RazviOverflow/Malware_Resources

GitHub: RazviOverflow/Malware_Resources

A comprehensive collection of resources on malware analysis, binary exploitation and reverse engineering.

Stars: 28 | Forks: 0

# Malware Resources

Malware resources. Personal collection. Curated and (hopefully) useful.

## General resources

- [Unprotect Project](https://unprotect.it/)
- [Malware Behavior Catalog (MBC)](https://github.com/MBCProject/mbc-markdown)
- [Evasion Techniques](https://evasions.checkpoint.com/)
  - [Repo (Evasions)](https://github.com/CheckPointSW/Evasions)
- [Anti-Debug Tricks](https://anti-debug.checkpoint.com/)
  - [Repo (Anti-Debug-DB)](https://github.com/CheckPointSW/Anti-Debug-DB)
- [Malapi.io](https://malapi.io/)
- [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas)
- [Malware Bible](https://bible.malcore.io/)
- [cocomelonc (malware development/malware tricks)](https://cocomelonc.github.io/)
  - [Repo](https://github.com/cocomelonc?tab=repositories)
- [ATT&CK Tactics](https://attack.mitre.org/tactics/enterprise/)
- [ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)

## Specific techniques

- [Malware Showcase](https://github.com/PatrikH0lop/malware_showcase)
- Persistence:
  - [Malware Persistence](https://github.com/Karneades/malware-persistence)
  - [Awesome Malware Persistence](https://github.com/Karneades/awesome-malware-persistence)
- Processes:
  - [Process Injection Techniques](https://offensive-panda.github.io/ProcessInjectionTechniques/)
  - [Ten process injection techniques](https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)
  - [Process Injection](https://github.com/3xpl01tc0d3r/ProcessInjection)
  - [Process Hollowing](https://github.com/adamhlt/Process-Hollowing)
  - [Process Hollowing](https://github.com/m0n0ph1/Process-Hollowing)
- Dynamic-link libraries (DLL):
  - [DLL Injector](https://github.com/adamhlt/DLL-Injector)
  - [DLL Hollowing](https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/)
  - [Code & Process injection](https://www.ired.team/offensive-security/code-injection-process-injection)
- Structured Exception Handling (SEH):
  - Basics:
    - [A Crash Course on the Depths of Win32: Structured Exception Handling](https://www-user.tu-chemnitz.de/~heha/hsn/chm/Win32SEH.chm/Win32SEH.htm)
    - [CppCon 2018: James McNellis "Unwinding the Stack: Exploring How C++ Exceptions Work on Windows"](https://www.youtube.com/watch?v=COEv2kq_Ht8), talk video.
    - [Debugging custom filters for unhandled exceptions](https://www.debuginfo.com/articles/debugfilters.html)
    - [Understanding Unhandled Exception Filters](http://uninformed.org/index.cgi?v=4&a=5&p=4)
    - https://stackoverflow.com/a/54400192

## Malware sample services

- [vx-underground](https://www.vx-underground.org/#E:/root/Samples)
- [MalwareBazaar](https://bazaar.abuse.ch/browse/)
- [MalShare](https://malshare.com/)
- [VirusShare](https://virusshare.com/)
- [Samplepedia](https://samplepedia.cc/) - Free, searchable resource of malware analysis training samples and solutions.

## Malware sample GitHub repositories

- [theZoo](https://github.com/ytisf/theZoo)
- [malware-samples](https://github.com/fabrimagic72/malware-samples)
- [malware-samples](https://github.com/jstrosch/malware-samples)
- [malware-samples](https://github.com/InQuest/malware-samples)
- [the-malware-repo](https://github.com/Da2dalus/The-MALWARE-Repo)
- [malware-sample-library](https://github.com/mstfknn/malware-sample-library)
- [malware-feed](https://github.com/MalwareSamples/Malware-Feed)

## Malware naming, families and aliases

- [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/)

## Analysis labs / setting up your (safe) environment

- [FLARE-VM](https://github.com/mandiant/flare-vm)
- [REMnux](https://remnux.org/)
- [Reverse Engineer's Toolkit](https://github.com/mentebinaria/retoolkit)
- [Indetectables Toolkit](https://github.com/indetectables-net/toolkit)

