{"id":13705984,"url":"https://github.com/ANSSI-FR/polichombr","last_synced_at":"2025-05-05T17:31:26.378Z","repository":{"id":46752166,"uuid":"60115234","full_name":"ANSSI-FR/polichombr","owner":"ANSSI-FR","description":"Collaborative malware analysis framework","archived":true,"fork":false,"pushed_at":"2019-01-22T13:48:17.000Z","size":3600,"stargazers_count":375,"open_issues_count":21,"forks_count":60,"subscribers_count":38,"default_branch":"dev","last_synced_at":"2024-11-13T13:39:22.947Z","etag":null,"topics":["ida","ida-plugin","idapro","malware-analysis","malware-research","reverse-engineering","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ANSSI-FR.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-05-31T18:54:28.000Z","updated_at":"2024-10-16T02:10:03.000Z","dependencies_parsed_at":"2022-09-24T14:40:31.712Z","dependency_job_id":null,"html_url":"https://github.com/ANSSI-FR/polichombr","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ANSSI-FR%2Fpolichombr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ANSSI-FR%2Fpolichombr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ANSSI-FR%2Fpolichombr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ANSSI-FR%2Fpolichombr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ANSSI-FR","download_url":"https://codeload.github.com/ANSSI-FR/polichombr/tar.gz/refs/heads/dev","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252542252,"owners_count":21764934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ida","ida-plugin","idapro","malware-analysis","malware-research","reverse-engineering","security-tools"],"created_at":"2024-08-02T22:00:50.841Z","updated_at":"2025-05-05T17:31:25.897Z","avatar_url":"https://github.com/ANSSI-FR.png","language":"Python","funding_links":[],"categories":["Storage and Workflow","Tools"],"sub_categories":["Other Resources"],"readme":"# Polichombr\n\n[![Build Status](https://travis-ci.org/ANSSI-FR/polichombr.svg?branch=master)](https://travis-ci.org/ANSSI-FR/polichombr)\n[![Maintainability](https://api.codeclimate.com/v1/badges/b78688130c309307618f/maintainability)](https://codeclimate.com/github/ANSSI-FR/polichombr/maintainability)\n[![Test Coverage](https://api.codeclimate.com/v1/badges/b78688130c309307618f/test_coverage)](https://codeclimate.com/github/ANSSI-FR/polichombr/test_coverage)\n\n## What is Polichombr?\n\nThis tool aim to provide a collaborative malware analysis framework.\n\n## Documentation\n\nA more detailed documentation is placed in the [docs](https://github.com/ANSSI-FR/polichombr/tree/dev/docs) folder\n\n## Features\n* Sample storage and documentation\n* Semi automated malware analysis\n* IDA Pro collaboration\n* Online disassembly\n* Binary matching with the [MACHOC](https://github.com/ANSSI-FR/polichombr/blob/dev/docs/MACHOC_HASH.md) fuzzy hash algorithm\n* Yara matching\n\n## Installation\n\nPlease see the corresponding file in the [docs](https://github.com/ANSSI-FR/polichombr/tree/master/docs) directory\n\n## Example scripts\n\nScripts under the folder [examples](https://github.com/ANSSI-FR/polichombr/tree/master/examples)\npermits some basic actions for a Polichombr instance.\n\n## Screenshots\n\n### Generic sample informations\n\n![screenshot](docs/screenshots/screen_sample_view.png)\n\n### Family/Threat overview\n\n![screenshot](docs/screenshots/screen_family_view.png)\n\n### Online disassembly\n\n![screenshot](docs/screenshots/screen_disass.png)\n\n### Share IDA Pro informations from the WebUI / directly to other users\n\n![screenshot](docs/screenshots/screen_names.png)\n\n### Automated hotpoints detection \n\n![screenshot](docs/screenshots/screen_analyzeit.png)\n\n### Taking notes right from IDA\n\n![screenshot](docs/screenshots/ida_abstract.png)\n\n## Feature documentation\n\n### Malware analysis\n\nPolichombr provides an engine to automate the analysis tasks by identifying\npoints of interest inside the malicious binary, and providing them\nboth on a web interface and inside the analyst's tools via an API.\n\n### Plugins / tasks\n\nAnalysis tasks are loaded from the app/controllers/tasks directory, and must inherit from the Task object.\nIn particular, several tasks are already implemented:\n\n * AnalyzeIt, a ruby script based on metasm, wich is used to identify interesting points in the binary.\n   The goal is to help the analyst by giving hints about where to start. For example,\n   we try to identify crypto loops, functions wich calls sensitive API (file, process, network, ...)\n\n * Peinfo : We load the PE metadata with the peinfo library.\n * Strings : extract ASCII and Unicode strings\n\n### Signatures\n\nWe use several signature models to classify malware:\n\n * Yara\n * imphash\n * Machoc\n\n### Machoc\n\nMachoc is a CFG-based algorithm to classify malware.\nFor more informations, please refer to the following documentation:\n * [Formal description](https://github.com/ANSSI-FR/polichombr/blob/dev/docs/MACHOC_HASH.md)\n * [Originating paper](https://www.sstic.org/media/SSTIC2016/SSTIC-actes/demarche_d_analyse_collaborative_de_codes_malveill/SSTIC2016-Article-demarche_d_analyse_collaborative_de_codes_malveillants-chevalier_le-berre_pourcelot.pdf)\n\n### IDA Collaboration: Skelenox\n\nThis is an IDAPython plugin, wich is used to synchronize the names and comments\nwith the knowledge base, and with other users database\n\n## Contributing\n\nContributions are welcome, so please read [CONTRIBUTING.md](https://github.com/ANSSI-FR/polichombr/blob/master/CONTRIBUTING.md)\nto have a quick start on how to get help or add features in Polichombr\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FANSSI-FR%2Fpolichombr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FANSSI-FR%2Fpolichombr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FANSSI-FR%2Fpolichombr/lists"}