linux - reverse engineering tool

Examine Browser Malware

• Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Automater, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper, yaraPcap.py
• Flash: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare
• Java: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, Javassist, CFR
• JavaScript: Rhino Debugger, ExtractScripts, SpiderMonkey, V8, JS Beautifier

Examine Document Files

• PDF: AnalyzePDF, Pdfobjflow, pdfid, pdf-parser, peepdf, Origami, PDF X-RAY Lite, PDFtk, swf_mastah, qpdf, pdfresurrect
• Microsoft Office: officeparser, pyOLEScanner.py, oletools, libolecf, oledump, emldump, MSGConvert, base64dump.py, unicode
• Shellcode: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe

Extract and Decode Artifacts

• Deobfuscate: unXOR, XORStrings, ex_pe_xor, XORSearch, brxor.py, xortool, NoMoreXOR, XORBruteForcer, Balbuzard, FLOSS
• Extract strings: strdeobj, pestr, strings
• Carving: Foremost, Scalpel, bulk_extractor, Hachoir

Handle Network Interactions

• Sniffing: Wireshark, ngrep, TCPDump, tcpick
• Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips
• Miscellaneous network: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel, Just-Metadata

Process Multiple Samples

• Maltrieve, Ragpicker, Viper, MASTIFF, Density Scout

Examine File Properties and Contents

• Define signatures: YaraGenerator, IOCextractor, Autorule, Rule Editor, ioc-parser
• Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool
• Hashes: nsrllookup, Automater, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi

Investigate Linux Malware

• System: Sysdig, Unhide
• Disassemble: Vivisect, Udis86, objdump
• Debug: Evan’s Debugger (EDB), GNU Project Debugger (GDB)
• Trace: strace, ltrace
• Investigate: Radare 2, Pyew, Bokken, m2elf, ELF Parser

Edit and View Files

• Text: SciTE, Geany, Vim
• Images: feh, ImageMagick
• Binary: wxHexEditor, VBinDiff
• Documents: Xpdf

Examine Memory Snapshots

• Volatility Framework, findaes, AESKeyFinder, RSAKeyFinder, VolDiff, Rekall, linux_mem_diff_tool

Statically Examine PE Files

• Unpacking: UPX, Bytehist, Density Scout, PackerID
• Disassemble: objdump, Udis86, Vivisect
• Find anomalies: Signsrch, pescanner, ExeScan, pev, Peframe, pedump
• Investigate: Bokken, RATDecoders, Pyew, readpe.py, PyInstaller Extractor, DC3-MWCP

Investigate Mobile Malware

• Androwarn, AndroGuard

Perform Other Tasks

• ProcDOT, bashhacks, Docker, vtTool, REMnux Updater, Decompyle++

Install Additional Tools

• Metasploit Framework is not installed on REMnux; however, you can run it as a Docker container if the need arises.
  
• WIPSTER offers a web-based interface to several REMnux tools. You can easily install WIPSTER on REMnux by running the command install-wipster.
  
• BinNavi is a tool for statically examining disassembled code. You can install it on REMnux by running the command install-binnavi.