Top Python Tools for Malware Analysis

Last Updated: October 11, 2021

Python developers are in demand in the cybersecurity industry. Malware analysis, a large part of that field, is the process of examining malicious software to understand how it operates. Malware analysts need to be skilled in reverse engineering and programming, and to understand how operating systems and executable files work.

Python is a popular language for malware analysis and reverse engineering because it is easy to learn, quick to write, and runs on Windows, Linux, Unix and macOS. This post covers some of the best Python tools (libraries and command-line programs) you can use for malware analysis.


1. pyew

Pyew is a Python command-line tool for analysing malware. It is essentially a command-line hexadecimal editor and disassembler that performs code analysis and lets you write scripts against its API to automate many kinds of malware analysis (and other analysis tasks).

Pyew has been used for more than 4 years in large malware analysis systems that process thousands of files a day.

Links: pyew homepage, pyew wiki


2. yara-python

yara-python is a Python library that lets you use YARA from your Python programs. YARA is a tool primarily used for malware detection and research: you describe a malware family by the textual or binary patterns found in its samples, and YARA identifies and classifies files that match those descriptions. With yara-python you compile such rules and run them against files or in-memory buffers from Python. YARA also ships with modules (pe, elf and others) that parse PE and ELF headers, so a rule can test structural fields such as sections or imports rather than raw bytes alone.

You can install yara-python by running:

pip install yara-python

Links: yara-python homepage, yara-python documentation
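The following is an added example for this post, not code from the YARA project: it renders a rule from a list of indicators, compiles it with yara-python and scans an in-memory buffer. The rule name, the indicator strings, the C2 URL (a TEST-NET-2 address) and the SAMPLE blob are all constructed for illustration and do not describe a real malware family.

```python
"""Generate a YARA rule from indicators and scan in-memory data with yara-python.

Added example; not code from the YARA project. The indicators and the SAMPLE
blob are constructed test data, not a real malware family.
"""
import re
from typing import Iterable

# Constructed stand-in for a dropped executable: a PE-like header, the usual DOS
# stub message, a hypothetical C2 URL (TEST-NET-2 address) and a function
# prologue. Not real malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode." + b"\x00" * 16
    + b"http://198.51.100.23/update.bin\x00"
    + b"\x55\x8b\xec\x83\xec\x40"
    + b"\x00" * 32
)

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_HEX = re.compile(r"[0-9A-Fa-f?\s\[\]\-|()]+")


def yara_escape(s: str) -> str:
    """Escape a Python string for use inside a double-quoted YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, ascii_strings: Iterable[str], hex_patterns: Iterable[str],
               condition: str = "any of them", tags: Iterable[str] = ()) -> str:
    """Render a YARA rule: $sN text strings, $hN hex strings, and a condition.

    Raises ValueError on an invalid rule identifier, a malformed hex pattern,
    or a rule with no strings at all (YARA rejects 'any of them' with none).
    """
    if not _IDENT.fullmatch(name):
        raise ValueError(f"invalid rule identifier: {name!r}")
    ascii_strings, hex_patterns, tags = list(ascii_strings), list(hex_patterns), list(tags)
    if not ascii_strings and not hex_patterns:
        raise ValueError("a rule needs at least one string")
    for h in hex_patterns:
        if not _HEX.fullmatch(h):
            raise ValueError(f"malformed hex pattern: {h!r}")
    header = f"rule {name}" + (" : " + " ".join(tags) if tags else "")
    lines = [header, "{", "    strings:"]
    for i, s in enumerate(ascii_strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    for i, h in enumerate(hex_patterns):
        lines.append(f"        $h{i} = {{ {h} }}")
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines) + "\n"


def scan_bytes(rule_source: str, data: bytes) -> dict:
    """Compile rule_source and match it against data.

    Returns {rule_name: [(offset, identifier, matched_bytes), ...]}. Handles both
    the tuple form of Match.strings (yara-python < 4.3) and the StringMatch
    objects returned since 4.3.
    """
    import yara  # imported here so build_rule() works without yara installed
    rules = yara.compile(source=rule_source)
    hits = {}
    for m in rules.match(data=data):
        found = []
        for s in m.strings:
            if isinstance(s, tuple):                      # (offset, identifier, data)
                found.append((s[0], s[1], bytes(s[2])))
            else:                                         # StringMatch with .instances
                for inst in s.instances:
                    found.append((inst.offset, s.identifier, bytes(inst.matched_data)))
        hits[m.rule] = sorted(found)
    return hits


if __name__ == "__main__":
    rule = build_rule(
        "Dropper_Sample",
        ascii_strings=["http://198.51.100.23/update.bin"],
        hex_patterns=["55 8B EC 83 EC ??"],      # wildcard the stack-frame size
        condition="all of them",
        tags=["dropper"],
    )
    print(rule)
    for rule_name, matches in scan_bytes(rule, SAMPLE).items():
        for offset, ident, matched in matches:
            print(f"{rule_name}: {ident} at 0x{offset:x} -> {matched!r}")
```

For rules kept on disk, yara.compile(filepath=...) and rules.match(filepath) do the same job; the in-memory form above is the one you want when the bytes come from a network capture or an unpacked buffer. The version check on Match.strings matters in practice: scripts written against the old tuple layout fail silently on yara-python 4.3 and later.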


3. angr

angr is a multi-architecture Python framework for analysing binaries, with support for dynamic symbolic execution and a range of static analyses.

It is designed to help reverse engineers understand the internals of complex, closed-source software. Rather than running the program natively, angr emulates it and tracks inputs as symbolic values, so you can ask which inputs reach a given program state and check those states for potential vulnerabilities. It includes the core analysis routines as well as higher-level constructs for building complex analyses.
angr also provides many features essential to reverse engineering, such as control-flow graph recovery, string extraction, instruction emulation and symbolic execution. It can help you find bugs, work out how code behaves, and even develop exploits.

pip install angr

Links: angr documentation
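The classic use of symbolic execution described above is recovering the input that drives a program to a chosen state. The script below is an added example, not code from the angr project: it treats stdin as symbolic, explores until the binary prints a success message (while avoiding the failure message) and asks the solver for a concrete input. The binary path, the input length and the two messages are assumptions to adjust for a real target.

```python
"""Solve a check-the-password style binary with angr's symbolic execution.

Added example; not code from the angr project. BINARY, INPUT_LEN and the
GOOD/BAD messages are assumptions for illustration; adjust them to the target.
"""
from __future__ import annotations

BINARY = "./crackme"          # hypothetical target: any small binary that reads stdin
INPUT_LEN = 16                # hypothetical: how many bytes the program reads
GOOD, BAD = b"Correct", b"Wrong"


def stdout_has(needle: bytes):
    """Build a find/avoid predicate: True when the state's stdout contains needle."""
    return lambda state: needle in state.posix.dumps(1)


def decode_answer(raw: bytes) -> str:
    """Turn the concretised stdin buffer into the string to type.

    The buffer ends with the newline appended in solve(); anything after a NUL or
    that newline is not part of the answer. Bytes the program never compared are
    solver-chosen filler and may need trimming by hand.
    """
    return raw.split(b"\x00", 1)[0].split(b"\n", 1)[0].decode("ascii", errors="replace")


def solve(binary: str = BINARY, n: int = INPUT_LEN) -> str | None:
    """Return a stdin that makes the binary print GOOD without printing BAD."""
    import angr, claripy   # imported here so the helpers work without angr installed

    proj = angr.Project(binary, auto_load_libs=False)
    # n symbolic bytes followed by a newline, as if typed at the prompt
    chars = [claripy.BVS(f"c{i}", 8) for i in range(n)]
    stdin = claripy.Concat(*chars, claripy.BVV(b"\n"))
    state = proj.factory.entry_state(stdin=stdin)
    # Restrict each byte to printable ASCII so the answer can actually be typed.
    for c in chars:
        state.solver.add(c >= 0x20, c <= 0x7e)

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=stdout_has(GOOD), avoid=stdout_has(BAD))
    if not simgr.found:
        return None
    found = simgr.found[0]
    return decode_answer(found.solver.eval(stdin, cast_to=bytes))


if __name__ == "__main__":
    answer = solve()
    print("no path reached the success message" if answer is None else answer)
```

auto_load_libs=False keeps angr from loading and analysing shared libraries, which is usually what you want for a first pass. Exploration can still blow up on loops or large inputs (path explosion); bound it with explore's n argument (maximum number of steps) or add constraints that rule out paths you know are irrelevant.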


4. Exefilter

ExeFilter is an open-source Python tool and framework for filtering file formats in web pages, emails and files. It detects many file formats and can remove active content (scripts or macros) according to a configured policy.

It can be used to protect against malicious active content hidden in files. ExeFilter was also designed to filter removable media, either at gateways (email, web, web services and so on) or on user workstations.

Its whitelist approach (only file formats that the policy explicitly allows are let through, and everything else is blocked) combined with a long list of supported file formats makes it effective at controlling which file formats may enter a secure network.

Links: ExeFilter homepage


5. Malgazer

Malgazer is a Python library for malware analysis with machine learning.

Links: Malgazer (GitHub)


6. clamd

clamd is a Python package that provides an interface to clamd, the daemon of the ClamAV anti-virus engine. It lets you use ClamAV from Python on Windows, Linux, macOS and other platforms, but it requires a running clamd instance, reached over a Unix socket or a TCP port.

With it you can add virus detection to your own Python programs. Install the clamd package with pip:

pip install clamd

Links: clamd on PyPI
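As an added example (not code from the clamd package or the ClamAV project), the script below connects to a running clamd, checks it with PING, streams a buffer to it with INSTREAM and reduces the response to a verdict. The socket path is the Debian/Ubuntu default and an assumption; the EICAR test string is the standard harmless file every engine flags, so it is the right way to confirm the pipeline works end to end.

```python
"""Scan in-memory data with ClamAV through the clamd Python package.

Added example; not code from the clamd package. It assumes a running clamd
reachable on the Unix socket path below or on TCP 3310; both are assumptions,
so check LocalSocket / TCPSocket in clamd.conf.
"""
from __future__ import annotations
import io

# The EICAR test string: every AV engine, ClamAV included, flags this harmless
# 68-byte file, so it is the standard way to check that scanning works.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"   # Debian/Ubuntu default; assumption


def connect(unix_socket: str | None = DEFAULT_SOCKET,
            host: str = "127.0.0.1", port: int = 3310):
    """Return a ClamdUnixSocket or ClamdNetworkSocket client, verified with PING."""
    import clamd  # imported here so the pure helpers work without the package
    if unix_socket:
        cd = clamd.ClamdUnixSocket(path=unix_socket)
    else:
        cd = clamd.ClamdNetworkSocket(host=host, port=port)
    if cd.ping() != "PONG":
        raise RuntimeError("clamd did not answer PING")
    return cd


def parse_verdict(result: dict) -> tuple[bool, str | None]:
    """Reduce an instream()/scan() result to (infected, signature).

    clamd returns {"<path or 'stream'>": ("OK", None)}, ("FOUND", "<sig>") or
    ("ERROR", "<message>"). An ERROR (for example a stream that exceeded
    StreamMaxLength) is raised rather than silently treated as clean.
    """
    if len(result) != 1:
        raise ValueError(f"expected exactly one entry, got {result!r}")
    (status, detail), = result.values()
    if status == "OK":
        return False, None
    if status == "FOUND":
        return True, detail
    raise RuntimeError(f"clamd error: {detail}")


def scan_bytes(cd, data: bytes) -> tuple[bool, str | None]:
    """Stream data to clamd (no temp file needed) and return (infected, signature)."""
    return parse_verdict(cd.instream(io.BytesIO(data)))


if __name__ == "__main__":
    cd = connect()
    print("ClamAV:", cd.version())
    for label, blob in (("eicar", EICAR), ("benign", b"hello, world\n")):
        infected, sig = scan_bytes(cd, blob)
        print(f"{label}: {'FOUND ' + sig if infected else 'clean'}")
```

INSTREAM is preferable to scan(path) whenever clamd runs as another user or in a separate container: the daemon never needs read access to your file, and nothing has to be written to disk. The trade-off is the daemon's StreamMaxLength limit, which is why parse_verdict refuses to treat an ERROR status as a clean result.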


7. r2pipe

r2pipe is the Python API for radare2. Radare2 is a free toolchain and framework for reverse engineering and analysing binaries, used for low-level tasks such as forensics, debugging, reverse engineering, exploit development and more.

It is made up of a set of libraries and programs that can be automated from almost any programming language, and can be used to analyse malware, simplify repetitive tasks, emulate a section of code, decrypt strings, or reverse engineer many binaries in a batch.

The r2pipe Python library is the simplest and most effective way to script radare2: it essentially exposes one function, cmd(), which takes a string holding the r2 command to run and returns its output as a string, plus cmdj(), which runs a command with JSON output and returns the parsed result. Install r2pipe with pip:

pip install r2pipe

Links: r2pipe documentation, radare2 (r2) documentation
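Since cmd() and cmdj() are the whole API, a triage script is mostly a matter of choosing commands and filtering their JSON. The script below is an added example, not code from the radare2 project: it opens a binary with r2pipe, runs the analysis pass and pulls out imports and strings worth reading first. The watchlist is a starting set, not a verdict, and SAMPLE_IMPORTS / SAMPLE_STRINGS are constructed records in the shape of r2's iij and izj output so the filters can run without a binary.

```python
"""Quick static triage of a binary with r2pipe: imports and strings that merit a look.

Added example; not code from the radare2 project. SAMPLE_IMPORTS and
SAMPLE_STRINGS are constructed to mirror r2's `iij` and `izj` records.
"""
from __future__ import annotations
import re

# API names that commonly appear in injection, unpacking and beaconing code.
# Presence alone proves nothing; they tell you where to start reading.
WATCHLIST = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "NtUnmapViewOfSection", "SetWindowsHookExA",
    "IsDebuggerPresent", "CreateToolhelp32Snapshot", "URLDownloadToFileA",
    "InternetOpenA", "WinExec", "ShellExecuteA", "CryptEncrypt",
}
# URLs, dotted-quad IPs, UNC paths and registry roots.
_NETWORK = re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b|\\\\[^\\]+\\|\bHKEY_", re.I)


def bare_name(entry: dict) -> str:
    """Return the API name from an `iij` record.

    Newer r2 versions give {"name": "VirtualAlloc", "libname": "KERNEL32.dll"};
    older ones fold the DLL into the name as "KERNEL32.dll_VirtualAlloc".
    """
    name = entry.get("name", "")
    if "libname" not in entry and "_" in name and "." in name.split("_", 1)[0]:
        name = name.split("_", 1)[1]
    return name


def suspicious_imports(imports: list[dict]) -> list[str]:
    """Watchlisted imports, de-duplicated and sorted."""
    return sorted({n for n in map(bare_name, imports) if n in WATCHLIST})


def interesting_strings(strings: list[dict], min_len: int = 8) -> list[tuple[int, str]]:
    """(vaddr, string) pairs from `izj` that look like URLs, IPs, UNC paths or registry keys."""
    out = []
    for s in strings:
        text = s.get("string", "")
        if len(text) >= min_len and _NETWORK.search(text):
            out.append((s.get("vaddr", 0), text))
    return sorted(out)


def triage(path: str) -> dict:
    """Open path in r2 (stderr silenced), run analysis, and collect findings."""
    import r2pipe  # imported here so the filters work without radare2 installed
    r2 = r2pipe.open(path, flags=["-2"])      # -2 silences r2's stderr
    try:
        r2.cmd("aaa")                          # analyse functions, xrefs, etc.
        info = r2.cmdj("ij")["bin"]
        return {
            "arch": f'{info["arch"]}-{info["bits"]}',
            "imports": suspicious_imports(r2.cmdj("iij") or []),
            "strings": interesting_strings(r2.cmdj("izj") or []),
            "functions": len(r2.cmdj("aflj") or []),
        }
    finally:
        r2.quit()


# Constructed records in the shape of r2's JSON output (not from a real sample).
SAMPLE_IMPORTS = [
    {"ordinal": 1, "bind": "NONE", "type": "FUNC", "name": "VirtualAllocEx", "libname": "KERNEL32.dll", "plt": 0x40A000},
    {"ordinal": 2, "bind": "NONE", "type": "FUNC", "name": "KERNEL32.dll_WriteProcessMemory", "plt": 0x40A004},
    {"ordinal": 3, "bind": "NONE", "type": "FUNC", "name": "MSVCRT.dll_printf", "plt": 0x40A008},
    {"ordinal": 4, "bind": "NONE", "type": "FUNC", "name": "VirtualAllocEx", "libname": "KERNEL32.dll", "plt": 0x40A00C},
]
SAMPLE_STRINGS = [
    {"vaddr": 0x40C010, "paddr": 0xA010, "size": 32, "length": 31, "type": "ascii", "string": "http://198.51.100.23/update.bin"},
    {"vaddr": 0x40C040, "paddr": 0xA040, "size": 14, "length": 13, "type": "ascii", "string": "Hello, World!"},
    {"vaddr": 0x40C050, "paddr": 0xA050, "size": 41, "length": 40, "type": "ascii", "string": "HKEY_CURRENT_USER\\Software\\Microsoft\\Run"},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage(sys.argv[1]))
    else:   # no binary given: run the filters over the constructed records
        print(suspicious_imports(SAMPLE_IMPORTS), interesting_strings(SAMPLE_STRINGS))
```

Two practical points: "aaa" is the expensive step, so drop to "aa" for very large binaries when you only need imports and strings, and always call quit() (here via finally) or each run leaves an r2 process behind. The bare_name() shim is there because the iij record layout changed between radare2 releases, which is the kind of thing that quietly breaks a triage pipeline.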



