Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -44,6 +44,11 @@ RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install --include-deps
 RUN curl -sL https://raw.githubusercontent.com/denisidoro/navi/master/scripts/install | BIN_DIR=/usr/local/bin bash 2>/dev/null \
    || echo "navi installation skipped (offline build)"

+# Install zk (wiki browser with [[wiki-links]], fzf search, backlinks)
+RUN curl -sL https://github.com/zk-org/zk/releases/latest/download/zk-linux-amd64.tar.gz \
+    | tar xz -C /usr/local/bin/ 2>/dev/null \
+    || echo "zk installation skipped (offline build)"
+
 # Create data directory and set permissions
 RUN mkdir -p /data \
    && chown remnux:remnux /data
@@ -67,6 +72,7 @@ ADD data/generated/tools.db /opt/remnux-docs/tools.db
 ADD data/generated/cheatsheets/ /opt/cheatsheets/personal/
 ADD data/generated/workflows/ /opt/remnux-docs/workflows/
 ADD cheatsheets/ /opt/cheatsheets/
+ADD data/generated/wiki/ /opt/wiki/

 # Install legacy help scripts (kept for compatibility)
 ADD scripts/create-offline-help-system.sh /usr/local/bin/create-offline-help-system.sh
@@ -1,4 +1,4 @@
-.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master coverage-report
+.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master generate-wiki coverage-report

 # Default target
 help:
@@ -18,6 +18,7 @@ help:
 	@echo "  coverage          Check help coverage"
 	@echo "  generate-data     Convert FOR610 YAML to JSON"
 	@echo "  generate-master   Build master inventory and all help artifacts"
+	@echo "  generate-wiki     Generate markdown wiki (473 pages)"
 	@echo "  coverage-report   Generate tool coverage gap report"
 	@echo ""

@@ -88,6 +89,11 @@ generate-master: generate-data
 	python3 scripts/generate-coverage-report.py
 	@echo "✓ Master inventory and all artifacts generated"

+# Generate markdown wiki with [[wiki-links]] for zk browser
+generate-wiki:
+	python3 scripts/generate-wiki.py
+	@echo "Wiki: data/generated/wiki/ (browse with: zk list --interactive)"
+
 # Generate coverage report only (requires tools-master.yaml to exist)
 coverage-report:
 	python3 scripts/generate-coverage-report.py
@@ -0,0 +1,10 @@
+[note]
+default-title = "untitled"
+filename = "{{slug title}}"
+extension = "md"
+
+[tool]
+fzf-preview = "cat {-1}"
+
+[format.markdown]
+link-format = "wiki"
@@ -0,0 +1,15 @@
+# Analyze Documents > Email Messages
+
+**4 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files
+- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and
+- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi
+
+### Standard
+- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files.
+
+#analyze-documents-email-messages #category
@@ -0,0 +1,10 @@
+# Analyze Documents > General
+
+**1 tools** in this category.
+
+## Tools
+
+### Standard
+- [[tools/tesseract-ocr|tesseract-ocr]] — Examine images to identify and extract text using optical ch
+
+#analyze-documents-general #category
@@ -0,0 +1,27 @@
+# Analyze Documents > Microsoft Office
+
+**16 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/xlmmacrodeobfuscator|XLMMacroDeobfuscator]] — Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sh
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V
+- [[tools/olevba|olevba]] — Extract and analyze VBA macros from Office documents with de
+- [[tools/pcode2code|pcode2code]] — Decompile VBA p-code from Office documents — works even when
+- [[tools/rtfdump|rtfdump.py]] — Analyze RTF file structure, identify hex-encoded groups and 
+- [[tools/zipdump|zipdump.py]] — Parse and analyze ZIP archive structure
+
+### Standard
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+- [[tools/olefile|olefile]] — Python package to parse, read and write MS OLE2 files.
+- [[tools/onedump|onedump.py]] — Extract and analyze embedded files from OneNote documents.
+- [[tools/pcodedmp|pcodedmp]] — Disassemble VBA p-code.
+- [[tools/ssview|ssview]] — Analyze OLE2 Structured Storage files.
+- [[tools/xmldump|xmldump.py]] — Extract contents of XML files, in particular OOXML-formatted
+
+#analyze-documents-microsoft-office #category
@@ -0,0 +1,19 @@
+# Analyze Documents > PDF
+
+**8 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+- [[tools/peepdf|peepdf]] — Interactive PDF analysis framework with JavaScript detection
+- [[tools/qpdf|qpdf]] — Decrypt, linearize, and transform PDF files — useful for rem
+
+### Standard
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+
+#analyze-documents-pdf #category
@@ -0,0 +1,10 @@
+# dotnet-analysis
+
+**1 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/ilspycmd|ilspycmd]] — Command-line .NET decompiler (CLI version of ILSpy)
+
+#dotnet-analysis #category
@@ -0,0 +1,12 @@
+# Dynamically Reverse-Engineer Code > General
+
+**3 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro
+- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin
+- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework
+
+#dynamically-reverse-engineer-code-general #category
@@ -0,0 +1,16 @@
+# Dynamically Reverse-Engineer Code > Scripts
+
+**5 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat
+
+### Standard
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and 
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+
+#dynamically-reverse-engineer-code-scripts #category
@@ -0,0 +1,16 @@
+# Dynamically Reverse-Engineer Code > Shellcode
+
+**5 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis
+- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API-
+- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi
+
+### Standard
+- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection.
+- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file
+
+#dynamically-reverse-engineer-code-shellcode #category
@@ -0,0 +1,39 @@
+# Examine Static Properties > Deobfuscation
+
+**28 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/cyberchef|CyberChef]] — Web-based data transformation tool — decode Base64, XOR, hex
+- [[tools/floss|FLOSS]] — Automatically extract obfuscated strings from malware using 
+- [[tools/malchive|Malchive]] — Multi-purpose malware analysis library — config extraction, 
+- [[tools/xorsearch|XORSearch]] — Search for XOR/ROL/ROT/SHIFT-encoded patterns including shel
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/cs-analyze-processdump|cs-analyze-processdump.py]] — Analyze Cobalt Strike beacon process dumps for sleep mask en
+- [[tools/cs-decrypt-metadata|cs-decrypt-metadata.py]] — Decrypt Cobalt Strike beacon metadata from network captures
+- [[tools/cs-extract-key|cs-extract-key.py]] — Extract AES and HMAC encryption keys from Cobalt Strike beac
+- [[tools/dc3-mwcp|dc3-mwcp]] — DC3 Malware Configuration Parser — extract C2 configs from k
+- [[tools/strdeob|strdeob.pl]] — Automatically decode stack-built strings from disassembled m
+- [[tools/translate|translate.py]] — Transform data using Python expressions (XOR, ADD, etc.)
+- [[tools/xortool|xortool]] — Analyze XOR-encoded data — guess key length and probable key
+
+### Standard
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cut-bytes|cut-bytes.py]] — Cut out a part of a data stream.
+- [[tools/ex-pe-xor|ex-pe-xor]] — Search an XOR&#x27;ed file for indications of executable bin
+- [[tools/format-bytes|format-bytes.py]] — Decompose structured binary data with format strings.
+- [[tools/hex-to-bin|hex-to-bin.py]] — Convert hexadecimal text dumps to binary data.
+- [[tools/nomorexor|nomorexor]] — Help guess a file&#x27;s 256-byte XOR by using frequency ana
+- [[tools/sets|sets.py]] — Perform set operations on lines or bytes in text files.
+- [[tools/unicode|unicode]] — Display Unicode character properties.
+- [[tools/unxor|unxor]] — Deobfuscate XOR&#x27;ed files.
+- [[tools/xor-kpa|xor-kpa.py]] — Implement a XOR known plaintext attack.
+- [[tools/xorbruteforcer|xorbruteforcer]] — Bruteforce an XOR-encoded file.
+- [[tools/xorstrings|xorstrings]] — Search for XOR encoded strings in a file.
+
+#examine-static-properties-deobfuscation #category
@@ -0,0 +1,39 @@
+# Examine Static Properties > General
+
+**28 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/exiftool|exiftool]] — Extract metadata from files (PDF, images, documents, executa
+- [[tools/file|file]] — Determine file type and MIME type using magic bytes
+- [[tools/numbers-to-string|numbers-to-string.py]] — Convert sequences of decimal numbers to readable characters
+- [[tools/ssdeep|ssdeep]] — Compute fuzzy hashes (CTPH) for finding similar files — usef
+- [[tools/strings|strings]] — Extract printable ASCII and Unicode strings from binary file
+- [[tools/trid|trid]] — Identify file type by scanning binary signatures database
+- [[tools/yara|yara]] — Pattern matching tool for identifying and classifying malwar
+
+### Standard
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/hachoir|Hachoir]] — View, edit, and carve contents of various binary file types.
+- [[tools/hash-id|Hash ID]] — Identify different types of hashes.
+- [[tools/malcat-lite|Malcat Lite]] — Analyze binary files using a hex editor, disassembler, and f
+- [[tools/sleuth-kit|Sleuth Kit]] — Analyze disk images and recover files from them.
+- [[tools/yara-forge-rules|YARA-Forge Rules]] — Scan files with curated YARA rules from 45+ sources for malw
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+- [[tools/droidlysis|droidlysis]] — Perform static analysis of Android applications.
+- [[tools/file-magic|file-magic.py]] — Identify file types using the Python magic module.
+- [[tools/lief|lief]] — Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and D
+- [[tools/magika|magika]] — Identify file type using signatures.
+- [[tools/msitools|msitools]] — Create, inspect and extract Windows Installer (.
+- [[tools/name-that-hash|name-that-hash]] — Identify dfferent types of hashes.
+- [[tools/re-search|re-search.py]] — Search the file for built-in regular expressions of common s
+- [[tools/signsrch|signsrch]] — Find patterns of common encryption, compression, or encoding
+- [[tools/thefuzz|thefuzz]] — Fuzzy String Matching in Python.
+- [[tools/wxhexeditor|wxhexeditor]] — Hex editor.
+
+#examine-static-properties-general #category
@@ -0,0 +1,11 @@
+# Examine Static Properties > Go
+
+**2 tools** in this category.
