ma-resources

Youtube channels:

• Colin Hardy: https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg
• OALabs: https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg
• MalwareAnalysisForHedgehogs: https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A
• 0xf0x: https://www.youtube.com/channel/UCCnZXAoXRb6GDLjuFo0dmIg
• DissectMalware: https://www.youtube.com/channel/UClshOnMPENbBSAG3KNRnlHw
• Guided Hacking: https://www.youtube.com/channel/UCCMi6F5Ac3kQDfffWXQGZDw
• Honeynet Project: https://www.youtube.com/channel/UCudh0pRD6Fniu9X2hasGK8w
• Josh Stroschein: https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA
• maddiestone: https://www.youtube.com/channel/UCTbTMfVyCfs9p8SPsi3xEZQ
• PacketBomb : https://www.youtube.com/channel/UC6lijopn1t2ETukUSLDDqMA
• Rezky Wulandari: https://www.youtube.com/channel/UC3Z6Aus0YnD6GgRWH-eKzKA
• Sean Gambles: https://www.youtube.com/c/s3anuk/videos
• webpwnized: https://www.youtube.com/channel/UCPeJcqbi8v46Adk59plaaXg
• hasherezade: https://www.youtube.com/channel/UCNWVswPNgn5kutPNa5sprkg
• Lukas Stefanko: https://www.youtube.com/channel/UCg08SXtXlfADk4yAODpShfQ
• Paul Chin: https://www.youtube.com/channel/UCuQbZ4Uv3ecBHsbFhd2BjIw
• Ring Zero Labs: https://www.youtube.com/channel/UCTZCTzlZQF_7WnouKc-Ym_Q
• KirbiflinTV: https://www.youtube.com/channel/UCKnHdBvDXj9Zl15g28XwqMQ

Books:

• Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code: https://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software: https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory: https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098
• The Ghidra Book: The Definitive Guide: https://www.amazon.com/Ghidra-Book-Definitive-Guide

RSS feeds:

• OA LABS: https://oalabs.openanalysis.net/rss/
• Noah. 的 Twitter: https://rsshub.app/twitter/user/_qaz_qaz?
• herrcore 的 Twitter: https://rsshub.app/twitter/user/herrcore
• sean 的 Twitter: https://rsshub.app/twitter/user/seanmw
• MalwareHunterTeam 的 Twitter: https://rsshub.app/twitter/user/malwrhunterteam
• Colin Hardy 的 Twitter: https://rsshub.app/twitter/user/cybercdh
• nullteilerfrei: https://blag.nullteilerfrei.de/feed/
• malwology: https://malwology.com/feed/
• 0xEvilC0de.com: https://feeds.feedburner.com/0xevilc0de
• Infosec for Breakfast: https://pwnage.io/feed.xml
• Objective-See's Blog: https://objective-see.com/rss.xml
• MalwareBytes Labs: https://blog.malwarebytes.com/feed/
• bl4ckh0l3z: https://twitter.com/bl4ckh0l3z

Sites/blogs:

• Dynamic Malware Analysis in the Modern Era—A State of the Art Survey: https://dl.acm.org/doi/fullHtml/10.1145/3329786
• Phrack: http://www.phrack.org/
• MalwareTech: https://www.malwaretech.com/
• Daring Joker: https://daringjoker.wordpress.com/
• WeLiveSecurity: https://www.welivesecurity.com/category/malware/
• Andrea Fortuna's Blog: https://www.andreafortuna.org/category/cybersecurity
• SentinelOne: https://labs.sentinelone.com/
• CLARK: https://clark.center/
• Security In Bits: https://www.securityinbits.com/
• Malware Traffic Analysis: https://www.malware-traffic-analysis.net/
• hasherezade's 1001 nights: https://hshrzd.wordpress.com/ (https://speakerdeck.com/hshrzd)
• Tuts 4 You: https://forum.tuts4you.com/
• MalwareBytes: https://blog.malwarebytes.com/category/threat-analysis/
• MalwareTips Community: https://malwaretips.com/
• PC Matic Malware Research's on TechTalk: https://techtalk.pcmatic.com/2017/10/04/debugging-unpacking-malicious-software/
  https://techtalk.pcmatic.com/2017/11/29/unpacking-malware-part-2-reconstructing-import-address-table/
  https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
  https://techtalk.pcmatic.com/2017/09/24/all-about-hooking/
• VX Underground: https://vxug.fakedoma.in
  https://github.com/vxunderground/
• LifeInHex: https://lifeinhex.com/
• Fumik0_'s box: https://fumik0.com/

