Analyzing malware can be a fairly complex affair. Depending on the complexity of the sample you're analyzing there are many approaches you can take, and each of them will typically require several tools or scripts. This is where Viper comes into play.

Created by Claudio ‘nex’ Guarnieri, Viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that allow you to add, search and work with samples. Where it comes into its own is through the community-contributed modules, which greatly extend Viper's functionality.

At the time of writing the built-in commands and the available modules are as follows.

Commands

  • clear – Clear the console
  • close – Close the current session
  • delete – Delete the opened file
  • export – Export the current session to file or zip
  • find – Find a file
  • help – Show this help message
  • info – Show information on the opened file
  • notes – View, add and edit notes on the opened file
  • open – Open a file
  • projects – List or switch existing projects
  • sessions – List or switch sessions
  • store – Store the opened file to the local repository
  • tags – Modify tags of the opened file

Modules

  • apk – Parse Android Applications
  • cuckoo – Submit the file to Cuckoo Sandbox
  • debup – Parse McAfee BUP Files
  • editdistance – Edit distance on the filenames
  • email – Parse eml and msg email files
  • exif – Extract Exif MetaData
  • fuzzy – Search for similar files through fuzzy hashing
  • html – Parse html files and extract content
  • ida – Start IDA Pro
  • idx – Parse Java idx files
  • image – Perform analysis on images
  • jar – Parse Java JAR archives
  • office – Office Document Parser
  • pdf – Extract PDF Stream Information
  • pe – Extract information from PE32 headers
  • reports – Online Sandboxes Reports
  • shellcode – Search for known shellcode patterns
  • strings – Extract strings from file
  • virustotal – Lookup the file on VirusTotal
  • xor – Search for xor Strings
  • yara – Run Yara scan


For this installation I'm going to use a basic Ubuntu Server 14.04 install. I won't bother you with setting up Linux; it should be easy enough to follow the steps.

The setup and installation process for Viper is not overly complicated, but there are several third-party components that we need to build in order to enable all of Viper's features.

Pre Install

Let's make sure our Ubuntu is up to date and then grab the additional packages we are going to need (compilers and autotools for the builds below, Python headers and pip for the bindings, ExifTool for the exif module, and SWIG plus the OpenSSL headers for the YARA and ssdeep bindings).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential python-dev python-pip git automake libtool libimage-exiftool-perl swig libssl-dev

3rd Party Sources

There are some third-party sources that we need in order to make use of all the available features in Viper. For this we need to download and build a few projects from source.

I like to keep all the temporary build files in one place so I don't end up with bits and pieces all over the filesystem; everything below is built under ~/tmp_build.

mkdir ~/tmp_build
cd ~/tmp_build

From here I'll download all the files I'm going to need. (Please check for the latest versions if you're following this guide literally.)

YARA – The pattern matching Swiss army knife for malware researchers (and everyone else) – must be version 2.x or greater.

Download the v3.0.0 release tarball into ~/tmp_build, unpack it and run the standard autotools build (bootstrap, configure, make, install):

tar zxf v3.0.0.tar.gz
cd yara-3.0.0/
./bootstrap.sh
./configure
make
sudo make install

Test that YARA runs. Running yara with no arguments should print its usage text:

usage:  yara [OPTION]... RULES_FILE FILE | PID
 -t <tag>          only print rules tagged as <tag>.
 -i <identifier>   only print rules named <identifier>.
 -n                only print not satisfied rules (negate).
 -g                print tags.
 . . .

If yara instead complains that libyara.so cannot be found, run sudo ldconfig so the freshly installed shared library is picked up.

Now let's build the Python bindings, which live in the yara-python directory of the source tree:

cd yara-python/
sudo python setup.py install
</gra_replace_placeholder_never_used>

Then return to the root of our build directory, ready for the next one.

cd ~/tmp_build/

ssdeep – Computing context triggered piecewise hashes, also called fuzzy hashes.

Grab the latest version and away we go. Tested with version 2.10. Like YARA it is an autotools project, so configure and build before installing:

tar zxf ssdeep-2.10.tar.gz
cd ssdeep-2.10/
./configure
make
sudo make install

Let's install the Python bindings to go with it:

sudo pip install pydeep

Test that it works, then return to our tmp_build directory:

ssdeep -h
cd ~/tmp_build/

Androguard – Reverse engineering, malware and goodware analysis of Android applications … and more (ninja!)

If you want to use Viper to analyze Android APKs and decompile Java class files we need to install Androguard. I leave it up to you to decide whether you want to include all of Androguard's optional dependencies; a basic install of the 1.9 release works fine.

tar zxf androguard-1.9.tar.gz
cd androguard-1.9/
sudo python setup.py install


pyexiftool is the Python wrapper around ExifTool (installed above via libimage-exiftool-perl). It lets us pull metadata out of files and can display a wealth of information.

git clone
cd pyexiftool
sudo python setup.py install

Viper and Python Dependencies

Viper itself has a few extra Python dependencies, and each module may have its own as well. For the most part module authors will add them to the requirements.txt file that ships with Viper.

cd into the directory you want to run Viper from, clone the repository and install the requirements:

git clone
cd viper
sudo pip install -r requirements.txt

If everything worked we should now be able to start the Viper shell by running viper.py from the cloned directory.
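Before starting the shell it is worth confirming that every third-party piece above actually landed, since a missing library only shows up later as a module that silently refuses to load. The script below is an added example written for this post, not part of Viper or any of the projects above. It assumes yara answers --version and ssdeep answers -V, that the guide's "2.x or greater" requirement for YARA is what the yara module needs, and that the Python bindings import as yara, pydeep, androguard and exiftool (the module names and version flags are assumptions based on the installs above).

```shell
#!/bin/sh
# check_viper_deps.sh - verify the tools built above before starting Viper.
# Added example for this post; not part of Viper.
# Assumptions: `yara --version` and `ssdeep -V` print a version string, and
# the bindings import as the Python modules yara, pydeep, androguard, exiftool.

PYTHON="${PYTHON:-python}"   # the guide installs everything for the system python

# first_version STRING -> prints the first dotted number (e.g. 2.10) in STRING.
# Needs at least one dot; a bare "3" is not matched.
first_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*[0-9]' | head -n 1
}

# version_ge A B -> succeeds if dotted numeric version A >= B
# (only digits and dots are handled; suffixes like -rc1 are not).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ -z "$x" ]; then x=0; fi
        if [ -z "$y" ]; then y=0; fi
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_bin NAME -> succeeds if NAME is on PATH
check_bin() {
    command -v "$1" >/dev/null 2>&1
}

# check_pymod MODULE -> succeeds if $PYTHON can import MODULE
check_pymod() {
    "$PYTHON" -c "import $1" >/dev/null 2>&1
}

# run_checks -> prints one line per check and returns the number of failures
run_checks() {
    failures=0
    # Viper's yara module needs YARA 2.x or newer.
    if check_bin yara; then
        v="$(first_version "$(yara --version 2>&1)")"
        if version_ge "$v" 2.0; then
            echo "ok   yara $v"
        else
            echo "FAIL yara $v is older than 2.0"; failures=$((failures + 1))
        fi
    else
        echo "FAIL yara not found on PATH (did you run ldconfig?)"; failures=$((failures + 1))
    fi
    if check_bin ssdeep; then
        echo "ok   ssdeep $(first_version "$(ssdeep -V 2>&1)")"
    else
        echo "FAIL ssdeep not found on PATH"; failures=$((failures + 1))
    fi
    if check_bin exiftool; then
        echo "ok   exiftool"
    else
        echo "FAIL exiftool (libimage-exiftool-perl) not found"; failures=$((failures + 1))
    fi
    for mod in yara pydeep androguard exiftool; do
        if check_pymod "$mod"; then
            echo "ok   python module $mod"
        else
            echo "FAIL python module $mod does not import"; failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Only run the checks when invoked as:  sh check_viper_deps.sh run
# so the functions can also be sourced on their own.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it as sh check_viper_deps.sh run; a non-zero exit status means at least one component is missing, and the FAIL lines tell you which section above to revisit.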


I'll cover using Viper in more detail in some upcoming posts. For now here is a quick example from the main site.

Documentation and Help

The Viper documentation is still being written. If you have any questions, or better still something to contribute, head over to the Git repo or jump on to #viper.


As usual: questions, queries and comments below.