bap - Binary Analysis Platform

•    OCaml

The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a reverse engineering and program analysis platform that works with binary code and doesn't require the source code. BAP supports multiple architectures: ARM, x86, x86-64, PowerPC, and MIPS. BAP disassembles and lifts binary code into the RISC-like BAP Instruction Language (BIL). Program analysis is performed using the BIL representation and is architecture independent in a sense that it will work equally well for all supported architectures. The platform comes with a set of tools, libraries, and plugins. The documentation and tutorial are also available. The main purpose of BAP is to provide a toolkit for implementing automated program analysis. BAP is written in OCaml and it is the preferred language to write analysis, we have bindings to C, Python and Rust. The Primus Framework also provide a Lisp-like DSL for writing program analysis tools. BAP is developed in CMU, Cylab and is sponsored by various grants from the United States Department of Defense, Siemens AG, and the Korea government, see sponsors for more information.

awesome-malware-analysis - A curated list of awesome malware analysis tools and resources.

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php. View Chinese translation: 恶意软件分析大合集.md.

panda - Platform for Architecture-Neutral Dynamic Analysis

•    C

PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. It is currently being developed in collaboration with MIT Lincoln Laboratory, NYU, and Northeastern University.

Mobile-Security-Framework-MobSF - Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing

•    Python

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. Your generous donations will keep us motivated.

Inspeckage - Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more

•    Java

Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. Logcat.html page. A experimental page with websocket to show some information from the logcat.

MobileApp-Pentest-Cheatsheet - The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics

The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics and checklist, which is mapped OWASP Mobile Risk Top 10 for conducting pentest. Your contributions and suggestions are welcome.

awesome-frida - Awesome Frida - A curated list of Frida resources http://www

A curated list of awesome projects, libraries, and tools powered by Frida. Frida is Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android.

HaboMalHunter - HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo

•    Python

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system. The tool help security analyst extracting the static and dynamic features from malware effectively and efficiently. The generated report provides significant information about process, file I/O, network and system calls. The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.

symbolic-execution - History of symbolic execution (as well as SAT/SMT solving, fuzzing, and taint data tracking)

There is also temporary timeline of some tools not displayed in the diagrams above. ⚠️ PNG preview could be outdated. See symbolic-execution.svg for the latest version.

pathgrind - Path based Dynamic Analysis

•    C

Path based Dynamic Analysis

CircuitBreaker - Nintendo Switch hacking toolkit

•    Javascript

This is Circuit Breaker, a Nintendo Switch hacking toolkit. It is heavily based upon the PegaSwitch toolkit and the ReSwitched team deserves a huge amount of credit for their work, without which this project would be impossible. Make sure you have all the ruby gems installed. Installing ruby and bundler are outside of the scope of this document.

hakbot-origin-controller - Vendor-Neutral Security Tool Automation Controller (over REST)

•    Java

Vendor-Neutral Security Tool Automation Controller (over REST)

redexer - The Redexer binary instrumentation framework for Dalvik bytecode

•    OCaml

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android). This tool is tested under OCaml 4.02.2 and Ruby 1.8.6(7), so you need to install them (or higher versions of them).

IntelliDroid - A targeted input generator for Android that improves the effectiveness of dynamic malware analysis

•    Java

IntelliDroid is an analysis tool for Android applications that extracts call paths leading to specific behavior and executes these paths precisely during run time. When given a set of targeted behaviors, the static analysis component traverses the application's call graph to find paths to these behaviors. It also extracts path constraints, which are used to determine the input values that can trigger these paths. The dynamic component takes the extracted paths/constraints and injects the input values into the Android device, triggering the targeted behaviors. For further details, please see our paper and slides (NDSS 2016).

StaDynA - StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications

StaDynA is a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). Our tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.

FromJS - Understand JavaScript apps. See where each character on the screen came from in code.

•    Javascript

FromJS is dynamic dataflow analysis tool. You can use it to discover code and understand JavaScript apps. FromJS is in currently. If you find any issues (you probably will) please report them on Github.

inspect-code - Run code and get the value of every expression.

•    Javascript

Run code and get every expression's value. Powering js-playgrounds. inspect-code takes a string of code, instruments it to spy on every expression and uses lolex to make setTimeout & co. run sync in the end. After running it inside Node's vm, it returns every expression, with its code and values. This is similar to what JS code coverage tools do.

generic-parser - A Single Library Parser to extract meta information,static analysis and detect macros within the files

•    Python

A Single Library Parser to extract meta information,static analysis and detect macros within the files.