From e62a14dafcfc5b5d8fea1babc97fea756f17f76e Mon Sep 17 00:00:00 2001 
From: tobias Date: Sat, 28 Mar 2026 19:50:36 +0100 Subject: [PATCH] Add markdown wiki with 473 pages and zk browser Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) --- Dockerfile | 6 + Makefile | 8 +- data/generated/wiki/.zk/config.toml | 10 + .../analyze-documents-email-messages.md | 15 + .../categories/analyze-documents-general.md | 10 + .../analyze-documents-microsoft-office.md | 27 + .../wiki/categories/analyze-documents-pdf.md | 19 + .../wiki/categories/dotnet-analysis.md | 10 + ...namically-reverse-engineer-code-general.md | 12 + ...namically-reverse-engineer-code-scripts.md | 16 + ...mically-reverse-engineer-code-shellcode.md | 16 + ...examine-static-properties-deobfuscation.md | 39 ++ .../examine-static-properties-general.md | 39 ++ .../examine-static-properties-go.md | 11 + .../examine-static-properties-net.md | 12 + ...explore-network-interactions-connecting.md | 20 + ...explore-network-interactions-monitoring.md | 23 + .../explore-network-interactions-services.md | 19 + .../categories/gather-and-analyze-data.md | 24 + .../wiki/categories/general-utilities.md | 28 + .../investigate-system-interactions.md | 14 + .../wiki/categories/network-analysis.md | 12 + .../categories/perform-memory-forensics.md | 14 + .../wiki/categories/static-analysis-pe.md | 11 + .../statically-analyze-code-android.md | 18 + .../statically-analyze-code-general.md | 16 + .../statically-analyze-code-java.md | 16 + .../categories/statically-analyze-code-net.md | 11 + .../statically-analyze-code-pe-files.md | 15 + .../statically-analyze-code-python.md | 15 + .../statically-analyze-code-scripts.md | 14 + 
.../statically-analyze-code-unpacking.md | 11 + .../wiki/categories/string-deobfuscation.md | 10 + .../categories/use-artificial-intelligence.md | 12 + data/generated/wiki/categories/utilities.md | 14 + .../wiki/categories/view-or-edit-files.md | 18 + data/generated/wiki/index.md | 102 ++++ .../wiki/recipes/apk-quick-triage.md | 18 + .../wiki/recipes/base64-xor-shellcode.md | 15 + .../wiki/recipes/capa-capability-filter.md | 19 + .../recipes/cobalt-strike-beacon-parse.md | 15 + .../wiki/recipes/cyberchef-xor-decode.md | 14 + .../wiki/recipes/dns-interception-setup.md | 19 + .../wiki/recipes/dotnet-decompile-cli.md | 18 + .../recipes/email-attachment-extraction.md | 18 + .../wiki/recipes/excel-xlm-macros.md | 12 + .../recipes/extract-base64-ps-from-vba.md | 19 + .../recipes/js-deobfuscation-spidermonkey.md | 19 + .../wiki/recipes/js-null-byte-cleanup.md | 19 + .../wiki/recipes/multi-stage-base64-gzip.md | 15 + .../wiki/recipes/office-full-decode-chain.md | 22 + .../wiki/recipes/password-protected-office.md | 12 + .../wiki/recipes/pcap-file-carving.md | 16 + .../wiki/recipes/pdf-javascript-extraction.md | 16 + .../wiki/recipes/pdf-object-extraction.md | 21 + .../wiki/recipes/rtf-shellcode-extraction.md | 19 + .../recipes/shellcode-emulate-with-offset.md | 17 + .../wiki/recipes/shellcode-to-exe.md | 12 + .../recipes/speakeasy-emulation-with-json.md | 17 + .../wiki/recipes/stack-string-extraction.md | 17 + .../wiki/recipes/vba-number-string-decode.md | 15 + .../wiki/recipes/vba-pcode-decompile.md | 14 + .../wiki/recipes/volatility-quick-triage.md | 18 + .../wiki/recipes/xor-key-brute-force.md | 21 + data/generated/wiki/tools/1768.md | 31 ++ data/generated/wiki/tools/7-zip.md | 14 + data/generated/wiki/tools/7zip.md | 4 + data/generated/wiki/tools/aeskeyfind.md | 4 + data/generated/wiki/tools/aeskeyfinder.md | 11 + data/generated/wiki/tools/androguard.md | 24 + .../wiki/tools/android-project-creator.md | 4 + .../wiki/tools/androidprojectcreator.md | 14 + 
