7 مستودعات
Analyzing a program's behavior by tracing its interactions with the operating system during runtime.
Distinct from Binary Analysis: Distinct from general Binary Analysis by focusing specifically on runtime syscall and execution flow tracing.
Explore 7 awesome GitHub repositories matching part of an awesome list · Dynamic Behavioral Analysis. Refine with filters or upvote what's useful.
This project is an Android RPA framework designed for automating user interfaces and system tasks on rooted Android devices using Python and ADB. It provides a suite of tools for rooted device management, allowing for programmatic control of system settings, application lifecycles, and shell command execution via a remote API. The framework distinguishes itself through a combination of dynamic instrumentation and AI integration. It can inject scripts into running processes to hook Java interfaces and modifies application behavior in real time. Additionally, it supports large language model in
Analyzes application behavior and interactions with the operating system to identify security vulnerabilities.
Blink is a JIT-based instruction emulator and x86-64 Linux emulator designed to run Linux binaries and ELF files across different host operating systems and architectures. It functions as a binary execution sandbox and system call simulator, providing a controlled environment for running programs. The project distinguishes itself with a terminal user interface for monitoring execution, managing breakpoints, and visualizing JIT compilation paths. It supports self-modifying code through a cache-invalidating memory model and provides execution environment isolation using restricted directory ove
Traces system calls and logs execution flow to analyze how programs interact with the operating system.
capa is a binary capability scanner that identifies high-level behaviors and actions an executable can perform, such as network communication or file manipulation. It functions as a malware behavior analysis tool and a MITRE ATT&CK mapping framework, scanning PE, ELF, .NET, and shellcode files through both static analysis and dynamic sandbox report processing. The tool distinguishes itself through a YAML-based detection rule engine that defines detection logic in human-readable files, with conditions expressed as feature combinations and logical operators. It integrates with IDA Pro, Ghidra,
Compiles system calls, file operations, and network activity from malware execution into structured reports.
Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption. The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure
Collects system calls, file operations, and network activity and compiles them into structured analysis reports.
Binsider is a collection of specialized toolsets for hexadecimal editing, ELF structural analysis, system call tracing, and execution performance profiling. It provides a suite of utilities designed for binary reverse engineering, encompassing both static structural analysis and dynamic runtime monitoring of compiled binaries. The project distinguishes itself by combining low-level binary manipulation, such as a hex editor for raw byte modification, with an ELF binary analysis tool for inspecting file structures and metadata. It also includes a Linux system call tracer for observing dynamic b
Monitors system calls and runtime activity to observe the behavior of executing programs.
CRIU is a Linux process checkpointing tool and state manager used to freeze running applications and save their memory and state to disk for later restoration. It functions as a container migration engine and an OCI checkpoint image converter, allowing the live state of running containers to be transferred between different hosts. The project distinguishes itself through its ability to persist network connectivity, acting as a TCP connection state persister that saves and reconstructs network socket states to maintain active communication after a restart. It further enables the distribution o
Transfers periodic snapshots of running processes to separate environments for dynamic behavioral analysis and debugging.
PINCE is a dynamic debugger, instruction tracer, and memory scanner designed for the analysis and manipulation of running processes. It functions as a process memory manipulator and editor, allowing for the identification, modification, and monitoring of values within a target application's active memory. The tool distinguishes itself through memory pointer analysis, tracing addresses and offsets to locate static pointers that lead to dynamic data across different sessions. It also enables the execution of internal functions within a running process by manipulating the instruction pointer and
Analyzes runtime behavior through instruction tracing and conditional breakpoints.