+
+## Tools
+
+### Standard
+- [[tools/goresym|goresym]] — Extract metadata and symbols from Go binaries, including str
+- [[tools/redress|redress]] — Analyze stripped Go binaries to recover symbols, types, sour
+
+#examine-static-properties-go #category
@@ -0,0 +1,12 @@
+# Examine Static Properties > .NET
+
+**3 tools** in this category.
+
+## Tools
+
+### Standard
+- [[tools/dnfile|dnfile]] — Analyze static properties of.
+- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of.
+- [[tools/monodis|monodis]] — Disassemble and extract resources from.
+
+#examine-static-properties-net #category
@@ -0,0 +1,20 @@
+# Explore Network Interactions > Connecting
+
+**9 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+- [[tools/unfurl|Unfurl]] — Deconstruct and decode URLs — reveal tracking parameters, en
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+
+### Standard
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/tor|tor]] — Obfuscate your origins by routing traffic through a network 
+- [[tools/zbarimg|zbarimg]] — Decode QR codes and barcodes from image files.
+
+#explore-network-interactions-connecting #category
@@ -0,0 +1,23 @@
+# Explore Network Interactions > Monitoring
+
+**12 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/wireshark|Wireshark]] — GUI network protocol analyzer for capturing and inspecting p
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as 
+- [[tools/tcpdump|tcpdump]] — Command-line packet capture tool
+- [[tools/tcpflow|tcpflow]] — Extract and reassemble TCP streams from PCAP files into indi
+- [[tools/tcpxtract|tcpxtract]] — Carve files from network traffic using file signatures
+- [[tools/tshark|tshark]] — Command-line interface to Wireshark for packet capture and a
+
+### Standard
+- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy.
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/tcpick|tcpick]] — Capture and analyze network traffic with this command-line s
+
+#explore-network-interactions-monitoring #category
@@ -0,0 +1,19 @@
+# Explore Network Interactions > Services
+
+**8 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for 
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP 
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+
+### Standard
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/inspircd|inspircd]] — Examine IRC activity with this IRC server.
+- [[tools/nginx|nginx]] — Web server.
+
+#explore-network-interactions-services #category
@@ -0,0 +1,24 @@
+# Gather and Analyze Data
+
+**13 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal
+
+### Standard
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+- [[tools/nsrllookup|nsrllookup]] — Look up MD5 file hashes in the NIST National Software Refere
+- [[tools/pdnstool|pdnstool]] — Query passive DNS databases for DNS data.
+- [[tools/scalpel|scalpel]] — Carve contents out of binary files, such as partitions.
+- [[tools/time-decode|time-decode]] — Decode and encode date and timestamps.
+- [[tools/virustotal-search|virustotal-search]] — Search VirusTotal for file hashes.
+- [[tools/virustotal-submit|virustotal-submit]] — Submit files to VirusTotal.
+- [[tools/yara-x|yara-x]] — Scan files using YARA rules, the next generation of YARA wri
+
+#gather-and-analyze-data #category
@@ -0,0 +1,28 @@
+# General Utilities
+
+**17 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/rar|rar]] — Extract RAR archives (including self-extracting RAR payloads
+- [[tools/unzip|unzip]] — Extract ZIP archives containing malware samples
+
+### Standard
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/remnux-installer|REMnux Installer]] — Install and update the REMnux distro.
+- [[tools/sqlite|SQLite]] — Manage and interact with SQL database files.
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+- [[tools/myip|myip]] — Determine the IP address of the default network interface.
+- [[tools/myjson-filter|myjson-filter.py]] — Filter data formatted using the JSON format used by Didier S
+- [[tools/nasm|nasm]] — An x86-64 assembler.
+- [[tools/nautilus|nautilus]] — Graphical file manager.
+- [[tools/openssh|openssh]] — Initiate and receive SSH and SFTP connections.
+- [[tools/sortcanon|sortcanon.py]] — Sort text files using canonicalization functions built into 
+- [[tools/texteditor|texteditor.py]] — Edit text files from the command line using search-and-repla
+
+#general-utilities #category
@@ -0,0 +1,14 @@
+# Investigate System Interactions
+
+**3 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh
+
+### Standard
+- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system.
+- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst
+
+#investigate-system-interactions #category
@@ -0,0 +1,12 @@
+# network-analysis
+
+**3 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware
+- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution
+- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network
+
+#network-analysis #category
@@ -0,0 +1,14 @@
+# Perform Memory Forensics
+
+**3 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa
+
+### Standard
+- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image.
+- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.
+
+#perform-memory-forensics #category
@@ -0,0 +1,11 @@
+# static-analysis-pe
+
+**2 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/peframe|peframe]] — Static analysis of PE files — extract properties, detect ano
+- [[tools/pestr|pestr]] — Extract ASCII and Unicode strings from PE files
+
+#static-analysis-pe #category
@@ -0,0 +1,18 @@
+# Statically Analyze Code > Android
+
+**7 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/jadx|jadx]] — Decompile Android DEX/APK to Java source code with a GUI or 
+
+### Standard
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android #category
@@ -0,0 +1,16 @@
+# Statically Analyze Code > General
+
+**5 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for 
+- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script
+- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi
+- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF,
+
+### Standard
+- [[tools/objdump|objdump]] — Disassemble binary files.
+
+#statically-analyze-code-general #category
@@ -0,0 +1,16 @@
+# Statically Analyze Code > Java
+
+**5 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including 
+
+### Standard
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/procyon|Procyon]] — Java decompiler.