data/generated/wiki/tools/anomy.md | 14 + data/generated/wiki/tools/apkid.md | 20 + data/generated/wiki/tools/apktool.md | 26 + data/generated/wiki/tools/apt-utils.md | 4 + data/generated/wiki/tools/archive-zip.md | 4 + data/generated/wiki/tools/autoconf.md | 4 + data/generated/wiki/tools/autoit-ripper.md | 11 + data/generated/wiki/tools/autologin.md | 4 + data/generated/wiki/tools/automake.md | 4 + data/generated/wiki/tools/baksmali.md | 14 + data/generated/wiki/tools/balbuzard.md | 14 + data/generated/wiki/tools/base64dump.md | 34 ++ data/generated/wiki/tools/bash-history.md | 4 + data/generated/wiki/tools/bash-rc.md | 4 + data/generated/wiki/tools/bbcrack.md | 21 + data/generated/wiki/tools/bearparser.md | 4 + .../binee-binary-emulation-environment.md | 12 + data/generated/wiki/tools/binee.md | 4 + data/generated/wiki/tools/binutils.md | 4 + data/generated/wiki/tools/binwalk.md | 23 + data/generated/wiki/tools/box-js.md | 24 + data/generated/wiki/tools/brxor.md | 29 + data/generated/wiki/tools/build-essential.md | 4 + data/generated/wiki/tools/bulk-extractor.md | 14 + data/generated/wiki/tools/bundler.md | 4 + .../tools/burp-suite-community-edition.md | 14 + .../wiki/tools/burpsuite-community.md | 4 + data/generated/wiki/tools/bytehist.md | 18 + data/generated/wiki/tools/cabextract.md | 14 + data/generated/wiki/tools/capa.md | 34 ++ data/generated/wiki/tools/cast.md | 14 + data/generated/wiki/tools/cffi.md | 4 + data/generated/wiki/tools/cfr.md | 22 + data/generated/wiki/tools/chepy.md | 14 + data/generated/wiki/tools/clamav-daemon.md | 4 + data/generated/wiki/tools/clamav.md | 21 + ...configuration-extractor-csce-and-parser.md | 14 + data/generated/wiki/tools/compatibility.md | 4 + .../wiki/tools/cs-analyze-processdump.md | 22 + .../wiki/tools/cs-decrypt-metadata.md | 22 + data/generated/wiki/tools/cs-extract-key.md | 22 + data/generated/wiki/tools/cs-parse-traffic.md | 22 + data/generated/wiki/tools/curl.md | 23 + data/generated/wiki/tools/cut-bytes.md | 14 + 
data/generated/wiki/tools/cutter.md | 25 + data/generated/wiki/tools/cyberchef.md | 31 ++ data/generated/wiki/tools/dc3-mwcp.md | 20 + data/generated/wiki/tools/de4dot.md | 26 + data/generated/wiki/tools/decode-vbe.md | 11 + data/generated/wiki/tools/decompyle.md | 12 + data/generated/wiki/tools/default-jdk.md | 4 + data/generated/wiki/tools/default-jre.md | 4 + data/generated/wiki/tools/dex2jar.md | 14 + data/generated/wiki/tools/dexray.md | 14 + data/generated/wiki/tools/dialog.md | 4 + .../wiki/tools/didier-stevens-scripts.md | 4 + data/generated/wiki/tools/diec.md | 28 + data/generated/wiki/tools/disitool.md | 14 + data/generated/wiki/tools/display.md | 4 + data/generated/wiki/tools/dissect.md | 14 + data/generated/wiki/tools/distro-info.md | 4 + .../wiki/tools/dllcharacteristics.md | 4 + data/generated/wiki/tools/dnfile.md | 14 + data/generated/wiki/tools/dnslib.md | 14 + data/generated/wiki/tools/dnsresolver.md | 14 + data/generated/wiki/tools/docker.md | 14 + data/generated/wiki/tools/dog.md | 4 + data/generated/wiki/tools/dos2unix.md | 14 + data/generated/wiki/tools/dot-cache.md | 4 + data/generated/wiki/tools/dot-config.md | 4 + data/generated/wiki/tools/dot-cpan.md | 4 + data/generated/wiki/tools/dot-dbus.md | 4 + data/generated/wiki/tools/dot-local.md | 4 + .../wiki/tools/dotnet-runtime-3-1.md | 4 + data/generated/wiki/tools/dotnetfile.md | 14 + data/generated/wiki/tools/droidlysis.md | 17 + data/generated/wiki/tools/edb-debugger.md | 4 + data/generated/wiki/tools/emldump.md | 26 + data/generated/wiki/tools/enchant.md | 4 + data/generated/wiki/tools/epic-irc-client.md | 14 + data/generated/wiki/tools/epic5.md | 4 + data/generated/wiki/tools/evilclippy.md | 22 + data/generated/wiki/tools/evince.md | 14 + data/generated/wiki/tools/ex-pe-xor.md | 14 + data/generated/wiki/tools/exfat-utils.md | 4 + data/generated/wiki/tools/exiftool.md | 26 + data/generated/wiki/tools/fakedns.md | 30 ++ data/generated/wiki/tools/fakemail.md | 14 + 
data/generated/wiki/tools/fakenet-ng.md | 24 + data/generated/wiki/tools/feh.md | 26 + data/generated/wiki/tools/file-magic.md | 14 + data/generated/wiki/tools/file.md | 34 ++ data/generated/wiki/tools/firefox.md | 14 + data/generated/wiki/tools/flare-floss.md | 4 + data/generated/wiki/tools/flex.md | 4 + data/generated/wiki/tools/floss.md | 33 ++ data/generated/wiki/tools/format-bytes.md | 14 + data/generated/wiki/tools/frida.md | 21 + data/generated/wiki/tools/galculator.md | 4 + data/generated/wiki/tools/gdb.md | 4 + data/generated/wiki/tools/gdm3.md | 4 + data/generated/wiki/tools/ghidra.md | 26 + data/generated/wiki/tools/ghidrassistmcp.md | 11 + data/generated/wiki/tools/gift.md | 4 + data/generated/wiki/tools/git.md | 4 + data/generated/wiki/tools/gnome-calculator.md | 14 + data/generated/wiki/tools/gnome-session.md | 4 + .../wiki/tools/gnome-shell-extensions.md | 4 + data/generated/wiki/tools/gnome-terminal.md | 4 + data/generated/wiki/tools/gnome-tweaks.md | 4 + data/generated/wiki/tools/gnu-wget.md | 14 + data/generated/wiki/tools/gnutls-bin.md | 4 + data/generated/wiki/tools/goresym.md | 10 + data/generated/wiki/tools/graphviz.md | 4 + data/generated/wiki/tools/grub-kvm.md | 4 + data/generated/wiki/tools/guest-tools.md | 4 + data/generated/wiki/tools/gunzip.md | 28 + data/generated/wiki/tools/hachoir.md | 14 + data/generated/wiki/tools/hash-id.md | 14 + data/generated/wiki/tools/hex-to-bin.md | 14 + data/generated/wiki/tools/hexdump.md | 20 + data/generated/wiki/tools/httpd.md | 29 + .../generated/wiki/tools/i386-architecture.md | 4 + data/generated/wiki/tools/ibus.md | 14 + data/generated/wiki/tools/ilspy.md | 19 + data/generated/wiki/tools/ilspycmd.md | 21 + data/generated/wiki/tools/imagemagick.md | 14 + data/generated/wiki/tools/inetsim.md | 30 ++ data/generated/wiki/tools/inspircd.md | 14 + data/generated/wiki/tools/ioc-parser.md | 19 + data/generated/wiki/tools/iproute2.md | 4 + data/generated/wiki/tools/iptables.md | 22 + 
data/generated/wiki/tools/iputils-ping.md | 4 + data/generated/wiki/tools/ipwhois.md | 14 + data/generated/wiki/tools/ipython3.md | 4 + data/generated/wiki/tools/jadx.md | 26 + data/generated/wiki/tools/java-idx-parser.md | 13 + data/generated/wiki/tools/javassist.md | 13 + .../wiki/tools/jd-gui-java-decompiler.md | 13 + data/generated/wiki/tools/jd-gui.md | 14 + data/generated/wiki/tools/jq.md | 25 + data/generated/wiki/tools/js-beautify.md | 26 + data/generated/wiki/tools/jstillery.md | 16 + data/generated/wiki/tools/lame.md | 4 + data/generated/wiki/tools/libboost-dev.md | 4 + .../wiki/tools/libboost-python-dev.md | 4 + .../wiki/tools/libboost-system-dev.md | 4 + data/generated/wiki/tools/libdpkg-perl.md | 4 + .../tools/libemail-outlook-message-perl.md | 4 + data/generated/wiki/tools/libemu.md | 13 + data/generated/wiki/tools/libffi-dev.md | 4 + data/generated/wiki/tools/libfuse2.md | 4 + data/generated/wiki/tools/libfuzzy-dev.md | 4 + data/generated/wiki/tools/libfuzzy2.md | 4 + data/generated/wiki/tools/libglib2.md | 4 + data/generated/wiki/tools/libglu1-mesa-dev.md | 4 + data/generated/wiki/tools/libgraphviz-dev.md | 4 + data/generated/wiki/tools/libgtk-3-0.md | 4 + .../generated/wiki/tools/libjavassist-java.md | 4 + data/generated/wiki/tools/libjpeg-dev.md | 4 + data/generated/wiki/tools/libjpeg8-dev.md | 4 + data/generated/wiki/tools/liblzma-dev.md | 4 + data/generated/wiki/tools/liblzo2-dev.md | 4 + data/generated/wiki/tools/libmagic-dev.md | 4 + data/generated/wiki/tools/libmysqlclient21.md | 4 + data/generated/wiki/tools/libncurses.md | 4 + .../wiki/tools/libnetfilter-queue-dev.md | 4 + data/generated/wiki/tools/libnfnetlink-dev.md | 4 + data/generated/wiki/tools/libolecf.md | 14 + data/generated/wiki/tools/libpq5.md | 4 + .../wiki/tools/libqt5scripttools5.md | 4 + data/generated/wiki/tools/libre2.md | 4 + data/generated/wiki/tools/libsm6.md | 4 + data/generated/wiki/tools/libsqlite3-dev.md | 4 + data/generated/wiki/tools/libssl-dev.md | 4 + 
data/generated/wiki/tools/libtool.md | 4 + data/generated/wiki/tools/libtre5.md | 4 + data/generated/wiki/tools/libusb-1.md | 4 + data/generated/wiki/tools/libxml2-dev.md | 4 + data/generated/wiki/tools/libxslt1-dev.md | 4 + data/generated/wiki/tools/lief.md | 14 + data/generated/wiki/tools/linux-headers.md | 4 + data/generated/wiki/tools/ltrace.md | 4 + data/generated/wiki/tools/magika.md | 14 + data/generated/wiki/tools/mail-parser.md | 20 + data/generated/wiki/tools/malcat-lite.md | 14 + data/generated/wiki/tools/malcat.md | 4 + data/generated/wiki/tools/malchive.md | 19 + data/generated/wiki/tools/malwoverview.md | 23 + data/generated/wiki/tools/manalyze.md | 4 + data/generated/wiki/tools/mbcscan.md | 12 + data/generated/wiki/tools/mercurial.md | 4 + data/generated/wiki/tools/microsoft-vscode.md | 4 + data/generated/wiki/tools/microsoft.md | 4 + data/generated/wiki/tools/mitmproxy.md | 24 + data/generated/wiki/tools/mono-devel.md | 4 + data/generated/wiki/tools/mono-utils.md | 4 + data/generated/wiki/tools/mono.md | 4 + data/generated/wiki/tools/monodis.md | 14 + data/generated/wiki/tools/msg-extractor.md | 21 + data/generated/wiki/tools/msgconvert.md | 12 + data/generated/wiki/tools/msitools.md | 14 + .../generated/wiki/tools/msoffcrypto-crack.md | 14 + data/generated/wiki/tools/msoffcrypto-tool.md | 26 + data/generated/wiki/tools/msoffice-crypt.md | 14 + data/generated/wiki/tools/myip.md | 14 + data/generated/wiki/tools/myjson-filter.md | 14 + data/generated/wiki/tools/mynic.md | 4 + data/generated/wiki/tools/name-that-hash.md | 14 + data/generated/wiki/tools/nano.md | 4 + data/generated/wiki/tools/nasm.md | 14 + data/generated/wiki/tools/nautilus.md | 14 + data/generated/wiki/tools/nc.md | 23 + data/generated/wiki/tools/ndg-httpsclient.md | 4 + data/generated/wiki/tools/net-tools.md | 4 + .../wiki/tools/network-miner-free-edition.md | 14 + data/generated/wiki/tools/networkminer.md | 17 + data/generated/wiki/tools/nginx.md | 14 + 
data/generated/wiki/tools/ngrep.md | 23 + data/generated/wiki/tools/nodejs.md | 4 + data/generated/wiki/tools/nomorexor.md | 14 + data/generated/wiki/tools/nslookup.md | 19 + data/generated/wiki/tools/nsrllookup.md | 14 + .../generated/wiki/tools/numbers-to-string.md | 29 + data/generated/wiki/tools/objdump.md | 13 + data/generated/wiki/tools/objects-js.md | 13 + data/generated/wiki/tools/oledump.md | 34 ++ data/generated/wiki/tools/olefile.md | 14 + data/generated/wiki/tools/olevba.md | 26 + data/generated/wiki/tools/onedump.md | 17 + data/generated/wiki/tools/opencode.md | 11 + data/generated/wiki/tools/openjdk.md | 4 + data/generated/wiki/tools/openssh.md | 14 + data/generated/wiki/tools/openssl.md | 4 + data/generated/wiki/tools/origamindee.md | 14 + data/generated/wiki/tools/osarch.md | 4 + data/generated/wiki/tools/pcode2code.md | 25 + data/generated/wiki/tools/pcodedmp.md | 17 + data/generated/wiki/tools/pdf-parser.md | 34 ++ data/generated/wiki/tools/pdfid.md | 31 ++ data/generated/wiki/tools/pdfresurrect.md | 22 + data/generated/wiki/tools/pdftk.md | 23 + data/generated/wiki/tools/pdftool.md | 22 + data/generated/wiki/tools/pdnstool.md | 14 + data/generated/wiki/tools/pe-tree.md | 4 + data/generated/wiki/tools/pedump.md | 4 + data/generated/wiki/tools/peepdf.md | 26 + data/generated/wiki/tools/peframe.md | 24 + data/generated/wiki/tools/perl.md | 4 + data/generated/wiki/tools/pestr.md | 21 + data/generated/wiki/tools/pev.md | 4 + data/generated/wiki/tools/pgadmin.md | 4 + data/generated/wiki/tools/pip.md | 4 + data/generated/wiki/tools/pkg-config.md | 4 + data/generated/wiki/tools/polarproxy.md | 22 + data/generated/wiki/tools/portex.md | 4 + data/generated/wiki/tools/powershell.md | 13 + data/generated/wiki/tools/prefer-ipv4.md | 4 + data/generated/wiki/tools/procdot.md | 23 + .../wiki/tools/procyon-decompiler.md | 4 + data/generated/wiki/tools/procyon.md | 16 + data/generated/wiki/tools/protobuf.md | 4 + data/generated/wiki/tools/pycdc.md | 4 + 
data/generated/wiki/tools/pyelftools.md | 4 + .../wiki/tools/pyinstaller-extractor.md | 12 + .../generated/wiki/tools/pyinstxtractor-ng.md | 17 + data/generated/wiki/tools/python-debian.md | 4 + .../wiki/tools/python3-cryptography.md | 4 + data/generated/wiki/tools/python3-dev.md | 4 + .../generated/wiki/tools/python3-dnspython.md | 4 + data/generated/wiki/tools/python3-magic.md | 4 + .../generated/wiki/tools/python3-netifaces.md | 4 + data/generated/wiki/tools/python3-numpy.md | 4 + data/generated/wiki/tools/python3-pil.md | 4 + data/generated/wiki/tools/python3-pip.md | 4 + data/generated/wiki/tools/python3-pyasn1.md | 4 + data/generated/wiki/tools/python3-pyqt5.md | 4 + data/generated/wiki/tools/python3-requests.md | 4 + .../wiki/tools/python3-setuptools.md | 4 + data/generated/wiki/tools/python3-ssdeep.md | 4 + data/generated/wiki/tools/python3-tk.md | 4 + data/generated/wiki/tools/python3-venv.md | 4 + .../wiki/tools/python3-virtualenv.md | 4 + data/generated/wiki/tools/python3-wheel.md | 4 + data/generated/wiki/tools/python3.md | 4 + data/generated/wiki/tools/qiling.md | 21 + data/generated/wiki/tools/qpdf.md | 22 + data/generated/wiki/tools/qtbase5-dev.md | 4 + data/generated/wiki/tools/radare2.md | 23 + data/generated/wiki/tools/rar.md | 23 + data/generated/wiki/tools/re-search.md | 14 + data/generated/wiki/tools/redress.md | 10 + data/generated/wiki/tools/refresh.md | 4 + data/generated/wiki/tools/remnux-installer.md | 14 + .../generated/wiki/tools/remnux-mcp-server.md | 11 + data/generated/wiki/tools/remnux.md | 4 + data/generated/wiki/tools/remove-app-icons.md | 4 + data/generated/wiki/tools/rhino.md | 4 + data/generated/wiki/tools/rsakeyfind.md | 4 + data/generated/wiki/tools/rsakeyfinder.md | 11 + data/generated/wiki/tools/rtfdump.md | 31 ++ data/generated/wiki/tools/ruby-dev.md | 4 + data/generated/wiki/tools/ruby.md | 4 + data/generated/wiki/tools/runsc32.md | 22 + data/generated/wiki/tools/salt-minion.md | 4 + 
.../wiki/tools/sandfly-processdecloak.md | 11 + data/generated/wiki/tools/scalpel.md | 14 + data/generated/wiki/tools/scdbgc.md | 33 ++ data/generated/wiki/tools/scite.md | 14 + data/generated/wiki/tools/sets.md | 14 + data/generated/wiki/tools/sharutils.md | 4 + data/generated/wiki/tools/shcode2exe.md | 24 + .../generated/wiki/tools/shellcode2exe-bat.md | 13 + data/generated/wiki/tools/sift.md | 4 + data/generated/wiki/tools/signsrch.md | 14 + data/generated/wiki/tools/sleuth-kit.md | 14 + data/generated/wiki/tools/sleuthkit.md | 4 + data/generated/wiki/tools/snap.md | 4 + data/generated/wiki/tools/snapd.md | 4 + .../wiki/tools/software-properties-common.md | 4 + data/generated/wiki/tools/sortcanon.md | 14 + data/generated/wiki/tools/speakeasy.md | 30 ++ data/generated/wiki/tools/spidermonkey.md | 30 ++ data/generated/wiki/tools/sqlite.md | 14 + data/generated/wiki/tools/ssdeep.md | 21 + data/generated/wiki/tools/ssh.md | 4 + data/generated/wiki/tools/ssview.md | 14 + data/generated/wiki/tools/strace.md | 7 + data/generated/wiki/tools/strdeob.md | 29 + data/generated/wiki/tools/strings.md | 35 ++ data/generated/wiki/tools/subversion.md | 4 + data/generated/wiki/tools/sudo.md | 4 + data/generated/wiki/tools/sudoers.md | 4 + data/generated/wiki/tools/tcpdump.md | 27 + data/generated/wiki/tools/tcpflow.md | 25 + data/generated/wiki/tools/tcpick.md | 14 + data/generated/wiki/tools/tcpxtract.md | 25 + data/generated/wiki/tools/tesseract-ocr.md | 7 + data/generated/wiki/tools/texteditor.md | 14 + data/generated/wiki/tools/thefuzz.md | 14 + data/generated/wiki/tools/thug.md | 22 + data/generated/wiki/tools/time-decode.md | 14 + data/generated/wiki/tools/tor.md | 14 + data/generated/wiki/tools/torsocks.md | 18 + data/generated/wiki/tools/translate.md | 31 ++ data/generated/wiki/tools/trid.md | 28 + data/generated/wiki/tools/tshark.md | 26 + data/generated/wiki/tools/tzdata.md | 4 + data/generated/wiki/tools/ubuntu-universe.md | 4 + data/generated/wiki/tools/ubuntu.md | 4 
+ data/generated/wiki/tools/uncompyle6.md | 18 + data/generated/wiki/tools/unfurl.md | 22 + data/generated/wiki/tools/unhide.md | 11 + data/generated/wiki/tools/unicode.md | 14 + data/generated/wiki/tools/unxor.md | 14 + data/generated/wiki/tools/unzip.md | 26 + data/generated/wiki/tools/upx.md | 23 + data/generated/wiki/tools/user.md | 4 + data/generated/wiki/tools/vbindiff.md | 14 + data/generated/wiki/tools/vim.md | 4 + .../generated/wiki/tools/virustotal-search.md | 17 + .../generated/wiki/tools/virustotal-submit.md | 14 + .../wiki/tools/visual-studio-code.md | 28 + data/generated/wiki/tools/vivisect.md | 19 + data/generated/wiki/tools/volatility3.md | 28 + data/generated/wiki/tools/vscode.md | 4 + data/generated/wiki/tools/wget.md | 20 + data/generated/wiki/tools/wine.md | 20 + data/generated/wiki/tools/wireshark-dev.md | 4 + data/generated/wiki/tools/wireshark.md | 28 + data/generated/wiki/tools/wxhexeditor.md | 14 + data/generated/wiki/tools/xdg-utils.md | 4 + .../wiki/tools/xlmmacrodeobfuscator.md | 23 + data/generated/wiki/tools/xmldump.md | 14 + data/generated/wiki/tools/xmlstarlet.md | 4 + data/generated/wiki/tools/xor-kpa.md | 14 + data/generated/wiki/tools/xorbruteforcer.md | 14 + data/generated/wiki/tools/xorsearch.md | 33 ++ data/generated/wiki/tools/xorstrings.md | 14 + data/generated/wiki/tools/xortool.md | 26 + data/generated/wiki/tools/xterm.md | 4 + data/generated/wiki/tools/xxd.md | 21 + data/generated/wiki/tools/yara-forge-rules.md | 14 + data/generated/wiki/tools/yara-x.md | 14 + data/generated/wiki/tools/yara.md | 34 ++ data/generated/wiki/tools/zbar-tools.md | 4 + data/generated/wiki/tools/zbarimg.md | 14 + data/generated/wiki/tools/zipdump.md | 22 + data/generated/wiki/tools/zlib1g-dev.md | 4 + .../workflows/android-analysis-workflow.md | 65 +++ .../workflows/behavioral-analysis-workflow.md | 61 +++ .../wiki/workflows/cobalt-strike-workflow.md | 67 +++ .../wiki/workflows/code-injection-workflow.md | 74 +++ 
.../workflows/document-analysis-workflow.md | 75 +++ .../workflows/dotnet-analysis-workflow.md | 74 +++ .../wiki/workflows/email-analysis-workflow.md | 54 ++ .../wiki/workflows/java-analysis-workflow.md | 57 ++ .../javascript-deobfuscation-workflow.md | 57 ++ .../workflows/memory-forensics-workflow.md | 79 +++ .../network-interception-workflow.md | 86 +++ .../workflows/shellcode-analysis-workflow.md | 74 +++ .../workflows/static-analysis-workflow.md | 84 +++ .../string-deobfuscation-workflow.md | 62 +++ .../wiki/workflows/unpacking-workflow.md | 69 +++ scripts/fhelp | 71 ++- scripts/generate-wiki.py | 500 ++++++++++++++++++ 478 files changed, 7683 insertions(+), 5 deletions(-) create mode 100644 data/generated/wiki/.zk/config.toml create mode 100644 data/generated/wiki/categories/analyze-documents-email-messages.md create mode 100644 data/generated/wiki/categories/analyze-documents-general.md create mode 100644 data/generated/wiki/categories/analyze-documents-microsoft-office.md create mode 100644 data/generated/wiki/categories/analyze-documents-pdf.md create mode 100644 data/generated/wiki/categories/dotnet-analysis.md create mode 100644 data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md create mode 100644 data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md create mode 100644 data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md create mode 100644 data/generated/wiki/categories/examine-static-properties-deobfuscation.md create mode 100644 data/generated/wiki/categories/examine-static-properties-general.md create mode 100644 data/generated/wiki/categories/examine-static-properties-go.md create mode 100644 data/generated/wiki/categories/examine-static-properties-net.md create mode 100644 data/generated/wiki/categories/explore-network-interactions-connecting.md create mode 100644 data/generated/wiki/categories/explore-network-interactions-monitoring.md create mode 100644 
data/generated/wiki/categories/explore-network-interactions-services.md create mode 100644 data/generated/wiki/categories/gather-and-analyze-data.md create mode 100644 data/generated/wiki/categories/general-utilities.md create mode 100644 data/generated/wiki/categories/investigate-system-interactions.md create mode 100644 data/generated/wiki/categories/network-analysis.md create mode 100644 data/generated/wiki/categories/perform-memory-forensics.md create mode 100644 data/generated/wiki/categories/static-analysis-pe.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-android.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-general.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-java.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-net.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-pe-files.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-python.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-scripts.md create mode 100644 data/generated/wiki/categories/statically-analyze-code-unpacking.md create mode 100644 data/generated/wiki/categories/string-deobfuscation.md create mode 100644 data/generated/wiki/categories/use-artificial-intelligence.md create mode 100644 data/generated/wiki/categories/utilities.md create mode 100644 data/generated/wiki/categories/view-or-edit-files.md create mode 100644 data/generated/wiki/index.md create mode 100644 data/generated/wiki/recipes/apk-quick-triage.md create mode 100644 data/generated/wiki/recipes/base64-xor-shellcode.md create mode 100644 data/generated/wiki/recipes/capa-capability-filter.md create mode 100644 data/generated/wiki/recipes/cobalt-strike-beacon-parse.md create mode 100644 data/generated/wiki/recipes/cyberchef-xor-decode.md create mode 100644 data/generated/wiki/recipes/dns-interception-setup.md create mode 100644 