Datasets:

• Kaggle: https://www.kaggle.com/search?q=malware

Emulation:

• Binee: https://github.com/carbonblack/binee
• Qiling: https://www.qiling.io/

Cheat-sheets:

• Tips for Reverse-Engineering Malicious Code: https://zeltser.com/media/docs/reverse-engineering-malicious-code-tips.pdf
• Malware Analysis and Reverse-Engineering Cheat Sheet: https://zeltser.com/media/docs/malware-analysis-cheat-sheet.pdf
• Nmap Cheat Sheet: https://cdn.comparitech.com/wp-content/uploads/2019/06/Nmap-Cheat-Sheet-1.jpg
• Microsoft Win32 API: https://docs.microsoft.com/en-us/windows/win32/api/

Anti RE:

• Anti-Debug Tricks: https://anti-debug.checkpoint.com
• Anti-Reversing: https://www.anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf

Xor:

• Known Plain Text Attack: http://jon.glass/blog/Unxoring-a-rat/
• UnXor left to right vs right to left: https://gitlab.com/antonio.godinho/ma-locky-simple/-/snippets/2022587

RE CTFs:

• MalwareTech Beginner Malware Reversing Challenges: https://www.malwaretech.com/beginner-malware-reversing-challenges
• Cracks: https://crackmes.one/
• A reversing tutorial for newbies by lena151: https://www.youtube.com/playlist?list=PLcFUp5WYCxVYeR7AgsmjzGW6PjamaY6JO
• Beginner Malware Reversing Challenges: https://www.malwaretech.com/beginner-malware-reversing-challenges

Training:

• FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques: https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques
• GIAC Reverse Engineering Malware (GREM): https://www.giac.org/certification/reverse-engineering-malware-grem

Free Training:

• Fortinet: https://www.fortinet.com/training/cybersecurity-professionals
• PortSwigger: https://portswigger.net/web-security
• OPEN SECURITY TRAINING.INFO: http://opensecuritytraining.info/Training.html
• Malware Analysis - CSCI 4976: https://github.com/RPISEC/Malware
• Modern Binary Exploitation - CSCI 4968: https://github.com/RPISEC/MBE

Mobile:

• adb tools: https://developer.android.com/studio/releases/platform-tools
• Genymotion: https://www.genymotion.com/fun-zone
• dex2jar: https://github.com/pxb1988/dex2jar
• MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF
• apktool: https://ibotpeaches.github.io/Apktool/
• Frida: https://frida.re/docs/android/

ELK:

• ELK (Setup on Ubuntu 20.04): https://gitlab.com/-/snippets/2001211

Others:

• MIASM: https://github.com/cea-sec/miasm (example: https://github.com/eset/malware-research/blob/master/chachaddos/decrypt_second_stage.py)

Reports/ Research Papers:

• ESET Threat Report Q22020: https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
• Growth and Commoditization of Remote Access Trojans: https://static1.squarespace.com/static/59f343f3c027d8a07cc2f2a0/t/5f6486df9680f86a6fcf487d/1600423648304/WACCO_2020-VALEROS-GARCIA.pdf
• Reverse Engineering for Beginners: https://beginners.re/RE4B-EN.pdf (Code: https://beginners.re/src/, Challenges: https://challenges.re/)

Firmware:

