{"id":13683241,"url":"https://github.com/alichtman/malware-techniques","last_synced_at":"2025-08-20T22:14:43.459Z","repository":{"id":111159881,"uuid":"182271978","full_name":"alichtman/malware-techniques","owner":"alichtman","description":"A collection of techniques commonly used in malware to accomplish core tasks.","archived":false,"fork":false,"pushed_at":"2019-06-15T02:27:10.000Z","size":383,"stargazers_count":84,"open_issues_count":15,"forks_count":8,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-06-17T23:03:12.838Z","etag":null,"topics":["linux","macos","malware","malware-analysis","malware-development","malware-research","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alichtman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-04-19T13:52:21.000Z","updated_at":"2025-04-26T23:31:01.000Z","dependencies_parsed_at":null,"dependency_job_id":"e5345b8b-df94-4a9a-9172-82f3bacf6a43","html_url":"https://github.com/alichtman/malware-techniques","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/alichtman/malware-techniques","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fmalware-techniques","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fmalware-techniques/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fmalware-techniques/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/alichtman%2Fmalware-techniques/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alichtman","download_url":"https://codeload.github.com/alichtman/malware-techniques/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fmalware-techniques/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271394607,"owners_count":24751942,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-20T02:00:09.606Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","macos","malware","malware-analysis","malware-development","malware-research","reverse-engineering"],"created_at":"2024-08-02T13:02:05.127Z","updated_at":"2025-08-20T22:14:43.428Z","avatar_url":"https://github.com/alichtman.png","language":"Python","readme":"\u003ch1 align=\"center\"\u003e\n  \u003cimg src=\"img/logo.png\" width=\"95%\" /\u003e\n  \u003cbr /\u003e\n\u003c/h1\u003e\n\nThis collection of programs demonstrates techniques used in malware to accomplish core tasks.\n\nIt's like [Al-Khaser](https://github.com/LordNoteworthy/al-khaser), except focused on `macOS` and `Linux`.\n\n### Catalog\n\n- Anti-Autoanalysis\n- Anti-Reverse Engineering\n- Anti-VM\n- Data-Collection\n- Persistence\n\n### Implementation\n\nThese programs are written in a mix of languages. 
Currently, the library uses (in order of `strlen(language_name)`):\n\n- `C`\n- `x86`\n- `Bash`\n- `Python`\n- `Objective-C`\n\n### Building and Running\n\nEach program is meant to be run independently. There is no `main.{c,py,m,asm}`.\n\nEach `C` program can typically be compiled with `$ gcc FILE -o OUTPUT_FILE`.\n\nExceptions to this are:\n\n- `src/anti-vm/cross-platform/vmware_detect_with_asm.c`, which uses `cmake` for compilation. Instructions can be found in `src/anti-vm/cross-platform/README.md`.\n- `src/anti-autoanalysis/macOS/detectUserActivity`, which uses `clang` for compilation. Instructions can be found in `src/anti-autoanalysis/macOS/detectUserActivity/README.md`.\n\n### Motivation\n\nYou can read about the motivation behind this project in this [presentation](https://docs.google.com/presentation/d/1FjnEkCz4cZghtZbn7i9o8X_9fAwUFjIEjv0LaFlopyk/edit?usp=sharing) I gave.\n\n### Acknowledgements\n\nThank you to all the security researchers who made this project possible. Material published by the following researchers was particularly helpful while I was building this library:\n\n- [Patrick Wardle, Objective-See](https://objective-see.com/blog/blog_0x3C.html#CreativeUpdate)\n- [Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research](https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/attacks-on-virtual-machine-emulators-07-en.pdf)\n- [Alexander Omara](https://alexomara.com/blog/)\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falichtman%2Fmalware-techniques","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falichtman%2Fmalware-techniques","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falichtman%2Fmalware-techniques/lists"}