# Malware Analysis and Deobfuscation Tools

> Search results for `analyze and unpack obfuscated malicious binaries` on awesome-repositories.com. 117 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/analyze-and-unpack-obfuscated-malicious-binaries

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/analyze-and-unpack-obfuscated-malicious-binaries).**

## Results

- [jonaslejon/malicious-pdf](https://awesome-repositories.com/repository/jonaslejon-malicious-pdf.md) (4,070 ⭐) — This project is a set of specialized utilities for generating malformed documents, obfuscating payloads, and crafting specific attack vectors to evaluate the resilience of security scanners. It functions as a PDF fuzzing framework and security testing tool designed to create PDF files with embedded payloads for verifying how document viewers and web applications handle vulnerabilities.

  The toolkit provides capabilities for encoding and hiding malicious content to test the detection effectiveness of security scanners. It includes a security payload generator for crafting specific attack vector
- [de4dot/de4dot](https://awesome-repositories.com/repository/de4dot-de4dot.md) (7,428 ⭐) — de4dot is a .NET deobfuscator and unpacker designed to reverse obfuscation and restore readable code and metadata within .NET assemblies. It functions as a bytecode analyzer that simplifies control flow, strips anti-debugging protections, and extracts original payloads from packed executable wrappers.

  The project distinguishes itself through a modular deobfuscation pipeline and a sandbox environment used for dynamic string decryption, which executes decryption methods to replace encrypted strings with plain-text values. It can identify specific obfuscation tools through pattern-based binary a
- [javascript-obfuscator/javascript-obfuscator](https://awesome-repositories.com/repository/javascript-obfuscator-javascript-obfuscator.md) (16,129 ⭐) — This project is a JavaScript code protection tool designed to transform source code into a version that is difficult for humans to read. Its primary purpose is to protect intellectual property and prevent reverse engineering by altering the original program logic.

  The tool employs several advanced techniques to hinder analysis, including control flow flattening and the injection of dead code. It can compile functions into custom bytecode executed by an embedded virtual machine and encrypt string literals to prevent static analysis of text.

  Additional capabilities include anti-debugging mecha
- [flutter/flutter](https://awesome-repositories.com/repository/flutter-flutter.md) (177,056 ⭐) — This project is a multi-platform UI framework designed for building applications that target mobile, web, and desktop environments from a single codebase. It utilizes a declarative paradigm where the user interface is defined as a function of application state, supported by a layered architecture that includes a high-performance rendering engine and a multi-platform compilation model.

  The framework provides a comprehensive suite of developer tools, including hot reloading for real-time code injection and diagnostic utilities for monitoring application state and performance. It features a modu
- [malwaremusings/unpacker](https://awesome-repositories.com/repository/malwaremusings-unpacker.md) (121 ⭐) — Automated malware unpacker
- [skylot/jadx](https://awesome-repositories.com/repository/skylot-jadx.md) (49,088 ⭐) — Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering.

  The project distinguishes itself through a sophisticated control flow reconstruction engine and
- [strazzere/android-unpacker](https://awesome-repositories.com/repository/strazzere-android-unpacker.md) (0 ⭐) — android-unpacker
- [docling-project/docling](https://awesome-repositories.com/repository/docling-project-docling.md) (61,674 ⭐) — Docling is a modular framework designed for document parsing, layout analysis, and structured data extraction. It transforms unstructured files and web content into a unified, hierarchical data model that preserves the spatial and semantic relationships between text, tables, images, and layout elements. By normalizing diverse input formats into a consistent internal representation, the library enables uniform processing across various document types.

  The project distinguishes itself through a schema-driven approach that maps document regions to strongly-typed objects, ensuring data accuracy t
- [0xd4d/de4dot](https://awesome-repositories.com/repository/0xd4d-de4dot.md) (7,426 ⭐) — de4dot is a .NET deobfuscator, unpacker, and assembly analysis tool. It is designed to remove obfuscation layers, restore metadata, and simplify bytecode control flow to transform protected binaries back into human-readable code.

  The project features specialized systems for decrypting strings and constants using both static and dynamic analysis. It identifies specific protection tools through pattern-based detection and strips anti-analysis protections, such as tamper detection and anti-debugging code.