• UEFI: https://labs.sentinelone.com/moving-from-common-sense-knowledge-about-uefi-to-actually-dumping-uefi-firmware/

Others:

• Honeynet: https://www.honeynet.org/
• Mitre ATT&CK: https://attack.mitre.org/
• JPMinty Mitre ATT&CK MindMaps: https://raw.githubusercontent.com/JPMinty/MindMaps/master/MITRE%20ATT%26CK/PNG/MITRE%20ATT%26CK%20March%202020%20-%20Dark.png
• Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• ASCII Table: https://www.profdavis.net/ascii_table.pdf

Awesome list:

• Awesome Machine Learning for Cyber Security: https://github.com/jivoi/awesome-ml-for-cybersecurity
• Awesome Cybersecurity Blue Team: https://github.com/fabacab/awesome-cybersecurity-blueteam
• Free_CyberSecurity_Professional_Development_Resources: https://github.com/gerryguy311/Free_CyberSecurity_Professional_Development_Resources
• Awesome Incident Response: https://github.com/meirwah/awesome-incident-response
• Awesome Infosec: https://github.com/onlurking/awesome-infosec
• My Infosec Awesome: https://github.com/pe3zx/my-infosec-awesome
• InfoSec-Resources4All: https://github.com/DoGByTe-ZN/infosec-resources4all
• Awesome Social Engineering: https://github.com/v2-dev/awesome-social-engineering
• Information security / Hacking for noobs: https://github.com/tkisason/getting-started-in-infosec
• Awesome Malware Analysis: https://github.com/rshipp/awesome-malware-analysis

Programming Language Specifications/helpers:

Topic	Subject	Resource
Assembler	- General	PC Assembly Language Paul A. Carter The Art of Assembly Language Intel Assembler 80186 and higher Windows Assembly Language & Systems Programming
Javascript	- Specification	ECMAScript® 2020 Language Specification

Assembly Knowledge Resources:

• Jasmin - Practice Assembly
• Using Jasmin to Run x86 Assembly Code
• Compiler Explorer
• (Small list) 80x86 Instructions
• YASM
• SensePost crash course in x86 assembly

Topic	Subject	Resource
Introduction	- How a processor works - Introduction to Assembly - Arquitecture - Convertion (Binary, Decimal, Hexadecimal) - Characters	01 - Introduction to Assembly
Registers	- Registers - Flags - Virtual Memory - Paging - Interrupts	02 - Registers and Components of the CPU Skull security - Registers
Mnemonics	- Assembly Mnemonics - Operands - Instructions - Deirectives, define, data directives and Identifiers - Exercises	04 - Assembly Mnemonics Paul A Carter - PC Assembly Language Paul A Carter Github
Registers Sizes	- Positive number - Negative number - Zero Extend - Sign Extend	08 - Sign Extension
Control Structure	- Compare - Branching	10 - Conditionals

File Formats:

• http://kaitai.io/
• https://ide.kaitai.io/

Topic	Subject	Resource
Portable Executable	- PE	Portable Executable File Format – A Reverse Engineer View PE 101 PE101 - Light Malware Theory - Basic Structure of PE Files Malware Theory - Memory Mapping of PE Files Malware Theory - Portable Executable Resources Malware Theory - PE Malformations and Anomalies corkami pocs

Exploits:

Topic	Subject	Resource
Shellcode	- Shellcode - Buffer overflow	Shellcoding - Modern Binary Exploitation CSCI 4968 - Spring 2015 Sophia D’Antoine Lab: ARM Assembly ShellcodeFrom Zero to ARM Assembly Bind Shellcode Buffer Overflow Attack - Computerphile Shellcoding in Linux From a C project, through assembly, to shellcode
DLL Injection	- Reflective DLL Injection	Reflective DLL Injection By Stephen Fewer
Race conditions	- Exploit race conditions	Secure Coding in C and C++ Race Conditions

Threat Hunting:

