ida_yara
A Python script for scanning data within an IDB using Yara
What does a malicious package actually look like in practice? We'll walk through some hypothetical exercises to see how malware generally works and what sort of functionality we might expect, from relatively simple and temporary to complex. Additionally, as we are focused primarily on JavaScript for this post, we really need to think about two different threat models: what does in-browser malware look like, and how is that going to differ from on-host malware?

Attacker Motivations and Mentality

As we begin this thought experiment, the first thing to consider is what a potential attacker's targets and goals would be.

On-Host

The whole concept of "on-host" malware in NPM packages seems a bit unintuitive at first blush, as the immediate association is generally with browser-focused concerns, which must be safe, since they run in the browser sandbox. There are, interestingly enough, some serious advantages from an attacker's perspective.
A tool to fuzz query strings and identify vulnerabilities
Kaitai Struct is a declarative language for describing binary data structures.
A dataset release policy for the Android Malware Genome Project, requiring authentication and justification for access to the dataset.
Studying Android malware behaviors through Information Flow monitoring techniques.
Searches for gadgets in binaries to facilitate ROP exploitation.