learn-to-code#ABI
learn-to-code#Assembly
Reverse Engineering - Computerphile - YouTube
Quarkslab's blog - Reverse-Engineering
Low Level Learning
Reverse Engineering Adventures - YouTube
reverse engineering makes you a better programmer (let’s try it out) - YouTube
Binary Analysis/Malware Analysis/Reverse Engineering
Malpedia (Fraunhofer FKIE)
rshipp/awesome-malware-analysis: A curated list of awesome malware analysis tools and resources.
"Reverse Engineering for Beginners" free book source
Reverse Engineering 101 - Reverse Engineering - 0x00sec - The Home of the Hacker
Reverse engineering visual novels 101 – Hacker Noon
Reverse engineering visual novels 101, part 2 – Hacker Noon
Intro to Game Hacking: DEFCON 32 - YouTube
Level Up Your Reverse Engineering Skills – Angular In Depth
Practical application of reverse-engineering guidelines and principles
Compiler Explorer check disassembled code for various languages
John Hammond
Binary Exploitation Deep Dive: Return to LIBC (with Matt) - YouTube pwninit, patchelf, gdb+gef, Ghidra
Google CTF - BEGINNER Reverse Engineering w/ ANGR - YouTube
Malware - YouTube
Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS - YouTube
Intel® XED
intelxed/xed: x86 encoder decoder
io12/pwninit: pwninit - automate starting binary exploit challenges
angr
angr/angr: A powerful and user-friendly binary analysis platform!
CyberChef
gchq/CyberChef: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
010 Editor - Pro Text/Hex Editor | Edit 250+ Formats | Fast & Powerful | Reverse Engineering
010 Editor - Script Repository - Download Scripts
Vaughan Hilts - Experimentation with Reverse Engineering - Trails in the Sky (FC / SC) Extracting Sprite Data w/ Unix Tools & Kaitai Struct
Introduction · Radare2 Book
Reverse Engineering A Modern IP Camera | Hackaday
Reverse Engineering Shimano Bike Electronics | Hackaday
Unpatchable 0-day in surveillance cam is being exploited to install Mirai | Ars Technica
this is extremely frustrating... - YouTube IP Camera firmware, binwalk, jffs2
KOVTER Malware Analysis - Fileless Persistence in Registry - YouTube
- loading another user's HKCU (NTUSER.dat)
- shellcode, speakeasy
cojocar/bin2llvm: A binary to LLVM translator
Trail of Bits
lifting-bits/remill: Library for lifting machine code to LLVM bitcode
lifting-bits/anvill: anvill forges beautiful LLVM bitcode out of raw machine code uses Remill
lifting-bits/mcsema: Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode 🗃️archived, uses Remill
lifting-bits/vmill 🗃️archived, uses Remill
lifting-bits/rellic: Rellic produces goto-free C output from LLVM bitcode
Magnifier: An Experiment with Interactive Decompilation | Trail of Bits Blog
trailofbits/magnifier 🗃️archived, uses Rellic
IDA
EVERYONE in Cyber Security Should Understand Reversing (its EASY) - YouTube ❗!important, C calling convention
Ghidra
Ghidra
NationalSecurityAgency/ghidra: Ghidra is a software reverse engineering (SRE) framework
lifting-bits/sleigh: Unofficial CMake build for Ghidra SLEIGH
Auditing system calls for command injection vulnerabilities using Ghidra's PCode - YouTube Python integration
How Ghidra changed my life - Chris Eagle - YouTube
Getting Started Reversing C++ Objects with Ghidra - YouTube
HackadayU: Reverse Engineering with Ghidra Class 1 - YouTube
Ghidra - Journey from Classified NSA Tool to Open Source - YouTube
Reversing WannaCry - YouTube
Hopper Disassembler
Shellcode
Shellcode - Wikiwand
What is shellcode and how is it used? | TechTarget
Emulation of Malicious Shellcode With Speakeasy | Mandiant
mandiant/speakeasy: Windows kernel and user mode emulation.
Cutter
ELF
Executable and Linkable Format - Wikiwand
Global Offset Table - Wikiwand
Making our own executable packer
In-depth: ELF - The Extensible & Linkable Format - YouTube
No really, how does Linux run executables? - YouTube
elf: format of Executable and Linking Format (ELF) files | File Formats | Man Pages | ManKier
vdso: overview of the virtual ELF dynamic shared object | Miscellanea | Man Pages | ManKier
ld.so: dynamic linker/loader | System Administration | Man Pages | ManKier
ELF - A Common Lisp library for manipulating ELF files
GrammaTech/elf: A Common Lisp library for manipulating ELF files
Understanding the ELF specimen | Packt Hub
readelf <binary>
objdump -d -Mintel <binary>
Windows
PE format
Portable Executable - Wikiwand
Libpe - a Fast PE32/PE32+ Parsing Library.
evilsocket/libpe: A C/C++ library to parse Windows portable executables written with speed and stability in mind.