• TH Playbook
• MISP
• MISP user documentation
• MISP Virtual Machines
• The Hive
• The Hive - Cortex
• OpenCTI

Open Source Intelligence:

Subject	Resource
Network	Robtex CentralOps
Devices	Shodan
White/Black lists	Spamhaus URLhaus
General	Malpedia MalwareWorld ThreatMiner
Sandbox	Hybrid Analysis AlienVault - Open Threat Exchange

Virtual Machines:

• REMnux: A Linux Toolkit for Malware Analysis: https://remnux.org/
• Flare-VM: https://github.com/fireeye/flare-vm

Hardening VM:

• Byte Atlas: https://byte-atlas.blogspot.com/2017/02/hardening-vbox-win7x64.html
• PAFish: https://github.com/a0rtega/pafish
• Amtivmdetection: https://github.com/nsmfoo/antivmdetection (Prowling blog: https://blog.prowling.nu/2013/08/modifying-virtualbox-settings-for.html)
• VBoxHardenedLoader: https://github.com/hfiref0x/VBoxHardenedLoader

Tools (Windows Analysis machine):

Name	URL
7zip	https://www.7-zip.org/download.html
BareTail	https://baremetalsoft.com/baretail/
CyberChef	https://github.com/gchq/CyberChef/releases
x64dbg	https://sourceforge.net/projects/x64dbg/files/latest/download - Plugin OllyDumpEx: https://low-priority.appspot.com/ollydumpex/#download - Plugin xAnalyzer x86x64: https://github.com/ThunderCls/xAnalyzer/releases/ - Plugin ScyllaHide: https://github.com/x64dbg/ScyllaHide/releases
de4dot	https://github.com/de4dot/de4dot
Detect It Easy (die)	https://github.com/horsicq/DIE-engine/releases
DLL_to_EXE	https://github.com/hasherezade/dll_to_exe/releases
dnSpy	https://github.com/dnSpy/dnSpy/releases
Ghidra (64 Bits)	https://github.com/NationalSecurityAgency/ghidra/releases - BinDiff: https://www.zynamics.com/software.html - Setup BinDiff with Ghidra: https://github.com/ubfx/BinDiffHelper & https://github.com/google/binexport - Create Ghidra scripts: https://nuculabs.dev/2019/10/13/ghidra-scripting-annotating-linux-system-calls/ - Community https://gist.github.com/adulau/a3a0eefb7828d52747a9d247a82eeeef
HxD	https://mh-nexus.de/en/downloads.php?product=HxD20
hollows_hunter	https://github.com/hasherezade/hollows_hunter/releases Video: https://www.youtube.com/watch?v=rH4XzNwgVoo https://www.youtube.com/watch?v=-QgMDtVRAzM
IDA Freeware (64 Bits)	https://www.hex-rays.com/products/ida/support/download_freeware/ - IDA 7 Freeware Linux fix: https://github.com/WqyJh/qwingraph_qt5
NetworkMiner	https://www.netresec.com/?download=NetworkMiner
Notepad++	https://notepad-plus-plus.org/downloads/
PEBear	https://github.com/hasherezade/pe-bear-releases/releases
Quassel	https://quassel-irc.org/downloads
Resource Hacker	http://angusj.com/resourcehacker/#download
UniExtract2	https://github.com/Bioruebe/UniExtract2/releases
WinMerge	https://winmerge.org/downloads/?lang=en
AlternateStreamView	https://www.nirsoft.net/utils/alternate_data_streams.html
AutoRuns	https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Burp Suite	https://portswigger.net/burp/communitydownload
bytecode-viewer	https://github.com/Konloch/bytecode-viewer/releases
capa	https://github.com/fireeye/capa/releases
CSVFileView	https://www.nirsoft.net/utils/csv_file_view.html
DLL Export Viewer	https://www.nirsoft.net/utils/dll_export_viewer.html
DriverView	https://www.nirsoft.net/utils/driverview.html
Exeinfo PE	http://exeinfo.xn.pl/
Floss	https://github.com/fireeye/flare-floss/releases
HashMyFiles	https://www.nirsoft.net/utils/hash_my_files.html
iText RUPS	https://github.com/itext/i7j-rups/releases
jpexs-decompiler	https://github.com/jindrapetrik/jpexs-decompiler/releases - Flash utilities: https://www.adobe.com/support/flashplayer/debug_downloads.html (Download Flash Player projector content debugger, Flash Player projector and PlayerGlobal.swc)
MegaDumper	https://github.com/CodeCracker-Tools/MegaDumper
Netcat (Windows version)	https://eternallybored.org/misc/netcat/
pe_to_shellcode	https://github.com/hasherezade/pe_to_shellcode/releases
Process Monitor	https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Process Dump	http://split-code.com/processdump.html
PortEx	https://github.com/katjahahn/PortEx/releases
Process Explorer	https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer - Windows Processes: https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
RawCap	https://www.netresec.com/?page=RawCap
RegShot	https://sourceforge.net/projects/regshot/files/latest/download
SearchMyFiles	https://www.nirsoft.net/utils/search_my_files.html
SSView	https://www.mitec.cz/ssv.html
Windows Strings	https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Sysmon	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
TaskSchedulerView	https://www.nirsoft.net/utils/task_scheduler_view.html
tiny_tracer	https://github.com/hasherezade/tiny_tracer/releases (TAG usage with PEBear @ 7:44) https://www.youtube.com/watch?v=pZW_BAO8EJ8 (Usage) https://www.youtube.com/watch?v=-YVrU4-507A
WMI Code Creator	https://www.microsoft.com/en-us/download/details.aspx?id=8572
Yara	https://github.com/VirusTotal/yara/releases

