From 06d88bb5ebbf8c59bca8bcb41a94b06bedb33644 Mon Sep 17 00:00:00 2001 From: liebesu Date: Fri, 11 Sep 2015 17:00:16 +0800 Subject: [PATCH] Create remnuxtools.html add remnuxtools --- remnuxtools.html | 192 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 remnuxtools.html diff --git a/remnuxtools.html b/remnuxtools.html new file mode 100644 index 0000000..ead7c6f --- /dev/null +++ b/remnuxtools.html 
@@ -0,0 +1,192 @@ +REMnux Tools + +Category Tool Name How to Invoke (Basic Command) Description Package Tool Source/Info +Edit and View Files: Binary VBinDiff vbindiff Compare binary files vbindiff (APT) http://www.cjmweb.net/vbindiff/ +Edit and View Files: Binary wxHexEditor wxHexEditor Graphical hex editor wxhexeditor (APT) http://sourceforge.net/projects/wxhexeditor/ +Edit and View Files: Documents Xpdf xpdf PDF viewer xpdf (APT) http://www.foolabs.com/xpdf/ +Edit and View FIles: Images feh feh Image viewer feh (APT) http://feh.finalrewind.org/ +Edit and View Files: Images ImageMagick display Image viewer imagemagick (APT) http://www.imagemagick.org/ +Edit and View Files: Text Geany geany Powerful text editor with an integrated developer environment geany (APT) http://www.geany.org/ +Edit and View Files: Text SciTE scite Simple, yet powerful text editor scite (APT) http://www.scintilla.org/SciTE.html +Examine Browser Malware: Flash extract_swf extract_swf.py Extract Flash object from files remnux-scripts (APT) https://gist.github.com/noonat/821548 +Examine Browser Malware: Flash flare flare Extract and decompile ActionScript from SWF files remnux-flare (APT) http://www.nowrap.de/flare.html +Examine Browser Malware: Flash RABCDAsm rabcdasm, abcexport Examine ActionScript from Flash files remnux-rabcdasm (APT) https://github.com/CyberShadow/RABCDAsm +Examine Browser Malware: Flash SWF Tools swfdump, swfextract, swfstrings, etc. 
A toolkit for examining, creating and modifying Flash files swftools (APT) http://www.swftools.org/ +Examine Browser Malware: Flash xxxswf xxxswf.py Extract Flash objects from other files remnux-scripts (APT) https://bitbucket.org/Alexander_Hanel/xxxswf +Examine Browser Malware: Java CFR cfr Decompile Java class files remnux-cfr (APT) http://www.benf.org/other/cfr/ +Examine Browser Malware: Java Jad jad Java Decompiler remnux-jad (APT) http://varaneckas.com/jad +Examine Browser Malware: Java Java Cache IDX Parser idx_parser.py Examine Java IDX files remnux-scripts (APT) https://github.com/Rurik/Java_IDX_Parser/ +Examine Browser Malware: Java Java Decompiler jd-gui Decompile Java class files remnux-jd-gui (APT) http://jd.benow.ca/ +Examine Browser Malware: JavaScript ExtractScripts extractscripts.py Extract JavaScript scripts from an HTML file remnux-didier (APT) http://blog.didierstevens.com/programs/extractscripts/ +Examine Browser Malware: JavaScript Firebug firefox, F12 JavaScript debugger for Firefox get-remnux http://getfirebug.com/ +Examine Browser Malware: JavaScript JS Beautifier js-beautify Reformat JavaScript scripts to improve their readability jsbeautifier (PIP) https://github.com/einars/js-beautify +Examine Browser Malware: JavaScript JSDetox jsdetox Decode obfuscated JavaScript remnux/jsdetox (Docker) http://www.relentless-coding.com/projects/jsdetox/ +Examine Browser Malware: JavaScript objects.js js -f /usr/share/remnux/objects.js -f malware.js Library of JavaScript objects commonly defined by a browser or a PDF reader remnux-config (APT) +Examine Browser Malware: JavaScript Rhino Debugger rhino-debugger Standalone JavaScript debugger rhino (APT) https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Debugger +Examine Browser Malware: JavaScript SpiderMonkey js, js-didier JavaScript engine from Mozilla libmozjs-24-bin (APT),  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey + remnux-js-didier (APT) +Examine Browser 
Malware: JavaScript V8 d8 Command-line shell (d8) for the JavaScript engine from Google (V8) remnux-v8 (APT) https://code.google.com/p/v8/ +Examine Browser Malware: Websites Automater cd /opt/remnux-automater && ./Automater.py Look up URL/Domain, IP and MD5 hash details remnux-automater (APT) http://www.tekdefense.com/automater/ +Examine Browser Malware: Websites Burp Proxy Free Edition burpsuite Analyze and interact with websites in a controlled manner remnux-burpsuite-free (APT) http://portswigger.net/burp/ +Examine Browser Malware: Websites CapTipper cd /opt/remnux-captipper && sudo ./CapTipper.py Examine network traffic and carve PCAP capture files remnux-captipper (apt) https://github.com/omriher/CapTipper + YaraPcap yaraPcap.py Scan and carve PCAP files for contents that match your Yara signatures remnux-scripts (APT) https://github.com/kevthehermit/YaraPcap +Examine Browser Malware: Websites curl curl Command-line tool for retrieving website contents curl (APT) http://curl.haxx.se/ +Examine Browser Malware: Websites Firefox firefox Web browser firefox (APT) http://www.mozilla.org/firefox +Examine Browser Malware: Websites mitmproxy mitmproxy, mitmdump Intercept, modify, replay and save HTTP and HTTPS traffic mitmproxy (PIP) http://mitmproxy.org/ +Examine Browser Malware: Websites Network Miner Free Edition NetworkMiner Examine network traffic and carve PCAP capture files remnux-network-miner (APT) http://www.netresec.com/?page=NetworkMiner +Examine Browser Malware: Websites pdns passive.py Perform passive DNS lookups remnux-python-pdns (APT) https://github.com/REMnux/distro/blob/v6/passive.py +Examine Browser Malware: Websites pdnstool pdnstool Perform passive DNS lookups passivedns-client (Gem) https://github.com/chrislee35/passivedns-client +Examine Browser Malware: Websites QuickJava firefox, QJ button Toggle Firefox' support for risky web contents get-remnux https://addons.mozilla.org/en-US/firefox/addon/quickjava/ +Examine Browser Malware: Websites 
tcpflow tcpflow Examine network traffic and carve PCAP capture files tcpflow (APT) https://github.com/simsong/tcpflow +Examine Browser Malware: Websites tcpxtract tcpxtract Extract files from network traffic tcpxtract (APT) http://tcpxtract.sourceforge.net/ +Examine Browser Malware: Websites Thug thug.py Honeyclient for investigating suspicios websites remnux-thug (APT) https://github.com/buffer/thug +Examine Browser Malware: Websites Tor tor start Tools for directing network traffic through anonymizing proxies tor (APT) https://www.torproject.org/ + torsocks (APT) +Examine Browser Malware: Websites Wget wget Command-line tool for retrieving website contents wget (APT) https://www.gnu.org/software/wget/ +Examine Document Files: Microsoft Office emldump emldump.py Examine suspicious MIME files remnux-didier (APT) https://isc.sans.edu/diary/Malicious+Word+Document+This+Time+The+Maldoc+Is+A+MIME+File/19673/ + MSGConvert msgconvert Convert Microsoft email clients' .MSG files to mime/mbox (RFC822) .EML file format package libemail-outlook-message-perl (APT) http://www.matijs.net/software/msgconv/ +Examine Document Files: Microsoft Office libolecf olecfexport, olecfinfo, olecfmount Analyze OLE2 files libolecf-tools (APT) https://github.com/libyal/libolecf +Examine Document Files: Microsoft Office officeparser officeparser.py Extract embedded files and macros from office documents remnux-scripts (APT) https://github.com/unixfreak0037/officeparser +Examine Document Files: Microsoft Office oledump oledump.py Examine suspicious Microsoft Office files remnux-didier (APT) http://blog.didierstevens.com/programs/oledump-py/ +Examine Document Files: Microsoft Office oletools olevba, olebrowse, oletimes, rtfobj, pyxswf, etc. 
Analyze OLE2 files remnux-oletools (APT) http://www.decalage.info/python/oletools +Examine Document Files: Microsoft Office pyOLEScanner.py pyOLEScanner.py Examine suspicious Microsoft Office files remnux-scripts (APT) https://github.com/Evilcry/PythonScripts/raw/master/ +Examine Document Files: PDF AnalyzePDF AnalyzePDF.py Examine a malicious PDF file remnux-scripts (APT) https://github.com/hiddenillusion/AnalyzePDF +Examine Document Files: PDF Origami pdfwalker, pdfextract, pdfcop, etc. Framework for examining, creating and modifying PDF files origami (Gem) https://code.google.com/p/origami-pdf/ +Examine Document Files: PDF PDF X-RAY Lite pdfxray_lite.py Examine the PDF document structure and contents remnux-pdfxray-lite (APT) https://github.com/9b/pdfxray_lite +Examine Document Files: PDF pdfid pdfid Locate common suspicious artifacts in a PDF file remnux-didier (APT) http://blog.didierstevens.com/programs/pdf-tools/ +Examine Document Files: PDF Pdfobjflow pdf-parser.py | pdfobjflow.py Visualizes the output from pdf-parser remnux-scripts (APT) http://www.aldeid.com/wiki/Pdfobjflow +Examine Document Files: PDF pdf-parser pdf-parser.py Examine a suspicious PDF file remnux-didier (APT) http://blog.didierstevens.com/programs/pdf-tools/ +Examine Document Files: PDF PDFtk pdftk Edit PDF files pdftk (APT) http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/ +Examine Document Files: PDF peepdf peepdf Analyze suspicious PDF files remnux-peepdf (APT) http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases +Examine Document Files: PDF swf_mastah swf_mastah Extract Flash SWF objects from PDF files remnux-pdfxray-lite (APT) http://blog.9bplus.com/snatching-swf-from-pdfs-made-easier/ +Examine Document Files: Shellcode dism-this dism-this.py Analyze disassembled data within file objects remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html +Examine Document Files: Shellcode sctest sctest Emulate shellcode execution libemu2 (APT) 
http://libemu.carnivore.it/ +Examine Document Files: Shellcode shellcode2exe.py shellcode2exe.py Create a Windows executable file out of shellcode remnux-scripts (APT) https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py +Examine Document Files: Shellcode unicode2hex-escaped unicode2hex-escaped Clean up and convert Unicode to hex remnux-config (APT) +Examine Document Files: Shellcode unicode2raw unicode2raw Clean up and convert Unicode to raw remnux-config (APT) +Examine FIle Properties and Contents: Define Autorule autorule.py Automatically define Yara signatures for a set of files remnux-scripts (APT) http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/ +Examine FIle Properties and Contents: Define IOCextractor IOCextractor.py Extract IOCs from a text report file remnux-scripts (APT) https://github.com/stephenbrannon/IOCextractor +Examine FIle Properties and Contents: Define Rule Editor rule-editor Edit IOC Yara, Snort and OpenIOC rules remnux-rule-editor (APT) https://github.com/ifontarensky/RuleEditor +Examine FIle Properties and Contents: Define YaraGenerator yaraGenerator.py Generate Yara rules for designated files remnux-scripts (APT) https://github.com/Xen0ph0n/YaraGenerator +Examine File Properties and Contents: Hashes Hash Identifier hash_id Identify the different types of hashes used to encrypt data and especially passwords remnux-scripts (APT) https://code.google.com/p/hash-identifier/ +Examine File Properties and Contents: Hashes nsrllookup nsrllookup Look up file hashes on an NSRL database server remnux-nsrllookup (APT) https://github.com/rjhansen/nsrllookup +Examine File Properties and Contents: Hashes ssdeep ssdeep Define and scan for a "fuzzy" signature of a file ssdeep (APT) http://ssdeep.sourceforge.net/ +Examine File Properties and Contents: Hashes totalhash totalhash.py Look up a suspicious file hash in the totalhash.com database remnux-scripts (APT) 
https://gist.github.com/malc0de/10270150 +Examine File Properties and Contents: Hashes virustotal-search virustotal-search.py Look up a suspicious file hash in the virustotal.com database remnux-didier (APT) http://blog.didierstevens.com/programs/virustotal-tools/ + VirusTotalApi vt Interact with VirusTotal from the command-line remnux-virustotalapi (APT) https://github.com/doomedraven/VirusTotalApi +Examine File Properties and Contents: Scan ClamAV clamscan Clam antivirus engine clamav-daemon (APT) http://www.clamav.net/ +Examine file properties and contents: Scan Disitool disitool.py Manipulate digital signatures of Windows executables remnux-didier (APT) http://blog.didierstevens.com/programs/disitool/ +Examine File Properties and Contents: Scan ExifTool exiftool Extract file properties libimage-exiftool-perl (APT) http://www.sno.phy.queensu.ca/~phil/exiftool/ +Examine File Properties and Contents: Scan TrID trid, tridupdate Identify file types remnux-trid (APT) http://mark0.net/soft-trid-e.html +Examine File Properties and Contents: Scan virustotal-submit virustotal-submit.py Submit samples to VirusTotal remnux-didier (APT) http://blog.didierstevens.com/programs/virustotal-tools/ +Examine File Properties and Contents: Scan Yara yara Identify and classify malware samples yara (APT) http://plusvic.github.io/yara/ +Examine Memory Snapshots AESKeyFinder aeskeyfind Locate embedded AES keys aeskeyfind (APT) +Examine Memory Snapshots findaes findaes Locate embedded AES keys remnux-findaes (APT) http://jessekornblum.livejournal.com/269749.html +Examine Memory Snapshots Rekall rekall Memory forensics tool and framework rekall (PIP) http://www.rekall-forensic.com/ +Examine Memory Snapshots RSAKeyFinder rsakeyfind Locate embedded RSA keys rsakeyfind (APT) +Examine Memory Snapshots Volatility Framework vol.py Memory forensics tool and framework python-volatility (APT) https://github.com/volatilityfoundation/volatility +Examine Memory Snapshots VolDiff VolDiff.py Spot 
changes in memory images using Volatility remnux-scripts (APT) https://github.com/aim4r/VolDiff +Extract and Decode Artifacts: Carving bulk_extractor bulk_extractor, then BBViewer Scan a disk image, a file, or a directory of files and extracts useful information bulk-extractor (APT) https://github.com/simsong/bulk_extractor/ +Extract and Decode Artifacts: Carving Foremost foremost Carve contents of files foremost (APT) http://foremost.sourceforge.net/ +Extract and Decode Artifacts: Carving Hachoir hachoir-subfile, hachoir-metadata, hachoir-urwid View, edit and carve contents of various binary file types python-hachoir-* (APT) https://bitbucket.org/haypo/hachoir +Extract and Decode Artifacts: Carving pe-carv.py pe-carv.py Carve out PE files remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2013/03/pe-carvpy-ascii-hex-and-overlays.html +Extract and Decode Artifacts: Carving Scalpel scalpel Carve contents of files scalpel (APT) http://www.forensicswiki.org/wiki/Scalpel +Extract and Decode Artifacts: Deobfuscate Balbuzard balbuzard.py Extract and decode suspicious patterns from malicious files remnux-balbuzard (APT) https://bitbucket.org/decalage/balbuzard/wiki/Home + bbcrack.py + bbharvest.py + bbtrans.py +Extract and Decode Artifacts: Deobfuscate brxor.py brxor.py Bruteforce all possible 1-byte XOR keys and show the resulting strings that include an English word. 
remnux-scripts (APT) https://github.com/REMnux/distro/blob/v6/brxor.py +Extract and Decode Artifacts: Deobfuscate ex_pe_xor ex_pe_xor.py Carve out single-byte XOR encoded executables from files remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html +Extract and Decode Artifacts: Deobfuscate NoMoreXOR NoMoreXOR.py Guess 256-byte XOR keys by using frequency analysis remnux-scripts (APT) https://github.com/hiddenillusion/NoMoreXOR +Extract and Decode Artifacts: Deobfuscate unXOR unxor.py Guess a XOR key via known-plaintext attacks remnux-scripts (APT) https://github.com/tomchop/unxor/ +Extract and Decode Artifacts: Deobfuscate XORBruteForcer xorBruteForcer.py implements a XOR bruteforcing of a given file remnux-scripts (APT) http://eternal-todo.com/category/bruteforce +Extract and Decode Artifacts: Deobfuscate XORSearch xorsearch Locate and decode strings obfuscated using common techniques remnux-didier (APT) http://blog.didierstevens.com/programs/xorsearch/ +Extract and Decode Artifacts: Deobfuscate XORStrings xorstrings Locate and decode XOR-obfuscated strings remnux-didier (APT) http://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/ +Extract and Decode Artifacts: Deobfuscate xortool xortool Locate and deobuscate contents encoded using a multi-byte XOR cipher xortool (PIP) https://github.com/hellman/xortool + xortool-xor +Extract and Decode Artifacts: Extract Strings pestr pestr Extract strings from a PE file remnux-pev (APT) http://pev.sourceforge.net/ +Extract and Decode Artifacts: Extract Strings strdeobj strdeobj.pl Extract and decode strings defined as arrays remnux-scripts (APT) http://totalhash.com/download/strdeob.pl.txt +Investigate Linux Malware: Debug Evan's Debugger (EDB) edb Debug EFL binary files remnux-edb-debugger (APT) http://codef00.com/projects#debugger +Investigate Linux Malware: Debug GDB gdb A powerful debugger gdb-minimal (APT) http://www.sourceware.org/gdb/ +Investigate Linux Malware: Investigate m2elf 
m2elf.pl Create an ELF binary file out of shellcode remnux-scripts (APT) https://github.com/XlogicX/m2elf +Investigate Linux Malware: System Sysdig sysdig Track and examine local system activities on a Linux system sysdig (APT) http://www.sysdig.org/ +Investigate Linux Malware: System Unhide unhide Find local hidden processes or connections on a Linux system unhide (APT) http://www.unhide-forensics.info/ +Investigate Linux Malware: Trace ltrace ltrace Trace library calls ltrace (APT) http://ltrace.org/ +Investigate Linux Malware: Trace strace strace Trace system calls and signals strace (APT) http://sourceforge.net/projects/strace/ +Investigate Mobile Malware AndroGuard androlyze.py, androdiff.py, androrisk.py, apkviewer.py, etc. Analyze Android applications remnux-androguard (APT) https://github.com/androguard/androguard +Investigate Mobile Malware Androwarn cd /opt/remnux-androwarn && ./androwarn.py Android static code analyzer remnux-androwarn (APT) https://github.com/maaaaz/androwarn +Library Capstone from capstone import * Multi-architecture disassembly framework python-capstone (APT) http://www.capstone-engine.org/ +Library Cybox import cybox Python library for parsing, manipulating, and generating CybOX content cybox (PIP) https://github.com/CybOXProject/python-cybox +Library Disass from disass.Disass32 import Disass32 Binary analysis library for Python https://bitbucket.org/cybertools/disass +Library diStorm3 import distorm3 Library for disassembling binary files distorm3 (PIP),  https://code.google.com/p/distorm/ + libdistorm64-1 (APT) +Library IOC Writer from ioc_writer import?/td> Python library for creating and editing OpenIOC objects remnux-ioc-writer https://github.com/mandiant/ioc_writer +Library Javassist Import /usr/share/java/javassist.jar Analyze Java bytecode libjavassist-java (APT) http://www.javassist.org +Library OfficeDissector import officedissector Examine suspicious Microsoft Office XML-based files remnux-officedissector (APT) 
https://github.com/grierforensics/officedissector +Library olefile import olefile Python library to read/write MS OLE2 files olefile (PIP) http://www.decalage.info/olefile +Library pefile import pefile A library for examining PE file contents remnux-pefile (APT) https://code.google.com/p/pefile/ +Library pyexiftool import exiftool Python wrapper library for the ExifTool remnux-pyexiftool (APT) http://smarnach.github.io/pyexiftool/ +Library pylibemu import pylibemu Library for accessing Libemu functionality remnux-pylibemu (APT) https://github.com/buffer/pylibemu +Library pyssdeep from ssdeep import ssdeep Python wrapper library for the ssdeep tool remnux-python-ssdeep (APT) https://code.google.com/p/pyssdeep/ +Library PyV8 import PyV8 Python wrapper library for the Google V8 engine remnux-pyv8 (APT) https://code.google.com/p/pyv8/ +Library xortools from xortools import rolling_xor Library for decoding XOR-obfuscated contents remnux-scripts (APT) https://github.com/hiddenillusion/yara-goodies/blob/master/xortools.py +Library Yara Library import yara Python library to identify and classify malware samples libyara3, python-yara, libyara-dev (APT) http://plusvic.github.io/yara/ +Library Yara Rules yara /opt/remnux-rules/ ?/td> Rules/signatures for spotting malicious characteristics in files remnux-rules (APT) https://github.com/Yara-Rules/rules +Network: Misc. EPIC IRC Client irc IRC client epic5 (APT) http://www.epicsol.org/ +Network: Misc. Netcat nc Flexible network client and server netcat (APT) http://netcat.sourceforge.net/ +Network: Misc. prettyping.sh pping Ping a host while looking pretty remnux-scripts (APT) https://bitbucket.org/denilsonsa/small_scripts/src/3ec16014c839ea0852fae492813ad2293bd61155/prettyping.sh +Network: Misc. set-static-ip set-static-ip Temporarily assign a static IP remnux-config (APT) +Network: Misc. 
stunnel stunnel SSL encryption wrapper stunnel (APT) https://www.stunnel.org/ +Network: Services accept-all-ips accept-all-ips Accept and redirect network traffic to all IPs remnux-scripts (APT) +Network: Services FakeDNS fakedns Respond to DNS queries with a specified IP address remnux-scripts (APT) http://code.activestate.com/recipes/491264-mini-fake-dns-server/ +Network: Services fakeMail fakemail Fake mail server that captures emails messages sent through it without retransmitting them remnux-scripts (APT) http://sourceforge.net/projects/fakemail/ +Network: Services INetSim inetsim Emulate common network services inetsim (APT) http://www.inetsim.org/ +Network: Services Inspire IRCd ircd start IRC server inspircd (APT) http://www.inspircd.org/ +Network: Services Nginx httpd start A web server nginx (APT) http://nginx.org/ +Network: Services OpenSSH sshd start SSH server openssh-server (APT) http://www.openssh.com/ +Network: Sniffing ngrep ngrep Sniff the network while looking for patterns that match the specified regular expressions ngrep (APT) http://ngrep.sourceforge.net/ +Network: Sniffing TCPDump tcpdump Command-line network sniffer tcpdump (APT) http://www.tcpdump.org/ +Network: Sniffing tcpick tcpick Sniffer that reassembles TCP streams tcpick (APT) http://tcpick.sourceforge.net/ +Network: Sniffing Wireshark wireshark Network sniffer wireshark (APT) http://www.wireshark.org/ +Other tasks bashacks See "man bashacks" Useful Bash shell functions remnux-bashacks (APT) https://github.com/merces/bashacks +Other tasks Docker docker, docker-update-images Run applications as isolated containers on the local host docker.io (APT) http://www.docker.com/ +Other tasks ProcDOT procdot Visualize and examine the output of Process Monitor and network sniffer logs remnux-procdot (APT) http://www.procdot.com/ +Other tasks REMnux Updater update-remnux Update or upgrade the REMnux distro on the local host remnux-scripts (APT) https://REMnux.org +Other tasks vtTool vtTool.py 
Determine malware name by querying VirusTotal remnux-vttool (APT) https://code.google.com/p/malware-crawler/wiki/vtTool +Other tasks Decompyle++ pycdas, pycdc Python bytecode disassembler and decompiler remnux-pycdc (APT) https://github.com/zrax/pycdc +Process Multiple Samples Maltrieve maltrieve Retrieve malware from malicious sites remnux/maltrieve (Docker) https://github.com/technoskald/maltrieve +Process Multiple Samples MASTIFF mas Perform static analysis of suspicious files remnux-mastiff (APT) https://git.korelogic.com/mastiff.git/ +Process Multiple Samples Ragpicker cd /opt/remnux-ragpicker && ./ragpicker.py Plugin based malware crawler and downloader with pre-analysis and reporting functionalities remnux-ragpicker (APT) https://code.google.com/p/malware-crawler/ +Process Multiple Samples Viper viper Store, classify and investigate suspicious binary files remnux-viper (APT) https://github.com/botherder/viper +Process Multiple Samples WIPSTER Installer install-wipster Install web interface for MASTIFF and other tools remnux-scripts (APT) https://github.com/TheDr1ver/WIPSTER +Statically Examine PE files: Disassemble objdump objdump Disassemble binary files binutils (APT) http://en.wikipedia.org/wiki/Objdump + +Investigate Linux Malware: Disassemble +Statically Examine PE files: Disassemble Udis86 udcli Disassemble binary files remnux-udis86 (APT) http://udis86.sourceforge.net/ + +Investigate Linux Malware: Disassemble +Statically Examine PE files: Disassemble Vivisect vivbin, vdbbin Statically examine and emulate binary files remnux-vivisect (APT) http://visi.kenshoto.com/viki/Vivisect + +Investigate Linux Malware: Disassemble +Statically Examine PE files: Find Anomalies ExeScan exescan.py Statically examine a PE file and detect suspicious characteristics remnux-scripts (APT) http://securityxploded.com/exe-scan.php +Statically Examine PE files: Find Anomalies pedump pedump Statically examine a PE file pedump (Gem) http://pedump.me/ +Statically Examine PE 
files: Find Anomalies Peframe peframe Statically Examine PE files remnux-peframe (APT) https://github.com/guelfoweb/peframe +Statically Examine PE files: Find Anomalies pescanner pescanner Statically examine a PE file remnux-scripts (APT) https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py +Statically Examine PE files: Find Anomalies pev pepack, pescan, pestr, pehash, readpe, etc. PE file analysis toolkit remnux-pev (APT) http://pev.sourceforge.net/ +Statically Examine PE files: Find Anomalies Signsrch signsrch Locate common code patterns remnux-signsrch (APT) http://aluigi.altervista.org/mytoolz.htm +Statically Examine PE files: Investigate RATDecoders See /opt/remnux-ratdecoders Extract and decode configuration details from common RAT samples remnux-ratdecoders (APT) https://github.com/kevthehermit/RATDecoders +Statically Examine PE files: Investigate DC3-MWCP mwcp-tool.py and "import malwareconfigreporter" A framework for parsing configuration information from malware. 
remnux-dc3-mwcp (APT) https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP +Library +Statically Examine PE files: Investigate readpe.py readpe.py Extract contents of PE file headers remnux-pype32 (APT) https://github.com/crackinglandia/pype32 +Statically Examine PE files: Investigate PyInstaller Extractor pyinstxtractor.py Extract contents of a Windows executable file generated using PyInstaller remnux-scripts (APT) https://sourceforge.net/projects/pyinstallerextractor/ +Statically Examine PE files: Investigate Bokken bokken Interactive static malware analysis tool remnux-bokken (APT) https://inguma.eu/projects/bokken +Investigate Linux Malware: Investigate +Statically Examine PE files: Investigate Pyew pyew Statically examine suspicious files pyew (APT) https://code.google.com/p/pyew/ +Investigate Linux Malware: Investigate +Statically Examine PE files: Investigate Radare 2 radare2 Framework for examining binary files radare2 (APT) https://github.com/radare/radare2 +Investigate Linux Malware: Investigate +Edit and View Files: Binary +Statically Examine PE files: Unpacking Bytehist bytehist Generate byte-usage-histograms for all types of files with a focus PE files remnux-bytehist (APT) https://www.cert.at/downloads/software/bytehist_en.html +Statically Examine PE files: Unpacking Density Scout densityscout Calculates density (like entropy) of files in the specified location, useful for finding packed programs remnux-densityscout (APT) http://www.cert.at/downloads/software/densityscout_en.html +Statically Examine PE files: Unpacking PackerID packerid Help determine which packer was used to protect a PE file remnux-scripts (APT) https://github.com/sooshie/packerid +Statically Examine PE files: Unpacking UPX upx A popular tool for packing and unpacking executable files upx-ucl (APT) http://upx.sourceforge.net/
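Review bot: the "Library IOC Writer" and "Library Yara Rules" rows carry a stray "?/td>" in the How to Invoke cell (after "from ioc_writer import" and after "yara /opt/remnux-rules/"), which looks like a mangled `</td>` closing tag and will render as literal text and throw off the column layout for those rows; replace it with the proper cell close. In the same pass the category labels should be normalized so the table groups cleanly: "Edit and View FIles: Images" and "Examine FIle Properties and Contents: Define" (four rows) should read "Files", "Examine file properties and contents: Scan" should match the capitalized form used by the neighbouring Scan rows, and CapTipper's "(apt)" should be "(APT)" like every other package cell. Wording fixes worth folding in: "Debug EFL binary files" for EDB should be "ELF", "suspicios websites" (Thug) should be "suspicious", "deobuscate" (xortool) should be "deobfuscate", fakeMail's "captures emails messages" should be "captures email messages", and Bytehist's "with a focus PE files" is missing "on".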