analyzers.yml
176 lines (160 loc) · 7 KB
defaults:
  maintained: true
  status: info
BE-PUM:
  author: Dr. Nguyen Minh Hai
  description: BE-PUM (Binary Emulation for PUshdown Model) is a project for analyzing and detecting binary files. Its main focus is on generating the CFG (Control Flow Graph) of malware. The project was started in 2013 and is managed by Dr. Nguyen Minh Hai, HoChiMinh University of Technology.
  formats:
    - PE
  references:
    - https://link.springer.com/chapter/10.1007/978-3-319-69456-6_8
    - https://dl.acm.org/doi/10.1145/3151137.3160687
  source: https://github.com/NMHai/BE-PUM
Capa:
  author: Mandiant
  description: FLARE team's open-source tool to identify capabilities in executable files.
  formats:
    - All
  install:
    - wget: https://github.com/mandiant/capa:latest{linux}
    - unzip: $OPT/capa
    - ln: $OPT/capa/capa
    - git: https://github.com/mandiant/capa-rules $OPT/capa/rules
  source: https://github.com/mandiant/capa
ClamScan:
  description: ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
  formats:
    - ELF
    - PE
  install:
    - apt: clamav
    - exec: sudo freshclam
  source: https://www.clamav.net
  status: ok
Exeinfo_PE:
  description: Exeinfo PE is a program that lets you verify .exe files and check out all their properties. You can also change the file name, directly open the .exe, or simply delete it. It also reports the exact size and the entry point. In short, you can access dozens of different options to edit any Windows executable file.
  formats:
    - PE
  source: https://exeinfo-pe.fr.uptodown.com/windows
F-Prot:
  comment: CYREN, which bought F-Prot, has discontinued the product; signature updates stopped on 31 July 2021.
  description: F-PROT Antivirus products are easy to use, reliable and demand little of the user's system resources. With their combined speed and reliable detection methods, F-PROT Antivirus products are the ideal computer security solution for home users.
  formats:
    - All
  install:
    - untar: $OPT
    - cd: $OPT/f-prot/
    - exec:
        - sudo ./install-f-prot.pl
        - sudo mv /usr/local/bin/fpscan $BIN/f-prot
        - sudo chown user $BIN/f-prot
  maintained: false
  references:
    - https://web.archive.org/web/20200711092511/http://www.f-prot.com/products/home_use/linux
    - https://sebsauvage.net/wiki/doku.php?id=fprot-linux
  source: https://web.archive.org/web/20190308154044/http://files.f-prot.com/files/unix-trial/fp-Linux.x86.64-ws.tar.gz
  status: ok
GetTyp:
  author: PHaX
  description: GetTyp is a file format detection program for DOS. It detects several formats without looking at the filename. It searches the code for special strings and byte code to identify the file format.
  formats:
    - MSDOS
    - PE32
  install:
    - unzip: $OPT/gettyp
    - ln: $OPT/gettyp/gt.sh
  maintained: false
  references:
    - https://www.helger.com/gt/gt.htm
  source: https://defacto2.net/f/aa2e6ec
  status: ok
  version: <output>
NPEFileAnalyzer:
  comment: PEiD-like detection.
  description: NPE File Analyzer is a utility that allows users to view and edit 32-bit and 64-bit Portable Executable (PE) files, such as .EXE, .DLL and .SYS files. This tool provides functions for inspecting unknown binaries; you can analyze sections, resources, import and export tables, relocations, the TLS table, and much more. It has a built-in process manager to analyze running processes and loaded modules.
  formats:
    - PE
  source: https://www.novirusthanks.org/products/npe-file-analyzer/
PE-Bear:
  description: PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” for malware analysts, stable and capable of handling malformed PE files.
  formats:
    - PE
  source: https://github.com/hasherezade/pe-bear-releases
PEdump:
  description:
  formats:
    - PE
  install:
    - git: https://github.com/zed-0xff/pedump
    - gem: pedump
  source: https://github.com/zed-0xff/pedump
  status: ok
PEscan:
  description: pescan is a command-line tool to scan Portable Executable (PE) files to identify how they were constructed.
  formats:
    - MSDOS
    - PE
  references:
    - https://tzworks.com/prototype_page.php?proto_id=15
    - https://www.aldeid.com/wiki/Pescan
  source: https://tzworks.com/prototypes/pescan/pescan64.v.0.60.lin.tar.gz
  status: commercial
PETools:
  description: PE Tools lets you actively research PE files and processes. A Process Viewer and a PE file Editor, Dumper, Rebuilder, Comparator and Analyzer are included. PE Tools is an old-school reverse engineering tool with a long history since 2002. PE Tools was initially inspired by LordPE (yoda).
  formats:
    - PE
  install:
    - wget: https://github.com/petoolse/petools:latest
    - un7z: $OPT/petools
    - chmod: PETools.exe
  source: https://github.com/petoolse/petools
  status: gui
PortEx:
  author: Karsten Philipp Boris Hahn
  description: Java library to analyse Portable Executable files with a special focus on malware analysis and robustness against PE malformations.
  formats:
    - MSDOS
    - PE
  install:
    - wget: https://github.com/struppigel/PortEx:latest
    - exec: mv $TMP/portex.jar $OPT/
    - java: $OPT/portex.jar
  license: apache-2.0
  source: https://github.com/katjahahn/PortEx
  status: ok
  version: <output>
ProgramExecutableAnalyzer:
  author: Maurice Lambert
  description: This script analyzes MZ-PE (MS-DOS) executable files.
  formats:
    - PE
  install:
    - pip: ProgramExecutableAnalyzer
    - exec: mv $LOC/bin/ProgramExecutableAnalyzer.py $LOC/bin/program-executable-analyzer
  source: https://github.com/mauricelambert/ProgramExecutableAnalyzer
  status: ok
TrID:
  author: M. Pontello
  description: TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard-coded logic, TrID has no fixed rules. Instead, it's extensible and can be trained to recognize new formats in a fast and automatic way. It has many uses, such as identifying what kind of file was sent to you via e-mail, aiding in forensic analysis, supporting file recovery, etc. TrID uses a database of definitions which describe recurring patterns for supported file types.
  formats:
    - All
  install:
    - unzip: $OPT/trid
    - ln: $OPT/trid/trid
    - ln: $OPT/trid/tridupdate tridupdate
  source: https://mark0.net/soft-trid-e.html
  status: ok
Unix_File:
  comment: This tool is a file analyzer and is only able to detect well-known compressors such as UPX, PEtite or PECompact.
  description: "file tests each argument in an attempt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic tests, and language tests. The first test that succeeds causes the file type to be printed."
  formats:
    - All
  install:
    - apt: file
  references:
    - https://linux.die.net/man/1/file
    - https://man.openbsd.org/file.1
    - https://pubs.opengroup.org/onlinepubs/9699919799/utilities/file.html
    - https://man.netbsd.org/libmagic.3
  source: https://launchpad.net/ubuntu/+source/file
  status: ok