## Tools

### Anti-sandbox, anti-VM, anti-virtualization, anti-analysis, evasion, etc. proof-of-concept tools

- [Al-Khaser](https://github.com/ayoubfaouzi/al-khaser)
- [Sentello](https://github.com/Malwation/sentello) Sentello is Al-Khaser implemented as a Python script, by Malwation.
- [Pafish](https://github.com/a0rtega/pafish)
- [Pafishmacro](https://github.com/joesecurity/pafishmacro) Pafish Macro is Pafish implemented as a macro-enabled Office document, by Joe Security.
- [VMAware](https://github.com/kernelwernel/VMAware)
- [InviZzzible](https://github.com/CheckPointSW/InviZzzible)
- [Hypervisor-Detection](https://github.com/void-stack/Hypervisor-Detection)
- [Hypervisor Phantom](https://github.com/Scrut1ny/Hypervisor-Phantom)
- [Sandbox_Detector](https://github.com/arxhr007/Malware-Sandbox-Evasion)
- [VMDE (Virtual Machines Detection Enhanced)](https://github.com/hfiref0x/VMDE)
- [SEMS (Anti-Sandbox and Anti-Virtual Machine Tool)](https://github.com/AlicanAkyol/sems)
- [Fake Sandbox Artifacts](https://github.com/NavyTitanium/Fake-Sandbox-Artifacts)
- [ShowStopper](https://github.com/CheckPointSW/showstopper/tree/master): tool for exploring and testing anti-debugging techniques.

#### Malware scarecrows

- [Malcrow](https://github.com/Babyhamsta/Malcrow)
- [scaremalw](https://github.com/kaganisildak/malwarescarecrow)

### Other tools

- [TitanHide](https://github.com/mrexodia/TitanHide)
- [Mandiant CAPA](https://github.com/mandiant/capa)
- [HashDB](https://github.com/OALabs/hashdb)
- [PE-sieve](https://github.com/hasherezade/pe-sieve)
- [PE-bear](https://github.com/hasherezade/pe-bear)
- [C++ Library that offers Debugger Detection (cpp-anti-debug)](https://github.com/BaumFX/cpp-anti-debug)
- [TinyTracer](https://github.com/hasherezade/tiny_tracer)

### Windows debloating, performance, privacy, optimization, etc.

- [Debloat-Windows-10](https://github.com/W4RH4WK/Debloat-Windows-10): This project collects PowerShell scripts that help to debloat Windows 10, tweak common settings and install basic software components.
- [Tiny11builder](https://github.com/ntdevlabs/tiny11builder): Scripts to build a trimmed-down Windows 11 image.
- [Win11Debloat](https://github.com/Raphire/Win11Debloat)
- [Sophia-Script-for-Windows](https://github.com/farag2/Sophia-Script-for-Windows)
- [Windows10Debloater](https://github.com/Sycnex/Windows10Debloater) *(archived by the project owner on 21 September 2023)*.
- [ShutUp10++](https://www.oo-software.com/en/shutup10) *(commercial freeware)*
- [Blackbird](https://www.getblackbird.net/) *(commercial freeware)*
- [Privatezilla](https://github.com/builtbybel/privatezilla)
- [Win Debloat Tools](https://github.com/LeDragoX/Win-Debloat-Tools?tab=readme-ov-file)
- [bloatbox](https://github.com/builtbybel/bloatbox)
- [WindowsSpyBlocker](https://github.com/crazy-max/WindowsSpyBlocker)
- [priv10](https://github.com/DavidXanatos/priv10)
- [Compilation](https://github.com/just-maik/win-opti-resources) A compilation of more related tools.

## Windows API functions / syscalls

- [Windows API (and categories) in JSON format](https://github.com/RazviOverflow/winapi_categories_json) - Repository moved to [Windows API and Syscalls categories](https://github.com/reverseame/winapi-categories). *Keeping this link in case GitHub stops redirecting.*
- [Windows System Call Tables](https://github.com/j00ru/windows-syscalls)
- [Windows API Function Cheatsheets](https://github.com/snowcra5h/windows-api-function-cheatsheets)
- [NTSleuth - Windows Syscall Dataset Library](https://ntsleuth.com/)
- [Windows API Arsenal](https://blog.fautl.com/api-list.html)

### Undocumented APIs

- [NTAPI Undocumented Functions](http://undocumented.ntinternals.net/)
  - [GitHub Mirror](https://github.com/undocumented-ntinternals/undocumented-ntinternals.github.io)
  - [Mirror 2](https://undocumented-ntinternals.github.io/)
  - [(undocumented) NTInternals.click](https://undocumented.ntinternals.click/) (dead link)
  - [GitHub Scraped Content](https://github.com/asimovitch/ntinternals)
- [NtDoc](https://ntdoc.m417z.com/)
- [ntoskrnl](https://github.com/zhuhuibeishadiao/ntoskrnl)
- [nt](https://likeagod.revers.engineering/nt/)
- [Vergilius Project](https://www.vergiliusproject.com/)

