Self-Hosted Malware Analysis Sandboxes

Deno is a high-performance runtime for JavaScript and TypeScript that prioritizes security and developer productivity. Built on the V8 engine, it provides a secure execution environment that enforces a default-deny security model, requiring explicit user authorization for access to system resources like the file system, network, and environment variables. The runtime natively supports modern web-standard APIs, ensuring consistent behavior and portability across different environments. What distinguishes Deno is its integrated approach to the software development lifecycle. It bundles essential utilities—including a formatter, linter, test runner, and dependency manager—directly into the runtime, eliminating the need for external build tools or complex transpilation steps. The platform features a universal module resolution system that supports remote HTTPS URLs, local paths, and standard package registries, all backed by lockfiles to ensure build determinism and supply chain security. Beyond its core runtime capabilities, Deno includes a built-in, persistent key-value database engine that supports atomic transactions and reactive data monitoring. It also provides a robust compatibility layer for the Node.js ecosystem, allowing for the seamless execution of legacy modules and native binary addons. For multi-tenant or distributed applications, the runtime offers isolated sandbox environments that manage resource constraints and security boundaries, facilitating secure code execution in shared infrastructure. The project is distributed as a single binary, providing a unified toolchain for managing dependencies, executing tasks, and configuring runtime security policies.

WebGoat is a deliberately insecure web application designed as an interactive security lab for learning how to identify and exploit common web vulnerabilities. It serves as a containerized sandbox that allows for the simulation and experimentation of web-based attacks and penetration testing techniques without risking production systems. The project functions as a learning lab that maps specific insecure coding patterns to structured lessons. It implements simulated server-side flaws to provide a hands-on environment for studying common security vulnerabilities and defensive coding practices. The application supports deployment through isolated containers and browser-based desktop virtualization to ensure a consistent attack surface. It includes capabilities for managing lesson availability and tracking user progress across the various vulnerable application components.

Ghidra is a software reverse engineering suite designed to analyze compiled binaries and reconstruct program logic without access to original source code. It provides an interactive environment for disassembly and decompilation, utilizing a platform-independent intermediate representation to maintain consistency across diverse hardware architectures. The framework supports automated binary analysis through programmatic routines, enabling the investigation of complex code patterns and security indicators. The platform distinguishes itself through a modular architecture that allows for extensive customization. Users can define new processor instruction sets using a dedicated specification language, ensuring support for unique hardware without requiring recompilation. Collaborative analysis is facilitated by a database-backed storage system, while a headless execution mode enables the processing of large binary sets via command-line scripts. The suite includes tools for malware analysis and software vulnerability research, providing capabilities for visual navigation of control flow and the development of custom plugins. Developers can extend the core functionality by injecting specialized analysis routines or user interface components through a standardized discovery mechanism. The project provides comprehensive documentation and build tasks to support the configuration of development workspaces for those contributing to the underlying architecture.

Bottles is a Wine compatibility manager and prefix manager that provides a graphical interface for running Windows applications on Linux. It functions as a Windows application sandbox and dependency manager, organizing isolated environments to prevent dependency conflicts and protect the host operating system. The project acts as a Wine runner orchestrator, allowing users to download, install, and switch between different compatibility layers and graphics renderers. It distinguishes itself by using community-driven scripts for automated software installation and dependency management, alongside pre-configured environment presets. The system covers a broad range of capabilities, including Windows registry administration, Direct3D to Vulkan graphics translation, and Linux gaming optimization. It provides comprehensive data storage utilities for backing up and cloning environments, as well as a command-line interface for automating container configuration and program execution. Monitoring tools such as process activity tracking and execution log capture are integrated for troubleshooting. Bottles can be deployed as a sandboxed package via Flatpak.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

Mastra is an orchestration framework designed for building, deploying, and managing autonomous AI agents and multi-agent systems. It provides a comprehensive suite of primitives for creating resilient AI applications, including durable workflow orchestration, event-driven agent loops, and semantic memory management. By integrating these core components, the platform enables developers to build complex, multi-step processes that can reason about goals and execute tasks without manual intervention. The framework distinguishes itself through its focus on observability and secure, isolated execution. It features a built-in telemetry pipeline that captures structured execution traces, logs, and performance metrics, allowing for real-time debugging and evaluation of agent behavior. Furthermore, it utilizes sandboxed environments to isolate code execution and filesystem operations, ensuring that agent interactions remain secure and reproducible. Mastra covers a broad capability surface, including multi-agent delegation hierarchies, schema-validated tool execution, and real-time voice interaction. It supports advanced orchestration patterns such as human-in-the-loop approvals, persistent state management for long-running workflows, and retrieval-augmented generation using vector-based semantic memory. These features are designed to work together to support the entire lifecycle of AI-powered applications, from initial development and testing to production deployment. The project is built for TypeScript environments and provides a modular architecture that integrates with existing web stacks and infrastructure. It includes a client SDK for interacting with remote agents and supports various authentication providers to secure API endpoints and agent resources.

This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory access and instruction-set-aware disassembly to translate machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex system crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also features memory-mapped symbol resolution to correlate machine addresses with source code labels, assisting in the interpretation of internal application logic.

