diff --git a/Dockerfile b/Dockerfile
index f6887be..bb94464 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,6 +44,11 @@ RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install --include-deps
 RUN curl -sL https://raw.githubusercontent.com/denisidoro/navi/master/scripts/install | BIN_DIR=/usr/local/bin bash 2>/dev/null \
 || echo "navi installation skipped (offline build)"
 
+# Install zk (wiki browser with [[wiki-links]], fzf search, backlinks)
+RUN curl -sL https://github.com/zk-org/zk/releases/latest/download/zk-linux-amd64.tar.gz \
+ | tar xz -C /usr/local/bin/ 2>/dev/null \
+ || echo "zk installation skipped (offline build)"
+
 # Create data directory and set permissions
 RUN mkdir -p /data \
 && chown remnux:remnux /data
@@ -67,6 +72,7 @@ ADD data/generated/tools.db /opt/remnux-docs/tools.db
 ADD data/generated/cheatsheets/ /opt/cheatsheets/personal/
 ADD data/generated/workflows/ /opt/remnux-docs/workflows/
 ADD cheatsheets/ /opt/cheatsheets/
+ADD data/generated/wiki/ /opt/wiki/
 
 # Install legacy help scripts (kept for compatibility)
 ADD scripts/create-offline-help-system.sh /usr/local/bin/create-offline-help-system.sh
diff --git a/Makefile b/Makefile
index 6a184ad..dc3661e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master coverage-report
+.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master generate-wiki coverage-report
 
 # Default target
 help:
@@ -18,6 +18,7 @@ help:
 @echo " coverage Check help coverage"
 @echo " generate-data Convert FOR610 YAML to JSON"
 @echo " generate-master Build master inventory and all help artifacts"
+ @echo " generate-wiki Generate markdown wiki (473 pages)"
 @echo " coverage-report Generate tool coverage gap report"
 @echo ""
 
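Review bot: The added zk RUN line fetches an unpinned `releases/latest` tarball and unpacks it straight into /usr/local/bin with no integrity check, so whatever GitHub serves at build time becomes a root-owned binary in the image, and the `2>/dev/null || echo …` tail makes a corrupt or partial download indistinguishable from an offline build. This copies the navi line directly above it, but a release tarball is easy to pin: download with `curl -fsSL` to a temp file, compare it against a recorded SHA-256 with `sha256sum -c`, and only then extract, keeping the skip message for the case where the download itself fails so the offline build still works. If the archive contains files other than the zk binary they also land in /usr/local/bin — the hunk does not show the archive layout, so extracting only the named member is worth checking. The version and digest in the sketch below are placeholders to be filled from the chosen release.
```dockerfile
# … unchanged: navi install …
# Install zk (wiki browser with [[wiki-links]], fzf search, backlinks)
ARG ZK_VERSION=<placeholder: pinned zk release tag>
ARG ZK_SHA256=<placeholder: sha256 of zk-linux-amd64.tar.gz for that tag>
RUN if curl -fsSL "https://github.com/zk-org/zk/releases/download/${ZK_VERSION}/zk-linux-amd64.tar.gz" -o /tmp/zk.tar.gz; then \
      echo "${ZK_SHA256}  /tmp/zk.tar.gz" | sha256sum -c - \
      && tar xzf /tmp/zk.tar.gz -C /usr/local/bin/ \
      && rm /tmp/zk.tar.gz; \
    else echo "zk installation skipped (offline build)"; fi
# … unchanged: data directory setup …
```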
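Review bot: `ADD data/generated/wiki/ /opt/wiki/` in the second Dockerfile hunk lands root-owned, while /data a few lines earlier is explicitly chown'd to remnux. The committed .zk/config.toml sits inside that directory, and in the usual zk layout the notebook index is kept alongside it under .zk/; if that holds here, `zk list --interactive` run as the remnux user would fail on a read-only notebook — confirm, and if so add `RUN chown -R remnux:remnux /opt/wiki` after the ADD or build the index as part of the image.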
@@ -88,6 +89,11 @@ generate-master: generate-data python3 scripts/generate-coverage-report.py @echo "✓ Master inventory and all artifacts generated" +# Generate markdown wiki with [[wiki-links]] for zk browser +generate-wiki: + python3 scripts/generate-wiki.py + @echo "Wiki: data/generated/wiki/ (browse with: zk list --interactive)" + # Generate coverage report only (requires tools-master.yaml to exist) coverage-report: python3 scripts/generate-coverage-report.py diff --git a/data/generated/wiki/.zk/config.toml b/data/generated/wiki/.zk/config.toml new file mode 100644 index 0000000..80e324c --- /dev/null +++ b/data/generated/wiki/.zk/config.toml @@ -0,0 +1,10 @@ +[note] +default-title = "untitled" +filename = "{{slug title}}" +extension = "md" + +[tool] +fzf-preview = "cat {-1}" + +[format.markdown] +link-format = "wiki" diff --git a/data/generated/wiki/categories/analyze-documents-email-messages.md b/data/generated/wiki/categories/analyze-documents-email-messages.md new file mode 100644 index 0000000..0a49654 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-email-messages.md @@ -0,0 +1,15 @@ +# Analyze Documents > Email Messages + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi + +### Standard +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +#analyze-documents-email-messages #category diff --git a/data/generated/wiki/categories/analyze-documents-general.md b/data/generated/wiki/categories/analyze-documents-general.md new file mode 100644 index 0000000..5384d15 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-general.md 
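Review bot: The help text added in the earlier Makefile hunk hard-codes the page count, `@echo " generate-wiki Generate markdown wiki (473 pages)"`, which is wrong as soon as the tool inventory changes; `Generate markdown wiki from the master inventory` says the same without a number to maintain by hand. The `generate-wiki` target here also has no prerequisite, unlike `generate-master`, which depends on `generate-data`; if scripts/generate-wiki.py consumes the generated inventory, `generate-wiki: generate-data` (or whichever artifact it reads) keeps `make generate-wiki` from running on stale data — the script is outside this diff, so confirm what it reads. The committed output also shows descriptions cut mid-word (`extract headers, body, and`, `Analyze static properties of.`) and `**1 tools**`; that is the generator's truncation and pluralisation rather than this recipe, but it is worth fixing before the pages are shipped in the image.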
@@ -0,0 +1,10 @@ +# Analyze Documents > General + +**1 tools** in this category. + +## Tools + +### Standard +- [[tools/tesseract-ocr|tesseract-ocr]] — Examine images to identify and extract text using optical ch + +#analyze-documents-general #category diff --git a/data/generated/wiki/categories/analyze-documents-microsoft-office.md b/data/generated/wiki/categories/analyze-documents-microsoft-office.md new file mode 100644 index 0000000..a0bf5f8 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-microsoft-office.md 
@@ -0,0 +1,27 @@ +# Analyze Documents > Microsoft Office + +**16 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/xlmmacrodeobfuscator|XLMMacroDeobfuscator]] — Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sh +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V +- [[tools/olevba|olevba]] — Extract and analyze VBA macros from Office documents with de +- [[tools/pcode2code|pcode2code]] — Decompile VBA p-code from Office documents — works even when +- [[tools/rtfdump|rtfdump.py]] — Analyze RTF file structure, identify hex-encoded groups and +- [[tools/zipdump|zipdump.py]] — Parse and analyze ZIP archive structure + +### Standard +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/olefile|olefile]] — Python package to parse, read and write MS OLE2 files. +- [[tools/onedump|onedump.py]] — Extract and analyze embedded files from OneNote documents. +- [[tools/pcodedmp|pcodedmp]] — Disassemble VBA p-code. +- [[tools/ssview|ssview]] — Analyze OLE2 Structured Storage files. +- [[tools/xmldump|xmldump.py]] — Extract contents of XML files, in particular OOXML-formatted + +#analyze-documents-microsoft-office #category diff --git a/data/generated/wiki/categories/analyze-documents-pdf.md b/data/generated/wiki/categories/analyze-documents-pdf.md new file mode 100644 index 0000000..99c76b0 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-pdf.md 
@@ -0,0 +1,19 @@ +# Analyze Documents > PDF + +**8 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates +- [[tools/peepdf|peepdf]] — Interactive PDF analysis framework with JavaScript detection +- [[tools/qpdf|qpdf]] — Decrypt, linearize, and transform PDF files — useful for rem + +### Standard +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. + +#analyze-documents-pdf #category diff --git a/data/generated/wiki/categories/dotnet-analysis.md b/data/generated/wiki/categories/dotnet-analysis.md new file mode 100644 index 0000000..1a75f57 --- /dev/null +++ b/data/generated/wiki/categories/dotnet-analysis.md @@ -0,0 +1,10 @@ +# dotnet-analysis + +**1 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ilspycmd|ilspycmd]] — Command-line .NET decompiler (CLI version of ILSpy) + +#dotnet-analysis #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md new file mode 100644 index 0000000..beeaf9f --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md 
@@ -0,0 +1,12 @@ +# Dynamically Reverse-Engineer Code > General + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin +- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework + +#dynamically-reverse-engineer-code-general #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md new file mode 100644 index 0000000..655b8a7 --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md @@ -0,0 +1,16 @@ +# Dynamically Reverse-Engineer Code > Scripts + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat + +### Standard +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. + +#dynamically-reverse-engineer-code-scripts #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md new file mode 100644 index 0000000..993efec --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md 
@@ -0,0 +1,16 @@ +# Dynamically Reverse-Engineer Code > Shellcode + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi + +### Standard +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +#dynamically-reverse-engineer-code-shellcode #category diff --git a/data/generated/wiki/categories/examine-static-properties-deobfuscation.md b/data/generated/wiki/categories/examine-static-properties-deobfuscation.md new file mode 100644 index 0000000..ef6f17b --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-deobfuscation.md 
@@ -0,0 +1,39 @@ +# Examine Static Properties > Deobfuscation + +**28 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/cyberchef|CyberChef]] — Web-based data transformation tool — decode Base64, XOR, hex +- [[tools/floss|FLOSS]] — Automatically extract obfuscated strings from malware using +- [[tools/malchive|Malchive]] — Multi-purpose malware analysis library — config extraction, +- [[tools/xorsearch|XORSearch]] — Search for XOR/ROL/ROT/SHIFT-encoded patterns including shel +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/cs-analyze-processdump|cs-analyze-processdump.py]] — Analyze Cobalt Strike beacon process dumps for sleep mask en +- [[tools/cs-decrypt-metadata|cs-decrypt-metadata.py]] — Decrypt Cobalt Strike beacon metadata from network captures +- [[tools/cs-extract-key|cs-extract-key.py]] — Extract AES and HMAC encryption keys from Cobalt Strike beac +- [[tools/dc3-mwcp|dc3-mwcp]] — DC3 Malware Configuration Parser — extract C2 configs from k +- [[tools/strdeob|strdeob.pl]] — Automatically decode stack-built strings from disassembled m +- [[tools/translate|translate.py]] — Transform data using Python expressions (XOR, ADD, etc.) +- [[tools/xortool|xortool]] — Analyze XOR-encoded data — guess key length and probable key + +### Standard +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cut-bytes|cut-bytes.py]] — Cut out a part of a data stream. 
+- [[tools/ex-pe-xor|ex-pe-xor]] — Search an XOR'ed file for indications of executable bin +- [[tools/format-bytes|format-bytes.py]] — Decompose structured binary data with format strings. +- [[tools/hex-to-bin|hex-to-bin.py]] — Convert hexadecimal text dumps to binary data. +- [[tools/nomorexor|nomorexor]] — Help guess a file's 256-byte XOR by using frequency ana +- [[tools/sets|sets.py]] — Perform set operations on lines or bytes in text files. +- [[tools/unicode|unicode]] — Display Unicode character properties. +- [[tools/unxor|unxor]] — Deobfuscate XOR'ed files. +- [[tools/xor-kpa|xor-kpa.py]] — Implement a XOR known plaintext attack. +- [[tools/xorbruteforcer|xorbruteforcer]] — Bruteforce an XOR-encoded file. +- [[tools/xorstrings|xorstrings]] — Search for XOR encoded strings in a file. + +#examine-static-properties-deobfuscation #category diff --git a/data/generated/wiki/categories/examine-static-properties-general.md b/data/generated/wiki/categories/examine-static-properties-general.md new file mode 100644 index 0000000..e3e1dca --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-general.md 
@@ -0,0 +1,39 @@ +# Examine Static Properties > General + +**28 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/exiftool|exiftool]] — Extract metadata from files (PDF, images, documents, executa +- [[tools/file|file]] — Determine file type and MIME type using magic bytes +- [[tools/numbers-to-string|numbers-to-string.py]] — Convert sequences of decimal numbers to readable characters +- [[tools/ssdeep|ssdeep]] — Compute fuzzy hashes (CTPH) for finding similar files — usef +- [[tools/strings|strings]] — Extract printable ASCII and Unicode strings from binary file +- [[tools/trid|trid]] — Identify file type by scanning binary signatures database +- [[tools/yara|yara]] — Pattern matching tool for identifying and classifying malwar + +### Standard +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/hachoir|Hachoir]] — View, edit, and carve contents of various binary file types. +- [[tools/hash-id|Hash ID]] — Identify different types of hashes. +- [[tools/malcat-lite|Malcat Lite]] — Analyze binary files using a hex editor, disassembler, and f +- [[tools/sleuth-kit|Sleuth Kit]] — Analyze disk images and recover files from them. +- [[tools/yara-forge-rules|YARA-Forge Rules]] — Scan files with curated YARA rules from 45+ sources for malw +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. +- [[tools/droidlysis|droidlysis]] — Perform static analysis of Android applications. +- [[tools/file-magic|file-magic.py]] — Identify file types using the Python magic module. 
+- [[tools/lief|lief]] — Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and D +- [[tools/magika|magika]] — Identify file type using signatures. +- [[tools/msitools|msitools]] — Create, inspect and extract Windows Installer (. +- [[tools/name-that-hash|name-that-hash]] — Identify dfferent types of hashes. +- [[tools/re-search|re-search.py]] — Search the file for built-in regular expressions of common s +- [[tools/signsrch|signsrch]] — Find patterns of common encryption, compression, or encoding +- [[tools/thefuzz|thefuzz]] — Fuzzy String Matching in Python. +- [[tools/wxhexeditor|wxhexeditor]] — Hex editor. + +#examine-static-properties-general #category diff --git a/data/generated/wiki/categories/examine-static-properties-go.md b/data/generated/wiki/categories/examine-static-properties-go.md new file mode 100644 index 0000000..ee4d278 --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-go.md @@ -0,0 +1,11 @@ +# Examine Static Properties > Go + +**2 tools** in this category. + +## Tools + +### Standard +- [[tools/goresym|goresym]] — Extract metadata and symbols from Go binaries, including str +- [[tools/redress|redress]] — Analyze stripped Go binaries to recover symbols, types, sour + +#examine-static-properties-go #category diff --git a/data/generated/wiki/categories/examine-static-properties-net.md b/data/generated/wiki/categories/examine-static-properties-net.md new file mode 100644 index 0000000..3fc944c --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-net.md @@ -0,0 +1,12 @@ +# Examine Static Properties > .NET + +**3 tools** in this category. + +## Tools + +### Standard +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net #category 
diff --git a/data/generated/wiki/categories/explore-network-interactions-connecting.md b/data/generated/wiki/categories/explore-network-interactions-connecting.md new file mode 100644 index 0000000..b1e5e38 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-connecting.md @@ -0,0 +1,20 @@ +# Explore Network Interactions > Connecting + +**9 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites +- [[tools/unfurl|Unfurl]] — Deconstruct and decode URLs — reveal tracking parameters, en +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +### Standard +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/tor|tor]] — Obfuscate your origins by routing traffic through a network +- [[tools/zbarimg|zbarimg]] — Decode QR codes and barcodes from image files. + +#explore-network-interactions-connecting #category diff --git a/data/generated/wiki/categories/explore-network-interactions-monitoring.md b/data/generated/wiki/categories/explore-network-interactions-monitoring.md new file mode 100644 index 0000000..cb2bc23 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-monitoring.md 
@@ -0,0 +1,23 @@ +# Explore Network Interactions > Monitoring + +**12 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/wireshark|Wireshark]] — GUI network protocol analyzer for capturing and inspecting p +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as +- [[tools/tcpdump|tcpdump]] — Command-line packet capture tool +- [[tools/tcpflow|tcpflow]] — Extract and reassemble TCP streams from PCAP files into indi +- [[tools/tcpxtract|tcpxtract]] — Carve files from network traffic using file signatures +- [[tools/tshark|tshark]] — Command-line interface to Wireshark for packet capture and a + +### Standard +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/tcpick|tcpick]] — Capture and analyze network traffic with this command-line s + +#explore-network-interactions-monitoring #category diff --git a/data/generated/wiki/categories/explore-network-interactions-services.md b/data/generated/wiki/categories/explore-network-interactions-services.md new file mode 100644 index 0000000..50e5f82 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-services.md 
@@ -0,0 +1,19 @@ +# Explore Network Interactions > Services + +**8 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +### Standard +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/inspircd|inspircd]] — Examine IRC activity with this IRC server. +- [[tools/nginx|nginx]] — Web server. + +#explore-network-interactions-services #category diff --git a/data/generated/wiki/categories/gather-and-analyze-data.md b/data/generated/wiki/categories/gather-and-analyze-data.md new file mode 100644 index 0000000..8e67899 --- /dev/null +++ b/data/generated/wiki/categories/gather-and-analyze-data.md 
@@ -0,0 +1,24 @@ +# Gather and Analyze Data + +**13 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +### Standard +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/nsrllookup|nsrllookup]] — Look up MD5 file hashes in the NIST National Software Refere +- [[tools/pdnstool|pdnstool]] — Query passive DNS databases for DNS data. +- [[tools/scalpel|scalpel]] — Carve contents out of binary files, such as partitions. +- [[tools/time-decode|time-decode]] — Decode and encode date and timestamps. +- [[tools/virustotal-search|virustotal-search]] — Search VirusTotal for file hashes. +- [[tools/virustotal-submit|virustotal-submit]] — Submit files to VirusTotal. +- [[tools/yara-x|yara-x]] — Scan files using YARA rules, the next generation of YARA wri + +#gather-and-analyze-data #category diff --git a/data/generated/wiki/categories/general-utilities.md b/data/generated/wiki/categories/general-utilities.md new file mode 100644 index 0000000..13c4ae2 --- /dev/null +++ b/data/generated/wiki/categories/general-utilities.md 
@@ -0,0 +1,28 @@ +# General Utilities + +**17 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/rar|rar]] — Extract RAR archives (including self-extracting RAR payloads +- [[tools/unzip|unzip]] — Extract ZIP archives containing malware samples + +### Standard +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/remnux-installer|REMnux Installer]] — Install and update the REMnux distro. +- [[tools/sqlite|SQLite]] — Manage and interact with SQL database files. +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. +- [[tools/myip|myip]] — Determine the IP address of the default network interface. +- [[tools/myjson-filter|myjson-filter.py]] — Filter data formatted using the JSON format used by Didier S +- [[tools/nasm|nasm]] — An x86-64 assembler. +- [[tools/nautilus|nautilus]] — Graphical file manager. +- [[tools/openssh|openssh]] — Initiate and receive SSH and SFTP connections. +- [[tools/sortcanon|sortcanon.py]] — Sort text files using canonicalization functions built into +- [[tools/texteditor|texteditor.py]] — Edit text files from the command line using search-and-repla + +#general-utilities #category diff --git a/data/generated/wiki/categories/investigate-system-interactions.md b/data/generated/wiki/categories/investigate-system-interactions.md new file mode 100644 index 0000000..6a542bc --- /dev/null +++ b/data/generated/wiki/categories/investigate-system-interactions.md 
@@ -0,0 +1,14 @@ +# Investigate System Interactions + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh + +### Standard +- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system. +- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst + +#investigate-system-interactions #category diff --git a/data/generated/wiki/categories/network-analysis.md b/data/generated/wiki/categories/network-analysis.md new file mode 100644 index 0000000..2940557 --- /dev/null +++ b/data/generated/wiki/categories/network-analysis.md @@ -0,0 +1,12 @@ +# network-analysis + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution +- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network + +#network-analysis #category diff --git a/data/generated/wiki/categories/perform-memory-forensics.md b/data/generated/wiki/categories/perform-memory-forensics.md new file mode 100644 index 0000000..f44db69 --- /dev/null +++ b/data/generated/wiki/categories/perform-memory-forensics.md @@ -0,0 +1,14 @@ +# Perform Memory Forensics + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa + +### Standard +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image. + +#perform-memory-forensics #category diff --git a/data/generated/wiki/categories/static-analysis-pe.md b/data/generated/wiki/categories/static-analysis-pe.md new file mode 100644 index 0000000..f9f44ff --- /dev/null 
+++ b/data/generated/wiki/categories/static-analysis-pe.md @@ -0,0 +1,11 @@ +# static-analysis-pe + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/peframe|peframe]] — Static analysis of PE files — extract properties, detect ano +- [[tools/pestr|pestr]] — Extract ASCII and Unicode strings from PE files + +#static-analysis-pe #category diff --git a/data/generated/wiki/categories/statically-analyze-code-android.md b/data/generated/wiki/categories/statically-analyze-code-android.md new file mode 100644 index 0000000..e33361e --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-android.md @@ -0,0 +1,18 @@ +# Statically Analyze Code > Android + +**7 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/jadx|jadx]] — Decompile Android DEX/APK to Java source code with a GUI or + +### Standard +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#statically-analyze-code-android #category diff --git a/data/generated/wiki/categories/statically-analyze-code-general.md b/data/generated/wiki/categories/statically-analyze-code-general.md new file mode 100644 index 0000000..9fda376 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-general.md 
@@ -0,0 +1,16 @@ +# Statically Analyze Code > General + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, + +### Standard +- [[tools/objdump|objdump]] — Disassemble binary files. + +#statically-analyze-code-general #category diff --git a/data/generated/wiki/categories/statically-analyze-code-java.md b/data/generated/wiki/categories/statically-analyze-code-java.md new file mode 100644 index 0000000..30db026 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-java.md @@ -0,0 +1,16 @@ +# Statically Analyze Code > Java + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including + +### Standard +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/procyon|Procyon]] — Java decompiler. +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. + +#statically-analyze-code-java #category diff --git a/data/generated/wiki/categories/statically-analyze-code-net.md b/data/generated/wiki/categories/statically-analyze-code-net.md new file mode 100644 index 0000000..8dbb650 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-net.md 
@@ -0,0 +1,11 @@ +# Statically Analyze Code > .NET + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil +- [[tools/de4dot|de4dot]] — .NET deobfuscator — remove obfuscation from .NET assemblies + +#statically-analyze-code-net #category diff --git a/data/generated/wiki/categories/statically-analyze-code-pe-files.md b/data/generated/wiki/categories/statically-analyze-code-pe-files.md new file mode 100644 index 0000000..47195a5 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-pe-files.md @@ -0,0 +1,15 @@ +# Statically Analyze Code > PE Files + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw + +### Standard +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal + +#statically-analyze-code-pe-files #category diff --git a/data/generated/wiki/categories/statically-analyze-code-python.md b/data/generated/wiki/categories/statically-analyze-code-python.md new file mode 100644 index 0000000..c136a8f --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-python.md 
@@ -0,0 +1,15 @@ +# Statically Analyze Code > Python + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +### Standard +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. + +#statically-analyze-code-python #category diff --git a/data/generated/wiki/categories/statically-analyze-code-scripts.md b/data/generated/wiki/categories/statically-analyze-code-scripts.md new file mode 100644 index 0000000..6b965e6 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-scripts.md @@ -0,0 +1,14 @@ +# Statically Analyze Code > Scripts + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili + +### Standard +- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries. +- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE). + +#statically-analyze-code-scripts #category diff --git a/data/generated/wiki/categories/statically-analyze-code-unpacking.md b/data/generated/wiki/categories/statically-analyze-code-unpacking.md new file mode 100644 index 0000000..b9cd9b8 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-unpacking.md @@ -0,0 +1,11 @@ +# Statically Analyze Code > Unpacking + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/bytehist|Bytehist]] — Generate byte-usage histograms to visually identify packed o +- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P + +#statically-analyze-code-unpacking #category 
diff --git a/data/generated/wiki/categories/string-deobfuscation.md b/data/generated/wiki/categories/string-deobfuscation.md new file mode 100644 index 0000000..d58e79e --- /dev/null +++ b/data/generated/wiki/categories/string-deobfuscation.md @@ -0,0 +1,10 @@ +# string-deobfuscation + +**1 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/bbcrack|bbcrack]] — Detect and decode strings obfuscated with XOR, ROL, and ADD + +#string-deobfuscation #category diff --git a/data/generated/wiki/categories/use-artificial-intelligence.md b/data/generated/wiki/categories/use-artificial-intelligence.md new file mode 100644 index 0000000..dc6fec6 --- /dev/null +++ b/data/generated/wiki/categories/use-artificial-intelligence.md @@ -0,0 +1,12 @@ +# Use Artificial Intelligence + +**3 tools** in this category. + +## Tools + +### Standard +- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra. +- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal. +- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via + +#use-artificial-intelligence #category diff --git a/data/generated/wiki/categories/utilities.md b/data/generated/wiki/categories/utilities.md new file mode 100644 index 0000000..11a986e --- /dev/null +++ b/data/generated/wiki/categories/utilities.md @@ -0,0 +1,14 @@ +# utilities + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +#utilities #category 
diff --git a/data/generated/wiki/categories/view-or-edit-files.md b/data/generated/wiki/categories/view-or-edit-files.md new file mode 100644 index 0000000..ed46f2e --- /dev/null +++ b/data/generated/wiki/categories/view-or-edit-files.md @@ -0,0 +1,18 @@ +# View or Edit Files + +**7 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/visual-studio-code|Visual Studio Code]] — Code editor used for viewing decompiled output, scripts, and +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d + +### Standard +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files #category diff --git a/data/generated/wiki/index.md b/data/generated/wiki/index.md new file mode 100644 index 0000000..79173e9 --- /dev/null +++ b/data/generated/wiki/index.md 
@@ -0,0 +1,102 @@ +# REMnux Analysis Wiki + +> 397 tools | 15 workflows | 27 recipes + +## Browse by Category + +- [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] (4 tools) +- [[categories/analyze-documents-general|Analyze Documents > General]] (1 tools) +- [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] (16 tools) +- [[categories/analyze-documents-pdf|Analyze Documents > PDF]] (8 tools) +- [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] (3 tools) +- [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] (5 tools) +- [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] (5 tools) +- [[categories/examine-static-properties-net|Examine Static Properties > .NET]] (3 tools) +- [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] (28 tools) +- [[categories/examine-static-properties-general|Examine Static Properties > General]] (28 tools) +- [[categories/examine-static-properties-go|Examine Static Properties > Go]] (2 tools) +- [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] (9 tools) +- [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] (12 tools) +- [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] (8 tools) +- [[categories/gather-and-analyze-data|Gather and Analyze Data]] (13 tools) +- [[categories/general-utilities|General Utilities]] (17 tools) +- [[categories/investigate-system-interactions|Investigate System Interactions]] (3 tools) +- [[categories/perform-memory-forensics|Perform Memory Forensics]] (3 tools) +- [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] (2 tools) +- [[categories/statically-analyze-code-android|Statically Analyze Code > 
Android]] (7 tools) +- [[categories/statically-analyze-code-general|Statically Analyze Code > General]] (5 tools) +- [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] (5 tools) +- [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] (4 tools) +- [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] (4 tools) +- [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] (3 tools) +- [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] (2 tools) +- [[categories/use-artificial-intelligence|Use Artificial Intelligence]] (3 tools) +- [[categories/view-or-edit-files|View or Edit Files]] (7 tools) +- [[categories/dotnet-analysis|dotnet-analysis]] (1 tools) +- [[categories/network-analysis|network-analysis]] (3 tools) +- [[categories/static-analysis-pe|static-analysis-pe]] (2 tools) +- [[categories/string-deobfuscation|string-deobfuscation]] (1 tools) +- [[categories/utilities|utilities]] (5 tools) + +## Workflows + +- [[workflows/static-analysis-workflow|Static Properties Analysis]] +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] +- [[workflows/network-interception-workflow|Network Traffic Interception]] +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] +- [[workflows/code-injection-workflow|Code Injection Analysis]] +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] +- [[workflows/memory-forensics-workflow|Memory Forensics]] +- [[workflows/android-analysis-workflow|Android Malware Analysis]] +- [[workflows/java-analysis-workflow|Java Malware Analysis]] +- [[workflows/email-analysis-workflow|Email & Phishing 
Analysis]] +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] + +## Recipes + +- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]] +- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]] +- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]] +- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] +- [[recipes/password-protected-office|Decrypt Password-Protected Office Document]] +- [[recipes/excel-xlm-macros|Deobfuscate Excel 4.0 (XLM) Macros]] +- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]] +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]] +- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]] +- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]] +- [[recipes/js-null-byte-cleanup|Clean Null Bytes from UTF-16 JavaScript]] +- [[recipes/shellcode-emulate-with-offset|Emulate Shellcode at Specific Offset]] +- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]] +- [[recipes/shellcode-to-exe|Convert Shellcode to Executable]] +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] +- [[recipes/stack-string-extraction|Extract Stack-Built Strings]] +- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]] +- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]] +- [[recipes/capa-capability-filter|Filter Capabilities by Technique]] +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] +- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]] +- [[recipes/apk-quick-triage|Quick APK Triage]] +- 
[[recipes/email-attachment-extraction|Extract and Triage Email Attachments]] + +## Quick Access + +```bash +# Browse interactively +zk list --interactive + +# Search by tag +zk list --tag pdf + +# Find what links to a tool +zk list --mention pdfid +``` + +#index #wiki diff --git a/data/generated/wiki/recipes/apk-quick-triage.md b/data/generated/wiki/recipes/apk-quick-triage.md new file mode 100644 index 0000000..7df3a6e --- /dev/null +++ b/data/generated/wiki/recipes/apk-quick-triage.md @@ -0,0 +1,18 @@ +# Quick APK Triage +> Fast initial assessment of a suspicious Android app + +**Tools:** [[tools/apkid|apkid]], [[tools/apktool|apktool]], [[tools/jadx|jadx]] + +## Commands +```bash +# Check for packers/obfuscators +apkid +# Decompile to smali + resources +apktool d -o output/ +# Check permissions +grep 'uses-permission' output/AndroidManifest.xml +# Decompile to Java source +jadx -d src/ +``` + +#recipe #apkid #apktool #jadx diff --git a/data/generated/wiki/recipes/base64-xor-shellcode.md b/data/generated/wiki/recipes/base64-xor-shellcode.md new file mode 100644 index 0000000..cbd637d --- /dev/null +++ b/data/generated/wiki/recipes/base64-xor-shellcode.md @@ -0,0 +1,15 @@ +# Decode Base64 + XOR Shellcode +> Extract shellcode encoded as Base64 with an XOR key + +**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Find Base64 strings +base64dump.py -n 10 +# Decode Base64, then XOR with key +base64dump.py -s -d | translate.py 'byte ^ ' > shellcode.bin +``` + +#recipe #base64dump-py #translate-py diff --git a/data/generated/wiki/recipes/capa-capability-filter.md b/data/generated/wiki/recipes/capa-capability-filter.md new file mode 100644 index 0000000..9473069 --- /dev/null +++ b/data/generated/wiki/recipes/capa-capability-filter.md 
@@ -0,0 +1,19 @@ +# Filter Capabilities by Technique +> Find specific capabilities in capa output + +**Tools:** [[tools/capa|capa]] +**FOR610 Lab:** 1.4, 5.4 + +## Commands +```bash +# Full capabilities report +capa +# Verbose with rule matches +capa -vv +# Filter for specific technique +capa -vv | grep -A7 '' +# Find injection-related capabilities +capa -vv | grep -A7 'inject\|hollow\|suspend' +``` + +#recipe #capa diff --git a/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md b/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md new file mode 100644 index 0000000..6ff8f79 --- /dev/null +++ b/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md @@ -0,0 +1,15 @@ +# Parse Cobalt Strike Beacon Configuration +> Extract C2 config from a Cobalt Strike beacon or shellcode + +**Tools:** [[tools/1768-py|1768-py]], [[tools/yara|yara]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Scan with YARA for CS signatures +yara-rules +# Extract beacon configuration +1768.py +``` + +#recipe #1768-py #yara diff --git a/data/generated/wiki/recipes/cyberchef-xor-decode.md b/data/generated/wiki/recipes/cyberchef-xor-decode.md new file mode 100644 index 0000000..0a0e16e --- /dev/null +++ b/data/generated/wiki/recipes/cyberchef-xor-decode.md @@ -0,0 +1,14 @@ +# Visual XOR/Base64 Decode with CyberChef +> Use CyberChef's recipe builder for multi-step decoding + +**Tools:** [[tools/cyberchef|cyberchef]] + +## Commands +```bash +# Launch CyberChef +cyberchef +# Common recipe: From Hex → XOR (key) → extract strings +# Common recipe: From Base64 → Decode text UTF-16LE +``` + +#recipe #cyberchef diff --git a/data/generated/wiki/recipes/dns-interception-setup.md b/data/generated/wiki/recipes/dns-interception-setup.md new file mode 100644 index 0000000..ba0cf45 --- /dev/null +++ b/data/generated/wiki/recipes/dns-interception-setup.md 
@@ -0,0 +1,19 @@ +# Set Up DNS + HTTP Interception +> Redirect all malware DNS queries and serve fake HTTP responses + +**Tools:** [[tools/fakedns|fakedns]], [[tools/httpd|httpd]], [[tools/inetsim|inetsim]] + +## Commands +```bash +# Option A: Simple DNS + HTTP +fakedns & +httpd & +# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP) +inetsim +# Verify DNS is working +nslookup anything.com +# Redirect hardcoded IPs too +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT +``` + +#recipe #fakedns #httpd #inetsim diff --git a/data/generated/wiki/recipes/dotnet-decompile-cli.md b/data/generated/wiki/recipes/dotnet-decompile-cli.md new file mode 100644 index 0000000..bc083a5 --- /dev/null +++ b/data/generated/wiki/recipes/dotnet-decompile-cli.md @@ -0,0 +1,18 @@ +# Decompile .NET on Command Line +> Decompile a .NET assembly to C# source on REMnux + +**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/de4dot|de4dot]] +**FOR610 Lab:** 4.8 + +## Commands +```bash +# Decompile to C# source +ilspycmd > source.cs +# Search for suspicious patterns +grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs +# If obfuscated, deobfuscate first +de4dot +ilspycmd > source_clean.cs +``` + +#recipe #ilspycmd #de4dot diff --git a/data/generated/wiki/recipes/email-attachment-extraction.md b/data/generated/wiki/recipes/email-attachment-extraction.md new file mode 100644 index 0000000..422d2d1 --- /dev/null +++ b/data/generated/wiki/recipes/email-attachment-extraction.md @@ -0,0 +1,18 @@ +# Extract and Triage Email Attachments +> Pull attachments from an email and identify their types + +**Tools:** [[tools/emldump-py|emldump-py]], [[tools/file|file]], [[tools/sha256sum|sha256sum]] + +## Commands +```bash +# List email structure +emldump.py +# Extract all attachments +emldump.py -d +# Identify file types +file attachment_* +# Compute hashes for lookup +sha256sum attachment_* +``` + +#recipe #emldump-py #file #sha256sum 
diff --git a/data/generated/wiki/recipes/excel-xlm-macros.md b/data/generated/wiki/recipes/excel-xlm-macros.md new file mode 100644 index 0000000..e6897bf --- /dev/null +++ b/data/generated/wiki/recipes/excel-xlm-macros.md @@ -0,0 +1,12 @@ +# Deobfuscate Excel 4.0 (XLM) Macros +> Extract and decode legacy Excel macros hidden in sheets + +**Tools:** [[tools/xlmmacrodeobfuscator|xlmmacrodeobfuscator]] + +## Commands +```bash +# Deobfuscate XLM macros +xlmdeobfuscator --file +``` + +#recipe #xlmmacrodeobfuscator diff --git a/data/generated/wiki/recipes/extract-base64-ps-from-vba.md b/data/generated/wiki/recipes/extract-base64-ps-from-vba.md new file mode 100644 index 0000000..b44b781 --- /dev/null +++ b/data/generated/wiki/recipes/extract-base64-ps-from-vba.md @@ -0,0 +1,19 @@ +# Extract Base64 PowerShell from Office Macro +> Get encoded PowerShell payload hidden in a VBA UserForm stream + +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# List streams — find macro (M) and data streams +oledump.py +# Extract VBA source to understand what the macro does +oledump.py -s -v +# Scan data stream for Base64 strings +oledump.py -s -d | base64dump.py -n 10 +# Decode the longest Base64 hit to file +oledump.py -s -d | base64dump.py -s 1 -d > payload.ps1 +``` + +#recipe #oledump-py #base64dump-py diff --git a/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md b/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md new file mode 100644 index 0000000..91e87d0 --- /dev/null +++ b/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md 
@@ -0,0 +1,19 @@ +# Deobfuscate JavaScript with SpiderMonkey +> Execute obfuscated JS safely using SpiderMonkey with API simulation + +**Tools:** [[tools/js-beautify|js-beautify]], [[tools/spidermonkey|spidermonkey]] +**FOR610 Lab:** 3.6, 3.7 + +## Commands +```bash +# Beautify compressed JavaScript +js-beautify > readable.js +# Execute with objects.js to simulate browser/WScript APIs +js -f /usr/share/remnux/objects.js -f > decoded.js +# If script expects location.href, edit objects.js first: +cp /usr/share/remnux/objects.js . +# Edit objects.js to set: location = { href: 'http://expected-url' } +js -f objects.js -f > decoded.js +``` + +#recipe #js-beautify #spidermonkey diff --git a/data/generated/wiki/recipes/js-null-byte-cleanup.md b/data/generated/wiki/recipes/js-null-byte-cleanup.md new file mode 100644 index 0000000..6c61d32 --- /dev/null +++ b/data/generated/wiki/recipes/js-null-byte-cleanup.md @@ -0,0 +1,19 @@ +# Clean Null Bytes from UTF-16 JavaScript +> Remove null byte padding from UTF-16 encoded JavaScript before analysis + +**Tools:** [[tools/spidermonkey|spidermonkey]] +**FOR610 Lab:** 4.5 + +## Commands +```bash +# Check for null bytes (look for 00 in hex) +xxd | head -2 +# Remove null bytes +cat | tr -d '\00' > clean.js +# Then deobfuscate +js -f /usr/share/remnux/objects.js -f clean.js > decoded.js +# Beautify the result +js-beautify decoded.js > final.js +``` + +#recipe #spidermonkey diff --git a/data/generated/wiki/recipes/multi-stage-base64-gzip.md b/data/generated/wiki/recipes/multi-stage-base64-gzip.md new file mode 100644 index 0000000..903c47c --- /dev/null +++ b/data/generated/wiki/recipes/multi-stage-base64-gzip.md 
@@ -0,0 +1,15 @@ +# Decode Base64 + Gzip Payload +> Handle double-encoded payloads: Base64 wrapping gzip-compressed content + +**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Find Base64 strings in the script +base64dump.py -n 10 +# Decode Base64 and decompress gzip in one chain +base64dump.py -s -d | gunzip > decoded.ps1 +``` + +#recipe #base64dump-py #gunzip diff --git a/data/generated/wiki/recipes/office-full-decode-chain.md b/data/generated/wiki/recipes/office-full-decode-chain.md new file mode 100644 index 0000000..fbf3378 --- /dev/null +++ b/data/generated/wiki/recipes/office-full-decode-chain.md @@ -0,0 +1,22 @@ +# Full Office Macro Decode Chain +> Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode + +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]], [[tools/translate-py|translate-py]], [[tools/scdbgc|scdbgc]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 +``` + +#recipe #oledump-py #base64dump-py #gunzip #translate-py #scdbgc diff --git a/data/generated/wiki/recipes/password-protected-office.md b/data/generated/wiki/recipes/password-protected-office.md new file mode 100644 index 0000000..bcc6048 --- /dev/null +++ b/data/generated/wiki/recipes/password-protected-office.md 
@@ -0,0 +1,12 @@ +# Decrypt Password-Protected Office Document +> Remove password protection before analysis + +**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]] + +## Commands +```bash +# Common malware passwords: infected, malware, password, 123456 +msoffcrypto-tool -p infected +``` + +#recipe #msoffcrypto-tool diff --git a/data/generated/wiki/recipes/pcap-file-carving.md b/data/generated/wiki/recipes/pcap-file-carving.md new file mode 100644 index 0000000..4aaef10 --- /dev/null +++ b/data/generated/wiki/recipes/pcap-file-carving.md @@ -0,0 +1,16 @@ +# Extract Files from Network Capture +> Carve downloaded payloads and exfiltrated data from PCAP + +**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/tcpflow|tcpflow]], [[tools/networkminer|networkminer]] + +## Commands +```bash +# Carve files using signatures +tcpxtract -f -o carved/ +# Extract individual TCP streams +tcpflow -r -o streams/ +# Or use NetworkMiner for automated extraction +NetworkMiner --pcap +``` + +#recipe #tcpxtract #tcpflow #networkminer diff --git a/data/generated/wiki/recipes/pdf-javascript-extraction.md b/data/generated/wiki/recipes/pdf-javascript-extraction.md new file mode 100644 index 0000000..ab7546b --- /dev/null +++ b/data/generated/wiki/recipes/pdf-javascript-extraction.md @@ -0,0 +1,16 @@ +# Extract JavaScript from PDF +> Find and extract embedded JavaScript from a PDF file + +**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/peepdf|peepdf]] + +## Commands +```bash +# Check if PDF contains JavaScript +pdfid.py +# Find objects with JavaScript +pdf-parser.py -s /JavaScript +# Interactive analysis with peepdf +peepdf -i +``` + +#recipe #pdfid-py #pdf-parser-py #peepdf diff --git a/data/generated/wiki/recipes/pdf-object-extraction.md b/data/generated/wiki/recipes/pdf-object-extraction.md new file mode 100644 index 0000000..ecbc4cf --- /dev/null +++ b/data/generated/wiki/recipes/pdf-object-extraction.md 
@@ -0,0 +1,21 @@ +# Extract Embedded Object from PDF +> Pull out an embedded image, JavaScript, or file from a PDF object + +**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/feh|feh]] +**FOR610 Lab:** 3.1 + +## Commands +```bash +# Scan for suspicious keywords +pdfid.py +# Find objects containing the keyword +pdf-parser.py -s /URI +# Extract all values for that keyword +pdf-parser.py -k /URI +# Dump a specific object to file +pdf-parser.py -o -d extracted_object +# View extracted image +feh extracted_object & +``` + +#recipe #pdfid-py #pdf-parser-py #feh diff --git a/data/generated/wiki/recipes/rtf-shellcode-extraction.md b/data/generated/wiki/recipes/rtf-shellcode-extraction.md new file mode 100644 index 0000000..0dee9a1 --- /dev/null +++ b/data/generated/wiki/recipes/rtf-shellcode-extraction.md @@ -0,0 +1,19 @@ +# Extract Shellcode from RTF Document +> Find and extract embedded shellcode from a malicious RTF file + +**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/xorsearch|xorsearch]], [[tools/scdbgc|scdbgc]] +**FOR610 Lab:** 3.5 + +## Commands +```bash +# Scan RTF structure — look for groups with lots of hex data +rtfdump.py +# Extract the hex-heavy group as binary +rtfdump.py -s -H -d > extracted.bin +# Scan for shellcode patterns (even XOR-encoded) +XORSearch -W -d 3 extracted.bin +# Emulate shellcode at found offset +scdbgc /f extracted.bin /foff /s -1 +``` + +#recipe #rtfdump-py #xorsearch #scdbgc diff --git a/data/generated/wiki/recipes/shellcode-emulate-with-offset.md b/data/generated/wiki/recipes/shellcode-emulate-with-offset.md new file mode 100644 index 0000000..944e8b4 --- /dev/null +++ b/data/generated/wiki/recipes/shellcode-emulate-with-offset.md 
@@ -0,0 +1,17 @@ +# Emulate Shellcode at Specific Offset +> Run shellcode that starts at an offset within a larger binary + +**Tools:** [[tools/scdbgc|scdbgc]] +**FOR610 Lab:** 3.5, 4.6 + +## Commands +```bash +# Emulate from file start +scdbgc /f /s -1 +# Emulate from specific offset (hex) +scdbgc /f /foff /s -1 +# Emulate with a file handle pre-opened (for exploits) +scdbgc /f /foff /fopen /s -1 +``` + +#recipe #scdbgc diff --git a/data/generated/wiki/recipes/shellcode-to-exe.md b/data/generated/wiki/recipes/shellcode-to-exe.md new file mode 100644 index 0000000..dc70d87 --- /dev/null +++ b/data/generated/wiki/recipes/shellcode-to-exe.md @@ -0,0 +1,12 @@ +# Convert Shellcode to Executable +> Wrap raw shellcode in a PE for analysis in disassemblers + +**Tools:** [[tools/shcode2exe|shcode2exe]] + +## Commands +```bash +# Convert 32-bit shellcode to EXE +shcode2exe +``` + +#recipe #shcode2exe diff --git a/data/generated/wiki/recipes/speakeasy-emulation-with-json.md b/data/generated/wiki/recipes/speakeasy-emulation-with-json.md new file mode 100644 index 0000000..8ab7076 --- /dev/null +++ b/data/generated/wiki/recipes/speakeasy-emulation-with-json.md @@ -0,0 +1,17 @@ +# Emulate Malware and Extract API Calls +> Emulate a Windows binary on Linux and analyze its API usage + +**Tools:** [[tools/speakeasy|speakeasy]], [[tools/jq|jq]] +**FOR610 Lab:** 1.4 + +## Commands +```bash +# Emulate and capture both JSON report and text log +speakeasy -t -o report.json 2> report.txt +# Extract all API names called +jq '.entry_points[].apis[].api_name' report.json +# Extract unique API names +jq -r '.entry_points[].apis[].api_name' report.json | sort -u +``` + +#recipe #speakeasy #jq diff --git a/data/generated/wiki/recipes/stack-string-extraction.md b/data/generated/wiki/recipes/stack-string-extraction.md new file mode 100644 index 0000000..e85ae1a --- /dev/null +++ b/data/generated/wiki/recipes/stack-string-extraction.md 
@@ -0,0 +1,17 @@ +# Extract Stack-Built Strings +> Decode strings assembled byte-by-byte on the stack + +**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]] +**FOR610 Lab:** 5.2 + +## Commands +```bash +# Automatic stack string recovery +strdeob.pl +# FLOSS automatic deobfuscation (static + stack + decoded) +floss +# FLOSS skip static strings, only show decoded +floss --no-static -- +``` + +#recipe #strdeob-pl #floss diff --git a/data/generated/wiki/recipes/vba-number-string-decode.md b/data/generated/wiki/recipes/vba-number-string-decode.md new file mode 100644 index 0000000..30b02ff --- /dev/null +++ b/data/generated/wiki/recipes/vba-number-string-decode.md @@ -0,0 +1,15 @@ +# Decode VBA Number Arrays to Strings +> Convert VBA macros that use Chr() number sequences into readable text + +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/numbers-to-string-py|numbers-to-string-py]] +**FOR610 Lab:** 3.3 + +## Commands +```bash +# Extract VBA and convert number sequences to text +oledump.py -s -v | numbers-to-string.py -j +# Same but with line-break formatting for readability +oledump.py -s -v | numbers-to-string.py -j | sed 's/;/;\n/g' +``` + +#recipe #oledump-py #numbers-to-string-py diff --git a/data/generated/wiki/recipes/vba-pcode-decompile.md b/data/generated/wiki/recipes/vba-pcode-decompile.md new file mode 100644 index 0000000..ecded77 --- /dev/null +++ b/data/generated/wiki/recipes/vba-pcode-decompile.md @@ -0,0 +1,14 @@ +# Recover VBA from p-code (source removed) +> Decompile VBA when source code has been stripped, only p-code remains + +**Tools:** [[tools/pcode2code|pcode2code]], [[tools/pcodedmp|pcodedmp]] + +## Commands +```bash +# Decompile p-code back to VBA source +pcode2code +# Or disassemble p-code to assembly +pcodedmp +``` + +#recipe #pcode2code #pcodedmp diff --git a/data/generated/wiki/recipes/volatility-quick-triage.md b/data/generated/wiki/recipes/volatility-quick-triage.md new file mode 100644 index 0000000..e0ab178 
--- /dev/null +++ b/data/generated/wiki/recipes/volatility-quick-triage.md @@ -0,0 +1,18 @@ +# Quick Memory Dump Triage +> Fast initial assessment of a memory dump + +**Tools:** [[tools/volatility3|volatility3]] + +## Commands +```bash +# Identify OS +vol3 -f windows.info +# Process tree (spot anomalies) +vol3 -f windows.pstree +# Network connections +vol3 -f windows.netscan +# Injected code detection +vol3 -f windows.malfind +``` + +#recipe #volatility3 diff --git a/data/generated/wiki/recipes/xor-key-brute-force.md b/data/generated/wiki/recipes/xor-key-brute-force.md new file mode 100644 index 0000000..b38738b --- /dev/null +++ b/data/generated/wiki/recipes/xor-key-brute-force.md @@ -0,0 +1,21 @@ +# Brute-Force XOR Key +> Find the XOR key used to encode strings in a binary + +**Tools:** [[tools/brxor-py|brxor-py]], [[tools/bbcrack|bbcrack]], [[tools/xorsearch|xorsearch]], [[tools/xortool|xortool]] +**FOR610 Lab:** 5.2 + +## Commands +```bash +# Quick check for XOR-encoded URLs/PE headers +XORSearch http: +# Brute-force single-byte XOR keys +brxor.py +# Try XOR, ROL, ADD combinations +bbcrack -l 1 +# Guess multi-byte XOR key length and value +xortool +# Decode with known key +xortool-xor -s '' -i -o +``` + +#recipe #brxor-py #bbcrack #xorsearch #xortool diff --git a/data/generated/wiki/tools/1768.md b/data/generated/wiki/tools/1768.md new file mode 100644 index 0000000..0c7075a --- /dev/null +++ b/data/generated/wiki/tools/1768.md 
@@ -0,0 +1,31 @@ +# 1768.py +> Parse Cobalt Strike beacon configuration from shellcode or memory dumps + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +1768.py shellcode.bin +``` + +## Recipes +- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 4: Framework Identification +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 2: Configuration Extraction + +## Related Tools +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#cobalt-strike #beacon #c2-config #didier-stevens diff --git a/data/generated/wiki/tools/7-zip.md b/data/generated/wiki/tools/7-zip.md new file mode 100644 index 0000000..b8d43da --- /dev/null +++ b/data/generated/wiki/tools/7-zip.md 
@@ -0,0 +1,14 @@ +# 7-Zip +> Compress and decompress files using a variety of algorithms. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/7zip.md b/data/generated/wiki/tools/7zip.md new file mode 100644 index 0000000..5a46feb --- /dev/null +++ b/data/generated/wiki/tools/7zip.md @@ -0,0 +1,4 @@ +# 7zip + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/aeskeyfind.md b/data/generated/wiki/tools/aeskeyfind.md new file mode 100644 index 0000000..2f4fc4b --- /dev/null +++ b/data/generated/wiki/tools/aeskeyfind.md @@ -0,0 +1,4 @@ +# aeskeyfind + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/aeskeyfinder.md b/data/generated/wiki/tools/aeskeyfinder.md new file mode 100644 index 0000000..63cb755 --- /dev/null +++ b/data/generated/wiki/tools/aeskeyfinder.md 
@@ -0,0 +1,11 @@ +# AESKeyFinder +> Find 128-bit and 256-bit AES keys in a memory image. + +**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics) + +## Related Tools +- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image. +- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa + +#perform-memory-forensics diff --git a/data/generated/wiki/tools/androguard.md b/data/generated/wiki/tools/androguard.md new file mode 100644 index 0000000..c92db73 --- /dev/null +++ b/data/generated/wiki/tools/androguard.md @@ -0,0 +1,24 @@ +# androguard +> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Usage +```bash +androguard analyze +androguard decompile -o output/ +androgui.py +``` + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis + +## Related Tools +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#android #apk #permissions #decompilation 
diff --git a/data/generated/wiki/tools/android-project-creator.md b/data/generated/wiki/tools/android-project-creator.md new file mode 100644 index 0000000..1806f7f --- /dev/null +++ b/data/generated/wiki/tools/android-project-creator.md @@ -0,0 +1,4 @@ +# android-project-creator + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/androidprojectcreator.md b/data/generated/wiki/tools/androidprojectcreator.md new file mode 100644 index 0000000..5bf7bd8 --- /dev/null +++ b/data/generated/wiki/tools/androidprojectcreator.md @@ -0,0 +1,14 @@ +# AndroidProjectCreator +> Convert an Android APK application file into an Android Studio project for easier analysis. + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#statically-analyze-code-android diff --git a/data/generated/wiki/tools/anomy.md b/data/generated/wiki/tools/anomy.md new file mode 100644 index 0000000..5a52fd8 --- /dev/null +++ b/data/generated/wiki/tools/anomy.md 
@@ -0,0 +1,14 @@ +# anomy +> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +#explore-network-interactions-connecting diff --git a/data/generated/wiki/tools/apkid.md b/data/generated/wiki/tools/apkid.md new file mode 100644 index 0000000..2a8afb5 --- /dev/null +++ b/data/generated/wiki/tools/apkid.md 
@@ -0,0 +1,20 @@ +# apkid +> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files. + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Recipes +- [[recipes/apk-quick-triage|Quick APK Triage]] + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#statically-analyze-code-android diff --git a/data/generated/wiki/tools/apktool.md b/data/generated/wiki/tools/apktool.md new file mode 100644 index 0000000..c4bee7a --- /dev/null +++ b/data/generated/wiki/tools/apktool.md 
@@ -0,0 +1,26 @@ +# apktool +> Decompile and recompile Android APK files — extract resources, smali code, and manifest + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Usage +```bash +apktool d -o output/ +apktool b output/ -o rebuilt.apk +``` + +## Recipes +- [[recipes/apk-quick-triage|Quick APK Triage]] + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 2: Manifest Analysis + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#android #apk #decompilation #resources diff --git a/data/generated/wiki/tools/apt-utils.md b/data/generated/wiki/tools/apt-utils.md new file mode 100644 index 0000000..8158ec9 --- /dev/null +++ b/data/generated/wiki/tools/apt-utils.md @@ -0,0 +1,4 @@ +# apt-utils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/archive-zip.md b/data/generated/wiki/tools/archive-zip.md new file mode 100644 index 0000000..1e99bf7 --- /dev/null +++ b/data/generated/wiki/tools/archive-zip.md @@ -0,0 +1,4 @@ +# archive-zip + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/autoconf.md b/data/generated/wiki/tools/autoconf.md new file mode 100644 index 0000000..ec52faa --- /dev/null +++ b/data/generated/wiki/tools/autoconf.md @@ -0,0 +1,4 @@ +# autoconf + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/autoit-ripper.md b/data/generated/wiki/tools/autoit-ripper.md new file mode 100644 index 0000000..9416324 --- /dev/null +++ b/data/generated/wiki/tools/autoit-ripper.md @@ -0,0 +1,11 @@ +# autoit-ripper +> Extract AutoIt scripts embedded in PE binaries. + +**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts) + +## Related Tools +- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE). +- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili + +#statically-analyze-code-scripts diff --git a/data/generated/wiki/tools/autologin.md b/data/generated/wiki/tools/autologin.md new file mode 100644 index 0000000..48c3411 --- /dev/null +++ b/data/generated/wiki/tools/autologin.md @@ -0,0 +1,4 @@ +# autologin + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/automake.md b/data/generated/wiki/tools/automake.md new file mode 100644 index 0000000..6482c90 --- /dev/null +++ b/data/generated/wiki/tools/automake.md @@ -0,0 +1,4 @@ +# automake + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/baksmali.md b/data/generated/wiki/tools/baksmali.md new file mode 100644 index 0000000..d7db08d --- /dev/null +++ b/data/generated/wiki/tools/baksmali.md 
@@ -0,0 +1,14 @@ +# baksmali +> Disassembler for the dex format used by Dalvik, Android's Java VM implementation. + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#statically-analyze-code-android diff --git a/data/generated/wiki/tools/balbuzard.md b/data/generated/wiki/tools/balbuzard.md new file mode 100644 index 0000000..3f0218f --- /dev/null +++ b/data/generated/wiki/tools/balbuzard.md 
@@ -0,0 +1,14 @@ +# balbuzard +> Extract and deobfuscate patterns from suspicious files. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/base64dump.md b/data/generated/wiki/tools/base64dump.md new file mode 100644 index 0000000..d8724b0 --- /dev/null +++ b/data/generated/wiki/tools/base64dump.md 
@@ -0,0 +1,34 @@ +# base64dump.py +> Extract and decode Base64-encoded strings from files + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +base64dump.py file.txt +base64dump.py file.ps1 -n 10 +base64dump.py file.ps1 -s 2 -d +``` + +## Recipes +- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]] +- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]] +- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. + +## FOR610 +**Labs:** 3.4, 4.5 +**Sections:** 3, 4 + +#base64 #decoding #didier-stevens diff --git a/data/generated/wiki/tools/bash-history.md b/data/generated/wiki/tools/bash-history.md new file mode 100644 index 0000000..5fcd3ae --- /dev/null +++ b/data/generated/wiki/tools/bash-history.md @@ -0,0 +1,4 @@ +# bash-history + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/bash-rc.md b/data/generated/wiki/tools/bash-rc.md new file mode 100644 index 0000000..e1d01eb 
--- /dev/null +++ b/data/generated/wiki/tools/bash-rc.md @@ -0,0 +1,4 @@ +# bash-rc + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/bbcrack.md b/data/generated/wiki/tools/bbcrack.md new file mode 100644 index 0000000..b4d05e2 --- /dev/null +++ b/data/generated/wiki/tools/bbcrack.md @@ -0,0 +1,21 @@ +# bbcrack +> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms + +**Category:** [[categories/string-deobfuscation|string-deobfuscation]] | **Tier:** Rich (FOR610) + +## Usage +```bash +bbcrack -l 1 specimen.dll +``` + +## Recipes +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection + +## FOR610 +**Labs:** 5.2 +**Sections:** 5 + +#xor #rol #add #deobfuscation #balbuzard diff --git a/data/generated/wiki/tools/bearparser.md b/data/generated/wiki/tools/bearparser.md new file mode 100644 index 0000000..9b22f0c --- /dev/null +++ b/data/generated/wiki/tools/bearparser.md @@ -0,0 +1,4 @@ +# bearparser + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/binee-binary-emulation-environment.md b/data/generated/wiki/tools/binee-binary-emulation-environment.md new file mode 100644 index 0000000..2bb4b64 --- /dev/null +++ b/data/generated/wiki/tools/binee-binary-emulation-environment.md 
@@ -0,0 +1,12 @@ +# binee (Binary Emulation Environment) +> Analyze I/O operations of a suspicious PE file by emulating its execution. + +**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files) + +## Related Tools +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal +- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw + +#statically-analyze-code-pe-files diff --git a/data/generated/wiki/tools/binee.md b/data/generated/wiki/tools/binee.md new file mode 100644 index 0000000..6c31010 --- /dev/null +++ b/data/generated/wiki/tools/binee.md @@ -0,0 +1,4 @@ +# binee + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/binutils.md b/data/generated/wiki/tools/binutils.md new file mode 100644 index 0000000..1294287 --- /dev/null +++ b/data/generated/wiki/tools/binutils.md @@ -0,0 +1,4 @@ +# binutils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/binwalk.md b/data/generated/wiki/tools/binwalk.md new file mode 100644 index 0000000..5a85356 --- /dev/null +++ b/data/generated/wiki/tools/binwalk.md 
@@ -0,0 +1,23 @@ +# binwalk +> Analyze and extract embedded files and firmware images + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +binwalk firmware.bin +binwalk -e firmware.bin +``` + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +## FOR610 +**Sections:** 1 + +#firmware #extraction #embedded-files diff --git a/data/generated/wiki/tools/box-js.md b/data/generated/wiki/tools/box-js.md new file mode 100644 index 0000000..3960260 --- /dev/null +++ b/data/generated/wiki/tools/box-js.md 
@@ -0,0 +1,24 @@ +# box-js +> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Usage +```bash +box-js --output-dir=/tmp suspicious.js +``` + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis + +## Related Tools +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou + +## FOR610 +**Sections:** 3 + +#javascript #sandbox #emulation diff --git a/data/generated/wiki/tools/brxor.md b/data/generated/wiki/tools/brxor.md new file mode 100644 index 0000000..b843203 --- /dev/null +++ b/data/generated/wiki/tools/brxor.md 
@@ -0,0 +1,29 @@ +# brxor.py +> Brute-force XOR key detection for single-byte XOR-encoded strings + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +brxor.py specimen.dll +``` + +## Recipes +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. + +## FOR610 +**Labs:** 5.2 +**Sections:** 5 + +#xor #brute-force #deobfuscation diff --git a/data/generated/wiki/tools/build-essential.md b/data/generated/wiki/tools/build-essential.md new file mode 100644 index 0000000..fbcd1f6 --- /dev/null +++ b/data/generated/wiki/tools/build-essential.md @@ -0,0 +1,4 @@ +# build-essential + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/bulk-extractor.md b/data/generated/wiki/tools/bulk-extractor.md new file mode 100644 index 0000000..aea5e96 --- /dev/null +++ b/data/generated/wiki/tools/bulk-extractor.md 
@@ -0,0 +1,14 @@ +# bulk-extractor +> Extract interesting strings from binary files. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/bundler.md b/data/generated/wiki/tools/bundler.md new file mode 100644 index 0000000..c8f77e7 --- /dev/null +++ b/data/generated/wiki/tools/bundler.md @@ -0,0 +1,4 @@ +# bundler + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/burp-suite-community-edition.md b/data/generated/wiki/tools/burp-suite-community-edition.md new file mode 100644 index 0000000..9c30c73 --- /dev/null +++ b/data/generated/wiki/tools/burp-suite-community-edition.md 
@@ -0,0 +1,14 @@ +# Burp Suite Community Edition +> Investigate website interactions using this web proxy. + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Related Tools +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#explore-network-interactions-monitoring diff --git a/data/generated/wiki/tools/burpsuite-community.md b/data/generated/wiki/tools/burpsuite-community.md new file mode 100644 index 0000000..422b97a --- /dev/null +++ b/data/generated/wiki/tools/burpsuite-community.md @@ -0,0 +1,4 @@ +# burpsuite-community + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/bytehist.md b/data/generated/wiki/tools/bytehist.md new file mode 100644 index 0000000..2249abb --- /dev/null +++ b/data/generated/wiki/tools/bytehist.md 
@@ -0,0 +1,18 @@ +# Bytehist +> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries + +**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking) + +## Usage +```bash +bytehist specimen.exe +``` + +## Related Tools +- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P + +## FOR610 +**Sections:** 1, 4 + +#pe #entropy #packing-detection #histogram diff --git a/data/generated/wiki/tools/cabextract.md b/data/generated/wiki/tools/cabextract.md new file mode 100644 index 0000000..65294f8 --- /dev/null +++ b/data/generated/wiki/tools/cabextract.md @@ -0,0 +1,14 @@ +# cabextract +> Extract Microsoft cabinet (cab) files. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities diff --git a/data/generated/wiki/tools/capa.md b/data/generated/wiki/tools/capa.md new file mode 100644 index 0000000..1ab66fa --- /dev/null +++ b/data/generated/wiki/tools/capa.md 
@@ -0,0 +1,34 @@ +# capa +> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog + +**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files) + +## Usage +```bash +capa specimen.exe +capa -vv specimen.exe +capa -vv specimen.exe | grep -A7 'Suspended Process' +``` + +## Recipes +- [[recipes/capa-capability-filter|Filter Capabilities by Technique]] + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative) +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 1: Capability Detection +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection + +## Related Tools +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal +- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw + +## FOR610 +**Labs:** 1.4, 5.4 +**Sections:** 1, 5 + +#capabilities #mitre-attack #automated-analysis diff --git a/data/generated/wiki/tools/cast.md b/data/generated/wiki/tools/cast.md new file mode 100644 index 0000000..4991aab --- /dev/null +++ b/data/generated/wiki/tools/cast.md 
@@ -0,0 +1,14 @@ +# cast +> Install and manage SaltStack-based Linux distributions. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities diff --git a/data/generated/wiki/tools/cffi.md b/data/generated/wiki/tools/cffi.md new file mode 100644 index 0000000..3fa2d72 --- /dev/null +++ b/data/generated/wiki/tools/cffi.md @@ -0,0 +1,4 @@ +# cffi + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/cfr.md b/data/generated/wiki/tools/cfr.md new file mode 100644 index 0000000..67f9c05 --- /dev/null +++ b/data/generated/wiki/tools/cfr.md @@ -0,0 +1,22 @@ +# cfr +> Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources + +**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java) + +## Usage +```bash +cfr --outputdir output/ +cfr +``` + +## Workflows +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 2: Decompilation + +## Related Tools +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. +- [[tools/procyon|Procyon]] — Java decompiler. + +#java #decompilation #jar 
diff --git a/data/generated/wiki/tools/chepy.md b/data/generated/wiki/tools/chepy.md new file mode 100644 index 0000000..e0cec53 --- /dev/null +++ b/data/generated/wiki/tools/chepy.md @@ -0,0 +1,14 @@ +# chepy +> Decode and otherwise analyze data using this command-line tool and Python library. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/clamav-daemon.md b/data/generated/wiki/tools/clamav-daemon.md new file mode 100644 index 0000000..0fe5764 --- /dev/null +++ b/data/generated/wiki/tools/clamav-daemon.md @@ -0,0 +1,4 @@ +# clamav-daemon + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/clamav.md b/data/generated/wiki/tools/clamav.md new file mode 100644 index 0000000..a226a9c --- /dev/null +++ b/data/generated/wiki/tools/clamav.md 
@@ -0,0 +1,21 @@ +# ClamAV +> Open-source antivirus — scan files for known malware signatures + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +clamscan +clamscan -r / +freshclam +``` + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +#antivirus #scanning #signatures diff --git a/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md b/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md new file mode 100644 index 0000000..5f4625e --- /dev/null +++ b/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md 
@@ -0,0 +1,14 @@ +# Cobalt Strike Configuration Extractor (CSCE) and Parser +> Analyze Cobalt Strike beacons. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/compatibility.md b/data/generated/wiki/tools/compatibility.md new file mode 100644 index 0000000..b0d43ec --- /dev/null +++ b/data/generated/wiki/tools/compatibility.md @@ -0,0 +1,4 @@ +# compatibility + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/cs-analyze-processdump.md b/data/generated/wiki/tools/cs-analyze-processdump.md new file mode 100644 index 0000000..0199dd0 --- /dev/null +++ b/data/generated/wiki/tools/cs-analyze-processdump.md 
@@ -0,0 +1,22 @@ +# cs-analyze-processdump.py +> Analyze Cobalt Strike beacon process dumps for sleep mask encoding + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +cs-analyze-processdump.py +``` + +## Workflows +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 6: Sleep Mask Analysis + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#cobalt-strike #sleep-mask #memory diff --git a/data/generated/wiki/tools/cs-decrypt-metadata.md b/data/generated/wiki/tools/cs-decrypt-metadata.md new file mode 100644 index 0000000..c5a696b --- /dev/null +++ b/data/generated/wiki/tools/cs-decrypt-metadata.md 
@@ -0,0 +1,22 @@ +# cs-decrypt-metadata.py +> Decrypt Cobalt Strike beacon metadata from network captures + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +cs-decrypt-metadata.py +``` + +## Workflows +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 3: Metadata Decryption + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#cobalt-strike #decryption #metadata diff --git a/data/generated/wiki/tools/cs-extract-key.md b/data/generated/wiki/tools/cs-extract-key.md new file mode 100644 index 0000000..9175733 --- /dev/null +++ b/data/generated/wiki/tools/cs-extract-key.md 
@@ -0,0 +1,22 @@ +# cs-extract-key.py +> Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +cs-extract-key.py -f +``` + +## Workflows +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 4: Key Extraction + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#cobalt-strike #encryption #key-extraction diff --git a/data/generated/wiki/tools/cs-parse-traffic.md b/data/generated/wiki/tools/cs-parse-traffic.md new file mode 100644 index 0000000..d41c051 --- /dev/null +++ b/data/generated/wiki/tools/cs-parse-traffic.md 
@@ -0,0 +1,22 @@ +# cs-parse-traffic.py +> Decrypt and parse Cobalt Strike beacon network traffic using extracted keys + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +cs-parse-traffic.py -f -k +``` + +## Workflows +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 5: Traffic Decryption + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#cobalt-strike #traffic #decryption diff --git a/data/generated/wiki/tools/curl.md b/data/generated/wiki/tools/curl.md new file mode 100644 index 0000000..f3f2648 --- /dev/null +++ b/data/generated/wiki/tools/curl.md 
@@ -0,0 +1,23 @@ +# curl +> Transfer data to/from servers using various protocols + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +curl -L http://example.com +curl -o output.bin http://example.com/file +``` + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +## FOR610 +**Sections:** 1 + +#download #http #transfer diff --git a/data/generated/wiki/tools/cut-bytes.md b/data/generated/wiki/tools/cut-bytes.md new file mode 100644 index 0000000..faa012e --- /dev/null +++ b/data/generated/wiki/tools/cut-bytes.md 
@@ -0,0 +1,14 @@ +# cut-bytes.py +> Cut out a part of a data stream. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/cutter.md b/data/generated/wiki/tools/cutter.md new file mode 100644 index 0000000..f290046 --- /dev/null +++ b/data/generated/wiki/tools/cutter.md 
@@ -0,0 +1,25 @@ +# Cutter +> Open-source reverse engineering platform — Qt-based GUI for radare2 + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +cutter specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed) +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 2: Injection Type Classification + +## Related Tools +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi + +## FOR610 +**Sections:** 2 + +#disassembly #radare2 #open-source diff --git a/data/generated/wiki/tools/cyberchef.md b/data/generated/wiki/tools/cyberchef.md new file mode 100644 index 0000000..40ea909 --- /dev/null +++ b/data/generated/wiki/tools/cyberchef.md 
@@ -0,0 +1,31 @@ +# CyberChef +> Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +cyberchef +``` + +## Recipes +- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 4: Multi-Byte / Custom Decoding + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 1.5, 3.8, 3.12 +**Sections:** 1, 3 + +#decoding #encoding #transformation #web-based diff --git a/data/generated/wiki/tools/dc3-mwcp.md b/data/generated/wiki/tools/dc3-mwcp.md new file mode 100644 index 0000000..36c95d1 --- /dev/null +++ b/data/generated/wiki/tools/dc3-mwcp.md 
@@ -0,0 +1,20 @@ +# dc3-mwcp +> DC3 Malware Configuration Parser — extract C2 configs from known malware families + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +mwcp parse +mwcp parse -p Emotet +``` + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#malware #config-extraction #c2 diff --git a/data/generated/wiki/tools/de4dot.md b/data/generated/wiki/tools/de4dot.md new file mode 100644 index 0000000..a3c2406 --- /dev/null +++ b/data/generated/wiki/tools/de4dot.md 
@@ -0,0 +1,26 @@ +# de4dot +> .NET deobfuscator — remove obfuscation from .NET assemblies + +**Category:** [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net](https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net) + +## Usage +```bash +de4dot obfuscated.exe +``` + +## Recipes +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 2: Automated Unpacking +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 2: Obfuscator Detection + +## Related Tools +- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil + +## FOR610 +**Labs:** 4.8 +**Sections:** 4 + +#dotnet #deobfuscation diff --git a/data/generated/wiki/tools/decode-vbe.md b/data/generated/wiki/tools/decode-vbe.md new file mode 100644 index 0000000..e1042e3 --- /dev/null +++ b/data/generated/wiki/tools/decode-vbe.md @@ -0,0 +1,11 @@ +# decode-vbe.py +> Decode encoded VBS scripts (VBE). + +**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts) + +## Related Tools +- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries. +- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili + +#statically-analyze-code-scripts diff --git a/data/generated/wiki/tools/decompyle.md b/data/generated/wiki/tools/decompyle.md new file mode 100644 index 0000000..8fc12a5 --- /dev/null +++ b/data/generated/wiki/tools/decompyle.md 
@@ -0,0 +1,12 @@ +# Decompyle++ +> Python bytecode disassembler and decompiler. + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Related Tools +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +#statically-analyze-code-python diff --git a/data/generated/wiki/tools/default-jdk.md b/data/generated/wiki/tools/default-jdk.md new file mode 100644 index 0000000..87dacc6 --- /dev/null +++ b/data/generated/wiki/tools/default-jdk.md @@ -0,0 +1,4 @@ +# default-jdk + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/default-jre.md b/data/generated/wiki/tools/default-jre.md new file mode 100644 index 0000000..b463c06 --- /dev/null +++ b/data/generated/wiki/tools/default-jre.md @@ -0,0 +1,4 @@ +# default-jre + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dex2jar.md b/data/generated/wiki/tools/dex2jar.md new file mode 100644 index 0000000..5a1cab2 --- /dev/null +++ b/data/generated/wiki/tools/dex2jar.md 
@@ -0,0 +1,14 @@ +# dex2jar +> Examine Dalvik Executable (dex) files. + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' + +#statically-analyze-code-android diff --git a/data/generated/wiki/tools/dexray.md b/data/generated/wiki/tools/dexray.md new file mode 100644 index 0000000..3089f97 --- /dev/null +++ b/data/generated/wiki/tools/dexray.md @@ -0,0 +1,14 @@ +# dexray +> Extract and decode data from antivirus quarantine files. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/dialog.md b/data/generated/wiki/tools/dialog.md new file mode 100644 index 0000000..6416af3 --- /dev/null +++ b/data/generated/wiki/tools/dialog.md @@ -0,0 +1,4 @@ +# dialog + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/didier-stevens-scripts.md b/data/generated/wiki/tools/didier-stevens-scripts.md new file mode 100644 index 0000000..a2f1e25 --- /dev/null +++ b/data/generated/wiki/tools/didier-stevens-scripts.md @@ -0,0 +1,4 @@ +# didier-stevens-scripts + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/diec.md b/data/generated/wiki/tools/diec.md new file mode 100644 index 0000000..033603b --- /dev/null +++ b/data/generated/wiki/tools/diec.md 
@@ -0,0 +1,28 @@ +# diec +> Detect packers, compilers, and tools used to create executables + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +diec specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 3: Packing & Entropy Check +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 1: Packing Identification +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +## FOR610 +**Labs:** 4.1 +**Sections:** 1, 4 + +#pe #packer-detection #compiler-detection diff --git a/data/generated/wiki/tools/disitool.md b/data/generated/wiki/tools/disitool.md new file mode 100644 index 0000000..f78c2d1 --- /dev/null +++ b/data/generated/wiki/tools/disitool.md 
@@ -0,0 +1,14 @@ +# disitool +> Manipulate embedded digital signatures. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/display.md b/data/generated/wiki/tools/display.md new file mode 100644 index 0000000..e3a4ec5 --- /dev/null +++ b/data/generated/wiki/tools/display.md @@ -0,0 +1,4 @@ +# display + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dissect.md b/data/generated/wiki/tools/dissect.md new file mode 100644 index 0000000..04ce219 --- /dev/null +++ b/data/generated/wiki/tools/dissect.md 
@@ -0,0 +1,14 @@ +# dissect +> Perform a variety of forensics and incident response tasks using this DFIR framework and toolset. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/distro-info.md b/data/generated/wiki/tools/distro-info.md new file mode 100644 index 0000000..29d9d60 --- /dev/null +++ b/data/generated/wiki/tools/distro-info.md @@ -0,0 +1,4 @@ +# distro-info + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dllcharacteristics.md b/data/generated/wiki/tools/dllcharacteristics.md new file mode 100644 index 0000000..1faecb4 --- /dev/null +++ b/data/generated/wiki/tools/dllcharacteristics.md @@ -0,0 +1,4 @@ +# dllcharacteristics + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dnfile.md b/data/generated/wiki/tools/dnfile.md new file mode 100644 index 0000000..a450fbf --- /dev/null +++ b/data/generated/wiki/tools/dnfile.md 
@@ -0,0 +1,14 @@ +# dnfile +> Analyze static properties of. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/dnslib.md b/data/generated/wiki/tools/dnslib.md new file mode 100644 index 0000000..7e6b1c4 --- /dev/null +++ b/data/generated/wiki/tools/dnslib.md @@ -0,0 +1,14 @@ +# dnslib +> Python library to encode/decode DNS wire-format packets. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/dnsresolver.md b/data/generated/wiki/tools/dnsresolver.md new file mode 100644 index 0000000..b33bef8 --- /dev/null +++ b/data/generated/wiki/tools/dnsresolver.md 
@@ -0,0 +1,14 @@ +# dnsresolver.py +> DNS resolver tool for dynamic analysis with wildcard and tracking support. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/docker.md b/data/generated/wiki/tools/docker.md new file mode 100644 index 0000000..ffb9a3a --- /dev/null +++ b/data/generated/wiki/tools/docker.md @@ -0,0 +1,14 @@ +# docker +> Run and manage containers. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities diff --git a/data/generated/wiki/tools/dog.md b/data/generated/wiki/tools/dog.md new file mode 100644 index 0000000..a6ba0a7 --- /dev/null +++ b/data/generated/wiki/tools/dog.md 
@@ -0,0 +1,4 @@ +# dog + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dos2unix.md b/data/generated/wiki/tools/dos2unix.md new file mode 100644 index 0000000..4974808 --- /dev/null +++ b/data/generated/wiki/tools/dos2unix.md @@ -0,0 +1,14 @@ +# dos2unix +> Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/dot-cache.md b/data/generated/wiki/tools/dot-cache.md new file mode 100644 index 0000000..3cc81a6 --- /dev/null +++ b/data/generated/wiki/tools/dot-cache.md @@ -0,0 +1,4 @@ +# dot-cache + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-config.md b/data/generated/wiki/tools/dot-config.md new file mode 100644 index 0000000..1c296cc --- /dev/null +++ b/data/generated/wiki/tools/dot-config.md @@ -0,0 +1,4 @@ +# dot-config + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-cpan.md b/data/generated/wiki/tools/dot-cpan.md new file mode 100644 index 0000000..57f3462 --- /dev/null +++ b/data/generated/wiki/tools/dot-cpan.md @@ -0,0 +1,4 @@ +# dot-cpan + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-dbus.md b/data/generated/wiki/tools/dot-dbus.md new file mode 100644 index 0000000..bcbed1a --- /dev/null +++ b/data/generated/wiki/tools/dot-dbus.md @@ -0,0 +1,4 @@ +# dot-dbus + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/dot-local.md b/data/generated/wiki/tools/dot-local.md new file mode 100644 index 0000000..0e2f0d3 --- /dev/null +++ b/data/generated/wiki/tools/dot-local.md @@ -0,0 +1,4 @@ +# dot-local + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dotnet-runtime-3-1.md b/data/generated/wiki/tools/dotnet-runtime-3-1.md new file mode 100644 index 0000000..2a65170 --- /dev/null +++ b/data/generated/wiki/tools/dotnet-runtime-3-1.md @@ -0,0 +1,4 @@ +# dotnet-runtime-3-1 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dotnetfile.md b/data/generated/wiki/tools/dotnetfile.md new file mode 100644 index 0000000..0a9f33f --- /dev/null +++ b/data/generated/wiki/tools/dotnetfile.md @@ -0,0 +1,14 @@ +# dotnetfile +> Analyze static properties of. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/droidlysis.md b/data/generated/wiki/tools/droidlysis.md new file mode 100644 index 0000000..8f86bf9 --- /dev/null +++ b/data/generated/wiki/tools/droidlysis.md 
@@ -0,0 +1,17 @@
+# droidlysis
+> Perform static analysis of Android applications.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/edb-debugger.md b/data/generated/wiki/tools/edb-debugger.md
new file mode 100644
index 0000000..387ecb9
--- /dev/null
+++ b/data/generated/wiki/tools/edb-debugger.md
@@ -0,0 +1,4 @@
+# edb-debugger
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/emldump.md b/data/generated/wiki/tools/emldump.md
new file mode 100644
index 0000000..cf5e61f
--- /dev/null
+++ b/data/generated/wiki/tools/emldump.md
@@ -0,0 +1,26 @@
+# emldump.py
+> Parse and analyze EML email message files
+
+**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages)
+
+## Usage
+```bash
+emldump.py message.eml
+```
+
+## Recipes
+- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]]
+
+## Workflows
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 1: Header Analysis
+
+## Related Tools
+- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and
+- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi
+- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files.
+
+## FOR610
+**Sections:** 3
+
+#email #eml #didier-stevens
diff --git a/data/generated/wiki/tools/enchant.md b/data/generated/wiki/tools/enchant.md
new file mode 100644
index 0000000..2694024
--- /dev/null
+++ b/data/generated/wiki/tools/enchant.md
@@ -0,0 +1,4 @@
+# enchant
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/epic-irc-client.md b/data/generated/wiki/tools/epic-irc-client.md
new file mode 100644
index 0000000..196d38e
--- /dev/null
+++ b/data/generated/wiki/tools/epic-irc-client.md
@@ -0,0 +1,14 @@
+# EPIC IRC Client
+> Examine IRC activities with this IRC client.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
diff --git a/data/generated/wiki/tools/epic5.md b/data/generated/wiki/tools/epic5.md
new file mode 100644
index 0000000..78cd997
--- /dev/null
+++ b/data/generated/wiki/tools/epic5.md
@@ -0,0 +1,4 @@
+# epic5
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/evilclippy.md b/data/generated/wiki/tools/evilclippy.md
new file mode 100644
index 0000000..d1fde99
--- /dev/null
+++ b/data/generated/wiki/tools/evilclippy.md
@@ -0,0 +1,22 @@
+# evilclippy
+> Remove VBA project password protection and manipulate Office macro settings
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Usage
+```bash
+evilclippy -uu document.docm
+```
+
+## Related Tools
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V
+
+## FOR610
+**Sections:** 3
+
+#office #vba #password-removal
diff --git a/data/generated/wiki/tools/evince.md b/data/generated/wiki/tools/evince.md
new file mode 100644
index 0000000..d0d3eba
--- /dev/null
+++ b/data/generated/wiki/tools/evince.md
@@ -0,0 +1,14 @@
+# evince
+> View documents in a variety of formats, including PDF.
+
+**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files)
+
+## Related Tools
+- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix
+- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+#view-or-edit-files
diff --git a/data/generated/wiki/tools/ex-pe-xor.md b/data/generated/wiki/tools/ex-pe-xor.md
new file mode 100644
index 0000000..5c22096
--- /dev/null
+++ b/data/generated/wiki/tools/ex-pe-xor.md
@@ -0,0 +1,14 @@
+# ex-pe-xor
+> Search an XOR'ed file for indications of executable binaries.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/exfat-utils.md b/data/generated/wiki/tools/exfat-utils.md
new file mode 100644
index 0000000..f650907
--- /dev/null
+++ b/data/generated/wiki/tools/exfat-utils.md
@@ -0,0 +1,4 @@
+# exfat-utils
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/exiftool.md b/data/generated/wiki/tools/exiftool.md
new file mode 100644
index 0000000..eb2e047
--- /dev/null
+++ b/data/generated/wiki/tools/exiftool.md
@@ -0,0 +1,26 @@
+# exiftool
+> Extract metadata from files (PDF, images, documents, executables)
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+exiftool document.pdf
+exiftool specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+## FOR610
+**Sections:** 1
+
+#metadata #triage
diff --git a/data/generated/wiki/tools/fakedns.md b/data/generated/wiki/tools/fakedns.md
new file mode 100644
index 0000000..48afc5b
--- /dev/null
+++ b/data/generated/wiki/tools/fakedns.md
@@ -0,0 +1,30 @@
+# fakedns
+> Fake DNS server that resolves all queries to a specified IP for traffic interception
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Usage
+```bash
+fakedns
+```
+
+## Recipes
+- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]]
+
+## Workflows
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 1: DNS Interception
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for
+
+## FOR610
+**Labs:** 1.3, 1.6, 1.7, 1.8
+**Sections:** 1
+
+#dns #spoofing #interception #lab-setup
diff --git a/data/generated/wiki/tools/fakemail.md b/data/generated/wiki/tools/fakemail.md
new file mode 100644
index 0000000..41c05a6
--- /dev/null
+++ b/data/generated/wiki/tools/fakemail.md
@@ -0,0 +1,14 @@
+# fakemail
+> Intercept and examine SMTP email activity with this fake SMTP server.
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for
+
+#explore-network-interactions-services
diff --git a/data/generated/wiki/tools/fakenet-ng.md b/data/generated/wiki/tools/fakenet-ng.md
new file mode 100644
index 0000000..f2eb8cd
--- /dev/null
+++ b/data/generated/wiki/tools/fakenet-ng.md
@@ -0,0 +1,24 @@
+# fakenet-ng
+> Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Usage
+```bash
+fakenet
+fakenet -c custom_config.ini
+```
+
+## Workflows
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for
+
+#network #emulation #dynamic-analysis #c2
diff --git a/data/generated/wiki/tools/feh.md b/data/generated/wiki/tools/feh.md
new file mode 100644
index 0000000..295ce67
--- /dev/null
+++ b/data/generated/wiki/tools/feh.md
@@ -0,0 +1,26 @@
+# feh
+> Lightweight image viewer for viewing extracted images from documents
+
+**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files)
+
+## Usage
+```bash
+feh extracted_image.jpg
+```
+
+## Recipes
+- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]]
+
+## Related Tools
+- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix
+- [[tools/evince|evince]] — View documents in a variety of formats, including PDF.
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+## FOR610
+**Labs:** 3.1
+**Sections:** 3
+
+#image-viewer
diff --git a/data/generated/wiki/tools/file-magic.md b/data/generated/wiki/tools/file-magic.md
new file mode 100644
index 0000000..11f4082
--- /dev/null
+++ b/data/generated/wiki/tools/file-magic.md
@@ -0,0 +1,14 @@
+# file-magic.py
+> Identify file types using the Python magic module.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/file.md b/data/generated/wiki/tools/file.md
new file mode 100644
index 0000000..4176208
--- /dev/null
+++ b/data/generated/wiki/tools/file.md
@@ -0,0 +1,34 @@
+# file
+> Determine file type and MIME type using magic bytes
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+file specimen.exe
+file document.doc
+```
+
+## Recipes
+- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]]
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 1: Format Identification
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 1: Archive Inspection
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+## FOR610
+**Labs:** 3.4, 3.5
+**Sections:** 3
+
+#file-identification #triage
diff --git a/data/generated/wiki/tools/firefox.md b/data/generated/wiki/tools/firefox.md
new file mode 100644
index 0000000..eb21cf1
--- /dev/null
+++ b/data/generated/wiki/tools/firefox.md
@@ -0,0 +1,14 @@
+# firefox
+> Web browser.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
diff --git a/data/generated/wiki/tools/flare-floss.md b/data/generated/wiki/tools/flare-floss.md
new file mode 100644
index 0000000..c3263b4
--- /dev/null
+++ b/data/generated/wiki/tools/flare-floss.md
@@ -0,0 +1,4 @@
+# flare-floss
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/flex.md b/data/generated/wiki/tools/flex.md
new file mode 100644
index 0000000..f6a328b
--- /dev/null
+++ b/data/generated/wiki/tools/flex.md
@@ -0,0 +1,4 @@
+# flex
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/floss.md b/data/generated/wiki/tools/floss.md
new file mode 100644
index 0000000..155dfb2
--- /dev/null
+++ b/data/generated/wiki/tools/floss.md
@@ -0,0 +1,33 @@
+# FLOSS
+> Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+floss specimen.exe
+floss specimen.exe > strings-output.txt
+floss --no-static -- specimen.exe
+```
+
+## Recipes
+- [[recipes/stack-string-extraction|Extract Stack-Built Strings]]
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 1: Automated Extraction
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+## FOR610
+**Labs:** 5.2, 5.3
+**Sections:** 5
+
+#strings #deobfuscation #automated
diff --git a/data/generated/wiki/tools/format-bytes.md b/data/generated/wiki/tools/format-bytes.md
new file mode 100644
index 0000000..c4c02de
--- /dev/null
+++ b/data/generated/wiki/tools/format-bytes.md
@@ -0,0 +1,14 @@
+# format-bytes.py
+> Decompose structured binary data with format strings.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/frida.md b/data/generated/wiki/tools/frida.md
new file mode 100644
index 0000000..ea9e133
--- /dev/null
+++ b/data/generated/wiki/tools/frida.md
@@ -0,0 +1,21 @@
+# Frida
+> Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time
+
+**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general)
+
+## Usage
+```bash
+frida -l hook.js
+frida-trace -i 'recv*'
+frida-ps -U
+```
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 6: Dynamic Instrumentation
+
+## Related Tools
+- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework
+- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin
+
+#dynamic #instrumentation #hooking #tracing
diff --git a/data/generated/wiki/tools/galculator.md b/data/generated/wiki/tools/galculator.md
new file mode 100644
index 0000000..8c4737f
--- /dev/null
+++ b/data/generated/wiki/tools/galculator.md
@@ -0,0 +1,4 @@
+# galculator
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gdb.md b/data/generated/wiki/tools/gdb.md
new file mode 100644
index 0000000..c836586
--- /dev/null
+++ b/data/generated/wiki/tools/gdb.md
@@ -0,0 +1,4 @@
+# gdb
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gdm3.md b/data/generated/wiki/tools/gdm3.md
new file mode 100644
index 0000000..ae48ece
--- /dev/null
+++ b/data/generated/wiki/tools/gdm3.md
@@ -0,0 +1,4 @@
+# gdm3
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/ghidra.md b/data/generated/wiki/tools/ghidra.md
new file mode 100644
index 0000000..21f9a07
--- /dev/null
+++ b/data/generated/wiki/tools/ghidra.md
@@ -0,0 +1,26 @@
+# Ghidra
+> Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management
+
+**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general)
+
+## Usage
+```bash
+ghidra
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed)
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 2: Injection Type Classification
+
+## Related Tools
+- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for
+- [[tools/objdump|objdump]] — Disassemble binary files.
+- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF,
+- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi
+
+## FOR610
+**Labs:** 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 4.9, 5.2, 5.4, 5.5, 5.6, 5.7, 5.9
+**Sections:** 2, 4, 5
+
+#disassembly #decompilation #code-analysis #function-graph
diff --git a/data/generated/wiki/tools/ghidrassistmcp.md b/data/generated/wiki/tools/ghidrassistmcp.md
new file mode 100644
index 0000000..18afaa9
--- /dev/null
+++ b/data/generated/wiki/tools/ghidrassistmcp.md
@@ -0,0 +1,11 @@
+# GhidrAssistMCP
+> MCP server for AI-assisted reverse engineering in Ghidra.
+
+**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence)
+
+## Related Tools
+- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal.
+- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via
+
+#use-artificial-intelligence
diff --git a/data/generated/wiki/tools/gift.md b/data/generated/wiki/tools/gift.md
new file mode 100644
index 0000000..e387fcd
--- /dev/null
+++ b/data/generated/wiki/tools/gift.md
@@ -0,0 +1,4 @@
+# gift
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/git.md b/data/generated/wiki/tools/git.md
new file mode 100644
index 0000000..66496a8
--- /dev/null
+++ b/data/generated/wiki/tools/git.md
@@ -0,0 +1,4 @@
+# git
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gnome-calculator.md b/data/generated/wiki/tools/gnome-calculator.md
new file mode 100644
index 0000000..1c5ef7c
--- /dev/null
+++ b/data/generated/wiki/tools/gnome-calculator.md
@@ -0,0 +1,14 @@
+# GNOME Calculator
+> Calculator.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
diff --git a/data/generated/wiki/tools/gnome-session.md b/data/generated/wiki/tools/gnome-session.md
new file mode 100644
index 0000000..f64765d
--- /dev/null
+++ b/data/generated/wiki/tools/gnome-session.md
@@ -0,0 +1,4 @@
+# gnome-session
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gnome-shell-extensions.md b/data/generated/wiki/tools/gnome-shell-extensions.md
new file mode 100644
index 0000000..94c10ba
--- /dev/null
+++ b/data/generated/wiki/tools/gnome-shell-extensions.md
@@ -0,0 +1,4 @@
+# gnome-shell-extensions
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gnome-terminal.md b/data/generated/wiki/tools/gnome-terminal.md
new file mode 100644
index 0000000..9211073
--- /dev/null
+++ b/data/generated/wiki/tools/gnome-terminal.md
@@ -0,0 +1,4 @@
+# gnome-terminal
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gnome-tweaks.md b/data/generated/wiki/tools/gnome-tweaks.md
new file mode 100644
index 0000000..5bbf80f
--- /dev/null
+++ b/data/generated/wiki/tools/gnome-tweaks.md
@@ -0,0 +1,4 @@
+# gnome-tweaks
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gnu-wget.md b/data/generated/wiki/tools/gnu-wget.md
new file mode 100644
index 0000000..eb6bd8c
--- /dev/null
+++ b/data/generated/wiki/tools/gnu-wget.md
@@ -0,0 +1,14 @@
+# GNU Wget
+> Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
diff --git a/data/generated/wiki/tools/gnutls-bin.md b/data/generated/wiki/tools/gnutls-bin.md
new file mode 100644
index 0000000..e44c8e2
--- /dev/null
+++ b/data/generated/wiki/tools/gnutls-bin.md
@@ -0,0 +1,4 @@
+# gnutls-bin
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/goresym.md b/data/generated/wiki/tools/goresym.md
new file mode 100644
index 0000000..056bc3d
--- /dev/null
+++ b/data/generated/wiki/tools/goresym.md
@@ -0,0 +1,10 @@
+# goresym
+> Extract metadata and symbols from Go binaries, including stripped ones.
+
+**Category:** [[categories/examine-static-properties-go|Examine Static Properties > Go]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/go](https://docs.remnux.org/discover-the-tools/examine+static+properties/go)
+
+## Related Tools
+- [[tools/redress|redress]] — Analyze stripped Go binaries to recover symbols, types, sour
+
+#examine-static-properties-go
diff --git a/data/generated/wiki/tools/graphviz.md b/data/generated/wiki/tools/graphviz.md
new file mode 100644
index 0000000..fedb80d
--- /dev/null
+++ b/data/generated/wiki/tools/graphviz.md
@@ -0,0 +1,4 @@
+# graphviz
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/grub-kvm.md b/data/generated/wiki/tools/grub-kvm.md
new file mode 100644
index 0000000..da050de
--- /dev/null
+++ b/data/generated/wiki/tools/grub-kvm.md
@@ -0,0 +1,4 @@
+# grub-kvm
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/guest-tools.md b/data/generated/wiki/tools/guest-tools.md
new file mode 100644
index 0000000..0c99b56
--- /dev/null
+++ b/data/generated/wiki/tools/guest-tools.md
@@ -0,0 +1,4 @@
+# guest-tools
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/gunzip.md b/data/generated/wiki/tools/gunzip.md
new file mode 100644
index 0000000..2b76d5b
--- /dev/null
+++ b/data/generated/wiki/tools/gunzip.md
@@ -0,0 +1,28 @@
+# gunzip
+> Decompress gzip-compressed data (often used in multi-stage payload extraction)
+
+**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+gunzip -c compressed.gz > output.bin
+```
+
+## Recipes
+- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+
+## Related Tools
+- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format
+- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming
+- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers
+- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina
+
+## FOR610
+**Labs:** 3.4
+**Sections:** 3
+
+#compression #extraction
diff --git a/data/generated/wiki/tools/hachoir.md b/data/generated/wiki/tools/hachoir.md
new file mode 100644
index 0000000..cf83b1d
--- /dev/null
+++ b/data/generated/wiki/tools/hachoir.md
@@ -0,0 +1,14 @@
+# Hachoir
+> View, edit, and carve contents of various binary file types.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/hash-id.md b/data/generated/wiki/tools/hash-id.md
new file mode 100644
index 0000000..de9588c
--- /dev/null
+++ b/data/generated/wiki/tools/hash-id.md
@@ -0,0 +1,14 @@
+# Hash ID
+> Identify different types of hashes.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/hex-to-bin.md b/data/generated/wiki/tools/hex-to-bin.md new file mode 100644 index 0000000..84c1137 --- /dev/null +++ b/data/generated/wiki/tools/hex-to-bin.md @@ -0,0 +1,14 @@ +# hex-to-bin.py +> Convert hexadecimal text dumps to binary data. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/hexdump.md b/data/generated/wiki/tools/hexdump.md new file mode 100644 index 0000000..36e4228 --- /dev/null +++ b/data/generated/wiki/tools/hexdump.md @@ -0,0 +1,20 @@ +# hexdump +> Display file content in hexadecimal format + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +hexdump -C binary.dat +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Sections:** 1 + +#hex #binary-viewing 
diff --git a/data/generated/wiki/tools/httpd.md b/data/generated/wiki/tools/httpd.md new file mode 100644 index 0000000..396c0db --- /dev/null +++ b/data/generated/wiki/tools/httpd.md @@ -0,0 +1,29 @@ +# httpd +> Simple HTTP server on REMnux for simulating C2 web servers + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +httpd +``` + +## Recipes +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +## FOR610 +**Labs:** 1.3, 1.6, 1.8 +**Sections:** 1 + +#http #web-server #c2-simulation #lab-setup diff --git a/data/generated/wiki/tools/i386-architecture.md b/data/generated/wiki/tools/i386-architecture.md new file mode 100644 index 0000000..17ba3f5 --- /dev/null +++ b/data/generated/wiki/tools/i386-architecture.md @@ -0,0 +1,4 @@ +# i386-architecture + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ibus.md b/data/generated/wiki/tools/ibus.md new file mode 100644 index 0000000..2f6cca9 --- /dev/null +++ b/data/generated/wiki/tools/ibus.md 
@@ -0,0 +1,14 @@ +# ibus +> Adjust input methods for the GUI. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/ilspy.md b/data/generated/wiki/tools/ilspy.md new file mode 100644 index 0000000..c55915f --- /dev/null +++ b/data/generated/wiki/tools/ilspy.md @@ -0,0 +1,19 @@ +# ILSpy +> .NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries + +**Category:** [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net](https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net) + +## Usage +```bash +ILSpy.exe assembly.exe +``` + +## Related Tools +- [[tools/de4dot|de4dot]] — .NET deobfuscator — remove obfuscation from .NET assemblies + +## FOR610 +**Labs:** 3.12, 4.8 +**Sections:** 3, 4 + +#dotnet #decompiler #csharp diff --git a/data/generated/wiki/tools/ilspycmd.md b/data/generated/wiki/tools/ilspycmd.md new file mode 100644 index 0000000..81d110a --- /dev/null +++ b/data/generated/wiki/tools/ilspycmd.md 
@@ -0,0 +1,21 @@ +# ilspycmd +> Command-line .NET decompiler (CLI version of ILSpy) + +**Category:** [[categories/dotnet-analysis|dotnet-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +ilspycmd assembly.exe > decompiled.cs +``` + +## Recipes +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 3: Decompilation + +## FOR610 +**Labs:** 4.8 +**Sections:** 4 + +#dotnet #decompiler #cli diff --git a/data/generated/wiki/tools/imagemagick.md b/data/generated/wiki/tools/imagemagick.md new file mode 100644 index 0000000..bd4dd25 --- /dev/null +++ b/data/generated/wiki/tools/imagemagick.md @@ -0,0 +1,14 @@ +# imagemagick +> View and manipulate image and related files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/inetsim.md b/data/generated/wiki/tools/inetsim.md new file mode 100644 index 0000000..ffa3f31 --- /dev/null +++ b/data/generated/wiki/tools/inetsim.md 
@@ -0,0 +1,30 @@ +# INetSim +> Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +inetsim +``` + +## Recipes +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +## FOR610 +**Labs:** 1.7 +**Sections:** 1 + +#service-emulation #network-simulation #lab-setup diff --git a/data/generated/wiki/tools/inspircd.md b/data/generated/wiki/tools/inspircd.md new file mode 100644 index 0000000..1d69b72 --- /dev/null +++ b/data/generated/wiki/tools/inspircd.md 
@@ -0,0 +1,14 @@ +# inspircd +> Examine IRC activity with this IRC server. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/ioc-parser.md b/data/generated/wiki/tools/ioc-parser.md new file mode 100644 index 0000000..6189b1c --- /dev/null +++ b/data/generated/wiki/tools/ioc-parser.md 
@@ -0,0 +1,19 @@ +# ioc-parser +> Extract indicators of compromise (IOCs) from PDF reports and text files + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Usage +```bash +ioc_parser +``` + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#ioc #extraction #threat-intel diff --git a/data/generated/wiki/tools/iproute2.md b/data/generated/wiki/tools/iproute2.md new file mode 100644 index 0000000..08e7392 --- /dev/null +++ b/data/generated/wiki/tools/iproute2.md @@ -0,0 +1,4 @@ +# iproute2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/iptables.md b/data/generated/wiki/tools/iptables.md new file mode 100644 index 0000000..107827d --- /dev/null +++ b/data/generated/wiki/tools/iptables.md 
@@ -0,0 +1,22 @@ +# iptables +> Linux firewall and NAT tool for redirecting IP-based malware traffic + +**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +iptables -t nat -A PREROUTING -i ens32 -j REDIRECT +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 8: IP-Based Redirection (if needed) + +## Related Tools +- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution +- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network + +## FOR610 +**Labs:** 1.8 +**Sections:** 1 + +#firewall #nat #traffic-redirection diff --git a/data/generated/wiki/tools/iputils-ping.md b/data/generated/wiki/tools/iputils-ping.md new file mode 100644 index 0000000..ce939f3 --- /dev/null +++ b/data/generated/wiki/tools/iputils-ping.md @@ -0,0 +1,4 @@ +# iputils-ping + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ipwhois.md b/data/generated/wiki/tools/ipwhois.md new file mode 100644 index 0000000..171f1a6 --- /dev/null +++ b/data/generated/wiki/tools/ipwhois.md @@ -0,0 +1,14 @@ +# ipwhois +> Retrieve and parse whois data for IP addresses. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/ipython3.md b/data/generated/wiki/tools/ipython3.md new file mode 100644 index 0000000..85f7260 --- /dev/null +++ b/data/generated/wiki/tools/ipython3.md @@ -0,0 +1,4 @@ +# ipython3 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/jadx.md b/data/generated/wiki/tools/jadx.md new file mode 100644 index 0000000..7789ee2 --- /dev/null +++ b/data/generated/wiki/tools/jadx.md @@ -0,0 +1,26 @@ +# jadx +> Decompile Android DEX/APK to Java source code with a GUI or command line + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Usage +```bash +jadx -d output/ +jadx-gui +``` + +## Recipes +- [[recipes/apk-quick-triage|Quick APK Triage]] + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 3: Source Code Recovery + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' + +#android #dex #java #decompilation diff --git a/data/generated/wiki/tools/java-idx-parser.md b/data/generated/wiki/tools/java-idx-parser.md new file mode 100644 index 0000000..cb002c3 --- /dev/null +++ b/data/generated/wiki/tools/java-idx-parser.md 
@@ -0,0 +1,13 @@ +# java-idx-parser +> Analyze Java IDX files. + +**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java) + +## Related Tools +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. +- [[tools/procyon|Procyon]] — Java decompiler. + +#statically-analyze-code-java diff --git a/data/generated/wiki/tools/javassist.md b/data/generated/wiki/tools/javassist.md new file mode 100644 index 0000000..1bff3c0 --- /dev/null +++ b/data/generated/wiki/tools/javassist.md @@ -0,0 +1,13 @@ +# Javassist +> Java bytecode engineering toolkit/library. + +**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java) + +## Related Tools +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. +- [[tools/procyon|Procyon]] — Java decompiler. + +#statically-analyze-code-java diff --git a/data/generated/wiki/tools/jd-gui-java-decompiler.md b/data/generated/wiki/tools/jd-gui-java-decompiler.md new file mode 100644 index 0000000..29fa10e --- /dev/null +++ b/data/generated/wiki/tools/jd-gui-java-decompiler.md 
@@ -0,0 +1,13 @@ +# JD-GUI Java Decompiler +> Java decompiler with GUI. + +**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java) + +## Related Tools +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/procyon|Procyon]] — Java decompiler. + +#statically-analyze-code-java diff --git a/data/generated/wiki/tools/jd-gui.md b/data/generated/wiki/tools/jd-gui.md new file mode 100644 index 0000000..afe9e45 --- /dev/null +++ b/data/generated/wiki/tools/jd-gui.md @@ -0,0 +1,14 @@ +# jd-gui +> Visual Java decompiler with GUI — browse and search decompiled JAR/class files + +**Tier:** Rich (FOR610) + +## Usage +```bash +jd-gui +``` + +## Workflows +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 2: Decompilation + +#java #decompilation #gui diff --git a/data/generated/wiki/tools/jq.md b/data/generated/wiki/tools/jq.md new file mode 100644 index 0000000..9b40dd5 --- /dev/null +++ b/data/generated/wiki/tools/jq.md 
@@ -0,0 +1,25 @@ +# jq +> Command-line JSON processor for extracting and transforming structured data + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +cat report.json | jq '.apis' +jq -r '.entry' report.json +``` + +## Recipes +- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]] + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Labs:** 1.4 +**Sections:** 1 + +#json #data-processing diff --git a/data/generated/wiki/tools/js-beautify.md b/data/generated/wiki/tools/js-beautify.md new file mode 100644 index 0000000..64c8352 --- /dev/null +++ b/data/generated/wiki/tools/js-beautify.md @@ -0,0 +1,26 @@ +# js-beautify +> Format and beautify obfuscated JavaScript code for readability + +**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts) + +## Usage +```bash +js-beautify malicious.js > beautified.js +``` + +## Recipes +- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]] + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 1: Beautification + +## Related Tools +- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries. +- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE). + +## FOR610 +**Labs:** 3.6, 4.5 +**Sections:** 3 + +#javascript #formatting #readability 
diff --git a/data/generated/wiki/tools/jstillery.md b/data/generated/wiki/tools/jstillery.md new file mode 100644 index 0000000..0646af3 --- /dev/null +++ b/data/generated/wiki/tools/jstillery.md @@ -0,0 +1,16 @@ +# jstillery +> Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques. + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis + +## Related Tools +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou + +#dynamically-reverse-engineer-code-scripts diff --git a/data/generated/wiki/tools/lame.md b/data/generated/wiki/tools/lame.md new file mode 100644 index 0000000..f29ed88 --- /dev/null +++ b/data/generated/wiki/tools/lame.md @@ -0,0 +1,4 @@ +# lame + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libboost-dev.md b/data/generated/wiki/tools/libboost-dev.md new file mode 100644 index 0000000..5f16ba3 --- /dev/null +++ b/data/generated/wiki/tools/libboost-dev.md @@ -0,0 +1,4 @@ +# libboost-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libboost-python-dev.md b/data/generated/wiki/tools/libboost-python-dev.md new file mode 100644 index 0000000..af76fc6 --- /dev/null +++ b/data/generated/wiki/tools/libboost-python-dev.md @@ -0,0 +1,4 @@ +# libboost-python-dev + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/libboost-system-dev.md b/data/generated/wiki/tools/libboost-system-dev.md new file mode 100644 index 0000000..b451642 --- /dev/null +++ b/data/generated/wiki/tools/libboost-system-dev.md @@ -0,0 +1,4 @@ +# libboost-system-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libdpkg-perl.md b/data/generated/wiki/tools/libdpkg-perl.md new file mode 100644 index 0000000..5a29fac --- /dev/null +++ b/data/generated/wiki/tools/libdpkg-perl.md @@ -0,0 +1,4 @@ +# libdpkg-perl + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libemail-outlook-message-perl.md b/data/generated/wiki/tools/libemail-outlook-message-perl.md new file mode 100644 index 0000000..493e603 --- /dev/null +++ b/data/generated/wiki/tools/libemail-outlook-message-perl.md @@ -0,0 +1,4 @@ +# libemail-outlook-message-perl + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libemu.md b/data/generated/wiki/tools/libemu.md new file mode 100644 index 0000000..64da7c3 --- /dev/null +++ b/data/generated/wiki/tools/libemu.md @@ -0,0 +1,13 @@ +# libemu +> A library for x86 code emulation and shellcode detection. + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Related Tools +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +#dynamically-reverse-engineer-code-shellcode 
diff --git a/data/generated/wiki/tools/libffi-dev.md b/data/generated/wiki/tools/libffi-dev.md new file mode 100644 index 0000000..1d5603b --- /dev/null +++ b/data/generated/wiki/tools/libffi-dev.md @@ -0,0 +1,4 @@ +# libffi-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libfuse2.md b/data/generated/wiki/tools/libfuse2.md new file mode 100644 index 0000000..861c80d --- /dev/null +++ b/data/generated/wiki/tools/libfuse2.md @@ -0,0 +1,4 @@ +# libfuse2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libfuzzy-dev.md b/data/generated/wiki/tools/libfuzzy-dev.md new file mode 100644 index 0000000..ab24348 --- /dev/null +++ b/data/generated/wiki/tools/libfuzzy-dev.md @@ -0,0 +1,4 @@ +# libfuzzy-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libfuzzy2.md b/data/generated/wiki/tools/libfuzzy2.md new file mode 100644 index 0000000..2b4b43b --- /dev/null +++ b/data/generated/wiki/tools/libfuzzy2.md @@ -0,0 +1,4 @@ +# libfuzzy2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libglib2.md b/data/generated/wiki/tools/libglib2.md new file mode 100644 index 0000000..872f12d --- /dev/null +++ b/data/generated/wiki/tools/libglib2.md @@ -0,0 +1,4 @@ +# libglib2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libglu1-mesa-dev.md b/data/generated/wiki/tools/libglu1-mesa-dev.md new file mode 100644 index 0000000..6d9117c --- /dev/null +++ b/data/generated/wiki/tools/libglu1-mesa-dev.md @@ -0,0 +1,4 @@ +# libglu1-mesa-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libgraphviz-dev.md b/data/generated/wiki/tools/libgraphviz-dev.md new file mode 100644 index 0000000..fcbaea4 --- /dev/null +++ b/data/generated/wiki/tools/libgraphviz-dev.md @@ -0,0 +1,4 @@ +# libgraphviz-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libgtk-3-0.md b/data/generated/wiki/tools/libgtk-3-0.md new file mode 100644 index 0000000..5240ccf --- /dev/null +++ b/data/generated/wiki/tools/libgtk-3-0.md 
@@ -0,0 +1,4 @@ +# libgtk-3-0 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libjavassist-java.md b/data/generated/wiki/tools/libjavassist-java.md new file mode 100644 index 0000000..e973cb7 --- /dev/null +++ b/data/generated/wiki/tools/libjavassist-java.md @@ -0,0 +1,4 @@ +# libjavassist-java + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libjpeg-dev.md b/data/generated/wiki/tools/libjpeg-dev.md new file mode 100644 index 0000000..424d020 --- /dev/null +++ b/data/generated/wiki/tools/libjpeg-dev.md @@ -0,0 +1,4 @@ +# libjpeg-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libjpeg8-dev.md b/data/generated/wiki/tools/libjpeg8-dev.md new file mode 100644 index 0000000..25d1a27 --- /dev/null +++ b/data/generated/wiki/tools/libjpeg8-dev.md @@ -0,0 +1,4 @@ +# libjpeg8-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/liblzma-dev.md b/data/generated/wiki/tools/liblzma-dev.md new file mode 100644 index 0000000..de6c8ba --- /dev/null +++ b/data/generated/wiki/tools/liblzma-dev.md @@ -0,0 +1,4 @@ +# liblzma-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/liblzo2-dev.md b/data/generated/wiki/tools/liblzo2-dev.md new file mode 100644 index 0000000..27ed1ed --- /dev/null +++ b/data/generated/wiki/tools/liblzo2-dev.md @@ -0,0 +1,4 @@ +# liblzo2-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libmagic-dev.md b/data/generated/wiki/tools/libmagic-dev.md new file mode 100644 index 0000000..096e48c --- /dev/null +++ b/data/generated/wiki/tools/libmagic-dev.md @@ -0,0 +1,4 @@ +# libmagic-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libmysqlclient21.md b/data/generated/wiki/tools/libmysqlclient21.md new file mode 100644 index 0000000..6f8d45f --- /dev/null +++ b/data/generated/wiki/tools/libmysqlclient21.md @@ -0,0 +1,4 @@ +# libmysqlclient21 + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/libncurses.md b/data/generated/wiki/tools/libncurses.md new file mode 100644 index 0000000..deea444 --- /dev/null +++ b/data/generated/wiki/tools/libncurses.md @@ -0,0 +1,4 @@ +# libncurses + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libnetfilter-queue-dev.md b/data/generated/wiki/tools/libnetfilter-queue-dev.md new file mode 100644 index 0000000..c24fd66 --- /dev/null +++ b/data/generated/wiki/tools/libnetfilter-queue-dev.md @@ -0,0 +1,4 @@ +# libnetfilter-queue-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libnfnetlink-dev.md b/data/generated/wiki/tools/libnfnetlink-dev.md new file mode 100644 index 0000000..f5a2fd0 --- /dev/null +++ b/data/generated/wiki/tools/libnfnetlink-dev.md @@ -0,0 +1,4 @@ +# libnfnetlink-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libolecf.md b/data/generated/wiki/tools/libolecf.md new file mode 100644 index 0000000..16c5920 --- /dev/null +++ b/data/generated/wiki/tools/libolecf.md @@ -0,0 +1,14 @@ +# libolecf +> Microsoft Office OLE2 compound documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#analyze-documents-microsoft-office 
diff --git a/data/generated/wiki/tools/libpq5.md b/data/generated/wiki/tools/libpq5.md new file mode 100644 index 0000000..2acbdfd --- /dev/null +++ b/data/generated/wiki/tools/libpq5.md @@ -0,0 +1,4 @@ +# libpq5 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libqt5scripttools5.md b/data/generated/wiki/tools/libqt5scripttools5.md new file mode 100644 index 0000000..07d074b --- /dev/null +++ b/data/generated/wiki/tools/libqt5scripttools5.md @@ -0,0 +1,4 @@ +# libqt5scripttools5 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libre2.md b/data/generated/wiki/tools/libre2.md new file mode 100644 index 0000000..f8f9edd --- /dev/null +++ b/data/generated/wiki/tools/libre2.md @@ -0,0 +1,4 @@ +# libre2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libsm6.md b/data/generated/wiki/tools/libsm6.md new file mode 100644 index 0000000..eee4e9b --- /dev/null +++ b/data/generated/wiki/tools/libsm6.md @@ -0,0 +1,4 @@ +# libsm6 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libsqlite3-dev.md b/data/generated/wiki/tools/libsqlite3-dev.md new file mode 100644 index 0000000..d464309 --- /dev/null +++ b/data/generated/wiki/tools/libsqlite3-dev.md @@ -0,0 +1,4 @@ +# libsqlite3-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libssl-dev.md b/data/generated/wiki/tools/libssl-dev.md new file mode 100644 index 0000000..376a62c --- /dev/null +++ b/data/generated/wiki/tools/libssl-dev.md @@ -0,0 +1,4 @@ +# libssl-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libtool.md b/data/generated/wiki/tools/libtool.md new file mode 100644 index 0000000..58c8e2a --- /dev/null +++ b/data/generated/wiki/tools/libtool.md @@ -0,0 +1,4 @@ +# libtool + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libtre5.md b/data/generated/wiki/tools/libtre5.md new file mode 100644 index 0000000..ee9c996 --- /dev/null +++ b/data/generated/wiki/tools/libtre5.md @@ -0,0 +1,4 @@ +# libtre5 + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/libusb-1.md b/data/generated/wiki/tools/libusb-1.md new file mode 100644 index 0000000..774a6bb --- /dev/null +++ b/data/generated/wiki/tools/libusb-1.md @@ -0,0 +1,4 @@ +# libusb-1 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libxml2-dev.md b/data/generated/wiki/tools/libxml2-dev.md new file mode 100644 index 0000000..55aaba2 --- /dev/null +++ b/data/generated/wiki/tools/libxml2-dev.md @@ -0,0 +1,4 @@ +# libxml2-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/libxslt1-dev.md b/data/generated/wiki/tools/libxslt1-dev.md new file mode 100644 index 0000000..c814194 --- /dev/null +++ b/data/generated/wiki/tools/libxslt1-dev.md @@ -0,0 +1,4 @@ +# libxslt1-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/lief.md b/data/generated/wiki/tools/lief.md new file mode 100644 index 0000000..a36018c --- /dev/null +++ b/data/generated/wiki/tools/lief.md @@ -0,0 +1,14 @@ +# lief +> Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/linux-headers.md b/data/generated/wiki/tools/linux-headers.md new file mode 100644 index 0000000..4d1dc18 
--- /dev/null +++ b/data/generated/wiki/tools/linux-headers.md @@ -0,0 +1,4 @@ +# linux-headers + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ltrace.md b/data/generated/wiki/tools/ltrace.md new file mode 100644 index 0000000..11cc544 --- /dev/null +++ b/data/generated/wiki/tools/ltrace.md @@ -0,0 +1,4 @@ +# ltrace + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/magika.md b/data/generated/wiki/tools/magika.md new file mode 100644 index 0000000..3c07327 --- /dev/null +++ b/data/generated/wiki/tools/magika.md @@ -0,0 +1,14 @@ +# magika +> Identify file type using signatures. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/mail-parser.md b/data/generated/wiki/tools/mail-parser.md new file mode 100644 index 0000000..4715c98 --- /dev/null +++ b/data/generated/wiki/tools/mail-parser.md 
@@ -0,0 +1,20 @@ +# mail-parser +> Parse raw SMTP email messages and extract headers, body, and attachments + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Usage +```bash +python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)" +``` + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 1: Header Analysis + +## Related Tools +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +#email #parsing #attachments diff --git a/data/generated/wiki/tools/malcat-lite.md b/data/generated/wiki/tools/malcat-lite.md new file mode 100644 index 0000000..389f325 --- /dev/null +++ b/data/generated/wiki/tools/malcat-lite.md 
@@ -0,0 +1,14 @@ +# Malcat Lite +> Analyze binary files using a hex editor, disassembler, and file dissector. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/malcat.md b/data/generated/wiki/tools/malcat.md new file mode 100644 index 0000000..619467a --- /dev/null +++ b/data/generated/wiki/tools/malcat.md @@ -0,0 +1,4 @@ +# malcat + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/malchive.md b/data/generated/wiki/tools/malchive.md new file mode 100644 index 0000000..fcb9103 --- /dev/null +++ b/data/generated/wiki/tools/malchive.md 
@@ -0,0 +1,19 @@ +# Malchive +> Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +malchive +``` + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#malware #config-extraction #deobfuscation diff --git a/data/generated/wiki/tools/malwoverview.md b/data/generated/wiki/tools/malwoverview.md new file mode 100644 index 0000000..80bac25 --- /dev/null +++ b/data/generated/wiki/tools/malwoverview.md 
@@ -0,0 +1,23 @@ +# malwoverview +> Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Usage +```bash +malwoverview -v +malwoverview -f +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 2: Reputation Check + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#threat-intel #virustotal #malware-bazaar diff --git a/data/generated/wiki/tools/manalyze.md b/data/generated/wiki/tools/manalyze.md new file mode 100644 index 0000000..d50ab8c --- /dev/null +++ b/data/generated/wiki/tools/manalyze.md @@ -0,0 +1,4 @@ +# manalyze + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/mbcscan.md b/data/generated/wiki/tools/mbcscan.md new file mode 100644 index 0000000..bec421e --- /dev/null +++ b/data/generated/wiki/tools/mbcscan.md 
@@ -0,0 +1,12 @@ +# mbcscan +> Scan a PE file to list the associated Malware Behavior Catalog (MBC) details. + +**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files) + +## Related Tools +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw + +#statically-analyze-code-pe-files diff --git a/data/generated/wiki/tools/mercurial.md b/data/generated/wiki/tools/mercurial.md new file mode 100644 index 0000000..6eb1c62 --- /dev/null +++ b/data/generated/wiki/tools/mercurial.md @@ -0,0 +1,4 @@ +# mercurial + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/microsoft-vscode.md b/data/generated/wiki/tools/microsoft-vscode.md new file mode 100644 index 0000000..cda4efb --- /dev/null +++ b/data/generated/wiki/tools/microsoft-vscode.md @@ -0,0 +1,4 @@ +# microsoft-vscode + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/microsoft.md b/data/generated/wiki/tools/microsoft.md new file mode 100644 index 0000000..37111c5 --- /dev/null +++ b/data/generated/wiki/tools/microsoft.md @@ -0,0 +1,4 @@ +# microsoft + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/mitmproxy.md b/data/generated/wiki/tools/mitmproxy.md new file mode 100644 index 0000000..bde8529 --- /dev/null +++ b/data/generated/wiki/tools/mitmproxy.md 
@@ -0,0 +1,24 @@ +# mitmproxy +> Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +mitmproxy +mitmdump -w capture.flow +mitmproxy --mode transparent +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 3: TLS/HTTPS Interception (if needed) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#network #https #proxy #tls #interception diff --git a/data/generated/wiki/tools/mono-devel.md b/data/generated/wiki/tools/mono-devel.md new file mode 100644 index 0000000..6f5143f --- /dev/null +++ b/data/generated/wiki/tools/mono-devel.md @@ -0,0 +1,4 @@ +# mono-devel + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/mono-utils.md b/data/generated/wiki/tools/mono-utils.md new file mode 100644 index 0000000..bb79c15 --- /dev/null +++ b/data/generated/wiki/tools/mono-utils.md @@ -0,0 +1,4 @@ +# mono-utils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/mono.md b/data/generated/wiki/tools/mono.md new file mode 100644 index 0000000..48f737c --- /dev/null +++ b/data/generated/wiki/tools/mono.md 
@@ -0,0 +1,4 @@ +# mono + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/monodis.md b/data/generated/wiki/tools/monodis.md new file mode 100644 index 0000000..cd48ba3 --- /dev/null +++ b/data/generated/wiki/tools/monodis.md @@ -0,0 +1,14 @@ +# monodis +> Disassemble and extract resources from. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 3: Decompilation + +## Related Tools +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/msg-extractor.md b/data/generated/wiki/tools/msg-extractor.md new file mode 100644 index 0000000..05b61bd --- /dev/null +++ b/data/generated/wiki/tools/msg-extractor.md @@ -0,0 +1,21 @@ +# msg-extractor +> Extract emails and attachments from Microsoft Outlook MSG files + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Usage +```bash +extract_msg +extract_msg --out-dir output/ +``` + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 2: Attachment Extraction + +## Related Tools +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +#email #msg #outlook #attachments 
diff --git a/data/generated/wiki/tools/msgconvert.md b/data/generated/wiki/tools/msgconvert.md new file mode 100644 index 0000000..0bbc7bf --- /dev/null +++ b/data/generated/wiki/tools/msgconvert.md @@ -0,0 +1,12 @@ +# msgconvert +> Convert MSG files to MBOX files. + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Related Tools +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi + +#analyze-documents-email-messages diff --git a/data/generated/wiki/tools/msitools.md b/data/generated/wiki/tools/msitools.md new file mode 100644 index 0000000..ee8dbc6 --- /dev/null +++ b/data/generated/wiki/tools/msitools.md @@ -0,0 +1,14 @@ +# msitools +> Create, inspect and extract Windows Installer (. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/msoffcrypto-crack.md b/data/generated/wiki/tools/msoffcrypto-crack.md new file mode 100644 index 0000000..4e22acd --- /dev/null +++ b/data/generated/wiki/tools/msoffcrypto-crack.md @@ -0,0 +1,14 @@ +# msoffcrypto-crack.py +> Recover the password of an encrypted Microsoft Office document. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/msoffcrypto-tool.md b/data/generated/wiki/tools/msoffcrypto-tool.md new file mode 100644 index 0000000..8c05037 --- /dev/null +++ b/data/generated/wiki/tools/msoffcrypto-tool.md 
@@ -0,0 +1,26 @@ +# msoffcrypto-tool +> Decrypt password-protected Microsoft Office documents (OLE and OOXML) + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +msoffcrypto-tool -p infected +msoffcrypto-tool -p password +``` + +## Recipes +- [[recipes/password-protected-office|Decrypt Password-Protected Office Document]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 3: Password Handling (if encrypted) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#office #decryption #password diff --git a/data/generated/wiki/tools/msoffice-crypt.md b/data/generated/wiki/tools/msoffice-crypt.md new file mode 100644 index 0000000..77afb8b --- /dev/null +++ b/data/generated/wiki/tools/msoffice-crypt.md 
@@ -0,0 +1,14 @@ +# msoffice-crypt +> Encrypt and decrypt OOXML Microsoft Office documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/myip.md b/data/generated/wiki/tools/myip.md new file mode 100644 index 0000000..1b68e38 --- /dev/null +++ b/data/generated/wiki/tools/myip.md @@ -0,0 +1,14 @@ +# myip +> Determine the IP address of the default network interface. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/myjson-filter.md b/data/generated/wiki/tools/myjson-filter.md new file mode 100644 index 0000000..223e456 --- /dev/null 
+++ b/data/generated/wiki/tools/myjson-filter.md @@ -0,0 +1,14 @@ +# myjson-filter.py +> Filter data formatted using the JSON format used by Didier Stevens' tools. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/mynic.md b/data/generated/wiki/tools/mynic.md new file mode 100644 index 0000000..79a00f0 --- /dev/null +++ b/data/generated/wiki/tools/mynic.md @@ -0,0 +1,4 @@ +# mynic + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/name-that-hash.md b/data/generated/wiki/tools/name-that-hash.md new file mode 100644 index 0000000..8ef24e0 --- /dev/null +++ b/data/generated/wiki/tools/name-that-hash.md 
@@ -0,0 +1,14 @@ +# name-that-hash +> Identify dfferent types of hashes. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/nano.md b/data/generated/wiki/tools/nano.md new file mode 100644 index 0000000..2450131 --- /dev/null +++ b/data/generated/wiki/tools/nano.md @@ -0,0 +1,4 @@ +# nano + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/nasm.md b/data/generated/wiki/tools/nasm.md new file mode 100644 index 0000000..608bc34 --- /dev/null +++ b/data/generated/wiki/tools/nasm.md @@ -0,0 +1,14 @@ +# nasm +> An x86-64 assembler. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities 
diff --git a/data/generated/wiki/tools/nautilus.md b/data/generated/wiki/tools/nautilus.md new file mode 100644 index 0000000..f849666 --- /dev/null +++ b/data/generated/wiki/tools/nautilus.md @@ -0,0 +1,14 @@ +# nautilus +> Graphical file manager. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/nc.md b/data/generated/wiki/tools/nc.md new file mode 100644 index 0000000..0d6e4a1 --- /dev/null +++ b/data/generated/wiki/tools/nc.md 
@@ -0,0 +1,23 @@ +# nc +> Network utility for reading/writing data across TCP/UDP connections + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +nc -l -p 3127 +nc target_ip 80 +``` + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +## FOR610 +**Sections:** 1 + +#network #tcp #listener diff --git a/data/generated/wiki/tools/ndg-httpsclient.md b/data/generated/wiki/tools/ndg-httpsclient.md new file mode 100644 index 0000000..8440af1 --- /dev/null +++ b/data/generated/wiki/tools/ndg-httpsclient.md @@ -0,0 +1,4 @@ +# ndg-httpsclient + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/net-tools.md b/data/generated/wiki/tools/net-tools.md new file mode 100644 index 0000000..307e963 --- /dev/null +++ b/data/generated/wiki/tools/net-tools.md @@ -0,0 +1,4 @@ +# net-tools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/network-miner-free-edition.md b/data/generated/wiki/tools/network-miner-free-edition.md new file mode 100644 index 0000000..4b36d15 --- /dev/null +++ b/data/generated/wiki/tools/network-miner-free-edition.md 
@@ -0,0 +1,14 @@ +# Network Miner Free Edition +> Examine network traffic and carve PCAP capture files. + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#explore-network-interactions-monitoring diff --git a/data/generated/wiki/tools/networkminer.md b/data/generated/wiki/tools/networkminer.md new file mode 100644 index 0000000..2afb649 --- /dev/null +++ b/data/generated/wiki/tools/networkminer.md @@ -0,0 +1,17 @@ +# networkminer +> Passive network traffic analyzer — extracts files, images, credentials from PCAP captures + +**Tier:** Rich (FOR610) + +## Usage +```bash +NetworkMiner --pcap +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 7: File Extraction + +#network #pcap #file-carving #passive diff --git a/data/generated/wiki/tools/nginx.md b/data/generated/wiki/tools/nginx.md new file mode 100644 index 0000000..cf9541d --- /dev/null +++ b/data/generated/wiki/tools/nginx.md 
@@ -0,0 +1,14 @@ +# nginx +> Web server. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/ngrep.md b/data/generated/wiki/tools/ngrep.md new file mode 100644 index 0000000..c181ca7 --- /dev/null +++ b/data/generated/wiki/tools/ngrep.md 
@@ -0,0 +1,23 @@ +# ngrep +> Search network traffic for patterns — like grep for packets + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +ngrep -I 'password' +ngrep -d eth0 'GET|POST' 'tcp port 80' +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#network #search #pattern-matching diff --git a/data/generated/wiki/tools/nodejs.md b/data/generated/wiki/tools/nodejs.md new file mode 100644 index 0000000..59f21f3 --- /dev/null +++ b/data/generated/wiki/tools/nodejs.md @@ -0,0 +1,4 @@ +# nodejs + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/nomorexor.md b/data/generated/wiki/tools/nomorexor.md new file mode 100644 index 0000000..268c2d2 --- /dev/null +++ b/data/generated/wiki/tools/nomorexor.md 
@@ -0,0 +1,14 @@ +# nomorexor +> Help guess a file's 256-byte XOR by using frequency analysis. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/nslookup.md b/data/generated/wiki/tools/nslookup.md new file mode 100644 index 0000000..8f0c06d --- /dev/null +++ b/data/generated/wiki/tools/nslookup.md @@ -0,0 +1,19 @@ +# nslookup +> DNS query tool for testing name resolution + +**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +nslookup domain.com +``` + +## Related Tools +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network + +## FOR610 +**Labs:** 1.3 +**Sections:** 1 + +#dns #testing diff --git a/data/generated/wiki/tools/nsrllookup.md b/data/generated/wiki/tools/nsrllookup.md new file mode 100644 index 0000000..5aed864 --- /dev/null +++ b/data/generated/wiki/tools/nsrllookup.md 
@@ -0,0 +1,14 @@ +# nsrllookup +> Look up MD5 file hashes in the NIST National Software Reference Library (NSRL). + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/numbers-to-string.md b/data/generated/wiki/tools/numbers-to-string.md new file mode 100644 index 0000000..37145e1 --- /dev/null +++ b/data/generated/wiki/tools/numbers-to-string.md 
@@ -0,0 +1,29 @@ +# numbers-to-string.py +> Convert sequences of decimal numbers to readable characters + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +oledump.py doc.docm -s A3 -v | numbers-to-string.py -j +``` + +## Recipes +- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.3 +**Sections:** 3 + +#decoding #deobfuscation #didier-stevens diff --git a/data/generated/wiki/tools/objdump.md b/data/generated/wiki/tools/objdump.md new file mode 100644 index 0000000..6c69863 --- /dev/null +++ b/data/generated/wiki/tools/objdump.md 
@@ -0,0 +1,13 @@
+# objdump
+> Disassemble binary files.
+
+**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general)
+
+## Related Tools
+- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for
+- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script
+- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF,
+- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi
+
+#statically-analyze-code-general
diff --git a/data/generated/wiki/tools/objects-js.md b/data/generated/wiki/tools/objects-js.md
new file mode 100644
index 0000000..6d8541c
--- /dev/null
+++ b/data/generated/wiki/tools/objects-js.md
@@ -0,0 +1,13 @@
+# objects.js
+> Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript.
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Related Tools
+- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+#dynamically-reverse-engineer-code-scripts
diff --git a/data/generated/wiki/tools/oledump.md b/data/generated/wiki/tools/oledump.md
new file mode 100644
index 0000000..f78df02
--- /dev/null
+++ b/data/generated/wiki/tools/oledump.md
@@ -0,0 +1,34 @@
+# oledump.py
+> Analyze OLE2 files (Office documents), extract streams and VBA macros
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Usage
+```bash
+oledump.py document.docm
+oledump.py document.docm -s A3 -v
+oledump.py document.docm -i
+```
+
+## Recipes
+- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]]
+- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+## FOR610
+**Labs:** 3.3, 3.4, 4.5
+**Sections:** 3, 4
+
+#office #vba #macro #ole #didier-stevens
diff --git a/data/generated/wiki/tools/olefile.md b/data/generated/wiki/tools/olefile.md
new file mode 100644
index 0000000..fa1fd80
--- /dev/null
+++ b/data/generated/wiki/tools/olefile.md
@@ -0,0 +1,14 @@
+# olefile
+> Python package to parse, read and write MS OLE2 files.
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+#analyze-documents-microsoft-office
diff --git a/data/generated/wiki/tools/olevba.md b/data/generated/wiki/tools/olevba.md
new file mode 100644
index 0000000..190afad
--- /dev/null
+++ b/data/generated/wiki/tools/olevba.md
@@ -0,0 +1,26 @@
+# olevba
+> Extract and analyze VBA macros from Office documents with deobfuscation
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Usage
+```bash
+olevba document.docm
+olevba --deobf document.docm
+```
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 4: Macro/Script Extraction
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+## FOR610
+**Sections:** 3
+
+#office #vba #macro #deobfuscation
diff --git a/data/generated/wiki/tools/onedump.md b/data/generated/wiki/tools/onedump.md
new file mode 100644
index 0000000..08006d2
--- /dev/null
+++ b/data/generated/wiki/tools/onedump.md
@@ -0,0 +1,17 @@
+# onedump.py
+> Extract and analyze embedded files from OneNote documents.
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+#analyze-documents-microsoft-office
diff --git a/data/generated/wiki/tools/opencode.md b/data/generated/wiki/tools/opencode.md
new file mode 100644
index 0000000..dcf2614
--- /dev/null
+++ b/data/generated/wiki/tools/opencode.md
@@ -0,0 +1,11 @@
+# opencode
+> Open-source AI coding agent for the terminal.
+
+**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence)
+
+## Related Tools
+- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra.
+- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via
+
+#use-artificial-intelligence
diff --git a/data/generated/wiki/tools/openjdk.md b/data/generated/wiki/tools/openjdk.md
new file mode 100644
index 0000000..5e56d6b
--- /dev/null
+++ b/data/generated/wiki/tools/openjdk.md
@@ -0,0 +1,4 @@
+# openjdk
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/openssh.md b/data/generated/wiki/tools/openssh.md
new file mode 100644
index 0000000..5300519
--- /dev/null
+++ b/data/generated/wiki/tools/openssh.md
@@ -0,0 +1,14 @@
+# openssh
+> Initiate and receive SSH and SFTP connections.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+
+#general-utilities
diff --git a/data/generated/wiki/tools/openssl.md b/data/generated/wiki/tools/openssl.md
new file mode 100644
index 0000000..8c42bbc
--- /dev/null
+++ b/data/generated/wiki/tools/openssl.md
@@ -0,0 +1,4 @@
+# openssl
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/origamindee.md b/data/generated/wiki/tools/origamindee.md
new file mode 100644
index 0000000..e2f435b
--- /dev/null
+++ b/data/generated/wiki/tools/origamindee.md
@@ -0,0 +1,14 @@
+# origamindee
+> Parse, modify, generate PDF files.
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Related Tools
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+
+#analyze-documents-pdf
diff --git a/data/generated/wiki/tools/osarch.md b/data/generated/wiki/tools/osarch.md
new file mode 100644
index 0000000..6493e19
--- /dev/null
+++ b/data/generated/wiki/tools/osarch.md
@@ -0,0 +1,4 @@
+# osarch
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pcode2code.md b/data/generated/wiki/tools/pcode2code.md
new file mode 100644
index 0000000..dda5880
--- /dev/null
+++ b/data/generated/wiki/tools/pcode2code.md
@@ -0,0 +1,25 @@
+# pcode2code
+> Decompile VBA p-code from Office documents — works even when VBA source is removed
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Usage
+```bash
+pcode2code
+```
+
+## Recipes
+- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 4: Macro/Script Extraction
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+#office #vba #p-code #decompilation
diff --git a/data/generated/wiki/tools/pcodedmp.md b/data/generated/wiki/tools/pcodedmp.md
new file mode 100644
index 0000000..4ac032d
--- /dev/null
+++ b/data/generated/wiki/tools/pcodedmp.md
@@ -0,0 +1,17 @@
+# pcodedmp
+> Disassemble VBA p-code.
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Recipes
+- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]]
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+
+#analyze-documents-microsoft-office
diff --git a/data/generated/wiki/tools/pdf-parser.md b/data/generated/wiki/tools/pdf-parser.md
new file mode 100644
index 0000000..9639e2f
--- /dev/null
+++ b/data/generated/wiki/tools/pdf-parser.md
@@ -0,0 +1,34 @@
+# pdf-parser.py
+> Parse PDF structure, locate objects, extract content, and search for strings
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+pdf-parser.py document.pdf -a
+pdf-parser.py document.pdf -s /URI
+pdf-parser.py document.pdf -k /URI
+pdf-parser.py document.pdf -o 6 -d object6.jpg
+```
+
+## Recipes
+- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]]
+- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+
+## FOR610
+**Labs:** 3.1
+**Sections:** 1, 3
+
+#pdf #static-analysis #object-extraction #didier-stevens
diff --git a/data/generated/wiki/tools/pdfid.md b/data/generated/wiki/tools/pdfid.md
new file mode 100644
index 0000000..a5368f1
--- /dev/null
+++ b/data/generated/wiki/tools/pdfid.md
@@ -0,0 +1,31 @@
+# pdfid.py
+> Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+pdfid.py document.pdf
+pdfid.py -n document.pdf
+```
+
+## Recipes
+- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]]
+- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+
+## FOR610
+**Labs:** 3.1
+**Sections:** 1, 3
+
+#pdf #static-analysis #triage #didier-stevens
diff --git a/data/generated/wiki/tools/pdfresurrect.md b/data/generated/wiki/tools/pdfresurrect.md
new file mode 100644
index 0000000..8ce6dee
--- /dev/null
+++ b/data/generated/wiki/tools/pdfresurrect.md
@@ -0,0 +1,22 @@
+# pdfresurrect
+> Extract and analyze previous versions from PDF files
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+pdfresurrect document.pdf
+```
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+
+## FOR610
+**Sections:** 1
+
+#pdf #versioning
diff --git a/data/generated/wiki/tools/pdftk.md b/data/generated/wiki/tools/pdftk.md
new file mode 100644
index 0000000..ab9bdc7
--- /dev/null
+++ b/data/generated/wiki/tools/pdftk.md
@@ -0,0 +1,23 @@
+# pdftk
+> Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+pdftk input.pdf cat output output.pdf flatten
+pdftk input.pdf unpack_files
+```
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates
+
+## FOR610
+**Sections:** 3
+
+#pdf #manipulation #extraction
diff --git a/data/generated/wiki/tools/pdftool.md b/data/generated/wiki/tools/pdftool.md
new file mode 100644
index 0000000..c803460
--- /dev/null
+++ b/data/generated/wiki/tools/pdftool.md
@@ -0,0 +1,22 @@
+# pdftool.py
+> Analyze PDF incremental updates
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+pdftool.py document.pdf
+```
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+
+## FOR610
+**Sections:** 1
+
+#pdf #didier-stevens
diff --git a/data/generated/wiki/tools/pdnstool.md b/data/generated/wiki/tools/pdnstool.md
new file mode 100644
index 0000000..5c8181f
--- /dev/null
+++ b/data/generated/wiki/tools/pdnstool.md
@@ -0,0 +1,14 @@
+# pdnstool
+> Query passive DNS databases for DNS data.
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Related Tools
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+
+#gather-and-analyze-data
diff --git a/data/generated/wiki/tools/pe-tree.md b/data/generated/wiki/tools/pe-tree.md
new file mode 100644
index 0000000..bb685d8
--- /dev/null
+++ b/data/generated/wiki/tools/pe-tree.md
@@ -0,0 +1,4 @@
+# pe-tree
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pedump.md b/data/generated/wiki/tools/pedump.md
new file mode 100644
index 0000000..b0f1d98
--- /dev/null
+++ b/data/generated/wiki/tools/pedump.md
@@ -0,0 +1,4 @@
+# pedump
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/peepdf.md b/data/generated/wiki/tools/peepdf.md
new file mode 100644
index 0000000..ab8b1c1
--- /dev/null
+++ b/data/generated/wiki/tools/peepdf.md
@@ -0,0 +1,26 @@
+# peepdf
+> Interactive PDF analysis framework with JavaScript detection and exploitation capabilities
+
+**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
+
+## Usage
+```bash
+peepdf -i malicious.pdf
+peepdf -f -i malicious.pdf
+```
+
+## Recipes
+- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]]
+
+## Related Tools
+- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files.
+- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se
+- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op
+- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files
+- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e
+
+## FOR610
+**Sections:** 1
+
+#pdf #interactive #javascript-detection
diff --git a/data/generated/wiki/tools/peframe.md b/data/generated/wiki/tools/peframe.md
new file mode 100644
index 0000000..15eb3b2
--- /dev/null
+++ b/data/generated/wiki/tools/peframe.md
@@ -0,0 +1,24 @@
+# peframe
+> Static analysis of PE files — extract properties, detect anomalies, identify packers
+
+**Category:** [[categories/static-analysis-pe|static-analysis-pe]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+peframe specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 3: Packing & Entropy Check
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 1: Packing Identification
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 7: Extracted Payload Analysis
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata
+
+## Related Tools
+- [[tools/pestr|pestr]] — Extract ASCII and Unicode strings from PE files
+
+## FOR610
+**Labs:** 1.1, 4.8
+**Sections:** 1, 4
+
+#pe #static-analysis #triage
diff --git a/data/generated/wiki/tools/perl.md b/data/generated/wiki/tools/perl.md
new file mode 100644
index 0000000..e376cdb
--- /dev/null
+++ b/data/generated/wiki/tools/perl.md
@@ -0,0 +1,4 @@
+# perl
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pestr.md b/data/generated/wiki/tools/pestr.md
new file mode 100644
index 0000000..7dd2f84
--- /dev/null
+++ b/data/generated/wiki/tools/pestr.md
@@ -0,0 +1,21 @@
+# pestr
+> Extract ASCII and Unicode strings from PE files
+
+**Category:** [[categories/static-analysis-pe|static-analysis-pe]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+pestr specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction
+
+## Related Tools
+- [[tools/peframe|peframe]] — Static analysis of PE files — extract properties, detect ano
+
+## FOR610
+**Labs:** 1.1, 4.8
+**Sections:** 1, 4
+
+#pe #strings #static-analysis
diff --git a/data/generated/wiki/tools/pev.md b/data/generated/wiki/tools/pev.md
new file mode 100644
index 0000000..3c5b01f
--- /dev/null
+++ b/data/generated/wiki/tools/pev.md
@@ -0,0 +1,4 @@
+# pev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pgadmin.md b/data/generated/wiki/tools/pgadmin.md
new file mode 100644
index 0000000..8e9f409
--- /dev/null
+++ b/data/generated/wiki/tools/pgadmin.md
@@ -0,0 +1,4 @@
+# pgadmin
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pip.md b/data/generated/wiki/tools/pip.md
new file mode 100644
index 0000000..98533a7
--- /dev/null
+++ b/data/generated/wiki/tools/pip.md
@@ -0,0 +1,4 @@
+# pip
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pkg-config.md b/data/generated/wiki/tools/pkg-config.md
new file mode 100644
index 0000000..5b301c5
--- /dev/null
+++ b/data/generated/wiki/tools/pkg-config.md
@@ -0,0 +1,4 @@
+# pkg-config
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/polarproxy.md b/data/generated/wiki/tools/polarproxy.md
new file mode 100644
index 0000000..602150e
--- /dev/null
+++ b/data/generated/wiki/tools/polarproxy.md
@@ -0,0 +1,22 @@
+# polarproxy
+> Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Usage
+```bash
+PolarProxy -p 443,80 -w captured.pcap
+```
+
+## Workflows
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 3: TLS/HTTPS Interception (if needed)
+
+## Related Tools
+- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy.
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+
+#network #tls #decryption #pcap
diff --git a/data/generated/wiki/tools/portex.md b/data/generated/wiki/tools/portex.md
new file mode 100644
index 0000000..5180303
--- /dev/null
+++ b/data/generated/wiki/tools/portex.md
@@ -0,0 +1,4 @@
+# portex
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/powershell.md b/data/generated/wiki/tools/powershell.md
new file mode 100644
index 0000000..acb414c
--- /dev/null
+++ b/data/generated/wiki/tools/powershell.md
@@ -0,0 +1,13 @@
+# powershell
+> Run PowerShell scripts and commands.
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Related Tools
+- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+#dynamically-reverse-engineer-code-scripts
diff --git a/data/generated/wiki/tools/prefer-ipv4.md b/data/generated/wiki/tools/prefer-ipv4.md
new file mode 100644
index 0000000..b4266e6
--- /dev/null
+++ b/data/generated/wiki/tools/prefer-ipv4.md
@@ -0,0 +1,4 @@
+# prefer-ipv4
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/procdot.md b/data/generated/wiki/tools/procdot.md
new file mode 100644
index 0000000..a527bc2
--- /dev/null
+++ b/data/generated/wiki/tools/procdot.md
@@ -0,0 +1,23 @@
+# ProcDOT
+> Visualize Process Monitor logs as interactive graphs for behavioral analysis
+
+**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions)
+
+## Usage
+```bash
+procdot
+```
+
+## Workflows
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 6: Analyze Results
+
+## Related Tools
+- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system.
+- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst
+
+## FOR610
+**Labs:** 1.2, 4.5
+**Sections:** 1, 4
+
+#visualization #process-monitor #behavioral
diff --git a/data/generated/wiki/tools/procyon-decompiler.md b/data/generated/wiki/tools/procyon-decompiler.md
new file mode 100644
index 0000000..db1fcb5
--- /dev/null
+++ b/data/generated/wiki/tools/procyon-decompiler.md
@@ -0,0 +1,4 @@
+# procyon-decompiler
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/procyon.md b/data/generated/wiki/tools/procyon.md
new file mode 100644
index 0000000..252371b
--- /dev/null
+++ b/data/generated/wiki/tools/procyon.md
@@ -0,0 +1,16 @@
+# Procyon
+> Java decompiler.
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Workflows
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 3: Multi-Decompiler Comparison
+
+## Related Tools
+- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+
+#statically-analyze-code-java
diff --git a/data/generated/wiki/tools/protobuf.md b/data/generated/wiki/tools/protobuf.md
new file mode 100644
index 0000000..79211ae
--- /dev/null
+++ b/data/generated/wiki/tools/protobuf.md
@@ -0,0 +1,4 @@
+# protobuf
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pycdc.md b/data/generated/wiki/tools/pycdc.md
new file mode 100644
index 0000000..1e1f0a8
--- /dev/null
+++ b/data/generated/wiki/tools/pycdc.md
@@ -0,0 +1,4 @@
+# pycdc
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pyelftools.md b/data/generated/wiki/tools/pyelftools.md
new file mode 100644
index 0000000..ae549c5
--- /dev/null
+++ b/data/generated/wiki/tools/pyelftools.md
@@ -0,0 +1,4 @@
+# pyelftools
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/pyinstaller-extractor.md b/data/generated/wiki/tools/pyinstaller-extractor.md
new file mode 100644
index 0000000..338d17f
--- /dev/null
+++ b/data/generated/wiki/tools/pyinstaller-extractor.md
@@ -0,0 +1,12 @@
+# pyinstaller-extractor
+> Extract contents of a PyInstaller-generated PE files.
+
+**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python)
+
+## Related Tools
+- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler.
+- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou
+- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P
+
+#statically-analyze-code-python
diff --git a/data/generated/wiki/tools/pyinstxtractor-ng.md b/data/generated/wiki/tools/pyinstxtractor-ng.md
new file mode 100644
index 0000000..647b7b3
--- /dev/null
+++ b/data/generated/wiki/tools/pyinstxtractor-ng.md
@@ -0,0 +1,17 @@
+# pyinstxtractor-ng
+> Extract contents of PyInstaller-generated executables without needing matching Python version
+
+**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python)
+
+## Usage
+```bash
+pyinstxtractor-ng
+```
+
+## Related Tools
+- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler.
+- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files.
+- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P
+
+#python #pyinstaller #extraction
diff --git a/data/generated/wiki/tools/python-debian.md b/data/generated/wiki/tools/python-debian.md
new file mode 100644
index 0000000..19c9adb
--- /dev/null
+++ b/data/generated/wiki/tools/python-debian.md
@@ -0,0 +1,4 @@ +# python-debian + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-cryptography.md b/data/generated/wiki/tools/python3-cryptography.md new file mode 100644 index 0000000..55098b3 --- /dev/null +++ b/data/generated/wiki/tools/python3-cryptography.md @@ -0,0 +1,4 @@ +# python3-cryptography + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-dev.md b/data/generated/wiki/tools/python3-dev.md new file mode 100644 index 0000000..ff82add --- /dev/null +++ b/data/generated/wiki/tools/python3-dev.md @@ -0,0 +1,4 @@ +# python3-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-dnspython.md b/data/generated/wiki/tools/python3-dnspython.md new file mode 100644 index 0000000..61cfb27 --- /dev/null +++ b/data/generated/wiki/tools/python3-dnspython.md @@ -0,0 +1,4 @@ +# python3-dnspython + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-magic.md b/data/generated/wiki/tools/python3-magic.md new file mode 100644 index 0000000..e241598 --- /dev/null +++ b/data/generated/wiki/tools/python3-magic.md @@ -0,0 +1,4 @@ +# python3-magic + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-netifaces.md b/data/generated/wiki/tools/python3-netifaces.md new file mode 100644 index 0000000..49edb4e --- /dev/null +++ b/data/generated/wiki/tools/python3-netifaces.md @@ -0,0 +1,4 @@ +# python3-netifaces + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-numpy.md b/data/generated/wiki/tools/python3-numpy.md new file mode 100644 index 0000000..532ef42 --- /dev/null +++ b/data/generated/wiki/tools/python3-numpy.md @@ -0,0 +1,4 @@ +# python3-numpy + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pil.md b/data/generated/wiki/tools/python3-pil.md new file mode 100644 index 0000000..f7dd626 --- /dev/null +++ b/data/generated/wiki/tools/python3-pil.md @@ -0,0 +1,4 @@ +# python3-pil + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/python3-pip.md b/data/generated/wiki/tools/python3-pip.md new file mode 100644 index 0000000..d8cc57c --- /dev/null +++ b/data/generated/wiki/tools/python3-pip.md @@ -0,0 +1,4 @@ +# python3-pip + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pyasn1.md b/data/generated/wiki/tools/python3-pyasn1.md new file mode 100644 index 0000000..f82d5e9 --- /dev/null +++ b/data/generated/wiki/tools/python3-pyasn1.md @@ -0,0 +1,4 @@ +# python3-pyasn1 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pyqt5.md b/data/generated/wiki/tools/python3-pyqt5.md new file mode 100644 index 0000000..2194fdf --- /dev/null +++ b/data/generated/wiki/tools/python3-pyqt5.md @@ -0,0 +1,4 @@ +# python3-pyqt5 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-requests.md b/data/generated/wiki/tools/python3-requests.md new file mode 100644 index 0000000..9f35d34 --- /dev/null +++ b/data/generated/wiki/tools/python3-requests.md @@ -0,0 +1,4 @@ +# python3-requests + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-setuptools.md b/data/generated/wiki/tools/python3-setuptools.md new file mode 100644 index 0000000..5dd4436 --- /dev/null +++ b/data/generated/wiki/tools/python3-setuptools.md @@ -0,0 +1,4 @@ +# python3-setuptools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-ssdeep.md b/data/generated/wiki/tools/python3-ssdeep.md new file mode 100644 index 0000000..04115d8 --- /dev/null +++ b/data/generated/wiki/tools/python3-ssdeep.md @@ -0,0 +1,4 @@ +# python3-ssdeep + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-tk.md b/data/generated/wiki/tools/python3-tk.md new file mode 100644 index 0000000..df3779f --- /dev/null +++ b/data/generated/wiki/tools/python3-tk.md @@ -0,0 +1,4 @@ +# python3-tk + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-venv.md b/data/generated/wiki/tools/python3-venv.md new file mode 100644 index 0000000..aef5379 
--- /dev/null +++ b/data/generated/wiki/tools/python3-venv.md @@ -0,0 +1,4 @@ +# python3-venv + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-virtualenv.md b/data/generated/wiki/tools/python3-virtualenv.md new file mode 100644 index 0000000..95f3fe1 --- /dev/null +++ b/data/generated/wiki/tools/python3-virtualenv.md @@ -0,0 +1,4 @@ +# python3-virtualenv + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-wheel.md b/data/generated/wiki/tools/python3-wheel.md new file mode 100644 index 0000000..9372231 --- /dev/null +++ b/data/generated/wiki/tools/python3-wheel.md @@ -0,0 +1,4 @@ +# python3-wheel + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3.md b/data/generated/wiki/tools/python3.md new file mode 100644 index 0000000..9038bac --- /dev/null +++ b/data/generated/wiki/tools/python3.md @@ -0,0 +1,4 @@ +# python3 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/qiling.md b/data/generated/wiki/tools/qiling.md new file mode 100644 index 0000000..ee3a896 --- /dev/null +++ b/data/generated/wiki/tools/qiling.md 
@@ -0,0 +1,21 @@ +# qiling +> Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" +``` + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 3: Emulation-Based Unpacking + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi + +#emulation #multi-platform #binary-analysis diff --git a/data/generated/wiki/tools/qpdf.md b/data/generated/wiki/tools/qpdf.md new file mode 100644 index 0000000..5174f45 --- /dev/null +++ b/data/generated/wiki/tools/qpdf.md 
@@ -0,0 +1,22 @@ +# qpdf +> Decrypt, linearize, and transform PDF files — useful for removing password protection + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +qpdf --decrypt encrypted.pdf output.pdf +``` + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e + +## FOR610 +**Sections:** 3 + +#pdf #decryption #transformation diff --git a/data/generated/wiki/tools/qtbase5-dev.md b/data/generated/wiki/tools/qtbase5-dev.md new file mode 100644 index 0000000..313d2de --- /dev/null +++ b/data/generated/wiki/tools/qtbase5-dev.md @@ -0,0 +1,4 @@ +# qtbase5-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/radare2.md b/data/generated/wiki/tools/radare2.md new file mode 100644 index 0000000..e2c4dda --- /dev/null +++ b/data/generated/wiki/tools/radare2.md 
@@ -0,0 +1,23 @@ +# radare2 +> Open-source reverse engineering command-line framework + +**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general) + +## Usage +```bash +r2 specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed) +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 5: Native Library Analysis + +## Related Tools +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin + +## FOR610 +**Sections:** 2 + +#disassembly #cli #open-source diff --git a/data/generated/wiki/tools/rar.md b/data/generated/wiki/tools/rar.md new file mode 100644 index 0000000..3de09b6 --- /dev/null +++ b/data/generated/wiki/tools/rar.md @@ -0,0 +1,23 @@ +# rar +> Extract RAR archives (including self-extracting RAR payloads) + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Usage +```bash +rar x archive.rar +``` + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#archive #extraction 
diff --git a/data/generated/wiki/tools/re-search.md b/data/generated/wiki/tools/re-search.md new file mode 100644 index 0000000..81ca6d0 --- /dev/null +++ b/data/generated/wiki/tools/re-search.md @@ -0,0 +1,14 @@ +# re-search.py +> Search the file for built-in regular expressions of common suspicious artifacts. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/redress.md b/data/generated/wiki/tools/redress.md new file mode 100644 index 0000000..aee71be --- /dev/null +++ b/data/generated/wiki/tools/redress.md @@ -0,0 +1,10 @@ +# redress +> Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2. + +**Category:** [[categories/examine-static-properties-go|Examine Static Properties > Go]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/go](https://docs.remnux.org/discover-the-tools/examine+static+properties/go) + +## Related Tools +- [[tools/goresym|goresym]] — Extract metadata and symbols from Go binaries, including str + +#examine-static-properties-go diff --git a/data/generated/wiki/tools/refresh.md b/data/generated/wiki/tools/refresh.md new file mode 100644 index 0000000..5fd223a 
--- /dev/null +++ b/data/generated/wiki/tools/refresh.md @@ -0,0 +1,4 @@ +# refresh + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/remnux-installer.md b/data/generated/wiki/tools/remnux-installer.md new file mode 100644 index 0000000..17f65b1 --- /dev/null +++ b/data/generated/wiki/tools/remnux-installer.md @@ -0,0 +1,14 @@ +# REMnux Installer +> Install and update the REMnux distro. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/remnux-mcp-server.md b/data/generated/wiki/tools/remnux-mcp-server.md new file mode 100644 index 0000000..c20e153 --- /dev/null +++ b/data/generated/wiki/tools/remnux-mcp-server.md @@ -0,0 +1,11 @@ +# remnux-mcp-server +> MCP server for using the REMnux malware analysis toolkit via AI assistants. + +**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence) + +## Related Tools +- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra. +- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal. + +#use-artificial-intelligence diff --git a/data/generated/wiki/tools/remnux.md b/data/generated/wiki/tools/remnux.md new file mode 100644 index 0000000..11f43e0 --- /dev/null 
+++ b/data/generated/wiki/tools/remnux.md @@ -0,0 +1,4 @@ +# remnux + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/remove-app-icons.md b/data/generated/wiki/tools/remove-app-icons.md new file mode 100644 index 0000000..8072825 --- /dev/null +++ b/data/generated/wiki/tools/remove-app-icons.md @@ -0,0 +1,4 @@ +# remove-app-icons + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rhino.md b/data/generated/wiki/tools/rhino.md new file mode 100644 index 0000000..8d307bd --- /dev/null +++ b/data/generated/wiki/tools/rhino.md @@ -0,0 +1,4 @@ +# rhino + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rsakeyfind.md b/data/generated/wiki/tools/rsakeyfind.md new file mode 100644 index 0000000..27a87a3 --- /dev/null +++ b/data/generated/wiki/tools/rsakeyfind.md @@ -0,0 +1,4 @@ +# rsakeyfind + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rsakeyfinder.md b/data/generated/wiki/tools/rsakeyfinder.md new file mode 100644 index 0000000..f70cb24 --- /dev/null +++ b/data/generated/wiki/tools/rsakeyfinder.md @@ -0,0 +1,11 @@ +# RSAKeyFinder +> Find BER-encoded RSA private keys in a memory image. + +**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics) + +## Related Tools +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa + +#perform-memory-forensics diff --git a/data/generated/wiki/tools/rtfdump.md b/data/generated/wiki/tools/rtfdump.md new file mode 100644 index 0000000..929d030 --- /dev/null +++ b/data/generated/wiki/tools/rtfdump.md 
@@ -0,0 +1,31 @@ +# rtfdump.py +> Analyze RTF file structure, identify hex-encoded groups and embedded objects + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +rtfdump.py document.rtf +rtfdump.py document.rtf -s 5 -H -d > extracted.bin +``` + +## Recipes +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#rtf #document #didier-stevens diff --git a/data/generated/wiki/tools/ruby-dev.md b/data/generated/wiki/tools/ruby-dev.md new file mode 100644 index 0000000..346e95b --- /dev/null +++ b/data/generated/wiki/tools/ruby-dev.md @@ -0,0 +1,4 @@ +# ruby-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ruby.md b/data/generated/wiki/tools/ruby.md new file mode 100644 index 0000000..7b49372 --- /dev/null +++ b/data/generated/wiki/tools/ruby.md @@ -0,0 +1,4 @@ +# ruby + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/runsc32.md b/data/generated/wiki/tools/runsc32.md new file mode 100644 index 0000000..f384f07 --- /dev/null +++ b/data/generated/wiki/tools/runsc32.md @@ -0,0 +1,22 @@ +# runsc32 +> Execute extracted shellcode for dynamic analysis + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +runsc32 -f shellcode.bin -o 0x3B -d qa.doc +``` + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +## FOR610 +**Labs:** 3.5, 4.6 +**Sections:** 3, 4 + +#shellcode #execution #dynamic-analysis diff --git a/data/generated/wiki/tools/salt-minion.md b/data/generated/wiki/tools/salt-minion.md new file mode 100644 index 0000000..ff24e85 --- /dev/null +++ b/data/generated/wiki/tools/salt-minion.md @@ -0,0 +1,4 @@ +# salt-minion + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sandfly-processdecloak.md b/data/generated/wiki/tools/sandfly-processdecloak.md new file mode 100644 index 0000000..b8db137 --- /dev/null +++ b/data/generated/wiki/tools/sandfly-processdecloak.md 
@@ -0,0 +1,11 @@ +# sandfly-processdecloak +> Find hidden processes on the local Linux system. + +**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions) + +## Related Tools +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh +- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst + +#investigate-system-interactions diff --git a/data/generated/wiki/tools/scalpel.md b/data/generated/wiki/tools/scalpel.md new file mode 100644 index 0000000..7a45179 --- /dev/null +++ b/data/generated/wiki/tools/scalpel.md @@ -0,0 +1,14 @@ +# scalpel +> Carve contents out of binary files, such as partitions. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/scdbgc.md b/data/generated/wiki/tools/scdbgc.md new file mode 100644 index 0000000..a5cd2aa --- /dev/null +++ b/data/generated/wiki/tools/scdbgc.md 
@@ -0,0 +1,33 @@ +# scdbgc +> Shellcode emulator — analyze shellcode behavior through API-level emulation + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +scdbgc /f shellcode.bin /s -1 +scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc +scdbgc /f shellcode.bin /s -1 /norw +``` + +## Recipes +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/shellcode-emulate-with-offset|Emulate Shellcode at Specific Offset]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 3: Emulation + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +## FOR610 +**Labs:** 3.4, 3.5, 4.6 +**Sections:** 3, 4 + +#shellcode #emulation #api-calls diff --git a/data/generated/wiki/tools/scite.md b/data/generated/wiki/tools/scite.md new file mode 100644 index 0000000..f901f87 --- /dev/null +++ b/data/generated/wiki/tools/scite.md 
@@ -0,0 +1,14 @@ +# scite +> Edit text files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/sets.md b/data/generated/wiki/tools/sets.md new file mode 100644 index 0000000..8bbf87e --- /dev/null +++ b/data/generated/wiki/tools/sets.md @@ -0,0 +1,14 @@ +# sets.py +> Perform set operations on lines or bytes in text files. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/sharutils.md b/data/generated/wiki/tools/sharutils.md new file mode 100644 index 0000000..dd84b21 --- /dev/null 
+++ b/data/generated/wiki/tools/sharutils.md @@ -0,0 +1,4 @@ +# sharutils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/shcode2exe.md b/data/generated/wiki/tools/shcode2exe.md new file mode 100644 index 0000000..1b03ed5 --- /dev/null +++ b/data/generated/wiki/tools/shcode2exe.md @@ -0,0 +1,24 @@ +# shcode2exe +> Convert raw shellcode to a Windows PE executable for analysis in disassemblers + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +shcode2exe +``` + +## Recipes +- [[recipes/shellcode-to-exe|Convert Shellcode to Executable]] + +## Workflows +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 5: Conversion to EXE + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +#shellcode #conversion #pe diff --git a/data/generated/wiki/tools/shellcode2exe-bat.md b/data/generated/wiki/tools/shellcode2exe-bat.md new file mode 100644 index 0000000..7f2b315 --- /dev/null +++ b/data/generated/wiki/tools/shellcode2exe-bat.md 
@@ -0,0 +1,13 @@ +# shellcode2exe-bat +> Convert 32 and 64-bit shellcode to a Windows executable file. + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi + +#dynamically-reverse-engineer-code-shellcode diff --git a/data/generated/wiki/tools/sift.md b/data/generated/wiki/tools/sift.md new file mode 100644 index 0000000..4366454 --- /dev/null +++ b/data/generated/wiki/tools/sift.md @@ -0,0 +1,4 @@ +# sift + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/signsrch.md b/data/generated/wiki/tools/signsrch.md new file mode 100644 index 0000000..3739ada --- /dev/null +++ b/data/generated/wiki/tools/signsrch.md 
@@ -0,0 +1,14 @@ +# signsrch +> Find patterns of common encryption, compression, or encoding algorithms. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/sleuth-kit.md b/data/generated/wiki/tools/sleuth-kit.md new file mode 100644 index 0000000..d3c3f4c --- /dev/null +++ b/data/generated/wiki/tools/sleuth-kit.md @@ -0,0 +1,14 @@ +# Sleuth Kit +> Analyze disk images and recover files from them. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/sleuthkit.md b/data/generated/wiki/tools/sleuthkit.md new file mode 100644 index 0000000..6d89535 --- /dev/null +++ b/data/generated/wiki/tools/sleuthkit.md @@ -0,0 +1,4 @@ +# sleuthkit + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/snap.md b/data/generated/wiki/tools/snap.md new file mode 100644 index 0000000..28e5525 --- /dev/null +++ b/data/generated/wiki/tools/snap.md @@ -0,0 +1,4 @@ +# snap + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/snapd.md b/data/generated/wiki/tools/snapd.md new file mode 100644 index 0000000..f74770e --- /dev/null +++ b/data/generated/wiki/tools/snapd.md @@ -0,0 +1,4 @@ +# snapd + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/software-properties-common.md b/data/generated/wiki/tools/software-properties-common.md new file mode 100644 index 0000000..7f8d802 --- /dev/null +++ b/data/generated/wiki/tools/software-properties-common.md @@ -0,0 +1,4 @@ +# software-properties-common + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sortcanon.md b/data/generated/wiki/tools/sortcanon.md new file mode 100644 index 0000000..b13033c --- /dev/null +++ b/data/generated/wiki/tools/sortcanon.md @@ -0,0 +1,14 @@ +# sortcanon.py +> Sort text files using canonicalization functions built into this tool. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities 
diff --git a/data/generated/wiki/tools/speakeasy.md b/data/generated/wiki/tools/speakeasy.md new file mode 100644 index 0000000..b81ca7a --- /dev/null +++ b/data/generated/wiki/tools/speakeasy.md @@ -0,0 +1,30 @@ +# speakeasy +> Windows binary emulator — emulates API calls to analyze malware behavior without native execution + +**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files) + +## Usage +```bash +speakeasy -t specimen.exe -o report.json 2> report.txt +speakeasy -t shellcode.bin -r -a x86 +``` + +## Recipes +- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]] + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative) +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 3: Emulation-Based Unpacking +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 3: Emulation + +## Related Tools +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal + +## FOR610 +**Labs:** 1.4 +**Sections:** 1 + +#emulation #api-calls #behavioral-analysis diff --git a/data/generated/wiki/tools/spidermonkey.md b/data/generated/wiki/tools/spidermonkey.md new file mode 100644 index 0000000..62cba31 --- /dev/null +++ b/data/generated/wiki/tools/spidermonkey.md 
@@ -0,0 +1,30 @@ +# SpiderMonkey +> Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Usage +```bash +js -f malicious.js +js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js +``` + +## Recipes +- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]] +- [[recipes/js-null-byte-cleanup|Clean Null Bytes from UTF-16 JavaScript]] + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 3: Safe Execution (SpiderMonkey) + +## Related Tools +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. + +## FOR610 +**Labs:** 3.6, 3.7, 4.5 +**Sections:** 3, 4 + +#javascript #deobfuscation #execution diff --git a/data/generated/wiki/tools/sqlite.md b/data/generated/wiki/tools/sqlite.md new file mode 100644 index 0000000..0865e72 --- /dev/null +++ b/data/generated/wiki/tools/sqlite.md 
@@ -0,0 +1,14 @@ +# SQLite +> Manage and interact with SQL database files. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/ssdeep.md b/data/generated/wiki/tools/ssdeep.md new file mode 100644 index 0000000..32f4cef --- /dev/null +++ b/data/generated/wiki/tools/ssdeep.md @@ -0,0 +1,21 @@ +# ssdeep +> Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +ssdeep +ssdeep -m +ssdeep -d +``` + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#hashing #fuzzy #similarity #clustering diff --git a/data/generated/wiki/tools/ssh.md b/data/generated/wiki/tools/ssh.md new file mode 100644 index 0000000..45706a0 --- /dev/null 
+++ b/data/generated/wiki/tools/ssh.md @@ -0,0 +1,4 @@ +# ssh + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ssview.md b/data/generated/wiki/tools/ssview.md new file mode 100644 index 0000000..1a8bce5 --- /dev/null +++ b/data/generated/wiki/tools/ssview.md @@ -0,0 +1,14 @@ +# ssview +> Analyze OLE2 Structured Storage files. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/strace.md b/data/generated/wiki/tools/strace.md new file mode 100644 index 0000000..9ce3a5f --- /dev/null +++ b/data/generated/wiki/tools/strace.md @@ -0,0 +1,7 @@ +# strace + +**Tier:** Basic + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup + diff --git a/data/generated/wiki/tools/strdeob.md b/data/generated/wiki/tools/strdeob.md new file mode 100644 index 0000000..ae46e70 --- /dev/null +++ b/data/generated/wiki/tools/strdeob.md 
@@ -0,0 +1,29 @@ +# strdeob.pl +> Automatically decode stack-built strings from disassembled malware + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +strdeob.pl specimen.exe +``` + +## Recipes +- [[recipes/stack-string-extraction|Extract Stack-Built Strings]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 5: Stack String Recovery + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 5.2 +**Sections:** 5 + +#stack-strings #deobfuscation diff --git a/data/generated/wiki/tools/strings.md b/data/generated/wiki/tools/strings.md new file mode 100644 index 0000000..577e1eb --- /dev/null +++ b/data/generated/wiki/tools/strings.md 
@@ -0,0 +1,35 @@ +# strings +> Extract printable ASCII and Unicode strings from binary files + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +strings binary.exe +strings -n 10 binary.exe +strings --encoding=l binary.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 7: Extracted Payload Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 1: Automated Extraction +- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 6: String Search +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 5: Native Library Analysis +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 5: Resource Extraction + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.4, 5.2 +**Sections:** 1, 3 + +#strings #static-analysis #triage diff --git a/data/generated/wiki/tools/subversion.md b/data/generated/wiki/tools/subversion.md new file mode 100644 index 0000000..558dcc8 --- /dev/null 
+++ b/data/generated/wiki/tools/subversion.md @@ -0,0 +1,4 @@ +# subversion + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sudo.md b/data/generated/wiki/tools/sudo.md new file mode 100644 index 0000000..6d26f2f --- /dev/null +++ b/data/generated/wiki/tools/sudo.md @@ -0,0 +1,4 @@ +# sudo + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sudoers.md b/data/generated/wiki/tools/sudoers.md new file mode 100644 index 0000000..99d4586 --- /dev/null +++ b/data/generated/wiki/tools/sudoers.md @@ -0,0 +1,4 @@ +# sudoers + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/tcpdump.md b/data/generated/wiki/tools/tcpdump.md new file mode 100644 index 0000000..9540e89 --- /dev/null +++ b/data/generated/wiki/tools/tcpdump.md 
@@ -0,0 +1,27 @@ +# tcpdump +> Command-line packet capture tool + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpdump -i eth0 -w capture.pcap +tcpdump -r capture.pcap +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 4: Packet Capture + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Sections:** 1 + +#packet-capture #cli #network diff --git a/data/generated/wiki/tools/tcpflow.md b/data/generated/wiki/tools/tcpflow.md new file mode 100644 index 0000000..0c9fb23 --- /dev/null +++ b/data/generated/wiki/tools/tcpflow.md 
@@ -0,0 +1,25 @@ +# tcpflow +> Extract and reassemble TCP streams from PCAP files into individual files + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpflow -r -o output/ +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#network #tcp #stream-extraction diff --git a/data/generated/wiki/tools/tcpick.md b/data/generated/wiki/tools/tcpick.md new file mode 100644 index 0000000..b6c739d --- /dev/null +++ b/data/generated/wiki/tools/tcpick.md 
@@ -0,0 +1,14 @@ +# tcpick +> Capture and analyze network traffic with this command-line sniffer. + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#explore-network-interactions-monitoring diff --git a/data/generated/wiki/tools/tcpxtract.md b/data/generated/wiki/tools/tcpxtract.md new file mode 100644 index 0000000..063d2e9 --- /dev/null +++ b/data/generated/wiki/tools/tcpxtract.md 
@@ -0,0 +1,25 @@ +# tcpxtract +> Carve files from network traffic using file signatures + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpxtract -f -o output/ +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 7: File Extraction + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#network #file-carving #pcap diff --git a/data/generated/wiki/tools/tesseract-ocr.md b/data/generated/wiki/tools/tesseract-ocr.md new file mode 100644 index 0000000..3d4e809 --- /dev/null +++ b/data/generated/wiki/tools/tesseract-ocr.md @@ -0,0 +1,7 @@ +# tesseract-ocr +> Examine images to identify and extract text using optical character recognition (OCR). + +**Category:** [[categories/analyze-documents-general|Analyze Documents > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/general](https://docs.remnux.org/discover-the-tools/analyze+documents/general) + +#analyze-documents-general 
diff --git a/data/generated/wiki/tools/texteditor.md b/data/generated/wiki/tools/texteditor.md new file mode 100644 index 0000000..5a5e811 --- /dev/null +++ b/data/generated/wiki/tools/texteditor.md @@ -0,0 +1,14 @@ +# texteditor.py +> Edit text files from the command line using search-and-replace commands. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/thefuzz.md b/data/generated/wiki/tools/thefuzz.md new file mode 100644 index 0000000..fcd9793 --- /dev/null +++ b/data/generated/wiki/tools/thefuzz.md @@ -0,0 +1,14 @@ +# thefuzz +> Fuzzy String Matching in Python. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/thug.md b/data/generated/wiki/tools/thug.md new file mode 100644 index 0000000..4810585 --- /dev/null +++ b/data/generated/wiki/tools/thug.md @@ -0,0 +1,22 @@ +# Thug +> Low-interaction honeyclient for analyzing malicious websites and drive-by downloads + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +thug -u win7chrome49 http://suspicious-site.com +``` + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +## FOR610 +**Sections:** 3 + +#honeyclient #web-analysis #drive-by diff --git a/data/generated/wiki/tools/time-decode.md b/data/generated/wiki/tools/time-decode.md new file mode 100644 index 0000000..a2dfab5 --- /dev/null +++ b/data/generated/wiki/tools/time-decode.md 
@@ -0,0 +1,14 @@ +# time-decode +> Decode and encode date and timestamps. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/tor.md b/data/generated/wiki/tools/tor.md new file mode 100644 index 0000000..2ebdada --- /dev/null +++ b/data/generated/wiki/tools/tor.md @@ -0,0 +1,14 @@ +# tor +> Obfuscate your origins by routing traffic through a network of anonymizing nodes. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#explore-network-interactions-connecting 
diff --git a/data/generated/wiki/tools/torsocks.md b/data/generated/wiki/tools/torsocks.md new file mode 100644 index 0000000..a3b55e5 --- /dev/null +++ b/data/generated/wiki/tools/torsocks.md @@ -0,0 +1,18 @@ +# torsocks +> Route network traffic through the Tor anonymity network + +**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +torsocks curl http://example.onion +``` + +## Related Tools +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution + +## FOR610 +**Sections:** 1 + +#tor #anonymity #network-routing diff --git a/data/generated/wiki/tools/translate.md b/data/generated/wiki/tools/translate.md new file mode 100644 index 0000000..7b0ef5e --- /dev/null +++ b/data/generated/wiki/tools/translate.md 
@@ -0,0 +1,31 @@ +# translate.py +> Transform data using Python expressions (XOR, ADD, etc.) + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +translate.py "byte ^ 35" < input.bin > output.bin +``` + +## Recipes +- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 4: Multi-Byte / Custom Decoding + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#xor #transformation #decoding #didier-stevens diff --git a/data/generated/wiki/tools/trid.md b/data/generated/wiki/tools/trid.md new file mode 100644 index 0000000..e0a20c1 --- /dev/null +++ b/data/generated/wiki/tools/trid.md 
@@ -0,0 +1,28 @@ +# trid +> Identify file type by scanning binary signatures database + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +trid document.doc +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 1: Format Identification +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.3, 3.4 +**Sections:** 3 + +#file-identification #triage diff --git a/data/generated/wiki/tools/tshark.md b/data/generated/wiki/tools/tshark.md new file mode 100644 index 0000000..0de0794 --- /dev/null +++ b/data/generated/wiki/tools/tshark.md 
@@ -0,0 +1,26 @@ +# tshark +> Command-line interface to Wireshark for packet capture and analysis + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tshark -r capture.pcap +tshark -i eth0 -w capture.pcap +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Sections:** 1 + +#packet-capture #cli #network diff --git a/data/generated/wiki/tools/tzdata.md b/data/generated/wiki/tools/tzdata.md new file mode 100644 index 0000000..de15ed1 --- /dev/null +++ b/data/generated/wiki/tools/tzdata.md @@ -0,0 +1,4 @@ +# tzdata + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ubuntu-universe.md b/data/generated/wiki/tools/ubuntu-universe.md new file mode 100644 index 0000000..ed63645 --- /dev/null +++ b/data/generated/wiki/tools/ubuntu-universe.md @@ -0,0 +1,4 @@ +# ubuntu-universe + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ubuntu.md b/data/generated/wiki/tools/ubuntu.md new file mode 100644 index 0000000..61a5279 --- /dev/null +++ b/data/generated/wiki/tools/ubuntu.md @@ -0,0 +1,4 @@ +# ubuntu + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/uncompyle6.md b/data/generated/wiki/tools/uncompyle6.md new file mode 100644 index 0000000..c1274bd --- /dev/null +++ b/data/generated/wiki/tools/uncompyle6.md @@ -0,0 +1,18 @@ +# uncompyle6 +> Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8 + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Usage +```bash +uncompyle6 +uncompyle6 -o output/ +``` + +## Related Tools +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou + +#python #decompilation #bytecode diff --git a/data/generated/wiki/tools/unfurl.md b/data/generated/wiki/tools/unfurl.md new file mode 100644 index 0000000..82fa8b8 --- /dev/null +++ b/data/generated/wiki/tools/unfurl.md 
@@ -0,0 +1,22 @@ +# Unfurl +> Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +unfurl parse +``` + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 4: Link Analysis + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#url #decoding #phishing #tracking diff --git a/data/generated/wiki/tools/unhide.md b/data/generated/wiki/tools/unhide.md new file mode 100644 index 0000000..9eb794b --- /dev/null +++ b/data/generated/wiki/tools/unhide.md @@ -0,0 +1,11 @@ +# unhide +> Find hidden processes or connections on the local Linux system. + +**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions) + +## Related Tools +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh +- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system. + +#investigate-system-interactions 
diff --git a/data/generated/wiki/tools/unicode.md b/data/generated/wiki/tools/unicode.md new file mode 100644 index 0000000..8e586aa --- /dev/null +++ b/data/generated/wiki/tools/unicode.md @@ -0,0 +1,14 @@ +# unicode +> Display Unicode character properties. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/unxor.md b/data/generated/wiki/tools/unxor.md new file mode 100644 index 0000000..f1d9870 --- /dev/null +++ b/data/generated/wiki/tools/unxor.md 
@@ -0,0 +1,14 @@ +# unxor +> Deobfuscate XOR'ed files. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/unzip.md b/data/generated/wiki/tools/unzip.md new file mode 100644 index 0000000..e1a582d --- /dev/null +++ b/data/generated/wiki/tools/unzip.md 
@@ -0,0 +1,26 @@ +# unzip +> Extract ZIP archives containing malware samples + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Usage +```bash +unzip -P infected sample.zip +``` + +## Workflows +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 1: Archive Inspection + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +## FOR610 +**Labs:** 1.1, 3.1, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, 4.8, 5.2, 5.3, 5.4 +**Sections:** 1, 3, 4, 5 + +#archive #extraction diff --git a/data/generated/wiki/tools/upx.md b/data/generated/wiki/tools/upx.md new file mode 100644 index 0000000..4069292 --- /dev/null +++ b/data/generated/wiki/tools/upx.md @@ -0,0 +1,23 @@ +# UPX +> Universal Packer for eXecutables — compress and decompress PE files + +**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking) + +## Usage +```bash +upx -d packed.exe +upx -d packed.exe -o unpacked.exe +``` + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 2: Automated Unpacking + +## Related Tools +- [[tools/bytehist|Bytehist]] — Generate byte-usage histograms to visually identify packed o + +## FOR610 +**Labs:** 4.2 +**Sections:** 4 + +#packer #unpacker #compression 
diff --git a/data/generated/wiki/tools/user.md b/data/generated/wiki/tools/user.md new file mode 100644 index 0000000..5c07d51 --- /dev/null +++ b/data/generated/wiki/tools/user.md @@ -0,0 +1,4 @@ +# user + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/vbindiff.md b/data/generated/wiki/tools/vbindiff.md new file mode 100644 index 0000000..df578e7 --- /dev/null +++ b/data/generated/wiki/tools/vbindiff.md @@ -0,0 +1,14 @@ +# vbindiff +> Compare binary files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/vim.md b/data/generated/wiki/tools/vim.md new file mode 100644 index 0000000..45c460b --- /dev/null +++ b/data/generated/wiki/tools/vim.md @@ -0,0 +1,4 @@ +# vim + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/virustotal-search.md b/data/generated/wiki/tools/virustotal-search.md new file mode 100644 index 0000000..ac45d97 --- /dev/null +++ b/data/generated/wiki/tools/virustotal-search.md 
@@ -0,0 +1,17 @@ +# virustotal-search +> Search VirusTotal for file hashes. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 2: Reputation Check + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/virustotal-submit.md b/data/generated/wiki/tools/virustotal-submit.md new file mode 100644 index 0000000..89ad1f7 --- /dev/null +++ b/data/generated/wiki/tools/virustotal-submit.md @@ -0,0 +1,14 @@ +# virustotal-submit +> Submit files to VirusTotal. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/visual-studio-code.md b/data/generated/wiki/tools/visual-studio-code.md new file mode 100644 index 0000000..9837a1b --- /dev/null +++ b/data/generated/wiki/tools/visual-studio-code.md @@ -0,0 +1,28 @@ +# Visual Studio Code +> Code editor used for viewing decompiled output, scripts, and analysis results + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Usage +```bash +code filename.js +``` + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 2: Static Review +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 4: Dynamic Loading Detection +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 4: Code Analysis + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. + +## FOR610 +**Labs:** 1.3, 1.4, 1.5, 3.3, 3.6, 3.7, 4.5, 4.8, 5.2, 5.3 +**Sections:** 1, 3, 4, 5 + +#editor #code-viewer diff --git a/data/generated/wiki/tools/vivisect.md b/data/generated/wiki/tools/vivisect.md new file mode 100644 index 0000000..a094ef3 --- /dev/null +++ b/data/generated/wiki/tools/vivisect.md 
@@ -0,0 +1,19 @@ +# Vivisect +> Binary analysis and emulation framework — static analysis with emulation capabilities + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +vivbin +python3 -c "import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')" +``` + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, + +#emulation #static-analysis #binary-analysis diff --git a/data/generated/wiki/tools/volatility3.md b/data/generated/wiki/tools/volatility3.md new file mode 100644 index 0000000..f9a0ade --- /dev/null +++ b/data/generated/wiki/tools/volatility3.md 
@@ -0,0 +1,28 @@ +# volatility3 +> Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code + +**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics) + +## Usage +```bash +vol3 -f windows.info +vol3 -f windows.pslist +vol3 -f windows.pstree +vol3 -f windows.netscan +vol3 -f windows.malfind +vol3 -f windows.dlllist --pid +vol3 -f windows.dumpfiles --pid +``` + +## Recipes +- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]] + +## Workflows +- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 1: Image Identification + +## Related Tools +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image. + +#memory #forensics #volatility #incident-response diff --git a/data/generated/wiki/tools/vscode.md b/data/generated/wiki/tools/vscode.md new file mode 100644 index 0000000..73a84c7 --- /dev/null +++ b/data/generated/wiki/tools/vscode.md @@ -0,0 +1,4 @@ +# vscode + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/wget.md b/data/generated/wiki/tools/wget.md new file mode 100644 index 0000000..2e4de43 --- /dev/null +++ b/data/generated/wiki/tools/wget.md 
@@ -0,0 +1,20 @@ +# wget +> Download files from HTTP/HTTPS/FTP servers + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +wget http://example.com/file.bin +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Sections:** 1 + +#download #http diff --git a/data/generated/wiki/tools/wine.md b/data/generated/wiki/tools/wine.md new file mode 100644 index 0000000..8e40531 --- /dev/null +++ b/data/generated/wiki/tools/wine.md @@ -0,0 +1,20 @@ +# Wine +> Windows compatibility layer — run Windows executables on Linux + +**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general) + +## Usage +```bash +wine program.exe +``` + +## Related Tools +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#windows-compat #execution diff --git a/data/generated/wiki/tools/wireshark-dev.md b/data/generated/wiki/tools/wireshark-dev.md new file mode 100644 index 0000000..932f243 --- /dev/null +++ b/data/generated/wiki/tools/wireshark-dev.md @@ -0,0 +1,4 @@ +# wireshark-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/wireshark.md b/data/generated/wiki/tools/wireshark.md new file mode 100644 index 0000000..4610c87 --- /dev/null +++ b/data/generated/wiki/tools/wireshark.md 
@@ -0,0 +1,28 @@ +# Wireshark +> GUI network protocol analyzer for capturing and inspecting packet-level traffic + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +wireshark +wireshark -r capture.pcap +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 4: Packet Capture + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Labs:** 1.2, 1.3, 1.6, 1.7, 1.8, 5.1 +**Sections:** 1, 5 + +#packet-capture #protocol-analysis #network diff --git a/data/generated/wiki/tools/wxhexeditor.md b/data/generated/wiki/tools/wxhexeditor.md new file mode 100644 index 0000000..1fd3f09 --- /dev/null +++ b/data/generated/wiki/tools/wxhexeditor.md 
@@ -0,0 +1,14 @@ +# wxhexeditor +> Hex editor. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/xdg-utils.md b/data/generated/wiki/tools/xdg-utils.md new file mode 100644 index 0000000..34b4a59 --- /dev/null +++ b/data/generated/wiki/tools/xdg-utils.md @@ -0,0 +1,4 @@ +# xdg-utils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xlmmacrodeobfuscator.md b/data/generated/wiki/tools/xlmmacrodeobfuscator.md new file mode 100644 index 0000000..1c4decd --- /dev/null +++ b/data/generated/wiki/tools/xlmmacrodeobfuscator.md 
@@ -0,0 +1,23 @@ +# XLMMacroDeobfuscator +> Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +xlmdeobfuscator --file +xlmdeobfuscator --file --no-indent +``` + +## Recipes +- [[recipes/excel-xlm-macros|Deobfuscate Excel 4.0 (XLM) Macros]] + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#office #excel #xlm #macro #deobfuscation diff --git a/data/generated/wiki/tools/xmldump.md b/data/generated/wiki/tools/xmldump.md new file mode 100644 index 0000000..03f36f4 --- /dev/null +++ b/data/generated/wiki/tools/xmldump.md 
@@ -0,0 +1,14 @@ +# xmldump.py +> Extract contents of XML files, in particular OOXML-formatted Microsoft Office documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/xmlstarlet.md b/data/generated/wiki/tools/xmlstarlet.md new file mode 100644 index 0000000..611d879 --- /dev/null +++ b/data/generated/wiki/tools/xmlstarlet.md @@ -0,0 +1,4 @@ +# xmlstarlet + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xor-kpa.md b/data/generated/wiki/tools/xor-kpa.md new file mode 100644 index 0000000..4eb7d21 --- /dev/null +++ b/data/generated/wiki/tools/xor-kpa.md 
@@ -0,0 +1,14 @@ +# xor-kpa.py +> Implement a XOR known plaintext attack. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xorbruteforcer.md b/data/generated/wiki/tools/xorbruteforcer.md new file mode 100644 index 0000000..323285e --- /dev/null +++ b/data/generated/wiki/tools/xorbruteforcer.md 
@@ -0,0 +1,14 @@ +# xorbruteforcer +> Bruteforce an XOR-encoded file. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xorsearch.md b/data/generated/wiki/tools/xorsearch.md new file mode 100644 index 0000000..32cb5a3 --- /dev/null +++ b/data/generated/wiki/tools/xorsearch.md 
@@ -0,0 +1,33 @@ +# XORSearch +> Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +XORSearch -W -d 3 file.bin +XORSearch -i -s specimen.exe http: +``` + +## Recipes +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 3.5, 5.2 +**Sections:** 3, 5 + +#xor #shellcode-detection #pattern-search #didier-stevens diff --git a/data/generated/wiki/tools/xorstrings.md b/data/generated/wiki/tools/xorstrings.md new file mode 100644 index 0000000..04b4edb --- /dev/null +++ b/data/generated/wiki/tools/xorstrings.md 
@@ -0,0 +1,14 @@ +# xorstrings +> Search for XOR encoded strings in a file. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xortool.md b/data/generated/wiki/tools/xortool.md new file mode 100644 index 0000000..f44a382 --- /dev/null +++ b/data/generated/wiki/tools/xortool.md 
@@ -0,0 +1,26 @@ +# xortool +> Analyze XOR-encoded data — guess key length and probable key bytes + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +xortool +xortool-xor -s 'key' -i -o +``` + +## Recipes +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#xor #deobfuscation #key-recovery diff --git a/data/generated/wiki/tools/xterm.md b/data/generated/wiki/tools/xterm.md new file mode 100644 index 0000000..ba73c3a --- /dev/null +++ b/data/generated/wiki/tools/xterm.md @@ -0,0 +1,4 @@ +# xterm + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xxd.md b/data/generated/wiki/tools/xxd.md new file mode 100644 index 0000000..a11ffa1 --- /dev/null +++ b/data/generated/wiki/tools/xxd.md 
@@ -0,0 +1,21 @@ +# xxd +> Create hex dump of a file or reverse a hex dump back to binary + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +xxd binary.exe +xxd -r hexdump.txt > binary.exe +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers + +## FOR610 +**Sections:** 1 + +#hex #binary-conversion diff --git a/data/generated/wiki/tools/yara-forge-rules.md b/data/generated/wiki/tools/yara-forge-rules.md new file mode 100644 index 0000000..94fa2c4 --- /dev/null +++ b/data/generated/wiki/tools/yara-forge-rules.md @@ -0,0 +1,14 @@ +# YARA-Forge Rules +> Scan files with curated YARA rules from 45+ sources for malware family identification. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/yara-x.md b/data/generated/wiki/tools/yara-x.md new file mode 100644 index 0000000..943ba35 --- /dev/null +++ b/data/generated/wiki/tools/yara-x.md 
@@ -0,0 +1,14 @@ +# yara-x +> Scan files using YARA rules, the next generation of YARA written in Rust. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/yara.md b/data/generated/wiki/tools/yara.md new file mode 100644 index 0000000..315354f --- /dev/null +++ b/data/generated/wiki/tools/yara.md 
@@ -0,0 +1,34 @@ +# yara +> Pattern matching tool for identifying and classifying malware using custom rules + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +yara-rules specimen.bin +yara rule.yar specimen.exe +``` + +## Recipes +- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]] + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#pattern-matching #classification #rules diff --git a/data/generated/wiki/tools/zbar-tools.md b/data/generated/wiki/tools/zbar-tools.md new file mode 100644 index 0000000..bfd4e93 --- /dev/null +++ b/data/generated/wiki/tools/zbar-tools.md @@ -0,0 +1,4 @@ +# zbar-tools + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/zbarimg.md b/data/generated/wiki/tools/zbarimg.md new file mode 100644 index 0000000..fe98855 --- /dev/null +++ b/data/generated/wiki/tools/zbarimg.md @@ -0,0 +1,14 @@ +# zbarimg +> Decode QR codes and barcodes from image files. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#explore-network-interactions-connecting diff --git a/data/generated/wiki/tools/zipdump.md b/data/generated/wiki/tools/zipdump.md new file mode 100644 index 0000000..6b292aa --- /dev/null +++ b/data/generated/wiki/tools/zipdump.md 
@@ -0,0 +1,22 @@ +# zipdump.py +> Parse and analyze ZIP archive structure + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +zipdump.py archive.zip +``` + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Sections:** 3 + +#zip #archive #didier-stevens diff --git a/data/generated/wiki/tools/zlib1g-dev.md b/data/generated/wiki/tools/zlib1g-dev.md new file mode 100644 index 0000000..6ef04b2 --- /dev/null +++ b/data/generated/wiki/tools/zlib1g-dev.md @@ -0,0 +1,4 @@ +# zlib1g-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/workflows/android-analysis-workflow.md b/data/generated/wiki/workflows/android-analysis-workflow.md new file mode 100644 index 0000000..c082ad9 --- /dev/null +++ b/data/generated/wiki/workflows/android-analysis-workflow.md 
@@ -0,0 +1,65 @@
+# Android Malware Analysis
+> Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.
+
+## Steps
+
+### Step 1: APK Triage
+**Tools:** [[tools/file|file]], [[tools/apkid|apkid]]
+
+Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques.
+
+```bash
+file specimen.exe
+```
+
+### Step 2: Manifest Analysis
+**Tools:** [[tools/apktool|apktool]]
+
+Decompile APK: apktool d -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters.
+
+```bash
+apktool d -o output/
+```
+
+### Step 3: Source Code Recovery
+**Tools:** [[tools/jadx|jadx]]
+
+Decompile DEX to Java: jadx -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks.
+
+```bash
+jadx -d output/
+```
+
+### Step 4: Static Analysis
+**Tools:** [[tools/androguard|androguard]], [[tools/droidlysis|droidlysis]]
+
+androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage.
+
+```bash
+androguard analyze
+```
+
+### Step 5: Native Library Analysis
+**Tools:** [[tools/strings|strings]], [[tools/radare2|radare2]]
+
+If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto.
+
+```bash
+strings binary.exe
+r2 specimen.exe
+```
+
+### Step 6: Dynamic Instrumentation
+**Tools:** [[tools/frida|frida]]
+
+Hook suspicious functions at runtime: frida -U -l hook.js . Intercept: crypto operations, network calls, file access, SMS operations.
+
+```bash
+frida -l hook.js
+```
+
+### Step 7: Document Findings
+
+Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location).
+
+#android #apk #mobile #frida #jadx #apktool #workflow
diff --git a/data/generated/wiki/workflows/behavioral-analysis-workflow.md b/data/generated/wiki/workflows/behavioral-analysis-workflow.md
new file mode 100644
index 0000000..f3fa55d
--- /dev/null
+++ b/data/generated/wiki/workflows/behavioral-analysis-workflow.md
@@ -0,0 +1,61 @@
+# Behavioral Analysis
+> Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows.
+
+**FOR610 Labs:** 1.2, 1.4, 1.6, 4.5
+
+## Steps
+
+### Step 1: Environment Preparation
+
+Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes).
+
+### Step 2: Network Interception Setup
+**Tools:** [[tools/fakedns|fakedns]], [[tools/inetsim|inetsim]], [[tools/fakenet-ng|fakenet-ng]]
+
+Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP.
+
+```bash
+fakedns
+inetsim
+fakenet
+```
+
+### Step 3: Monitoring Setup
+**Tools:** [[tools/wireshark|wireshark]], [[tools/tcpdump|tcpdump]], [[tools/strace|strace]]
+
+Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring.
+
+```bash
+wireshark
+tcpdump -i eth0 -w capture.pcap
+```
+
+### Step 4: Emulation (Safe Alternative)
+**Tools:** [[tools/speakeasy|speakeasy]], [[tools/capa|capa]]
+
+Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview.
+
+```bash
+speakeasy -t specimen.exe -o report.json 2> report.txt
+capa specimen.exe
+```
+
+### Step 5: Execute & Monitor
+
+Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes.
+
+### Step 6: Analyze Results
+**Tools:** [[tools/wireshark|wireshark]], [[tools/procdot|procdot]]
+
+Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes.
+
+```bash
+wireshark
+procdot
+```
+
+### Step 7: Extract IOCs
+
+Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms.
Classify behavior: downloader, backdoor, ransomware, etc.
+
+#behavioral #dynamic #monitoring #emulation #workflow
diff --git a/data/generated/wiki/workflows/cobalt-strike-workflow.md b/data/generated/wiki/workflows/cobalt-strike-workflow.md
new file mode 100644
index 0000000..1ae6fc9
--- /dev/null
+++ b/data/generated/wiki/workflows/cobalt-strike-workflow.md
@@ -0,0 +1,67 @@
+# Cobalt Strike Analysis
+> Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.
+
+**FOR610 Labs:** 3.4
+
+## Steps
+
+### Step 1: Beacon Detection
+**Tools:** [[tools/yara|yara]], [[tools/capa|capa]]
+
+Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns.
+
+```bash
+yara-rules specimen.bin
+capa specimen.exe
+```
+
+### Step 2: Configuration Extraction
+**Tools:** [[tools/1768-py|1768-py]]
+
+Parse beacon config: 1768.py . Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config.
+
+```bash
+1768.py shellcode.bin
+```
+
+### Step 3: Metadata Decryption
+**Tools:** [[tools/cs-decrypt-metadata-py|cs-decrypt-metadata-py]]
+
+Decrypt beacon metadata from network captures: cs-decrypt-metadata.py . Reveals: computer name, user, process info sent to team server.
+
+```bash
+cs-decrypt-metadata.py
+```
+
+### Step 4: Key Extraction
+**Tools:** [[tools/cs-extract-key-py|cs-extract-key-py]]
+
+Extract encryption keys: cs-extract-key.py -f . Recovers AES and HMAC keys used for C2 communication encryption.
+
+```bash
+cs-extract-key.py -f
+```
+
+### Step 5: Traffic Decryption
+**Tools:** [[tools/cs-parse-traffic-py|cs-parse-traffic-py]]
+
+Decrypt C2 traffic: cs-parse-traffic.py -f -k . Reveals: tasking commands, downloaded payloads, exfiltrated data.
+
+```bash
+cs-parse-traffic.py -f -k
+```
+
+### Step 6: Sleep Mask Analysis
+**Tools:** [[tools/cs-analyze-processdump-py|cs-analyze-processdump-py]]
+
+Analyze sleep mask: cs-analyze-processdump.py . Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics.
+
+```bash
+cs-analyze-processdump.py
+```
+
+### Step 7: Document Findings
+
+Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators.
+
+#cobalt-strike #c2 #beacon #didier-stevens #threat-intel #workflow
diff --git a/data/generated/wiki/workflows/code-injection-workflow.md b/data/generated/wiki/workflows/code-injection-workflow.md
new file mode 100644
index 0000000..47e5dea
--- /dev/null
+++ b/data/generated/wiki/workflows/code-injection-workflow.md
@@ -0,0 +1,74 @@
+# Code Injection Analysis
+> Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.
+
+**FOR610 Labs:** 4.9, 5.4
+
+## Steps
+
+### Step 1: Capability Detection
+**Tools:** [[tools/capa|capa]]
+
+Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs.
+
+```bash
+capa specimen.exe
+```
+
+### Step 2: Injection Type Classification
+**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]]
+
+Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC).
+
+```bash
+ghidra
+cutter specimen.exe
+```
+
+### Step 3: Target Process Analysis
+**Tools:** [[tools/ghidra|ghidra]]
+
+How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls.
+
+```bash
+ghidra
+```
+
+### Step 4: Payload Identification
+**Tools:** [[tools/ghidra|ghidra]]
+
+What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content.
+
+```bash
+ghidra
+```
+
+### Step 5: Memory Allocation Analysis
+**Tools:** [[tools/ghidra|ghidra]]
+
+Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation.
+
+```bash
+ghidra
+```
+
+### Step 6: Injection Verification [W]
+**Tools:** [[tools/x32dbg|x32dbg]], [[tools/x64dbg|x64dbg]]
+
+Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis.
+
+### Step 7: Extracted Payload Analysis
+**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]], [[tools/strings|strings]]
+
+Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly).
+
+```bash
+peframe specimen.exe
+capa specimen.exe
+strings binary.exe
+```
+
+### Step 8: Document Technique
+
+Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x).
+
+#code-injection #process-hollowing #dll-injection #reflective-loading #workflow
diff --git a/data/generated/wiki/workflows/document-analysis-workflow.md b/data/generated/wiki/workflows/document-analysis-workflow.md
new file mode 100644
index 0000000..2055264
--- /dev/null
+++ b/data/generated/wiki/workflows/document-analysis-workflow.md
@@ -0,0 +1,75 @@
+# Malicious Document Analysis
+> Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology.
+
+**FOR610 Labs:** 3.1, 3.3, 3.4, 3.5
+
+## Steps
+
+### Step 1: Format Identification
+**Tools:** [[tools/file|file]], [[tools/trid|trid]]
+
+Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes.
+
+```bash
+file specimen.exe
+trid document.doc
+```
+
+### Step 2: Structure Analysis
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/rtfdump-py|rtfdump-py]], [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/onedump-py|onedump-py]]
+
+Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups.
+
+```bash
+oledump.py document.docm
+rtfdump.py document.rtf
+pdfid.py document.pdf
+```
+
+### Step 3: Password Handling (if encrypted)
+**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]]
+
+If document is password-protected: msoffcrypto-tool -p . Common passwords: infected, malware, password, 123456.
+
+```bash
+msoffcrypto-tool -p infected
+```
+
+### Step 4: Macro/Script Extraction
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/olevba|olevba]], [[tools/pcode2code|pcode2code]], [[tools/xlmmacrodeobfuscator|XLMMacroDeobfuscator]]
+
+Extract VBA: oledump.py -s -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open).
+
+```bash
+oledump.py document.docm
+olevba document.docm
+pcode2code
+```
+
+### Step 5: Payload Decoding
+**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]], [[tools/gunzip|gunzip]], [[tools/numbers-to-string-py|numbers-to-string-py]], [[tools/cyberchef|cyberchef]]
+
+Decode embedded payloads.
Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key).
+
+```bash
+base64dump.py file.txt
+translate.py "byte ^ 35" < input.bin > output.bin
+gunzip -c compressed.gz > output.bin
+```
+
+### Step 6: Embedded Object Analysis
+**Tools:** [[tools/scdbgc|scdbgc]], [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/1768-py|1768-py]]
+
+If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow.
+
+```bash
+scdbgc /f shellcode.bin /s -1
+XORSearch -W -d 3 file.bin
+yara-rules specimen.bin
+```
+
+### Step 7: Document IOCs
+
+Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable).
+
+#documents #office #pdf #rtf #macro #onenote #workflow
diff --git a/data/generated/wiki/workflows/dotnet-analysis-workflow.md b/data/generated/wiki/workflows/dotnet-analysis-workflow.md
new file mode 100644
index 0000000..d6cdb82
--- /dev/null
+++ b/data/generated/wiki/workflows/dotnet-analysis-workflow.md
@@ -0,0 +1,74 @@
+# .NET Malware Analysis
+> Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies.
+
+**FOR610 Labs:** 3.12, 4.8
+
+## Steps
+
+### Step 1: Identification & Metadata
+**Tools:** [[tools/peframe|peframe]], [[tools/diec|diec]], [[tools/dnfile|dnfile]], [[tools/dotnetfile|dotnetfile]]
+
+Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies.
+
+```bash
+peframe specimen.exe
+diec specimen.exe
+```
+
+### Step 2: Obfuscator Detection
+**Tools:** [[tools/diec|diec]], [[tools/de4dot|de4dot]]
+
+Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d reports detected obfuscator without modifying the file.
+
+```bash
+diec specimen.exe
+de4dot obfuscated.exe
+```
+
+### Step 3: Decompilation
+**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/monodis|monodis]]
+
+Decompile to C# source: ilspycmd > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources.
+
+```bash
+ilspycmd assembly.exe > decompiled.cs
+```
+
+### Step 4: Dynamic Loading Detection
+**Tools:** [[tools/visual-studio-code|visual-studio-code]]
+
+Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading.
+
+```bash
+code filename.js
+```
+
+### Step 5: Deobfuscation
+**Tools:** [[tools/de4dot|de4dot]]
+
+Run: de4dot -o . If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants.
+
+```bash
+de4dot obfuscated.exe
+```
+
+### Step 6: Dynamic Debugging [W]
+**Tools:** [[tools/dnspyex|dnspyex]]
+
+If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method.
Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk.
+
+### Step 7: Extracted Payload Analysis
+**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/peframe|peframe]]
+
+Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain.
+
+```bash
+ilspycmd assembly.exe > decompiled.cs
+peframe specimen.exe
+```
+
+### Step 8: Document Findings
+
+Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms.
+
+#dotnet #decompilation #deobfuscation #ilspy #de4dot #workflow
diff --git a/data/generated/wiki/workflows/email-analysis-workflow.md b/data/generated/wiki/workflows/email-analysis-workflow.md
new file mode 100644
index 0000000..ccf90d1
--- /dev/null
+++ b/data/generated/wiki/workflows/email-analysis-workflow.md
@@ -0,0 +1,54 @@
+# Email & Phishing Analysis
+> Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.
+
+## Steps
+
+### Step 1: Header Analysis
+**Tools:** [[tools/emldump-py|emldump-py]], [[tools/mail-parser|mail-parser]]
+
+Parse SMTP headers: emldump.py . Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer.
+
+```bash
+emldump.py message.eml
+python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)"
+```
+
+### Step 2: Attachment Extraction
+**Tools:** [[tools/emldump-py|emldump-py]], [[tools/msg-extractor|msg-extractor]]
+
+Extract attachments: emldump.py -d. For MSG format: msg-extractor . List all attachments with types and sizes.
+
+```bash
+emldump.py message.eml
+extract_msg
+```
+
+### Step 3: Attachment Triage
+**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/yara|yara]], [[tools/sha256sum|sha256sum]]
+
+For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).
+
+```bash
+file specimen.exe
+trid document.doc
+yara-rules specimen.bin
+```
+
+### Step 4: Link Analysis
+**Tools:** [[tools/unfurl|unfurl]]
+
+Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters).
+
+```bash
+unfurl parse
+```
+
+### Step 5: Payload Analysis
+
+Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page.
+
+### Step 6: Document IOCs
+
+Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names).
+
+#email #phishing #eml #msg #attachments #headers #workflow
diff --git a/data/generated/wiki/workflows/java-analysis-workflow.md b/data/generated/wiki/workflows/java-analysis-workflow.md
new file mode 100644
index 0000000..4e0e7eb
--- /dev/null
+++ b/data/generated/wiki/workflows/java-analysis-workflow.md
@@ -0,0 +1,57 @@
+# Java Malware Analysis
+> Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.
+
+## Steps
+
+### Step 1: Archive Inspection
+**Tools:** [[tools/unzip|unzip]], [[tools/file|file]]
+
+Extract JAR contents: unzip -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files.
+
+```bash
+unzip -P infected sample.zip
+file specimen.exe
+```
+
+### Step 2: Decompilation
+**Tools:** [[tools/cfr|cfr]], [[tools/jd-gui|jd-gui]]
+
+Decompile with CFR: cfr --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better.
+
+```bash
+cfr --outputdir output/
+jd-gui
+```
+
+### Step 3: Multi-Decompiler Comparison
+**Tools:** [[tools/cfr|cfr]], [[tools/procyon|procyon]]
+
+If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine.
+
+```bash
+cfr --outputdir output/
+```
+
+### Step 4: Code Analysis
+**Tools:** [[tools/visual-studio-code|visual-studio-code]]
+
+Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName).
+
+```bash
+code filename.js
+```
+
+### Step 5: Resource Extraction
+**Tools:** [[tools/strings|strings]]
+
+Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common.
+
+```bash
+strings binary.exe
+```
+
+### Step 6: Document Findings
+
+Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements.
+
+#java #jar #decompilation #cfr #jd-gui #workflow
diff --git a/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md b/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md
new file mode 100644
index 0000000..5ffa2fb
--- /dev/null
+++ b/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md
@@ -0,0 +1,57 @@
+# JavaScript Deobfuscation
+> Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.
+
+**FOR610 Labs:** 3.6, 3.7
+
+## Steps
+
+### Step 1: Beautification
+**Tools:** [[tools/js-beautify|js-beautify]]
+
+Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob().
+
+```bash
+js-beautify malicious.js > beautified.js
+```
+
+### Step 2: Static Review
+**Tools:** [[tools/visual-studio-code|visual-studio-code]]
+
+Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated).
+
+```bash
+code filename.js
+```
+
+### Step 3: Safe Execution (SpiderMonkey)
+**Tools:** [[tools/spidermonkey|spidermonkey]]
+
+Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f . Captures eval'd code without running it.
+
+```bash
+js -f malicious.js
+```
+
+### Step 4: Environment Tuning
+**Tools:** [[tools/visual-studio-code|visual-studio-code]]
+
+If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey.
+
+```bash
+code filename.js
+```
+
+### Step 5: Alternative Analysis
+**Tools:** [[tools/box-js|box-js]], [[tools/jstillery|jstillery]]
+
+box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation.
+
+```bash
+box-js --output-dir=/tmp suspicious.js
+```
+
+### Step 6: Payload Identification
+
+What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths.
+
+#javascript #deobfuscation #spidermonkey #box-js #web #workflow
diff --git a/data/generated/wiki/workflows/memory-forensics-workflow.md b/data/generated/wiki/workflows/memory-forensics-workflow.md
new file mode 100644
index 0000000..f242e04
--- /dev/null
+++ b/data/generated/wiki/workflows/memory-forensics-workflow.md
@@ -0,0 +1,79 @@
+# Memory Forensics
+> Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux.
+
+## Steps
+
+### Step 1: Image Identification
+**Tools:** [[tools/volatility3|volatility3]]
+
+Determine OS and profile: vol3 -f windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 2: Process Analysis
+**Tools:** [[tools/volatility3|volatility3]]
+
+List processes: vol3 -f windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 3: Network Connections
+**Tools:** [[tools/volatility3|volatility3]]
+
+List connections: vol3 -f windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 4: Injection Detection
+**Tools:** [[tools/volatility3|volatility3]]
+
+Detect injected code: vol3 -f windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 5: DLL Analysis
+**Tools:** [[tools/volatility3|volatility3]]
+
+List loaded DLLs: vol3 -f windows.dlllist --pid . Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 6: String Search
+**Tools:** [[tools/volatility3|volatility3]], [[tools/strings|strings]]
+
+Search for known IOCs in memory: vol3 -f windows.strings. Also: strings | grep -i ''. Look for URLs, domains, file paths, commands.
+
+```bash
+vol3 -f windows.info
+strings binary.exe
+```
+
+### Step 7: Process & Code Dumping
+**Tools:** [[tools/volatility3|volatility3]]
+
+Extract suspicious processes: vol3 -f windows.dumpfiles --pid .
Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow.
+
+```bash
+vol3 -f windows.info
+```
+
+### Step 8: Timeline Reconstruction
+**Tools:** [[tools/volatility3|volatility3]]
+
+Build timeline: vol3 -f timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data.
+
+```bash
+vol3 -f windows.info
+```
+
+#memory #forensics #volatility #injection #incident-response #workflow
diff --git a/data/generated/wiki/workflows/network-interception-workflow.md b/data/generated/wiki/workflows/network-interception-workflow.md
new file mode 100644
index 0000000..8217c53
--- /dev/null
+++ b/data/generated/wiki/workflows/network-interception-workflow.md
@@ -0,0 +1,86 @@
+# Network Traffic Interception
+> Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception.
+
+**FOR610 Labs:** 1.3, 1.7, 1.8
+
+## Steps
+
+### Step 1: DNS Interception
+**Tools:** [[tools/fakedns|fakedns]]
+
+Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP.
+
+```bash
+fakedns
+```
+
+### Step 2: Service Emulation
+**Tools:** [[tools/inetsim|inetsim]], [[tools/fakenet-ng|fakenet-ng]], [[tools/httpd|httpd]]
+
+Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only.
+
+```bash
+inetsim
+fakenet
+httpd
+```
+
+### Step 3: TLS/HTTPS Interception (if needed)
+**Tools:** [[tools/mitmproxy|mitmproxy]], [[tools/polarproxy|polarproxy]]
+
+For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed.
+
+```bash
+mitmproxy
+PolarProxy -p 443,80 -w captured.pcap
+```
+
+### Step 4: Packet Capture
+**Tools:** [[tools/wireshark|wireshark]], [[tools/tcpdump|tcpdump]]
+
+Start capture before executing malware. Filter: not arp and not broadcast. Save to PCAP for later analysis.
+
+```bash
+wireshark
+tcpdump -i eth0 -w capture.pcap
+```
+
+### Step 5: Execute & Observe
+
+Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port).
+
+### Step 6: Traffic Analysis
+**Tools:** [[tools/wireshark|wireshark]], [[tools/tshark|tshark]], [[tools/ngrep|ngrep]], [[tools/tcpflow|tcpflow]]
+
+Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals).
+
+```bash
+wireshark
+tshark -r capture.pcap
+ngrep -I 'password'
+```
+
+### Step 7: File Extraction
+**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/networkminer|networkminer]]
+
+Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically.
+
+```bash
+tcpxtract -f -o output/
+NetworkMiner --pcap
+```
+
+### Step 8: IP-Based Redirection (if needed)
+**Tools:** [[tools/iptables|iptables]]
+
+If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services.
+
+```bash
+iptables -t nat -A PREROUTING -i ens32 -j REDIRECT
+```
+
+### Step 9: Document Network IOCs
+
+Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details.
+
+#network #interception #c2 #dns #https #pcap #workflow
diff --git a/data/generated/wiki/workflows/shellcode-analysis-workflow.md b/data/generated/wiki/workflows/shellcode-analysis-workflow.md
new file mode 100644
index 0000000..aaec6ad
--- /dev/null
+++ b/data/generated/wiki/workflows/shellcode-analysis-workflow.md
@@ -0,0 +1,74 @@
+# Shellcode Analysis
+> Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.
+
+**FOR610 Labs:** 3.4, 3.5, 4.6, 4.7
+
+## Steps
+
+### Step 1: Shellcode Detection
+**Tools:** [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/capa|capa]]
+
+Scan carrier file for shellcode patterns. XORSearch -W -d 3 detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks.
+
+```bash
+XORSearch -W -d 3 file.bin
+yara-rules specimen.bin
+capa specimen.exe
+```
+
+### Step 2: Extraction
+**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/oledump-py|oledump-py]], [[tools/pdf-parser-py|pdf-parser-py]]
+
+Extract shellcode from carrier. For RTF: rtfdump.py -s -H -d > sc.bin. For OLE: oledump.py -s -d > sc.bin. For PDF: pdf-parser.py -o -d sc.bin.
+
+```bash
+rtfdump.py document.rtf
+oledump.py document.docm
+pdf-parser.py document.pdf -a
+```
+
+### Step 3: Emulation
+**Tools:** [[tools/scdbgc|scdbgc]], [[tools/speakeasy|speakeasy]]
+
+Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation.
+
+```bash
+scdbgc /f shellcode.bin /s -1
+speakeasy -t specimen.exe -o report.json 2> report.txt
+```
+
+### Step 4: Framework Identification
+**Tools:** [[tools/yara|yara]], [[tools/1768-py|1768-py]]
+
+Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found.
+
+```bash
+yara-rules specimen.bin
+1768.py shellcode.bin
+```
+
+### Step 5: Conversion to EXE
+**Tools:** [[tools/shcode2exe|shcode2exe]]
+
+Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra.
+
+```bash
+shcode2exe
+```
+
+### Step 6: String & IOC Extraction
+**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/cyberchef|cyberchef]]
+
+Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content.
+
+```bash
+strings binary.exe
+floss specimen.exe
+cyberchef
+```
+
+### Step 7: Document Findings
+
+Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless).
+
+#shellcode #emulation #cobalt-strike #metasploit #scdbg #workflow
diff --git a/data/generated/wiki/workflows/static-analysis-workflow.md b/data/generated/wiki/workflows/static-analysis-workflow.md
new file mode 100644
index 0000000..b706c6f
--- /dev/null
+++ b/data/generated/wiki/workflows/static-analysis-workflow.md
@@ -0,0 +1,84 @@ +# Static Properties Analysis +> Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents. + +**FOR610 Labs:** 1.1, 2.1, 4.1 + +## Steps + +### Step 1: File Identification & Hashing +**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/exiftool|exiftool]], [[tools/sha256sum|sha256sum]] + +Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps. + +```bash +file specimen.exe +trid document.doc +exiftool document.pdf +``` + +### Step 2: Reputation Check +**Tools:** [[tools/malwoverview|malwoverview]], [[tools/virustotal-search|virustotal-search]] + +Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis. + +```bash +malwoverview -v +``` + +### Step 3: Packing & Entropy Check +**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]] + +Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow. + +```bash +diec specimen.exe +peframe specimen.exe +``` + +### Step 4: String Extraction +**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/pestr|pestr]] + +Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names. + +```bash +strings binary.exe +floss specimen.exe +pestr specimen.exe +``` + +### Step 5: Capability Detection +**Tools:** [[tools/capa|capa]], [[tools/yara|yara]] + +Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities. 
+ +```bash +capa specimen.exe +yara-rules specimen.bin +``` + +### Step 6: Import & Export Analysis +**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]] + +Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality. + +```bash +peframe specimen.exe +capa specimen.exe +``` + +### Step 7: Disassembly (if needed) +**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]], [[tools/radare2|radare2]] + +Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view. + +```bash +ghidra +cutter specimen.exe +r2 specimen.exe +``` + +### Step 8: Document Findings + +Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis? + +#static #triage #pe-analysis #elf-analysis #workflow diff --git a/data/generated/wiki/workflows/string-deobfuscation-workflow.md b/data/generated/wiki/workflows/string-deobfuscation-workflow.md new file mode 100644 index 0000000..db1872e --- /dev/null +++ b/data/generated/wiki/workflows/string-deobfuscation-workflow.md 
@@ -0,0 +1,62 @@ +# String & Data Deobfuscation +> Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding. + +**FOR610 Labs:** 1.5, 5.2 + +## Steps + +### Step 1: Automated Extraction +**Tools:** [[tools/floss|floss]], [[tools/strings|strings]] + +Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings. + +```bash +floss specimen.exe +strings binary.exe +``` + +### Step 2: Encoding Detection +**Tools:** [[tools/xorsearch|xorsearch]], [[tools/bbcrack|bbcrack]] + +Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels. + +```bash +XORSearch -W -d 3 file.bin +bbcrack -l 1 specimen.dll +``` + +### Step 3: Single-Byte XOR Recovery +**Tools:** [[tools/brxor-py|brxor-py]], [[tools/xortool|xortool]] + +For single-byte XOR: brxor.py finds English words. xortool guesses key length and probable key. xortool-xor -s -i -o decoded.bin to decode. + +```bash +brxor.py specimen.dll +xortool +``` + +### Step 4: Multi-Byte / Custom Decoding +**Tools:** [[tools/translate-py|translate-py]], [[tools/cyberchef|cyberchef]] + +For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe. + +```bash +translate.py "byte ^ 35" < input.bin > output.bin +cyberchef +``` + +### Step 5: Stack String Recovery +**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]] + +For strings built on the stack (MOV byte-by-byte): strdeob.pl or FLOSS stack string detection. Common in evasive malware to avoid string extraction. + +```bash +strdeob.pl specimen.exe +floss specimen.exe +``` + +### Step 6: Validation & IOC Extraction + +Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. 
Compare against known malware family patterns. + +#strings #xor #deobfuscation #floss #cyberchef #encoding #workflow diff --git a/data/generated/wiki/workflows/unpacking-workflow.md b/data/generated/wiki/workflows/unpacking-workflow.md new file mode 100644 index 0000000..f426647 --- /dev/null +++ b/data/generated/wiki/workflows/unpacking-workflow.md 
@@ -0,0 +1,69 @@ +# Unpacking Packed Executables +> Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques. + +**FOR610 Labs:** 4.1, 4.2, 4.3, 5.3, 5.8, 5.10 + +## Steps + +### Step 1: Packing Identification +**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]] + +Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed). + +```bash +diec specimen.exe +peframe specimen.exe +``` + +### Step 2: Automated Unpacking +**Tools:** [[tools/upx|upx]], [[tools/de4dot|de4dot]] + +Try known unpackers first. UPX: upx -d . .NET: de4dot . If automated unpacking fails (modified packer), proceed to manual. + +```bash +upx -d packed.exe +de4dot obfuscated.exe +``` + +### Step 3: Emulation-Based Unpacking +**Tools:** [[tools/speakeasy|speakeasy]], [[tools/qiling|qiling]] + +Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns. + +```bash +speakeasy -t specimen.exe -o report.json 2> report.txt +python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" +``` + +### Step 4: Debugger-Based Unpacking [W] +**Tools:** [[tools/x64dbg|x64dbg]], [[tools/x32dbg|x32dbg]] + +Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP. + +### Step 5: Anti-Debug Bypass [W] +**Tools:** [[tools/scyllahide|scyllahide]] + +If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks. + +### Step 6: Memory Dumping [W] +**Tools:** [[tools/ollydumpex|ollydumpex]], [[tools/scylla|scylla]] + +At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump). 
+ +### Step 7: PE Fixup [W] +**Tools:** [[tools/pe-unmapper|pe-unmapper]] + +If dump has virtual alignment: pe_unmapper /in /base 400000 /out . Only needed if sections have wrong raw sizes. + +### Step 8: Verification +**Tools:** [[tools/strings|strings]], [[tools/peframe|peframe]], [[tools/capa|capa]] + +Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis. + +```bash +strings binary.exe +peframe specimen.exe +capa specimen.exe +``` + +#unpacking #packing #iat #memory-dump #oep #workflow diff --git a/scripts/fhelp b/scripts/fhelp index 44d8444..5125b24 100755 --- a/scripts/fhelp +++ b/scripts/fhelp @@ -13,10 +13,11 @@ MAGENTA='\033[0;35m' NC='\033[0m' # Help system paths -TOOLS_DB="/opt/remnux-docs/tools.db" -CHEAT_DIR="/opt/cheatsheets" -WORKFLOW_DIR="/opt/remnux-docs/workflows" -TLDR_CACHE="/home/remnux/.local/share/tldr" +TOOLS_DB="${TOOLS_DB:-/opt/remnux-docs/tools.db}" +CHEAT_DIR="${CHEAT_DIR:-/opt/cheatsheets}" +WORKFLOW_DIR="${WORKFLOW_DIR:-/opt/remnux-docs/workflows}" +TLDR_CACHE="${TLDR_CACHE:-/home/remnux/.local/share/tldr}" +WIKI_DIR="${WIKI_DIR:-/opt/wiki}" # Resolve cheat file names from a user-provided tool name # Tries several variants: exact, without .py, with .py, hyphen/underscore alternatives @@ -72,6 +73,10 @@ show_main_help() { echo " fhelp workflow - List all 8 analysis workflows" echo " fhelp workflow - Show step-by-step workflow" echo "" + echo -e "${GREEN}Wiki:${NC}" + echo " fhelp wiki - Browse the analysis wiki (zk)" + echo " fhelp wiki - Open a specific wiki page" + echo "" echo -e "${GREEN}Other:${NC}" echo " fhelp coverage - Help coverage statistics" echo " fhelp examples - Browse all cheat sheets" 
@@ -440,6 +445,60 @@ show_offline_status() { echo -e "${GREEN}Offline help system ready!${NC}" } +show_wiki() { + local query="$1" + + if [[ ! -d "$WIKI_DIR" ]]; then + echo -e "${RED}Wiki not installed at $WIKI_DIR${NC}" + return 1 + fi + + if [[ -z "$query" ]]; then + # Interactive browse + if command -v zk >/dev/null 2>&1; then + cd "$WIKI_DIR" && zk list --interactive + elif command -v fzf >/dev/null 2>&1; then + local selected + selected=$(find "$WIKI_DIR" -name '*.md' -not -path '*/.zk/*' | sort | fzf --preview "cat {}") + if [[ -n "$selected" ]]; then + cat "$selected" + fi + else + echo -e "${CYAN}Wiki pages:${NC}" + find "$WIKI_DIR" -name '*.md' -not -path '*/.zk/*' | sort | sed "s|$WIKI_DIR/||" | sed 's/^/ /' + fi + else + # Search for specific page + local found="" + local search_slug=$(echo "$query" | tr '[:upper:]' '[:lower:]' | sed 's/\.py$//' | sed 's/[^a-z0-9]/-/g' | sed 's/-$//') + + # Try exact matches + for dir in tools workflows recipes categories; do + if [[ -f "$WIKI_DIR/$dir/$search_slug.md" ]]; then + found="$WIKI_DIR/$dir/$search_slug.md" + break + fi + done + + # Try fuzzy match + if [[ -z "$found" ]]; then + found=$(find "$WIKI_DIR" -name "*${search_slug}*" -name '*.md' -not -path '*/.zk/*' | head -1) + fi + + if [[ -n "$found" && -f "$found" ]]; then + echo -e "${CYAN}Wiki: ${YELLOW}$(basename "$found" .md)${NC}" + echo "$(printf '=%.0s' $(seq 1 60))" + echo "" + cat "$found" + else + echo -e "${YELLOW}No wiki page found for '$query'${NC}" + if command -v zk >/dev/null 2>&1; then + echo "Try: fhelp wiki (interactive browse)" + fi + fi + fi +} + show_all() { echo -e "${CYAN}Complete Help System Overview${NC}" echo "=================================" @@ -485,6 +544,10 @@ case "${1:-}" in "forensics") show_workflow "behavioral-analysis" ;; + "wiki") + shift + show_wiki "$@" + ;; "coverage") show_coverage ;; diff --git a/scripts/generate-wiki.py b/scripts/generate-wiki.py new file mode 100644 index 0000000..9757ed7 --- /dev/null 
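Review bot: In show_wiki a query that slugs to the empty string (one made only of punctuation, since `sed 's/[^a-z0-9]/-/g'` and the trailing-dash strip leave nothing) reaches `find "$WIKI_DIR" -name "*${search_slug}*" ...`, which matches every page, so `head -1` prints an arbitrary page instead of reporting no match; add `if [[ -z "$search_slug" ]]; then echo -e "${YELLOW}No wiki page found for '$query'${NC}"; return 1; fi` right after the slug is computed. `local search_slug=$(...)` also masks the pipeline's exit status (shellcheck SC2155); declare on one line and assign on the next. The list fallback interpolates the user-overridable path into a regex via `sed "s|$WIKI_DIR/||"`, so a path containing `|` or regex metacharacters would garble the listing; stripping the prefix with `${path#"$WIKI_DIR/"}` per entry avoids that.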
+++ b/scripts/generate-wiki.py 
@@ -0,0 +1,500 @@ +#!/usr/bin/env python3 +"""Generate a markdown wiki with [[wiki-links]] from the master tool inventory. + +Produces interlinked markdown pages for tools, workflows, recipes, and categories. +Designed for browsing with zk (https://github.com/zk-org/zk). + +Output: data/generated/wiki/ +""" + +import os +import re +import yaml + +BASE_DIR = os.path.join(os.path.dirname(__file__), "..") +MASTER = os.path.join(BASE_DIR, "data", "remnux", "tools-master.yaml") +WORKFLOWS_SRC = os.path.join(BASE_DIR, "data", "for610", "workflows.yaml") +RECIPES_SRC = os.path.join(BASE_DIR, "data", "for610", "recipes.yaml") +CATEGORIES_SRC = os.path.join(BASE_DIR, "data", "remnux", "categories-master.yaml") +WIKI_DIR = os.path.join(BASE_DIR, "data", "generated", "wiki") + + +def slug(name): + """Convert a name to a wiki-safe filename slug.""" + s = name.lower().strip() + s = re.sub(r'\.py$', '', s) + s = re.sub(r'\.pl$', '', s) + s = re.sub(r'[^a-z0-9]+', '-', s) + return s.strip('-') + + +def wiki_link(path, label=None): + """Create a [[wiki-link]].""" + if label: + return f"[[{path}|{label}]]" + return f"[[{path}]]" + + +def load_yaml(path): + if not os.path.exists(path): + return {} + with open(path) as f: + return yaml.safe_load(f) or {} + + +# ============================================================ +# Build cross-reference indexes +# ============================================================ + +def build_indexes(tools, workflows, recipes): + """Build lookup indexes for cross-referencing.""" + # Tool ID → list of workflow IDs where it appears + tool_to_workflows = {} + for wf in workflows: + for step in wf.get("steps", []): + for tool_name in step.get("tools", []): + tool_to_workflows.setdefault(tool_name, []).append({ + "workflow_id": wf["id"], + "workflow_name": wf["name"], + "step_order": step["order"], + "step_name": step["name"], + }) + + # Tool ID → list of recipe IDs where it appears + tool_to_recipes = {} + for recipe in recipes: + for tool_id in 
recipe.get("tools", []): + tool_to_recipes.setdefault(tool_id, []).append({ + "recipe_id": recipe["id"], + "recipe_name": recipe["name"], + }) + + # Category → list of tool IDs + category_to_tools = {} + for t in tools: + cat = "" + if t["sources"]["remnux_docs"].get("covered"): + cat = t["sources"]["remnux_docs"].get("category", "") + elif t["sources"]["for610"].get("covered"): + cat = t["sources"]["for610"].get("category", "") + if cat: + category_to_tools.setdefault(cat, []).append(t) + + # Build related tools index (same category) + tool_related = {} + for cat, cat_tools in category_to_tools.items(): + for t in cat_tools: + related = [rt for rt in cat_tools if rt["id"] != t["id"]][:5] + tool_related[t["id"]] = related + + return tool_to_workflows, tool_to_recipes, category_to_tools, tool_related + + +# ============================================================ +# Generate tool pages +# ============================================================ + +def generate_tool_page(t, tool_to_workflows, tool_to_recipes, tool_related): + """Generate a wiki page for a single tool.""" + name = t["name"] + desc = t.get("description", "") + tier = t.get("help_tier", "basic") + tid = t["id"] + + # Determine category + cat = "" + cat_slug_val = "" + if t["sources"]["remnux_docs"].get("covered"): + cat = t["sources"]["remnux_docs"].get("category", "") + elif t["sources"]["for610"].get("covered"): + cat = t["sources"]["for610"].get("category", "") + if cat: + cat_slug_val = slug(cat) + + # Determine tier label + tier_label = {"rich": "Rich (FOR610)", "standard": "Standard (docs)", "basic": "Basic"}.get(tier, tier) + + lines = [f"# {name}"] + if desc: + lines.append(f"> {desc}") + lines.append("") + + # Metadata + meta_parts = [] + if cat: + meta_parts.append(f"**Category:** {wiki_link(f'categories/{cat_slug_val}', cat)}") + meta_parts.append(f"**Tier:** {tier_label}") + if t["sources"]["for610"].get("author"): + meta_parts.append(f"**Author:** 
{t['sources']['for610']['author']}") + lines.append(" | ".join(meta_parts)) + + # Docs link + if t["sources"]["remnux_docs"].get("docs_url"): + lines.append(f"**Docs:** [{t['sources']['remnux_docs']['docs_url']}]({t['sources']['remnux_docs']['docs_url']})") + lines.append("") + + # Usage examples + usages = t["sources"]["for610"].get("typical_usage", []) + if usages: + lines.append("## Usage") + lines.append("```bash") + for u in usages: + lines.append(u) + lines.append("```") + lines.append("") + + # Recipes + recipe_refs = tool_to_recipes.get(tid, []) + if recipe_refs: + lines.append("## Recipes") + seen = set() + for r in recipe_refs: + rid = r["recipe_id"] + rname = r["recipe_name"] + if rid not in seen: + seen.add(rid) + rslug = slug(rid) + lines.append(f"- {wiki_link(f'recipes/{rslug}', rname)}") + lines.append("") + + # Workflows + wf_refs = tool_to_workflows.get(tid, []) + if wf_refs: + lines.append("## Workflows") + seen = set() + for w in wf_refs: + if w["workflow_id"] not in seen: + seen.add(w["workflow_id"]) + wf_slug = w["workflow_id"].replace("_", "-") + lines.append(f"- {wiki_link(f'workflows/{wf_slug}', w['workflow_name'])} — Step {w['step_order']}: {w['step_name']}") + lines.append("") + + # Related tools + related = tool_related.get(tid, []) + if related: + lines.append("## Related Tools") + for rt in related: + rt_desc = rt.get("description", "")[:60] + rt_name = rt["name"] + rt_slug = slug(rt_name) + lines.append(f"- {wiki_link(f'tools/{rt_slug}', rt_name)} — {rt_desc}") + lines.append("") + + # FOR610 labs + labs = t["sources"]["for610"].get("labs", []) + sections = t["sources"]["for610"].get("sections", []) + if labs or sections: + lines.append("## FOR610") + if labs: + lines.append(f"**Labs:** {', '.join(labs)}") + if sections: + lines.append(f"**Sections:** {', '.join(str(s) for s in sections)}") + lines.append("") + + # Tags + tags = t["sources"]["for610"].get("tags", []) + if tags: + lines.append(" ".join(f"#{tag}" for tag in tags)) + elif 
cat: + lines.append(f"#{slug(cat)}") + lines.append("") + + return "\n".join(lines) + + +# ============================================================ +# Generate workflow pages +# ============================================================ + +def generate_workflow_page(wf, tools_by_id): + """Generate a wiki page for a workflow.""" + name = wf["name"] + desc = wf.get("description", "") + steps = wf.get("steps", []) + related_labs = wf.get("related_labs", []) + tags = wf.get("tags", []) + + lines = [ + f"# {name}", + f"> {desc}", + "", + ] + + if related_labs: + lines.append(f"**FOR610 Labs:** {', '.join(related_labs)}") + lines.append("") + + lines.append("## Steps") + lines.append("") + + for step in steps: + order = step.get("order", "?") + step_name = step.get("name", "") + step_desc = step.get("description", "") + step_tools = step.get("tools", []) + + lines.append(f"### Step {order}: {step_name}") + + if step_tools: + tool_links = [] + for tool_name in step_tools: + tool_links.append(wiki_link(f"tools/{slug(tool_name)}", tool_name)) + lines.append(f"**Tools:** {', '.join(tool_links)}") + + if step_desc: + lines.append(f"\n{step_desc}") + + # Add inline examples + if step_tools: + examples = [] + for tool_name in step_tools: + tool = tools_by_id.get(tool_name) or tools_by_id.get(slug(tool_name)) + if tool: + usages = tool["sources"]["for610"].get("typical_usage", []) + if usages: + examples.append(usages[0]) + if examples: + lines.append("\n```bash") + for ex in examples[:3]: + lines.append(ex) + lines.append("```") + + lines.append("") + + if tags: + lines.append(" ".join(f"#{tag}" for tag in tags) + " #workflow") + lines.append("") + + return "\n".join(lines) + + +# ============================================================ +# Generate recipe pages +# ============================================================ + +def generate_recipe_page(recipe): + """Generate a wiki page for a recipe.""" + name = recipe["name"] + task = recipe.get("task", "") + tools = 
recipe.get("tools", []) + commands = recipe.get("commands", []) + lab = recipe.get("lab", "") + + lines = [ + f"# {name}", + f"> {task}", + "", + ] + + if tools: + tool_links = [wiki_link(f"tools/{slug(t)}", t) for t in tools] + lines.append(f"**Tools:** {', '.join(tool_links)}") + if lab: + lines.append(f"**FOR610 Lab:** {lab}") + lines.append("") + + lines.append("## Commands") + lines.append("```bash") + for cmd in commands: + lines.append(cmd) + lines.append("```") + lines.append("") + + lines.append("#recipe " + " ".join(f"#{slug(t)}" for t in tools)) + lines.append("") + + return "\n".join(lines) + + +# ============================================================ +# Generate category pages +# ============================================================ + +def generate_category_page(cat_name, cat_tools): + """Generate a wiki page for a category.""" + lines = [ + f"# {cat_name}", + "", + f"**{len(cat_tools)} tools** in this category.", + "", + "## Tools", + "", + ] + + # Group by tier + for tier_name, tier_label in [("rich", "Rich (FOR610)"), ("standard", "Standard"), ("basic", "Basic")]: + tier_tools = [t for t in cat_tools if t.get("help_tier") == tier_name] + if tier_tools: + lines.append(f"### {tier_label}") + for t in sorted(tier_tools, key=lambda x: x["name"]): + desc = t.get("description", "")[:60] + tname = t["name"] + tslug = slug(tname) + lines.append(f"- {wiki_link(f'tools/{tslug}', tname)} — {desc}") + lines.append("") + + lines.append(f"#{slug(cat_name)} #category") + lines.append("") + + return "\n".join(lines) + + +# ============================================================ +# Generate index page +# ============================================================ + +def generate_index_page(category_to_tools, workflows, recipes, total_tools): + """Generate the wiki landing page.""" + lines = [ + "# REMnux Analysis Wiki", + "", + f"> {total_tools} tools | {len(workflows)} workflows | {len(recipes)} recipes", + "", + "## Browse by Category", + "", + 
] + + for cat_name in sorted(category_to_tools.keys()): + count = len(category_to_tools[cat_name]) + lines.append(f"- {wiki_link(f'categories/{slug(cat_name)}', cat_name)} ({count} tools)") + lines.append("") + + lines.append("## Workflows") + lines.append("") + for wf in workflows: + wf_slug = wf["id"].replace("_", "-") + lines.append(f"- {wiki_link(f'workflows/{wf_slug}', wf['name'])}") + lines.append("") + + lines.append("## Recipes") + lines.append("") + for recipe in recipes: + rec_id = recipe["id"] + rec_name = recipe["name"] + rec_slug = slug(rec_id) + lines.append(f"- {wiki_link(f'recipes/{rec_slug}', rec_name)}") + lines.append("") + + lines.append("## Quick Access") + lines.append("") + lines.append("```bash") + lines.append("# Browse interactively") + lines.append("zk list --interactive") + lines.append("") + lines.append("# Search by tag") + lines.append("zk list --tag pdf") + lines.append("") + lines.append("# Find what links to a tool") + lines.append("zk list --mention pdfid") + lines.append("```") + lines.append("") + lines.append("#index #wiki") + lines.append("") + + return "\n".join(lines) + + +# ============================================================ +# Main +# ============================================================ + +def main(): + print("Generating wiki pages...") + + # Load data + master = load_yaml(MASTER) + tools = master.get("tools", []) + remnux_tools = [t for t in tools if t.get("in_remnux")] + + workflows_data = load_yaml(WORKFLOWS_SRC) + workflows = workflows_data.get("workflows", []) + + recipes_data = load_yaml(RECIPES_SRC) + recipes = recipes_data.get("recipes", []) + + print(f" Input: {len(remnux_tools)} tools, {len(workflows)} workflows, {len(recipes)} recipes") + + # Build indexes + tool_to_workflows, tool_to_recipes, category_to_tools, tool_related = \ + build_indexes(remnux_tools, workflows, recipes) + + # Build tool lookup by id and name variants + tools_by_id = {} + for t in remnux_tools: + tools_by_id[t["id"]] = t 
+ tools_by_id[slug(t["name"])] = t + for alias in t.get("aliases", []): + tools_by_id[slug(alias)] = t + + # Create output directories + for d in ["tools", "workflows", "recipes", "categories", ".zk"]: + os.makedirs(os.path.join(WIKI_DIR, d), exist_ok=True) + + # Generate tool pages + tool_count = 0 + for t in remnux_tools: + filename = slug(t["name"]) + ".md" + content = generate_tool_page(t, tool_to_workflows, tool_to_recipes, tool_related) + with open(os.path.join(WIKI_DIR, "tools", filename), "w") as f: + f.write(content) + tool_count += 1 + + # Generate workflow pages + wf_count = 0 + for wf in workflows: + filename = wf["id"].replace("_", "-") + ".md" + content = generate_workflow_page(wf, tools_by_id) + with open(os.path.join(WIKI_DIR, "workflows", filename), "w") as f: + f.write(content) + wf_count += 1 + + # Generate recipe pages + recipe_count = 0 + for recipe in recipes: + filename = slug(recipe["id"]) + ".md" + content = generate_recipe_page(recipe) + with open(os.path.join(WIKI_DIR, "recipes", filename), "w") as f: + f.write(content) + recipe_count += 1 + + # Generate category pages + cat_count = 0 + for cat_name, cat_tools in category_to_tools.items(): + filename = slug(cat_name) + ".md" + content = generate_category_page(cat_name, cat_tools) + with open(os.path.join(WIKI_DIR, "categories", filename), "w") as f: + f.write(content) + cat_count += 1 + + # Generate index page + content = generate_index_page(category_to_tools, workflows, recipes, len(remnux_tools)) + with open(os.path.join(WIKI_DIR, "index.md"), "w") as f: + f.write(content) + + # Generate zk config + zk_config = """[note] +default-title = "untitled" +filename = "{{slug title}}" +extension = "md" + +[tool] +fzf-preview = "cat {-1}" + +[format.markdown] +link-format = "wiki" +""" + with open(os.path.join(WIKI_DIR, ".zk", "config.toml"), "w") as f: + f.write(zk_config) + + total = tool_count + wf_count + recipe_count + cat_count + 1 # +1 for index + print(f"\nWiki generated: {total} pages") 
+ print(f" tools: {tool_count}") + print(f" workflows: {wf_count}") + print(f" recipes: {recipe_count}") + print(f" categories: {cat_count}") + print(f" index: 1") + print(f"\nOutput: {WIKI_DIR}/") + + +if __name__ == "__main__": + main()
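Review bot: generate_workflow_page links each step tool as `wiki_link(f"tools/{slug(tool_name)}", tool_name)`, but tool pages are written under `slug(t["name"])`, which strips `.py`/`.pl`; when a step references a tool by id the link is dangling, and the generated workflow pages in this commit show exactly that (`[[tools/rtfdump-py|rtfdump-py]]`, `[[tools/oledump-py|oledump-py]]`, `[[tools/1768-py|1768-py]]`) while the category page links the same kind of tool as `[[tools/emldump|emldump.py]]`. The loop already resolves the inventory entry via `tools_by_id` a few lines later for the examples; do the lookup once and build the link from the resolved name, as below. generate_recipe_page uses the same `slug(t)` pattern without a `tools_by_id` parameter, so if recipe tool lists also carry ids it needs the same resolution. Separately, the pages contain non-ASCII characters (`—`, `→`) and every `open(..., "w")` in main relies on the locale encoding, which in a minimal container with a POSIX locale may raise UnicodeEncodeError; pass `encoding="utf-8"` to each open (and to the one in load_yaml).
```python
    for step in steps:
        # … unchanged: order, step_name, step_desc, step_tools …
        if step_tools:
            tool_links = []
            for tool_name in step_tools:
                # Resolve an id/alias to the inventory entry so the link targets
                # the page that was actually written (slug of the name, not the id).
                tool = tools_by_id.get(tool_name) or tools_by_id.get(slug(tool_name))
                label = tool["name"] if tool else tool_name
                tool_links.append(wiki_link(f"tools/{slug(label)}", label))
            lines.append(f"**Tools:** {', '.join(tool_links)}")
        # … unchanged: description, inline examples, tags …
```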