data/generated/wiki/recipes/dotnet-decompile-cli.md create mode 100644 data/generated/wiki/recipes/email-attachment-extraction.md create mode 100644 data/generated/wiki/recipes/excel-xlm-macros.md create mode 100644 data/generated/wiki/recipes/extract-base64-ps-from-vba.md create mode 100644 data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md create mode 100644 data/generated/wiki/recipes/js-null-byte-cleanup.md create mode 100644 data/generated/wiki/recipes/multi-stage-base64-gzip.md create mode 100644 data/generated/wiki/recipes/office-full-decode-chain.md create mode 100644 data/generated/wiki/recipes/password-protected-office.md create mode 100644 data/generated/wiki/recipes/pcap-file-carving.md create mode 100644 data/generated/wiki/recipes/pdf-javascript-extraction.md create mode 100644 data/generated/wiki/recipes/pdf-object-extraction.md create mode 100644 data/generated/wiki/recipes/rtf-shellcode-extraction.md create mode 100644 data/generated/wiki/recipes/shellcode-emulate-with-offset.md create mode 100644 data/generated/wiki/recipes/shellcode-to-exe.md create mode 100644 data/generated/wiki/recipes/speakeasy-emulation-with-json.md create mode 100644 data/generated/wiki/recipes/stack-string-extraction.md create mode 100644 data/generated/wiki/recipes/vba-number-string-decode.md create mode 100644 data/generated/wiki/recipes/vba-pcode-decompile.md create mode 100644 data/generated/wiki/recipes/volatility-quick-triage.md create mode 100644 data/generated/wiki/recipes/xor-key-brute-force.md create mode 100644 data/generated/wiki/tools/1768.md create mode 100644 data/generated/wiki/tools/7-zip.md create mode 100644 data/generated/wiki/tools/7zip.md create mode 100644 data/generated/wiki/tools/aeskeyfind.md create mode 100644 data/generated/wiki/tools/aeskeyfinder.md create mode 100644 data/generated/wiki/tools/androguard.md create mode 100644 data/generated/wiki/tools/android-project-creator.md create mode 100644 
data/generated/wiki/tools/androidprojectcreator.md create mode 100644 data/generated/wiki/tools/anomy.md create mode 100644 data/generated/wiki/tools/apkid.md create mode 100644 data/generated/wiki/tools/apktool.md create mode 100644 data/generated/wiki/tools/apt-utils.md create mode 100644 data/generated/wiki/tools/archive-zip.md create mode 100644 data/generated/wiki/tools/autoconf.md create mode 100644 data/generated/wiki/tools/autoit-ripper.md create mode 100644 data/generated/wiki/tools/autologin.md create mode 100644 data/generated/wiki/tools/automake.md create mode 100644 data/generated/wiki/tools/baksmali.md create mode 100644 data/generated/wiki/tools/balbuzard.md create mode 100644 data/generated/wiki/tools/base64dump.md create mode 100644 data/generated/wiki/tools/bash-history.md create mode 100644 data/generated/wiki/tools/bash-rc.md create mode 100644 data/generated/wiki/tools/bbcrack.md create mode 100644 data/generated/wiki/tools/bearparser.md create mode 100644 data/generated/wiki/tools/binee-binary-emulation-environment.md create mode 100644 data/generated/wiki/tools/binee.md create mode 100644 data/generated/wiki/tools/binutils.md create mode 100644 data/generated/wiki/tools/binwalk.md create mode 100644 data/generated/wiki/tools/box-js.md create mode 100644 data/generated/wiki/tools/brxor.md create mode 100644 data/generated/wiki/tools/build-essential.md create mode 100644 data/generated/wiki/tools/bulk-extractor.md create mode 100644 data/generated/wiki/tools/bundler.md create mode 100644 data/generated/wiki/tools/burp-suite-community-edition.md create mode 100644 data/generated/wiki/tools/burpsuite-community.md create mode 100644 data/generated/wiki/tools/bytehist.md create mode 100644 data/generated/wiki/tools/cabextract.md create mode 100644 data/generated/wiki/tools/capa.md create mode 100644 data/generated/wiki/tools/cast.md create mode 100644 data/generated/wiki/tools/cffi.md create mode 100644 data/generated/wiki/tools/cfr.md create mode 
