linux - reverse engineering tool
Examine Browser Malware
- Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Automater, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper, yaraPcap.py
- Flash: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare
- Java: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, Javassist, CFR
- JavaScript: Rhino Debugger, ExtractScripts, SpiderMonkey, V8, JS Beautifier
Examine Document Files
- PDF: AnalyzePDF, Pdfobjflow, pdfid, pdf-parser, peepdf, Origami, PDF X-RAY Lite, PDFtk, swf_mastah, qpdf, pdfresurrect
- Microsoft Office: officeparser, pyOLEScanner.py, oletools, libolecf, oledump, emldump, MSGConvert, base64dump.py, unicode
- Shellcode: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe
Extract and Decode Artifacts
- Deobfuscate: unXOR, XORStrings, ex_pe_xor, XORSearch, brxor.py, xortool, NoMoreXOR, XORBruteForcer, Balbuzard, FLOSS
- Extract strings: strdeobj, pestr, strings
- Carving: Foremost, Scalpel, bulk_extractor, Hachoir
Handle Network Interactions
- Sniffing: Wireshark, ngrep, TCPDump, tcpick
- Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips
- Miscellaneous network: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel, Just-Metadata
Process Multiple Samples
Examine File Properties and Contents
- Define signatures: YaraGenerator, IOCextractor, Autorule, Rule Editor, ioc-parser
- Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool
- Hashes: nsrllookup, Automater, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi
Investigate Linux Malware
Edit and View Files
Examine Memory Snapshots
Statically Examine PE Files
- Unpacking: UPX, Bytehist, Density Scout, PackerID
- Disassemble: objdump, Udis86, Vivisect
- Find anomalies: Signsrch, pescanner, ExeScan, pev, Peframe, pedump
- Investigate: Bokken, RATDecoders, Pyew, readpe.py, PyInstaller Extractor, DC3-MWCP
Investigate Mobile Malware
- Metasploit Framework is not installed on REMnux; however, you can run it as a Docker container if the need arises.
- WIPSTER offers a web-based interface to several REMnux tools. You can easily install WIPSTER on REMnux by running the command install-wipster.
- BinNavi is a tool for statically examining disassembled code. You can install it on REMnux by running the command install-binnavi.