Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/alichtman/malware-techniques

A collection of techniques commonly used in malware to accomplish core tasks.

linux macos malware malware-analysis malware-development malware-research reverse-engineering

Last synced: 17 days ago

README

This collection of programs demonstrates techniques used in malware to accomplish core tasks.

It's like [Al-Khaser](https://github.com/LordNoteworthy/al-khaser), except focused on `macOS` and `Linux`.

### Catalog

- Anti-Autoanalysis
- Anti-Reverse Engineering
- Anti-VM
- Data-Collection
- Persistence

### Implementation

These programs are written in a mix of languages. Currently, the library uses (in order of `strlen(language_name)`):

- `C`
- `x86`
- `Bash`
- `Python`
- `Objective-C`

### Building and Running

Each program is meant to be run independently. There is no `main.{c,py,m,asm}`.

Typically, each program (written in `C`) can be compiled with `$ gcc FILE -o OUTPUT_FILE`.

Exceptions to this are:

- `src/anti-vm/cross-platform/vmware_detect_with_asm.c`, which uses `cmake` for compilation. Instructions can be found in `src/anti-vm/cross-platform/README.md`.
- `src/anti-autoanalysis/macOS/detectUserActivity`, which uses `clang` for compilation. Instructions can be found in `src/anti-autoanalysis/macOS/detectUserActivity/README.md`.

### Motivation

You can read about the motivation behind this project in this [presentation](https://docs.google.com/presentation/d/1FjnEkCz4cZghtZbn7i9o8X_9fAwUFjIEjv0LaFlopyk/edit?usp=sharing) I gave.

### Acknowledgements

Thank you to all the security researchers who made this project possible. Material published by the following researchers was particularly helpful while I was building this library:

- [Patrick Wardle, Objective-See](https://objective-see.com/blog/blog_0x3C.html#CreativeUpdate)
- [Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research](https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/attacks-on-virtual-machine-emulators-07-en.pdf)
- [Alexander Omara](https://alexomara.com/blog/)