  The tool provides a suite of reverse engineering capabilities, including binary wrapper un
- [ghostty-org/ghostty](https://awesome-repositories.com/repository/ghostty-org-ghostty.md) (56,570 ⭐) — Ghostty is a cross-platform terminal emulator that utilizes GPU-accelerated rendering to provide high-performance text output and low-latency input. It functions as a unified terminal environment, maintaining consistent feature parity and configuration across different operating systems through a specialized windowing abstraction layer.

  The application is built on a declarative configuration engine that allows users to manage settings, keybindings, and visual themes using modular, plain-text files. It supports dynamic hot-reloading, enabling users to apply configuration changes in real-time w
- [usemuffin/obfuscate](https://awesome-repositories.com/repository/usemuffin-obfuscate.md) (36 ⭐)
- [jindrapetrik/jpexs-decompiler](https://awesome-repositories.com/repository/jindrapetrik-jpexs-decompiler.md) (5,404 ⭐) — JPEXS is a comprehensive reverse engineering suite for SWF binary files, serving as an ActionScript decompiler and editor. It provides a toolkit for decompiling, analyzing, and modifying the internal structure of compiled Flash content, including the extraction of scripts and media assets.

  The project is distinguished by its ability to perform direct binary modification, allowing users to edit bytecode and replace embedded resources without reverting to high-level source code. It includes a runtime ActionScript bytecode debugger for variable inspection and call stack analysis, as well
- [avast-tl/retdec](https://awesome-repositories.com/repository/avast-tl-retdec.md) (8,556 ⭐) — RetDec is an LLVM-based machine code decompiler and static binary analysis tool designed for binary reverse engineering. It translates binary executable code into high-level representations to facilitate the reconstruction of program logic from compiled machine code.

  The system utilizes a retargetable frontend architecture and a multi-stage lifting pipeline to convert raw bytes into a common intermediate language. It differentiates custom program logic from known library code through signature-based identification and provides utilities for binary symbol demangling to restore human-readable n
- [danielbohannon/invoke-obfuscation](https://awesome-repositories.com/repository/danielbohannon-invoke-obfuscation.md) (4,201 ⭐) — Invoke-Obfuscation is a PowerShell-based tool for transforming PowerShell commands and scripts into obfuscated forms to evade signature-based detection. It applies token-level, string-level, and encoding techniques to hide execution logic, and supports compressing commands before obfuscation to reduce size while concealing the original code.

  The tool distinguishes itself through layered obfuscation that can be applied and reversed one layer at a time, allowing users to restore a script's original form. It offers multiple encoding schemes including ASCII, hex, octal, binary, and XOR, and can h
- [sensepost/objection](https://awesome-repositories.com/repository/sensepost-objection.md) (8,896 ⭐) — Objection is a dynamic instrumentation framework and runtime exploration toolkit for mobile application security analysis. It provides a command-line interface to interact with the memory and state of iOS and Android applications during active execution, serving as a toolkit for runtime analysis and security testing.

  The project distinguishes itself by providing specialized capabilities to bypass common mobile security controls, including SSL pinning, biometric authentication, and root or jailbreak detection. It enables the extraction of sensitive credentials and data from secure storage syst
- [dashingsoft/pyarmor](https://awesome-repositories.com/repository/dashingsoft-pyarmor.md) (5,114 ⭐) — Pyarmor is a toolset for protecting Python software through source code obfuscation, bytecode protection, and binary compilation. It functions as a code obfuscator, bytecode protector, and binary compiler designed to prevent reverse engineering and unauthorized access to Python scripts and packages.

  The project distinguishes itself by providing a comprehensive software license manager that enables hardware-bound licensing. This allows developers to lock script execution to specific physical devices or virtual machines and enforce strict expiration dates via encrypted runtime keys.

  Its broade
- [mandiant/flare-floss](https://awesome-repositories.com/repository/mandiant-flare-floss.md) (3,886 ⭐) — Flare-floss is a security utility and static binary string extractor designed to uncover hidden text and configuration data within compiled binaries. It functions as an obfuscated string decoder and reverse engineering tool to translate encoded strings into readable text for security auditing.