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+
+#statically-analyze-code-java #category
@@ -0,0 +1,11 @@
+# Statically Analyze Code > .NET
+
+**2 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil
+- [[tools/de4dot|de4dot]] — .NET deobfuscator — remove obfuscation from .NET assemblies
+
+#statically-analyze-code-net #category
@@ -0,0 +1,15 @@
+# Statically Analyze Code > PE Files
+
+**4 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+### Standard
+- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating 
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+
+#statically-analyze-code-pe-files #category
@@ -0,0 +1,15 @@
+# Statically Analyze Code > Python
+
+**4 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou
+- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P
+
+### Standard
+- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler.
+- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files.
+
+#statically-analyze-code-python #category
@@ -0,0 +1,14 @@
+# Statically Analyze Code > Scripts
+
+**3 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili
+
+### Standard
+- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries.
+- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE).
+
+#statically-analyze-code-scripts #category
@@ -0,0 +1,11 @@
+# Statically Analyze Code > Unpacking
+
+**2 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/bytehist|Bytehist]] — Generate byte-usage histograms to visually identify packed o
+- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P
+
+#statically-analyze-code-unpacking #category
@@ -0,0 +1,10 @@
+# string-deobfuscation
+
+**1 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/bbcrack|bbcrack]] — Detect and decode strings obfuscated with XOR, ROL, and ADD 
+
+#string-deobfuscation #category
@@ -0,0 +1,12 @@
+# Use Artificial Intelligence
+
+**3 tools** in this category.
+
+## Tools
+
+### Standard
+- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra.
+- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal.
+- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via
+
+#use-artificial-intelligence #category
@@ -0,0 +1,14 @@
+# utilities
+
+**5 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p
+- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format
+- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming 
+- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers
+- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina
+
+#utilities #category
@@ -0,0 +1,18 @@
+# View or Edit Files
+
+**7 tools** in this category.
+
+## Tools
+
+### Rich (FOR610)
+- [[tools/visual-studio-code|Visual Studio Code]] — Code editor used for viewing decompiled output, scripts, and
+- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d
+
+### Standard
+- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix
+- [[tools/evince|evince]] — View documents in a variety of formats, including PDF.
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+#view-or-edit-files #category
@@ -0,0 +1,102 @@
+# REMnux Analysis Wiki
+
+> 397 tools | 15 workflows | 27 recipes
+
+## Browse by Category
+
+- [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] (4 tools)
+- [[categories/analyze-documents-general|Analyze Documents > General]] (1 tools)
+- [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] (16 tools)
+- [[categories/analyze-documents-pdf|Analyze Documents > PDF]] (8 tools)
+- [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] (3 tools)
+- [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] (5 tools)
+- [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] (5 tools)
+- [[categories/examine-static-properties-net|Examine Static Properties > .NET]] (3 tools)
+- [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] (28 tools)
+- [[categories/examine-static-properties-general|Examine Static Properties > General]] (28 tools)
+- [[categories/examine-static-properties-go|Examine Static Properties > Go]] (2 tools)
+- [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] (9 tools)
+- [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] (12 tools)
+- [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] (8 tools)
+- [[categories/gather-and-analyze-data|Gather and Analyze Data]] (13 tools)
+- [[categories/general-utilities|General Utilities]] (17 tools)
+- [[categories/investigate-system-interactions|Investigate System Interactions]] (3 tools)
+- [[categories/perform-memory-forensics|Perform Memory Forensics]] (3 tools)
+- [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] (2 tools)
+- [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] (7 tools)
+- [[categories/statically-analyze-code-general|Statically Analyze Code > General]] (5 tools)
+- [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] (5 tools)
+- [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] (4 tools)
+- [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] (4 tools)
+- [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] (3 tools)
+- [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] (2 tools)
+- [[categories/use-artificial-intelligence|Use Artificial Intelligence]] (3 tools)
+- [[categories/view-or-edit-files|View or Edit Files]] (7 tools)
+- [[categories/dotnet-analysis|dotnet-analysis]] (1 tools)
+- [[categories/network-analysis|network-analysis]] (3 tools)
+- [[categories/static-analysis-pe|static-analysis-pe]] (2 tools)
+- [[categories/string-deobfuscation|string-deobfuscation]] (1 tools)
+- [[categories/utilities|utilities]] (5 tools)
+
+## Workflows
+
+- [[workflows/static-analysis-workflow|Static Properties Analysis]]
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]]
+- [[workflows/network-interception-workflow|Network Traffic Interception]]
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]]
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]]
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]]
+- [[workflows/code-injection-workflow|Code Injection Analysis]]
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]]
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]]
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]]
+- [[workflows/memory-forensics-workflow|Memory Forensics]]
+- [[workflows/android-analysis-workflow|Android Malware Analysis]]
+- [[workflows/java-analysis-workflow|Java Malware Analysis]]
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]]
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]]
+
+## Recipes
+
+- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]]
+- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]]
+- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]]
+- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+- [[recipes/password-protected-office|Decrypt Password-Protected Office Document]]
+- [[recipes/excel-xlm-macros|Deobfuscate Excel 4.0 (XLM) Macros]]
+- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]]
+- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]]
+- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]]
+- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]]
+- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]]
+- [[recipes/js-null-byte-cleanup|Clean Null Bytes from UTF-16 JavaScript]]
+- [[recipes/shellcode-emulate-with-offset|Emulate Shellcode at Specific Offset]]
+- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]]
+- [[recipes/shellcode-to-exe|Convert Shellcode to Executable]]
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+- [[recipes/stack-string-extraction|Extract Stack-Built Strings]]
+- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]]
+- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]]
+- [[recipes/capa-capability-filter|Filter Capabilities by Technique]]
+- [[recipes/pcap-file-carving|Extract Files from Network Capture]]
+- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]]
+- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]]
+- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]]
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]]
+
+## Quick Access
+
+```bash
+# Browse interactively
+zk list --interactive
+
+# Search by tag
+zk list --tag pdf
+
+# Find what links to a tool
+zk list --mention pdfid
+```
+
+#index #wiki
@@ -0,0 +1,18 @@
+# Quick APK Triage
+> Fast initial assessment of a suspicious Android app
+
+**Tools:** [[tools/apkid|apkid]], [[tools/apktool|apktool]], [[tools/jadx|jadx]]
+
+## Commands
+```bash
+# Check for packers/obfuscators
+apkid <app.apk>
+# Decompile to smali + resources
+apktool d <app.apk> -o output/
+# Check permissions
+grep 'uses-permission' output/AndroidManifest.xml
+# Decompile to Java source
+jadx <app.apk> -d src/
+```
+
+#recipe #apkid #apktool #jadx
@@ -0,0 +1,15 @@
+# Decode Base64 + XOR Shellcode
+> Extract shellcode encoded as Base64 with an XOR key
+
+**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Find Base64 strings
+base64dump.py <script.ps1> -n 10
+# Decode Base64, then XOR with key
+base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin
+```
+
+#recipe #base64dump-py #translate-py
@@ -0,0 +1,19 @@
+# Filter Capabilities by Technique
+> Find specific capabilities in capa output
+
+**Tools:** [[tools/capa|capa]]
+**FOR610 Lab:** 1.4, 5.4
+
+## Commands
+```bash
+# Full capabilities report
+capa <sample>
+# Verbose with rule matches
+capa -vv <sample>
+# Filter for specific technique
+capa -vv <sample> | grep -A7 '<technique_name>'
+# Find injection-related capabilities
+capa -vv <sample> | grep -A7 'inject\|hollow\|suspend'
+```
+
+#recipe #capa
@@ -0,0 +1,15 @@
+# Parse Cobalt Strike Beacon Configuration
+> Extract C2 config from a Cobalt Strike beacon or shellcode
+
+**Tools:** [[tools/1768-py|1768-py]], [[tools/yara|yara]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Scan with YARA for CS signatures
+yara-rules <sample>
+# Extract beacon configuration
+1768.py <sample_or_shellcode.bin>
+```
+
+#recipe #1768-py #yara
@@ -0,0 +1,14 @@
+# Visual XOR/Base64 Decode with CyberChef
+> Use CyberChef's recipe builder for multi-step decoding
+
+**Tools:** [[tools/cyberchef|cyberchef]]
+
+## Commands
+```bash
+# Launch CyberChef
+cyberchef
+# Common recipe: From Hex → XOR (key) → extract strings
+# Common recipe: From Base64 → Decode text UTF-16LE
+```
+
+#recipe #cyberchef
@@ -0,0 +1,19 @@
+# Set Up DNS + HTTP Interception
+> Redirect all malware DNS queries and serve fake HTTP responses
+
+**Tools:** [[tools/fakedns|fakedns]], [[tools/httpd|httpd]], [[tools/inetsim|inetsim]]
+
+## Commands
+```bash
+# Option A: Simple DNS + HTTP
+fakedns &
+httpd &
+# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)
+inetsim
+# Verify DNS is working
+nslookup anything.com
+# Redirect hardcoded IPs too
+iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
+```
+
+#recipe #fakedns #httpd #inetsim
@@ -0,0 +1,18 @@
+# Decompile .NET on Command Line
+> Decompile a .NET assembly to C# source on REMnux
+
+**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/de4dot|de4dot]]
+**FOR610 Lab:** 4.8
+
+## Commands
+```bash
+# Decompile to C# source
+ilspycmd <assembly.exe> > source.cs
+# Search for suspicious patterns
+grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs
+# If obfuscated, deobfuscate first
+de4dot <assembly.exe>
+ilspycmd <assembly-cleaned.exe> > source_clean.cs
+```
+
+#recipe #ilspycmd #de4dot
@@ -0,0 +1,18 @@
+# Extract and Triage Email Attachments
+> Pull attachments from an email and identify their types
+
+**Tools:** [[tools/emldump-py|emldump-py]], [[tools/file|file]], [[tools/sha256sum|sha256sum]]
+
+## Commands
+```bash
+# List email structure
+emldump.py <email.eml>
+# Extract all attachments
+emldump.py <email.eml> -d
+# Identify file types
+file attachment_*
+# Compute hashes for lookup
+sha256sum attachment_*
+```
+
+#recipe #emldump-py #file #sha256sum
@@ -0,0 +1,12 @@
+# Deobfuscate Excel 4.0 (XLM) Macros
+> Extract and decode legacy Excel macros hidden in sheets
+
+**Tools:** [[tools/xlmmacrodeobfuscator|xlmmacrodeobfuscator]]
+
+## Commands
+```bash
+# Deobfuscate XLM macros
+xlmdeobfuscator --file <spreadsheet.xlsm>
+```
+
+#recipe #xlmmacrodeobfuscator
@@ -0,0 +1,19 @@
+# Extract Base64 PowerShell from Office Macro
+> Get encoded PowerShell payload hidden in a VBA UserForm stream
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# List streams — find macro (M) and data streams
+oledump.py <document>
+# Extract VBA source to understand what the macro does
+oledump.py <document> -s <macro_stream> -v
+# Scan data stream for Base64 strings
+oledump.py <document> -s <data_stream> -d | base64dump.py -n 10
+# Decode the longest Base64 hit to file
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1
+```
+
+#recipe #oledump-py #base64dump-py
@@ -0,0 +1,19 @@
+# Deobfuscate JavaScript with SpiderMonkey
+> Execute obfuscated JS safely using SpiderMonkey with API simulation
+
+**Tools:** [[tools/js-beautify|js-beautify]], [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 3.6, 3.7
+
+## Commands
+```bash
+# Beautify compressed JavaScript
+js-beautify <malicious.js> > readable.js
+# Execute with objects.js to simulate browser/WScript APIs
+js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js
+# If script expects location.href, edit objects.js first:
+cp /usr/share/remnux/objects.js .