Extra Tools (Analysis machine):

Name	URL
PAFish	https://github.com/a0rtega/pafish/releases
NPCap	https://nmap.org/npcap/
Wireshark	https://www.wireshark.org/download.html
DevManView	https://www.nirsoft.net/utils/device_manager_view.html
VolumeID	https://docs.microsoft.com/en-us/sysinternals/downloads/volumeid

Tools (Linux Gateway machine):

Name	URL
Avalonia ILSpy	https://github.com/icsharpcode/AvaloniaILSpy
Volatility	git clone https://github.com/volatilityfoundation/volatility3.git Volatility 3: https://github.com/volatilityfoundation/volatility3/ Volatility 2: https://www.volatilityfoundation.org/ Volatility docs Symbols for Windows Symbols for Mac Symbols for Linux Volatility Cheat Sheet
Wireshark	Ubuntu PPA: https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable Wireshark Wiki MaxMind GeoIP DB setup
Yara	sudo apt install yara Yara Rules Yara documentation (ReadTheDocs) Didier Stevens's rules Neo23x0 YARA Performance Guidelines [David Bernal Detecting malicious files with YARA rules as they traverse the network](https://i.blackhat.com/USA-19/Wednesday/

Honeypots:

Name	URL
Installing T-Pot Honeypot Framework in the Cloud	https://www.stratosphereips.org/blog/2020/10/10/installing-t-pot-honeypot-framework-in-the-cloud https://github.com/telekom-security/tpotce https://github.com/armedpot/honeytrap/

Unpacking:

Name	URL
Unpacking ISFB (including the custom 'PX' format)	https://www.youtube.com/watch?v=KvOpNznu_3w Unpackers

Boilerplate (up for investigation):

• https://koodous.com
• https://github.com/JPMinty/theZoo
• https://bitbucket.org/kao/myauttoexe/src/master/
• http://infocon.hackingand.coffee/
• https://hshrzd.wordpress.com/how-to-start/
• https://mitmproxy.org/
• https://www.youtube.com/playlist?list=PLhx7-txsG6t6n_E2LgDGqgvJtCHPL7UFu
• https://beta.virusbay.io/
• https://tracker.fumik0.com/learning