  The project employs emulated execution to capture the decrypted state of strings in memory by running small chunks of binary code in a virtual CPU. It further utilizes static analysis disassembly, intermediate representation analysis, and heuristic-based pattern matching to identify and decode strings t
- [fincept-corporation/finceptterminal](https://awesome-repositories.com/repository/fincept-corporation-finceptterminal.md) (26,900 ⭐) — FinceptTerminal is a quantitative finance platform and financial engineering library designed for asset valuation, risk management, and fixed-income analytics. It provides a comprehensive suite for algorithmic trading and investment strategy automation, integrating specialized language model agents and node-based workflows to automate market research and alpha generation.

  The project distinguishes itself with a dedicated game theory analysis engine for calculating Nash equilibria and simulating strategic interactions in competitive markets. It also features a specialized credit risk modeling
- [pjebs/obfuscator-ios](https://awesome-repositories.com/repository/pjebs-obfuscator-ios.md) (673 ⭐) — Secure your app by obfuscating all the hard-coded security-sensitive strings.
- [extremecoders-re/pyinstxtractor](https://awesome-repositories.com/repository/extremecoders-re-pyinstxtractor.md) (4,119 ⭐) — pyinstxtractor is a PyInstaller executable unpacker and Python bytecode recovery tool. It functions as a helper for decompiling compiled Python binaries by extracting bundled binaries and bytecode from executables created with PyInstaller.

  The project includes a bytecode decryptor to remove encryption from extracted files and a header repair tool that restores corrupted headers. These capabilities ensure that extracted compiled files are compatible with bytecode decompilation software.

  The utility covers reverse engineering of Python applications, supporting malware analysis workflows throug
- [amruthpillai/reactive-resume](https://awesome-repositories.com/repository/amruthpillai-reactive-resume.md) (38,613 ⭐) — This project is a web-based platform designed for creating, managing, and sharing professional resumes. It functions as a structured document builder that integrates artificial intelligence to assist with content generation, editing, and analysis. Users can maintain a collection of resumes, customize their visual presentation through various templates, and export them into multiple formats for job applications.

  The platform distinguishes itself through its autonomous AI agent capabilities, which can perform research, suggest incremental edits, and apply data patches directly to documents. It
- [cryakl/ultimate-rat-collection](https://awesome-repositories.com/repository/cryakl-ultimate-rat-collection.md) (3,558 ⭐) — This project is a curated repository of remote access trojan binaries and malware samples. It serves as a structured analysis dataset and security research toolset designed for studying the behavior and inner workings of remote administration tools.

  The collection provides a versioned archive of malware samples and backdoor interfaces, with specific categorizations for target platforms including Windows and Android. It organizes these binaries to facilitate the study of malware evolution and the identification of technical patterns.

  The repository covers several security research areas, incl
- [elastic/elasticsearch](https://awesome-repositories.com/repository/elastic-elasticsearch.md) (77,012 ⭐) — Elasticsearch is a distributed search engine and document store designed for the high-performance indexing and retrieval of massive volumes of unstructured data. It functions as a centralized analytics platform, providing a schema-flexible architecture that organizes information into searchable indices while maintaining global cluster state through a distributed consensus mechanism.

  The platform distinguishes itself through its integrated approach to observability, security, and advanced analytics. It combines full-text, vector, and hybrid search capabilities with machine learning-driven insi
- [anishathalye/obfuscated-gradients](https://awesome-repositories.com/repository/anishathalye-obfuscated-gradients.md) (907 ⭐) — Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples
- [cuckoosandbox/cuckoo](https://awesome-repositories.com/repository/cuckoosandbox-cuckoo.md) (5,959 ⭐) — Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption.

  The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure
- [jirutka/nginx-binaries](https://awesome-repositories.com/repository/jirutka-nginx-binaries.md) (80 ⭐) — Nginx and njs binaries for Linux (x86_64, aarch64, ppc64le), macOS and Windows. The Linux binaries are statically linked, so they work on every Linux distribution.
- [dhondta/awesome-executable-packing](https://awesome-repositories.com/repository/dhondta-awesome-executable-packing.md) (1,591 ⭐) — A curated list of awesome resources related to executable packing
- [j3pic/lisp-binary](https://awesome-repositories.com/repository/j3pic-lisp-binary.md) (102 ⭐) — A library to easily read and write complex binary formats.
- [avelino/awesome-go](https://awesome-repositories.com/repository/avelino-awesome-go.md) (175,576 ⭐) — This project serves as a comprehensive language ecosystem index, functioning as a centralized, community-curated directory for the Go programming language. It organizes a vast landscape of software components, libraries, and development tools into a structured, navigable hierarchy, enabling developers to efficiently discover resources tailored to specific functional domains.