+# Edit objects.js to set: location = { href: 'http://expected-url' }
+js -f objects.js -f <malicious.js> > decoded.js
+```
+
+#recipe #js-beautify #spidermonkey
@@ -0,0 +1,19 @@
+# Clean Null Bytes from UTF-16 JavaScript
+> Remove null byte padding from UTF-16 encoded JavaScript before analysis
+
+**Tools:** [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 4.5
+
+## Commands
+```bash
+# Check for null bytes (look for 00 in hex)
+xxd <script.js> | head -2
+# Remove null bytes
+cat <script.js> | tr -d '\00' > clean.js
+# Then deobfuscate
+js -f /usr/share/remnux/objects.js -f clean.js > decoded.js
+# Beautify the result
+js-beautify decoded.js > final.js
+```
+
+#recipe #spidermonkey
@@ -0,0 +1,15 @@
+# Decode Base64 + Gzip Payload
+> Handle double-encoded payloads: Base64 wrapping gzip-compressed content
+
+**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Find Base64 strings in the script
+base64dump.py <script.ps1> -n 10
+# Decode Base64 and decompress gzip in one chain
+base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1
+```
+
+#recipe #base64dump-py #gunzip
@@ -0,0 +1,22 @@
+# Full Office Macro Decode Chain
+> Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]], [[tools/translate-py|translate-py]], [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Step 1: List streams and extract VBA
+oledump.py <document>
+oledump.py <document> -s <macro_stream> -v
+# Step 2: Extract Base64 from data stream
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
+# Step 3: Decode second Base64 layer + decompress
+base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
+# Step 4: XOR decode the shellcode
+base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
+# Step 5: Emulate the shellcode
+scdbgc /f shellcode.bin /s -1
+```
+
+#recipe #oledump-py #base64dump-py #gunzip #translate-py #scdbgc
@@ -0,0 +1,12 @@
+# Decrypt Password-Protected Office Document
+> Remove password protection before analysis
+
+**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]]
+
+## Commands
+```bash
+# Common malware passwords: infected, malware, password, 123456
+msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>
+```
+
+#recipe #msoffcrypto-tool
@@ -0,0 +1,16 @@
+# Extract Files from Network Capture
+> Carve downloaded payloads and exfiltrated data from PCAP
+
+**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/tcpflow|tcpflow]], [[tools/networkminer|networkminer]]
+
+## Commands
+```bash
+# Carve files using signatures
+tcpxtract -f <capture.pcap> -o carved/
+# Extract individual TCP streams
+tcpflow -r <capture.pcap> -o streams/
+# Or use NetworkMiner for automated extraction
+NetworkMiner --pcap <capture.pcap>
+```
+
+#recipe #tcpxtract #tcpflow #networkminer
@@ -0,0 +1,16 @@
+# Extract JavaScript from PDF
+> Find and extract embedded JavaScript from a PDF file
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/peepdf|peepdf]]
+
+## Commands
+```bash
+# Check if PDF contains JavaScript
+pdfid.py <document.pdf>
+# Find objects with JavaScript
+pdf-parser.py <document.pdf> -s /JavaScript
+# Interactive analysis with peepdf
+peepdf -i <document.pdf>
+```
+
+#recipe #pdfid-py #pdf-parser-py #peepdf
@@ -0,0 +1,21 @@
+# Extract Embedded Object from PDF
+> Pull out an embedded image, JavaScript, or file from a PDF object
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/feh|feh]]
+**FOR610 Lab:** 3.1
+
+## Commands
+```bash
+# Scan for suspicious keywords
+pdfid.py <document.pdf>
+# Find objects containing the keyword
+pdf-parser.py <document.pdf> -s /URI
+# Extract all values for that keyword
+pdf-parser.py <document.pdf> -k /URI
+# Dump a specific object to file
+pdf-parser.py <document.pdf> -o <obj_id> -d extracted_object
+# View extracted image
+feh extracted_object &
+```
+
+#recipe #pdfid-py #pdf-parser-py #feh
@@ -0,0 +1,19 @@
+# Extract Shellcode from RTF Document
+> Find and extract embedded shellcode from a malicious RTF file
+
+**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/xorsearch|xorsearch]], [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5
+
+## Commands
+```bash
+# Scan RTF structure — look for groups with lots of hex data
+rtfdump.py <document.rtf>
+# Extract the hex-heavy group as binary
+rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
+# Scan for shellcode patterns (even XOR-encoded)
+XORSearch -W -d 3 extracted.bin
+# Emulate shellcode at found offset
+scdbgc /f extracted.bin /foff <offset> /s -1
+```
+
+#recipe #rtfdump-py #xorsearch #scdbgc
@@ -0,0 +1,17 @@
+# Emulate Shellcode at Specific Offset