Fragments is an open-source AI code generation sandbox that produces code automatically based on user prompts and executes it inside isolated cloud environments. The project provides a secure foundation for running AI-generated code by sandboxing execution away from the host system, preventing potential harm while allowing users to see results immediately. The sandbox supports customization through configurable execution environments defined via Dockerfiles, enabling code to run in specific runtimes or frameworks. Users can integrate different language models and model providers by registering their identifiers, API endpoints, and authentication keys, giving flexibility in choosing which AI powers code generation. The system also streams AI responses incrementally in the user interface, providing real-time feedback as code is generated. Additional capabilities include installing packages from registries like npm or pip during execution, and hosting the sandbox as a deployable web interface. The project's documentation covers setup, configuration of custom environments and models, and deployment instructions for getting a sandbox instance running.

Termux is a mobile terminal emulator and Linux environment runtime that provides a full command-line interface directly on Android devices. It functions as a comprehensive platform for executing native binaries and scripts, featuring an integrated package management system that allows users to download, install, and manage open-source software repositories to extend device functionality. The project distinguishes itself by acting as an embedded execution library, enabling third-party applications to integrate terminal and package management capabilities into their own interfaces without requiring custom forks. It achieves this through a modular architecture that executes code as native libraries, effectively bypassing mobile operating system restrictions that typically prevent the execution of arbitrary binaries from application data folders. To maintain security, the system employs process-isolation-based sandboxing and validates canonical paths to prevent unauthorized command injection or shortcut manipulation. Beyond its core terminal capabilities, the project supports advanced automation through an intent-based system that allows external applications to trigger shell commands. It ensures software portability across different device storage configurations by utilizing dynamic environment-variable-based path resolution. The environment also includes built-in diagnostic tools for log-aggregation-based debugging and maintains a structured process for managing security disclosures and vulnerability reporting.

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

AVClass and AVClass2 are Python tools to tag / label malware samples. You give them as input the AV labels for a large number of malware samples (e.g., VirusTotal JSON reports) and they output tags extracted from the AV labels of each sample. The original AVClass only outputs family names (i.e.,…

Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering. The project distinguishes itself through a sophisticated control flow reconstruction engine and a symbolic deobfuscation engine that restores original code structure by renaming obfuscated identifiers. Beyond its graphical interface, Jadx offers a binary analysis library that allows developers to embed automated decompilation and source code extraction directly into custom security pipelines and software workflows. These capabilities enable detailed application security auditing and the investigation of mobile malware by tracing interactions across large, complex codebases. The platform includes extensive tooling for code navigation, such as cross-referencing class and method usage, jumping to declarations, and mapping dependencies within binary projects. To support the analysis of massive packages, it incorporates performance-oriented features like disk-backed caching, in-memory indexing, and configurable package exclusion to manage memory consumption and processing speed.

A Python framework that uses machine learning algorithms to implement the metadata recovery attack against obfuscated programs.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

Executable compression, also known as packing, is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. Packing is designed to be used to decrease storage for large size files. Recently, the approach has also been used to…

LeakCanary is a diagnostic tool designed to identify memory leaks by monitoring object lifecycles and analyzing heap snapshots. It automatically detects objects that fail to be garbage collected after their expected lifespan, providing developers with actionable insights to prevent performance degradation and application crashes. The project distinguishes itself by offloading memory-intensive heap parsing to a separate background process, which minimizes performance impact on the main application during runtime. It includes sophisticated deobfuscation capabilities that map obfuscated stack traces back to original source code, and it supports granular control through reference filtering and custom inspection logic to suppress known false positives. Beyond core detection, the tool offers comprehensive configuration options for managing analysis thresholds, build-specific behaviors, and environment-specific monitoring. It provides both deep heap analysis for development environments and lightweight instance tracking for production builds, ensuring memory health can be monitored across the entire application lifecycle.

Experimental toolkit for static detection of executable packing.

dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, set breakpoints, and inspect memory state within compiled binaries to troubleshoot application behavior. Beyond core analysis and debugging, the platform provides an interactive scripting environment for automating repetitive tasks and manipulating assembly structures. It includes capabilities for abstract syntax tree manipulation and memory-mapped file inspection, allowing users to navigate between high-level code constructs and raw binary data.

Citing

UTM is a comprehensive virtualization suite that provides a unified interface for running guest operating systems on host hardware. It functions as a cross-platform system emulator and hypervisor, coordinating both hardware-accelerated virtualization and software-based instruction emulation to execute diverse operating systems. By leveraging native kernel-level virtualization frameworks, the software achieves near-native performance while maintaining strict security through sandboxed process isolation. The project distinguishes itself by enabling full-featured desktop operating systems to run on mobile hardware, alongside support for over thirty processor architectures including x86_64, ARM64, and RISC-V. It provides a graphical management interface that abstracts complex command-line configurations, allowing users to manage the lifecycle of multiple concurrent virtual machine instances. For environments where dynamic code generation is restricted, the software utilizes a threaded instruction interpreter to maintain functionality. Beyond core emulation, the platform includes standardized driver architectures for high-performance device communication and remote rendering protocols for graphical output. It supports various deployment strategies, including sideloading for non-jailbroken devices and repository-based installation for jailbroken systems. The software facilitates resource sharing between host and guest environments, such as shared directories and network port forwarding, to support development, testing, and legacy software preservation.