  The repository distinguishes itself through a decentralized contribution model, where community-driven updates ensure the index remains current with the rapidly evolving software landscape. Beyond simple resource listing,
- [ytisf/thezoo](https://awesome-repositories.com/repository/ytisf-thezoo.md) (13,126 ⭐) — TheZoo is a centralized repository and management system designed for the storage, organization, and retrieval of live malicious software samples. It provides a structured environment for security researchers and educators to access, track, and analyze dangerous code for the purpose of threat intelligence and defense development.

  The system utilizes a command-line interface to manage the lifecycle of malware samples, including the preparation of new submissions and the querying of a centralized database. To ensure safety and authenticity, the platform stores binaries in password-protected, en
- [evanw/esbuild](https://awesome-repositories.com/repository/evanw-esbuild.md) (39,934 ⭐) — esbuild is a high-performance JavaScript bundler and transpiler designed to transform modern web assets into production-ready code. Built with a focus on speed, it utilizes a concurrent execution model to perform parsing, linking, and code generation across multiple CPU cores. The engine handles a wide range of tasks, including TypeScript compilation, JSX transformation, and CSS bundling, while maintaining a consistent build process across diverse environments.

  What distinguishes the project is its architecture, which leverages memory-mapped file processing and a single-pass transformation st
- [adamyaxley/obfuscate](https://awesome-repositories.com/repository/adamyaxley-obfuscate.md) (1,307 ⭐) — Source available on GitHub
- [radare/radare2](https://awesome-repositories.com/repository/radare-radare2.md) (24,129 ⭐) — radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable.

  The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland.

  The toolset supports binary p
- [avast/retdec](https://awesome-repositories.com/repository/avast-retdec.md) (8,556 ⭐) — RetDec is a reverse engineering framework and static binary analysis tool. Its primary purpose is to function as an LLVM-based machine code decompiler that translates binary machine code from multiple architectures into high-level C source code.

  The system employs a multi-stage lifting pipeline to recover program logic, using an intermediate representation to apply optimizations before emitting source code. It distinguishes itself through the ability to identify compilers and packers, perform executable unpacking, and reconstruct class hierarchies and original program structures.

  The framewo
- [z0ffy/vite-plugin-bundle-obfuscator](https://awesome-repositories.com/repository/z0ffy-vite-plugin-bundle-obfuscator.md) (314 ⭐) — JavaScript obfuscator plugin provides customizable options and multi-threaded support for Vite.
- [duckdb/duckdb](https://awesome-repositories.com/repository/duckdb-duckdb.md) (38,805 ⭐) — DuckDB is an in-process analytical database engine designed to run directly within an application process. As a zero-dependency, embedded system, it provides enterprise-grade SQL data processing capabilities without the overhead of managing a dedicated database server. It is built to handle complex analytical and aggregation tasks by storing and retrieving information in columns, allowing for high-performance relational data manipulation.

  The engine distinguishes itself through a columnar vectorized execution model that maximizes CPU cache efficiency during query operations. It employs adapti
- [apple/foundationdb](https://awesome-repositories.com/repository/apple-foundationdb.md) (16,446 ⭐) — FoundationDB is an ACID-compliant distributed transactional key-value store. It functions as a scalable database engine that ensures strict serializability and data consistency across a cluster of servers using a shared-nothing architecture.

  The system is distinguished by its multi-region replication capabilities, allowing data to be synchronized across different datacenters for high availability and disaster recovery. It utilizes optimistic concurrency control to manage distributed transactions and employs a majority-based coordination system to maintain cluster state.

  The platform provides
- [hasherezade/pe-sieve](https://awesome-repositories.com/repository/hasherezade-pe-sieve.md) (3,559 ⭐) — pe-sieve is a set of diagnostic tools for scanning Windows process memory to identify malicious implants, shellcode, and hooks. It functions as an in-memory implant detector, malware unpacker, and process callstack analyzer designed to locate and dump memory patches and injected code from running processes.