+> Run shellcode that starts at an offset within a larger binary
+
+**Tools:** [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5, 4.6
+
+## Commands
+```bash
+# Emulate from file start
+scdbgc /f <shellcode.bin> /s -1
+# Emulate from specific offset (hex)
+scdbgc /f <shellcode.bin> /foff <hex_offset> /s -1
+# Emulate with a file handle pre-opened (for exploits)
+scdbgc /f <shellcode.bin> /foff <offset> /fopen <carrier.doc> /s -1
+```
+
+#recipe #scdbgc
@@ -0,0 +1,12 @@
+# Convert Shellcode to Executable
+> Wrap raw shellcode in a PE for analysis in disassemblers
+
+**Tools:** [[tools/shcode2exe|shcode2exe]]
+
+## Commands
+```bash
+# Convert 32-bit shellcode to EXE
+shcode2exe <shellcode.bin> <output.exe>
+```
+
+#recipe #shcode2exe
@@ -0,0 +1,17 @@
+# Emulate Malware and Extract API Calls
+> Emulate a Windows binary on Linux and analyze its API usage
+
+**Tools:** [[tools/speakeasy|speakeasy]], [[tools/jq|jq]]
+**FOR610 Lab:** 1.4
+
+## Commands
+```bash
+# Emulate and capture both JSON report and text log
+speakeasy -t <sample> -o report.json 2> report.txt
+# Extract all API names called
+jq '.entry_points[].apis[].api_name' report.json
+# Extract unique API names
+jq -r '.entry_points[].apis[].api_name' report.json | sort -u
+```
+
+#recipe #speakeasy #jq
@@ -0,0 +1,17 @@
+# Extract Stack-Built Strings
+> Decode strings assembled byte-by-byte on the stack
+
+**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]]
+**FOR610 Lab:** 5.2
+
+## Commands
+```bash
+# Automatic stack string recovery
+strdeob.pl <sample>
+# FLOSS automatic deobfuscation (static + stack + decoded)
+floss <sample>
+# FLOSS skip static strings, only show decoded
+floss --no-static -- <sample>
+```
+
+#recipe #strdeob-pl #floss
@@ -0,0 +1,15 @@
+# Decode VBA Number Arrays to Strings
+> Convert VBA macros that use Chr() number sequences into readable text
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/numbers-to-string-py|numbers-to-string-py]]
+**FOR610 Lab:** 3.3
+
+## Commands
+```bash
+# Extract VBA and convert number sequences to text
+oledump.py <document> -s <stream> -v | numbers-to-string.py -j
+# Same but with line-break formatting for readability
+oledump.py <document> -s <stream> -v | numbers-to-string.py -j | sed 's/;/;\n/g'
+```
+
+#recipe #oledump-py #numbers-to-string-py
@@ -0,0 +1,14 @@
+# Recover VBA from p-code (source removed)
+> Decompile VBA when source code has been stripped, only p-code remains
+
+**Tools:** [[tools/pcode2code|pcode2code]], [[tools/pcodedmp|pcodedmp]]
+
+## Commands
+```bash
+# Decompile p-code back to VBA source
+pcode2code <document.docm>
+# Or disassemble p-code to assembly
+pcodedmp <document.docm>
+```
+
+#recipe #pcode2code #pcodedmp
@@ -0,0 +1,18 @@
+# Quick Memory Dump Triage
+> Fast initial assessment of a memory dump
+
+**Tools:** [[tools/volatility3|volatility3]]
+
+## Commands
+```bash
+# Identify OS
+vol3 -f <dump> windows.info
+# Process tree (spot anomalies)
+vol3 -f <dump> windows.pstree
+# Network connections
+vol3 -f <dump> windows.netscan
+# Injected code detection
+vol3 -f <dump> windows.malfind
+```
+
+#recipe #volatility3
@@ -0,0 +1,21 @@
+# Brute-Force XOR Key
+> Find the XOR key used to encode strings in a binary
+
+**Tools:** [[tools/brxor-py|brxor-py]], [[tools/bbcrack|bbcrack]], [[tools/xorsearch|xorsearch]], [[tools/xortool|xortool]]
+**FOR610 Lab:** 5.2
+
+## Commands
+```bash
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch <file> http:
+# Brute-force single-byte XOR keys
+brxor.py <file>
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1 <file>
+# Guess multi-byte XOR key length and value
+xortool <file>
+# Decode with known key
+xortool-xor -s '<key>' -i <encoded> -o <decoded>
+```
+
+#recipe #brxor-py #bbcrack #xorsearch #xortool
@@ -0,0 +1,31 @@
+# 1768.py
+> Parse Cobalt Strike beacon configuration from shellcode or memory dumps
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+1768.py shellcode.bin
+```
+
+## Recipes
+- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 4: Framework Identification
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 2: Configuration Extraction
+
+## Related Tools
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4
+**Sections:** 3
+
+#cobalt-strike #beacon #c2-config #didier-stevens
@@ -0,0 +1,14 @@
+# 7-Zip
+> Compress and decompress files using a variety of algorithms.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# 7zip
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# aeskeyfind
+
+**Tier:** Basic
+
@@ -0,0 +1,11 @@
+# AESKeyFinder
+> Find 128-bit and 256-bit AES keys in a memory image.
