capa
flare-ida
capa | flare-ida | |
---|---|---|
2 | 2 | |
3,854 | 2,104 | |
1.3% | 0.4% | |
9.8 | 3.2 | |
7 days ago | 2 months ago | |
Python | Python | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
capa
-
N00bs Night Malware RE Workshop with @c3rb3ru5d3d53c (OALABS)
Python3 Environment Basics For IDA Pro (Windows) https://www.patreon.com/posts/python3-basics-58467121 Hexcopy (save a click) https://github.com/OALabs/hexcopy-ida HashDB https://github.com/OALabs/hashdb-ida Flare-IDA https://github.com/mandiant/flare-ida Capa https://github.com/mandiant/capa Capa Rules https://github.com/mandiant/capa-rules BinDiff https://www.youtube.com/watch?v=BLBjcZe-C3I
-
How to analyze malicious PDF?
You can detonate it into a VM running an instance of Cuckoo Sandbox. If you want to go the extra mile, you can dump the memory of said VM and analyse it with Volatility Framework. Also, if you want to quickly identify behavioural patterns in executable code, you can use Mandiant's CAPA tool (though idk if it works on .pdfs).
flare-ida
-
N00bs Night Malware RE Workshop with @c3rb3ru5d3d53c (OALABS)
Python3 Environment Basics For IDA Pro (Windows) https://www.patreon.com/posts/python3-basics-58467121 Hexcopy (save a click) https://github.com/OALabs/hexcopy-ida HashDB https://github.com/OALabs/hashdb-ida Flare-IDA https://github.com/mandiant/flare-ida Capa https://github.com/mandiant/capa Capa Rules https://github.com/mandiant/capa-rules BinDiff https://www.youtube.com/watch?v=BLBjcZe-C3I
-
Problems generating and applying FLIRT signatures in IDA for UE4 project
Now it's time to generate pattern files with idb2pat.py script on FLARE github. This one works up to version 7.3 including and doesn't work on 7.4+ because of changes in API calls of IDA. I updated it for IDA 7.5(just renamed a bunch of API calls to different names according to this article by hexrays for porting scripts to newer versions of IDA), but I run into the same problems on 7.2 with the original script.
What are some alternatives?
flare-floss - FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
ret-sync - ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA/Ghidra/Binary Ninja disassemblers.
capa-rules - Standard collection of rules for capa: the tool for enumerating the capabilities of programs
flare-fakenet-ng - FakeNet-NG - Next Generation Dynamic Network Analysis Tool
drakvuf-sandbox - DRAKVUF Sandbox - automated hypervisor-level malware analysis system
tenet - A Trace Explorer for Reverse Engineers
hashdb-ida - HashDB API hash lookup plugin for IDA Pro
ghidra_scripts - Port of devttyS0's IDA plugins to the Ghidra plugin framework, new plugins as well.
STrace - A DTrace on Windows Reimplementation
lumen - A private Lumina server for IDA Pro
hexcopy-ida - IDA plugin for quickly copying disassembly as encoded hex bytes
flare-vm - A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.