆向工具