## Tutorials and courses (malware analysis, reverse engineering and exploitation)

- [Malware Unicorn](https://malwareunicorn.org/)
- [How to start RE/malware analysis?](https://hshrzd.wordpress.com/how-to-start/)
- [Malware Training Vol 1.](https://github.com/hasherezade/malware_training_vol1)
- [Malware-Analysis-Training](https://github.com/OpenRCE/Malware-Analysis-Training)
- [Zero2Automated](https://courses.zero2auto.com/) (affordable)
- [Maldev Academy](https://maldevacademy.com/) (affordable)
- [Windows Malware Analysis for Hedgehogs - Beginner](https://malwareanalysis-for-hedgehogs.learnworlds.com/course/malware-analysis-beginner) (affordable; frequent discounts and bundles)
- [Windows Malware Analysis for Hedgehogs - Intermediate](https://malwareanalysis-for-hedgehogs.learnworlds.com/course/intermediate-level) (affordable; frequent discounts and bundles)
- [PWN College](https://pwn.college/)
- [MALOPS](https://malops.io/) - Malware reverse engineering in CTF format.
- [Nightmare Course (intro to binary exploitation / reverse engineering)](https://guyinatuxedo.github.io/)
- [Comprehensive Reverse Engineering tutorial](https://github.com/mytechnotalent/Reverse-Engineering)
- [Win32API Reverse Engineering tutorial](https://github.com/mytechnotalent/Hacking-Windows)
- [Fuzzy Security](https://fuzzysecurity.com/tutorials.html)
- [Binary Exploitation notes by ir0nstone](https://ir0nstone.gitbook.io/notes/)
- [CTF101 - Binary Exploitation](https://ctf101.org/binary-exploitation/overview/)
- [Reverse Engineering for Everyone](https://0xinfection.github.io/reversing/)
- [Windows x64 Reverse Engineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
- [Linux Exploitation Course](https://github.com/nnamon/linux-exploitation-course)
- [CS6265: Information Security Lab](https://tc.gts3.org/cs6265/2019/tut/)
- [Overview of GLIBC heap exploitation techniques](https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/)
- [Fundamentals of Malware Analysis Course Online For Free tutorial With Certificate](https://www.mindluster.com/certificate/6905)
- [Malware Analysis](https://ost2.fyi/Malware%20Analysis.html), from Open Security Training
- [Dissecting Windows Malware Series](https://8ksec.io/windows-malware-series/)
- [SecTube](https://sectube.tv/), arguably the largest collection of infosec event videos, organised by category:
  - [Binary Exploitation](https://sectube.tv/categories/binary-exploitation)
  - [Malware](https://sectube.tv/categories/malware)
  - [Windows](https://sectube.tv/categories/windows)
  - [Reversing](https://sectube.tv/categories/reverse)

### Evasion / anti-analysis (anti-debugging, anti-virtualization, etc.)

- [The "Ultimate" Anti-Debugging reference](http://pferrie.epizy.com/papers/antidebug.pdf) - [Mirror](https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf)
- [Anti-debugging--a developers view](https://masters.donntu.ru/2011/fknt/barinov/library/antidebugging.pdf)
- [The (Anti-)EDR Compendium](https://blog.deeb.ch/posts/how-edr-works/)
- Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies
- Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware
- Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware
- A Survey of Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web
- Malware Dynamic Analysis Evasion Techniques: A Survey
- Software Protection through Anti-Debugging
- [Anti-Unpacker Tricks](https://pferrie.tripod.com/papers/unpackers.pdf)
- Reverse Engineering Reference Manual - [Anti-analysis chapter](https://github.com/mindsleader/reverse-engineering-reference-manual/blob/master/contents/anti-analysis/anti-analysis.md)
- [The Art of Unpacking](https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf)
- [Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks](https://doi.org/10.1016/j.future.2020.11.004)
- [Defeating Anti-Debugging Techniques for Malware Analysis Using a Debugger](https://www.astesj.com/publications/ASTESJ_0506142.pdf)
- [An evaluation of anti-evasion techniques implemented in malware analysis sandboxes and debuggers](https://www.politesi.polimi.it/retrieve/e8bf6aee-9f9e-46d7-8b8d-911ac2dfbc50/Bova_Salvatore-10499292.pdf)
- [Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware](https://mdbailey.web.engr.illinois.edu/publications/dsn08_final.pdf)
- [A Systematical and longitudinal study of evasive behaviors in windows malware](https://doi.org/10.1016/j.cose.2021.102550)
- [Longitudinal Study of the Prevalence of Malware Evasive Techniques](https://arxiv.org/pdf/2112.11289)