gdabah/distorm: Powerful Disassembler Library For x86/AMD64
Home · gdabah/distorm Wiki
trailofbits/pe-parse: Principled, lightweight C/C++ PE parser
pe-parse/pepy at master · trailofbits/pe-parse
Winitor pestudio
pestudio-features.pdf compute entropy, string extraction
PeStudio Overview: Setup, Tutorial and Tips
Exeinfo PE for Windows - Download it from Uptodown for free detect packing
C Sharp
I show you how to Crack a .NET Application (3 clicks) - DEV Community
dnSpy/dnSpy: .NET debugger and assembly editor
Decompiling C# by Example with Cracknet | Codingo
Kani Web decompiler
icsharpcode/ILSpy: .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
Debugging a .NET assembly without the source code with Visual Studio - Meziantou's blog
ildasm.exe disassembler
Java
mstrobel/procyon: Procyon is a suite of Java metaprogramming tools, including a rich reflection API, a LINQ-inspired expression tree API for runtime code generation, and a Java decompiler.
Java Decompiler · mstrobel/procyon Wiki
Java Decompiler
Java Decompiler
Parsing Java Bytecode with Python - YouTube 2:25:53
Android
Apktool | Apktool
iBotPeaches/Apktool: A tool for reverse engineering Android apk files
skylot/jadx: Dex to Java decompiler
pxb1988/dex2jar: Tools to work with android .dex and java .class files
Java Decompiler
java-decompiler/jd-gui: A standalone Java Decompiler GUI
jd-wrapper/jd-cli: JD-CLI, a standalone command line Java sources from CLASS files
intoolswetrust/jd-cli: Command line Java Decompiler
ChickenHook/Anubis-pandemidestek: Anubis malware variant for turkish market - full analysis - SHA256: 231d970ea3195b3ba3e11e390b6def78a1c8eb5f0a8b7dccc0b4ec4aee9292ec
Reverse Engineering of the Anubis Malware - "pandemistek" – intended for the Turkish market – AndroidReverse
Reverse Engineering of the Anubis Malware — Part 1 | by Elliot Alderson | Medium
Infection and removal of Android Malware that uses Accessibility services - YouTube
Android Applications Reversing 101
r0ysue/AndroidSecurityStudy: Android application security study
Writing your first Frida script for Android | Cognisys Labs
Objection Tutorial | HackTricks
sensepost/objection: 📱 objection - runtime mobile exploration patch APK to include Frida
Three Ways to Hack Mobile Apps - YouTube jadx, Frida+Objection, apktool+smali
Frida unpacking, automation, objection, Wallbreaker plugin, fridaUiTools - CSDN blog
Wasm
What’s in that .wasm? Introducing: wasm-decompile · V8
Dynamic Analysis
ANY.RUN - Interactive Online Malware Sandbox
Exploring the Latest Malware Samples - YouTube
- MITRE ATT&CK labels
- Malware report
Frida
Frida • A world-class dynamic instrumentation toolkit | Observe and reprogram running programs on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX
frida/frida: Clone this repo to build Frida
JavaScript API | Frida • A world-class dynamic instrumentation toolkit
Go API | Frida • A world-class dynamic instrumentation toolkit
Frida CodeShare
rsenet/FriList: Collection of useful FRIDA Mobile Scripts
TheBountyBox/Awesmoe-Frida-Scripts: A collection of Awesome Frida Scripts for MAPT
0xdea/frida-scripts: A collection of my Frida.re instrumentation scripts to facilitate reverse engineering of mobile apps.
Tracing arbitrary Methods and Function calls on Android and iOS | @Mediaservice.net Technical Blog
federicodotta/Brida: The new bridge between Burp Suite and Frida!
Kernel Monitor/Sandbox
Process Monitor - Windows Sysinternals | Microsoft Docs
Ghetto Forensics: Noriben - The Portable Sandbox System
Rurik/Noriben: Noriben - Portable, Simple, Malware Analysis Sandbox
Fibratus
rabbitstack/fibratus: Tool for exploration and tracing of the Windows kernel
Fibratus Video Teaser – Rabbit Stack run filter or Python filaments
Fibratus Teaser - YouTube
ReClass.NET
ReClassNET/ReClass.NET: More than a ReClass port to the .NET platform.
Reclass Tutorial - ReClass.NET - How To Reverse Structures - YouTube
gdb
nakst/gf: A GDB frontend for Linux.
cyrus-and/gdb-dashboard: Modular visual interface for GDB in Python
hugsy/gef: GEF (GDB Enhanced Features) - a modern experience for GDB with advanced debugging capabilities for exploit devs & reverse engineers on Linux
GEF - GDB Enhanced Features documentation
USB Protocol
USB Reverse Engineering: A Universal Guide | Hackaday
USB Reverse Engineering: Down the rabbit hole | /dev/alias – Hack. Dev. Transcend.
Reverse engineering a USB device with Rust | Harry Gill
mygnu/rcue: Corsair H150i PRO, usb userspace driver
27c3: USB and libusb (en) - YouTube
28c3: Reverse Engineering USB Devices - YouTube
Debugging Usually Slightly Broken (USB) Devices and Drivers - Krzysztof Opasiak, Samsung - YouTube