+
+**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics)
+
+## Related Tools
+- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.
+- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa
+
+#perform-memory-forensics
@@ -0,0 +1,24 @@
+# androguard
+> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+androguard analyze <app.apk>
+androguard decompile -o output/ <app.apk>
+androgui.py <app.apk>
+```
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis
+
+## Related Tools
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #permissions #decompilation
@@ -0,0 +1,4 @@
+# android-project-creator
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# AndroidProjectCreator
+> Convert an Android APK application file into an Android Studio project for easier analysis.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,14 @@
+# anomy
+> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
@@ -0,0 +1,20 @@
+# apkid
+> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,26 @@
+# apktool
+> Decompile and recompile Android APK files — extract resources, smali code, and manifest
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+apktool d <app.apk> -o output/
+apktool b output/ -o rebuilt.apk
+```
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 2: Manifest Analysis
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #decompilation #resources
@@ -0,0 +1,4 @@
+# apt-utils
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# archive-zip
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# autoconf
+
+**Tier:** Basic
+
@@ -0,0 +1,11 @@
+# autoit-ripper
+> Extract AutoIt scripts embedded in PE binaries.
+
+**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts)
+
+## Related Tools
+- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE).
+- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili
+
+#statically-analyze-code-scripts
@@ -0,0 +1,4 @@
+# autologin
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# automake
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# baksmali
+> Disassembler for the dex format used by Dalvik, Android&#x27;s Java VM implementation.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,14 @@
+# balbuzard
+> Extract and deobfuscate patterns from suspicious files.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,34 @@
+# base64dump.py
+> Extract and decode Base64-encoded strings from files
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+base64dump.py file.txt
+base64dump.py file.ps1 -n 10
+base64dump.py file.ps1 -s 2 -d
+```
+
+## Recipes
+- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]]
+- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]]
+- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4, 4.5
+**Sections:** 3, 4
+
+#base64 #decoding #didier-stevens
@@ -0,0 +1,4 @@
+# bash-history
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# bash-rc
+
+**Tier:** Basic
+
@@ -0,0 +1,21 @@
+# bbcrack
+> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
+
+**Category:** [[categories/string-deobfuscation|string-deobfuscation]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+bbcrack -l 1 specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #rol #add #deobfuscation #balbuzard
@@ -0,0 +1,4 @@
+# bearparser
+
+**Tier:** Basic
+
@@ -0,0 +1,12 @@
+# binee (Binary Emulation Environment)
+> Analyze I/O operations of a suspicious PE file by emulating its execution.
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Related Tools
+- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+#statically-analyze-code-pe-files
@@ -0,0 +1,4 @@
+# binee
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# binutils
+
+**Tier:** Basic
+
@@ -0,0 +1,23 @@
+# binwalk
+> Analyze and extract embedded files and firmware images
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+binwalk firmware.bin
+binwalk -e firmware.bin
+```
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+## FOR610
+**Sections:** 1
+
+#firmware #extraction #embedded-files
@@ -0,0 +1,24 @@
+# box-js
+> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Usage
+```bash
+box-js --output-dir=/tmp suspicious.js
+```
+
+## Workflows
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis
+
+## Related Tools
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and 
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+## FOR610
+**Sections:** 3
+
+#javascript #sandbox #emulation
@@ -0,0 +1,29 @@
+# brxor.py
+> Brute-force XOR key detection for single-byte XOR-encoded strings
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+brxor.py specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #brute-force #deobfuscation
@@ -0,0 +1,4 @@
+# build-essential
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# bulk-extractor
+> Extract interesting strings from binary files.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# bundler
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# Burp Suite Community Edition
+> Investigate website interactions using this web proxy.
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Related Tools
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as 
+
+#explore-network-interactions-monitoring
@@ -0,0 +1,4 @@
+# burpsuite-community
+
+**Tier:** Basic
+
@@ -0,0 +1,18 @@
+# Bytehist
+> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
+
+**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking)
+
+## Usage
+```bash
+bytehist specimen.exe
+```
+
+## Related Tools
+- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P
+
+## FOR610
+**Sections:** 1, 4
+
+#pe #entropy #packing-detection #histogram
--- a/Show More
+++ b/Show More