## Other collections, lists or compilations

- [Awesome Malware Techniques](https://github.com/fr0gger/Awesome_Malware_Techniques)
- [Curated List of Malware Analysis Resources](https://github.com/rshipp/awesome-malware-analysis)
- [Malware Analysis Resources](https://gist.github.com/enderdzz/3f630ecd2660ea95e5a2bfba4e45aab6)
- [Malware Analysis Resources](https://github.com/fwosar/malware-analysis-resources)

## Recommended and/or interesting readings

### Reverse engineering

- [Reversing - Secrets of Reverse Engineering](https://repo.zenk-security.com/Reversing%20.%20cracking/Reversing%20-%20Secrets%20Of%20Reverse%20Engineering%20(2005).pdf)
- [Reverse Engineering for Beginners](https://beginners.re/) - [Mirror](https://bdigital.uvhm.edu.mx/wp-content/uploads/2020/07/Reverse-Engineering-for-Beginners.pdf)

### Windows architecture / syscalls

- [Windows API](https://en.wikipedia.org/wiki/Windows_API#Versions)
- [Windows Native API](https://en.wikipedia.org/wiki/Windows_Native_API)
- [ntoskrnl.exe](https://en.wikipedia.org/wiki/Ntoskrnl.exe)
- [Architecture of Windows NT](https://en.wikipedia.org/wiki/Architecture_of_Windows_NT#Executive)
- [System Service Descriptor Table (SSDT)](https://en.wikipedia.org/wiki/System_Service_Descriptor_Table)
- [NTDLL](https://www.geoffchappell.com/studies/windows/win32/ntdll/index.htm?ta=11&tx=4)
- [Native API Functions](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/native.htm)
- [Nt vs. Zw - Clearing Confusion on the Native API](https://www.osronline.com/article.cfm%5earticle=257.htm)
- [A Syscall Journey in the Windows Kernel](https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/)
- Windows Internals:
  - [Part 1: System Architecture, Processes, Threads, Memory Management, and More](https://www.octawian.ro/fisiere/situri/asor/build/html/_downloads/122f95f9a032396603a837c53b125bb8/Russinovich_M_WinInternals_part1_7th_ed.pdf). [Mirror, lower quality](https://empyreal96.github.io/nt-info-depot/Windows-Internals-PDFs/Windows%20System%20Internals%207e%20Part%201.pdf); [Sixth edition, Part 1](https://apprize.best/microsoft/internals/index.html)
  - [Part 2](https://doc.lagout.org/security/Windows%20Internals.pdf); [Sixth edition, Part 2](https://apprize.best/microsoft/internals_1/index.html)
- [Windows Native API: When and why use Zw vs Nt prefixed api calls?](https://stackoverflow.com/questions/4770553/windows-native-api-when-and-why-use-zw-vs-nt-prefixed-api-calls)
- [Using Nt and Zw Versions of the Native System Services Routines](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-nt-and-zw-versions-of-the-native-system-services-routines)
- Inside Windows Debugging: A Practical Guide to Debugging and Tracing Strategies in Windows, by Tarik Soulami.
- [Kernel Karnage](https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/) series, by [cerbersec](https://x.com/cerbersec).

### Related topics

- [PE101: A Windows Executable Walkthrough (64 bits)](https://raw.githubusercontent.com/corkami/pics/refs/heads/master/binary/pe101/pe101-64.svg)
- [Microsoft Portable Executable and Common Object File Format Specification](https://courses.cs.washington.edu/courses/cse378/03wi/lectures/LinkerFiles/coff.pdf)
- [PE Format Layout](https://drive.google.com/file/d/0B3_wGJkuWLytbnIxY1J5WUs4MEk/view?pli=1&resourcekey=0-n5zZ2UW39xVTH8ZSu6C2aQ)
- [The Life of Binaries](https://www.youtube.com/playlist?list=PLUFkSN0XLZ-n_Na6jwqopTt1Ki57vMIc3)
- [PowerShell in Depth](https://apprize.best/microsoft/powershell_1/index.html)