  The project identifies advanced evasion techniques, such as process hollowing and reflective injection, by verifying portable executable structures in memory. It distinguishes itself by analyzing process callstacks to detect anomalies and redirections and by reconstructing executable heade
- [maxalyokhin/binary-synth](https://awesome-repositories.com/repository/maxalyokhin-binary-synth.md) (129 ⭐) — Audio synthesis from binary code of any file
- [expo/expo](https://awesome-repositories.com/repository/expo-expo.md) (50,111 ⭐) — Expo is a universal mobile framework designed to build native iOS and Android applications from a single codebase using web-standard technologies. It provides a comprehensive development environment that includes a unified runtime for testing, cloud-based infrastructure for compiling and signing native binaries, and automated tools for managing the entire mobile release lifecycle, including app store submission.

  The framework distinguishes itself through a plugin-based native configuration engine that programmatically modifies project files, allowing developers to integrate native modules wit
- [metaperl/binary-martingale](https://awesome-repositories.com/repository/metaperl-binary-martingale.md) (48 ⭐) — Computer program to automatically trade binary options martingale style
- [jgamblin/mirai-source-code](https://awesome-repositories.com/repository/jgamblin-mirai-source-code.md) (9,363 ⭐) — This repository contains the source code for a C-based network botnet designed to compromise Internet of Things devices. It serves as a functional implementation of malware used for security research, behavioral analysis, and the development of threat detection signatures.

  The project includes a command and control server architecture that manages infected devices via a custom binary protocol and TCP-based command distribution. It employs a cross-compilation toolchain to build and deliver architecture-specific binary payloads across multiple hardware platforms.

  The codebase covers capabiliti
- [macbre/analyze-css](https://awesome-repositories.com/repository/macbre-analyze-css.md) (696 ⭐) — analyze-css
- [firerpa/lamda](https://awesome-repositories.com/repository/firerpa-lamda.md) (7,834 ⭐) — This project is an Android RPA framework designed for automating user interfaces and system tasks on rooted Android devices using Python and ADB. It provides a suite of tools for rooted device management, allowing for programmatic control of system settings, application lifecycles, and shell command execution via a remote API.

  The framework distinguishes itself through a combination of dynamic instrumentation and AI integration. It can inject scripts into running processes to hook Java interfaces and modify application behavior in real time. Additionally, it supports large language model in
- [virustotal/yara](https://awesome-repositories.com/repository/virustotal-yara.md) (9,420 ⭐) — YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries.

  The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence.

  The engine utilizes Aho-Corasick s
- [ccfos/nightingale](https://awesome-repositories.com/repository/ccfos-nightingale.md) (13,108 ⭐) — Nightingale is a Prometheus-compatible monitoring and alerting platform designed to centralize telemetry management across multiple time-series databases. It functions as a multi-source alerting engine and metric data pipeline that ingests telemetry via remote write protocols and triggers alarms based on data from sources such as Prometheus, Elasticsearch, Loki, and ClickHouse.

  The system is distinguished by its automated alert healing system, which executes predefined scripts and RPC-based corrective actions when monitoring thresholds are breached. It supports distributed alert processing, a
- [vxunderground/malwaresourcecode](https://awesome-repositories.com/repository/vxunderground-malwaresourcecode.md) (18,415 ⭐) — This project is a curated archive and cybersecurity research dataset of raw source code from various malware families. It serves as a malware analysis library designed to help researchers study the inner workings of different threats and identify attack patterns across multiple platforms and programming languages.

  The repository supports security research by providing raw text distribution of original source code. This allows for the study of platform vulnerabilities, threat intelligence gathering, and the development of security products and detection signatures.

  The collection is organized
- [wintellect/wintellect.analyzers](https://awesome-repositories.com/repository/wintellect-wintellect-analyzers.md) (89 ⭐) — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes written by Wintellect
- [composer/composer](https://awesome-repositories.com/repository/composer-composer.md) (29,457 ⭐) — Composer is a command-line dependency management tool for PHP that automates the process of resolving, downloading, and installing external code libraries. It functions by evaluating version constraints defined in a project's configuration file to calculate a compatible dependency tree, ensuring that applications maintain consistent behavior across different development and production environments.

  The tool utilizes a structured manifest file as the single source of truth for project requirements and generates a deterministic lock file to record the exact version and hash of every installed d
- [x64dbg/x64dbg](https://awesome-repositories.com/repository/x64dbg-x64dbg.md) (48,652 ⭐) — This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior.

  The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory
