Malware Analysis and Reverse Engineering

This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory access and instruction-set-aware disassembly to translate machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex system crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also features memory-mapped symbol resolution to correlate machine addresses with source code labels, assisting in the interpretation of internal application logic.

Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering. The project distinguishes itself through a sophisticated control flow reconstruction engine and a symbolic deobfuscation engine that restores original code structure by renaming obfuscated identifiers. Beyond its graphical interface, Jadx offers a binary analysis library that allows developers to embed automated decompilation and source code extraction directly into custom security pipelines and software workflows. These capabilities enable detailed application security auditing and the investigation of mobile malware by tracing interactions across large, complex codebases. The platform includes extensive tooling for code navigation, such as cross-referencing class and method usage, jumping to declarations, and mapping dependencies within binary projects. To support the analysis of massive packages, it incorporates performance-oriented features like disk-backed caching, in-memory indexing, and configurable package exclusion to manage memory consumption and processing speed.

Retdec is an LLVM-based machine code decompiler and static binary analysis tool designed for binary reverse engineering. It translates binary executable code into high-level representations to facilitate the reconstruction of program logic from compiled machine code. The system utilizes a retargetable frontend architecture and a multi-stage lifting pipeline to convert raw bytes into a common intermediate language. It differentiates custom program logic from known library code through signature-based identification and provides utilities for binary symbol demangling to restore human-readable names. The toolkit covers a broad range of static analysis capabilities, including the reconstruction of high-level functions, types, and class hierarchies. It also provides visualization tools to generate call graphs and control-flow diagrams to map the execution structure of decompiled binaries.

SpiderFoot is an open-source reconnaissance and intelligence automation framework designed to streamline the collection and correlation of data for security investigations. It functions as a comprehensive platform that automates the querying of hundreds of public data sources to map digital footprints, identify exposed assets, and uncover potential security threats across an organization's external perimeter. The platform distinguishes itself through a modular, plugin-based architecture that executes data gathering tasks in parallel, supported by a directed graph data model that tracks relationships between discovered entities. It utilizes dynamic workflow orchestration and event-driven correlation to guide users through multi-stage investigations, automatically triggering follow-up queries based on newly discovered indicators of compromise. Beyond core reconnaissance, the system provides extensive capabilities for attack surface management, credential leak monitoring, and threat actor tracking. It supports proactive security operations by facilitating automated threat hunting, generating detection signatures, and simulating attack scenarios to identify visibility gaps. The platform also manages the full intelligence lifecycle, from aggregating disparate data feeds and enriching findings with contextual analysis to producing actionable reports for risk evaluation.

Ghidra is a software reverse engineering suite designed to analyze compiled binaries and reconstruct program logic without access to original source code. It provides an interactive environment for disassembly and decompilation, utilizing a platform-independent intermediate representation to maintain consistency across diverse hardware architectures. The framework supports automated binary analysis through programmatic routines, enabling the investigation of complex code patterns and security indicators. The platform distinguishes itself through a modular architecture that allows for extensive customization. Users can define new processor instruction sets using a dedicated specification language, ensuring support for unique hardware without requiring recompilation. Collaborative analysis is facilitated by a database-backed storage system, while a headless execution mode enables the processing of large binary sets via command-line scripts. The suite includes tools for malware analysis and software vulnerability research, providing capabilities for visual navigation of control flow and the development of custom plugins. Developers can extend the core functionality by injecting specialized analysis routines or user interface components through a standardized discovery mechanism. The project provides comprehensive documentation and build tasks to support the configuration of development workspaces for those contributing to the underlying architecture.

This project is a curated archive and cybersecurity research dataset of raw source code from various malware families. It serves as a malware analysis library designed to help researchers study the inner workings of different threats and identify attack patterns across multiple platforms and programming languages. The repository supports security research by providing raw text distribution of original source code. This allows for the study of platform vulnerabilities, threat intelligence gathering, and the development of security products and detection signatures. The collection is organized as a flat-file repository using platform-specific directory mapping to group code by operating system or hardware architecture. It utilizes version-controlled source archiving to preserve historical versions of the source files.

dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, set breakpoints, and inspect memory state within compiled binaries to troubleshoot application behavior. Beyond core analysis and debugging, the platform provides an interactive scripting environment for automating repetitive tasks and manipulating assembly structures. It includes capabilities for abstract syntax tree manipulation and memory-mapped file inspection, allowing users to navigate between high-level code constructs and raw binary data.

pe-sieve is a set of diagnostic tools for scanning Windows process memory to identify malicious implants, shellcode, and hooks. It functions as an in-memory implant detector, malware unpacker, and process callstack analyzer designed to locate and dump memory patches and injected code from running processes. The project identifies advanced evasion techniques, such as process hollowing and reflective injection, by verifying portable executable structures in memory. It distinguishes itself by analyzing process callstacks to detect anomalies and redirections and by reconstructing executable headers and section alignments from raw memory dumps. The toolset covers a broad range of forensic and analysis capabilities, including dynamic malware unpacking, signature-based implant identification, and the extraction of process artifacts for offline examination. These scanning and analysis functions are available through a programmatic interface for integration into other security applications.

TheZoo is a centralized repository and management system designed for the storage, organization, and retrieval of live malicious software samples. It provides a structured environment for security researchers and educators to access, track, and analyze dangerous code for the purpose of threat intelligence and defense development. The system utilizes a command-line interface to manage the lifecycle of malware samples, including the preparation of new submissions and the querying of a centralized database. To ensure safety and authenticity, the platform stores binaries in password-protected, encrypted archives and performs cryptographic hash verification on all samples. This approach allows for the controlled distribution and study of malicious code while preventing accidental execution. The repository supports comprehensive research workflows by indexing samples based on specific attributes such as platform and architecture. This metadata-driven organization enables efficient searching and categorization, facilitating the systematic examination of attack vectors and emerging cyber threats.

RevokeMsgPatcher is a binary patching utility designed to modify the execution logic of desktop messaging applications. By applying low-level changes to compiled executable files and libraries, the tool enables functionality not natively supported by the original software, specifically focusing on message persistence and process management. The utility distinguishes itself through targeted binary instrumentation and control flow redirection. It identifies specific function patterns and memory offsets within proprietary software to inject custom assembly instructions. These modifications allow the software to suppress incoming message recall commands, ensuring that deleted content remains visible in chat histories. Additionally, the tool overrides application startup constraints by disabling synchronization primitives, which permits the simultaneous execution of multiple instances of the same messaging client. The project covers a range of binary modification techniques, including static instrumentation and dynamic library injection, to ensure that changes persist across application sessions. It provides automated mechanisms for locating and patching target code blocks, effectively bypassing built-in restrictions to customize the behavior of communication platforms.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

Flare-floss is a security utility and static binary string extractor designed to uncover hidden text and configuration data within compiled binaries. It functions as an obfuscated string decoder and reverse engineering tool to translate encoded strings into readable text for security auditing. The project employs emulated execution to capture the decrypted state of strings in memory by running small chunks of binary code in a virtual CPU. It further utilizes static analysis disassembly, intermediate representation analysis, and heuristic-based pattern matching to identify and decode strings that use non-standard encodings or lack standard null terminators. The toolset supports workflows for malware binary analysis, security research, and reverse engineering to identify embedded secrets and constants. It also provides capabilities for exporting extracted binary data to external analysis platforms.

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable. The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland. The toolset supports binary patching, malware analysis, and software vulnerability research. It features a plugin-based architecture to extend core functionality and an embedded scripting engine to automate analysis workflows.

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

Objection is a dynamic instrumentation framework and runtime exploration toolkit for mobile application security analysis. It provides a command-line interface to interact with the memory and state of iOS and Android applications during active execution, serving as a toolkit for runtime analysis and security testing. The project distinguishes itself by providing specialized capabilities to bypass common mobile security controls, including SSL pinning, biometric authentication, and root or jailbreak detection. It enables the extraction of sensitive credentials and data from secure storage systems, such as keychains and SQLite databases, while allowing for the interception of cryptographic operations. The toolkit covers a broad range of analysis capabilities, including process memory manipulation, heap object inspection, and container filesystem exploration. It also includes monitoring tools for tracing method arguments, analyzing application intents, and configuring application-specific network proxies. Instrumentation is achieved by injecting a JavaScript engine into a running process or embedding a binary gadget into the application to enable analysis on devices without root or jailbreak access.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries. The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence. The engine utilizes Aho-Corasick string matching and a regular expression engine to scan files. It processes data via buffer-based stream processing and transforms human-readable rules into a bytecode format for execution.

Magisk is an Android rooting framework designed to manage system-level modifications and grant administrative access to mobile devices. It functions by patching boot and recovery images to inject custom code into the operating system initialization sequence, allowing for system-wide control while maintaining compatibility with the underlying hardware. The project distinguishes itself through a systemless modification layer that overlays a virtual file system on top of read-only partitions, enabling changes without altering core system files. It includes a policy daemon to manage security contexts and granular access control for privileged applications, alongside dynamic binary instrumentation capabilities that intercept function calls in running processes. These features are supported by a native toolchain that interacts directly with the hardware abstraction layer and kernel. The framework provides a comprehensive suite for device modification management, including tools for patching firmware images, managing bootloader states, and handling recovery-based modifications on devices lacking a dedicated boot ramdisk. It also incorporates a cross-platform build toolchain for compiling and signing deployable packages, facilitating standardized software deployment across diverse hardware models.

GEF is a Python-based extension for GDB that serves as a framework for binary analysis, exploit development, and low-level debugging. It functions as a dynamic analysis extension designed to assist in reverse engineering workflows and malware analysis by enhancing the debugger's ability to inspect process state and memory. The project is distinguished by its specialized heap analysis tools, which allow for the inspection of glibc heap arenas, bins, and chunks to detect memory corruption. It also provides a dedicated toolkit for exploit development, including cyclic pattern generation for offset identification and the ability to patch memory or instructions during runtime. The capability surface covers binary security inspection for mitigations like NX, PIE, and stack canaries, as well as advanced memory operations such as recursive pointer dereferencing and Global Offset Table analysis. It further includes execution control features like instruction tracing, forked process tracking, and the management of remote target connections. The framework is extensible via a Python-based plugin system and an API that allows for the registration of custom debugging commands and contextual data panes.