100644 data/generated/wiki/tools/chepy.md create mode 100644 data/generated/wiki/tools/clamav-daemon.md create mode 100644 data/generated/wiki/tools/clamav.md create mode 100644 data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md create mode 100644 data/generated/wiki/tools/compatibility.md create mode 100644 data/generated/wiki/tools/cs-analyze-processdump.md create mode 100644 data/generated/wiki/tools/cs-decrypt-metadata.md create mode 100644 data/generated/wiki/tools/cs-extract-key.md create mode 100644 data/generated/wiki/tools/cs-parse-traffic.md create mode 100644 data/generated/wiki/tools/curl.md create mode 100644 data/generated/wiki/tools/cut-bytes.md create mode 100644 data/generated/wiki/tools/cutter.md create mode 100644 data/generated/wiki/tools/cyberchef.md create mode 100644 data/generated/wiki/tools/dc3-mwcp.md create mode 100644 data/generated/wiki/tools/de4dot.md create mode 100644 data/generated/wiki/tools/decode-vbe.md create mode 100644 data/generated/wiki/tools/decompyle.md create mode 100644 data/generated/wiki/tools/default-jdk.md create mode 100644 data/generated/wiki/tools/default-jre.md create mode 100644 data/generated/wiki/tools/dex2jar.md create mode 100644 data/generated/wiki/tools/dexray.md create mode 100644 data/generated/wiki/tools/dialog.md create mode 100644 data/generated/wiki/tools/didier-stevens-scripts.md create mode 100644 data/generated/wiki/tools/diec.md create mode 100644 data/generated/wiki/tools/disitool.md create mode 100644 data/generated/wiki/tools/display.md create mode 100644 data/generated/wiki/tools/dissect.md create mode 100644 data/generated/wiki/tools/distro-info.md create mode 100644 data/generated/wiki/tools/dllcharacteristics.md create mode 100644 data/generated/wiki/tools/dnfile.md create mode 100644 data/generated/wiki/tools/dnslib.md create mode 100644 data/generated/wiki/tools/dnsresolver.md create mode 100644 data/generated/wiki/tools/docker.md create mode 100644 
data/generated/wiki/tools/dog.md create mode 100644 data/generated/wiki/tools/dos2unix.md create mode 100644 data/generated/wiki/tools/dot-cache.md create mode 100644 data/generated/wiki/tools/dot-config.md create mode 100644 data/generated/wiki/tools/dot-cpan.md create mode 100644 data/generated/wiki/tools/dot-dbus.md create mode 100644 data/generated/wiki/tools/dot-local.md create mode 100644 data/generated/wiki/tools/dotnet-runtime-3-1.md create mode 100644 data/generated/wiki/tools/dotnetfile.md create mode 100644 data/generated/wiki/tools/droidlysis.md create mode 100644 data/generated/wiki/tools/edb-debugger.md create mode 100644 data/generated/wiki/tools/emldump.md create mode 100644 data/generated/wiki/tools/enchant.md create mode 100644 data/generated/wiki/tools/epic-irc-client.md create mode 100644 data/generated/wiki/tools/epic5.md create mode 100644 data/generated/wiki/tools/evilclippy.md create mode 100644 data/generated/wiki/tools/evince.md create mode 100644 data/generated/wiki/tools/ex-pe-xor.md create mode 100644 data/generated/wiki/tools/exfat-utils.md create mode 100644 data/generated/wiki/tools/exiftool.md create mode 100644 data/generated/wiki/tools/fakedns.md create mode 100644 data/generated/wiki/tools/fakemail.md create mode 100644 data/generated/wiki/tools/fakenet-ng.md create mode 100644 data/generated/wiki/tools/feh.md create mode 100644 data/generated/wiki/tools/file-magic.md create mode 100644 data/generated/wiki/tools/file.md create mode 100644 data/generated/wiki/tools/firefox.md create mode 100644 data/generated/wiki/tools/flare-floss.md create mode 100644 data/generated/wiki/tools/flex.md create mode 100644 data/generated/wiki/tools/floss.md create mode 100644 data/generated/wiki/tools/format-bytes.md create mode 100644 data/generated/wiki/tools/frida.md create mode 100644 data/generated/wiki/tools/galculator.md create mode 100644 data/generated/wiki/tools/gdb.md create mode 100644 data/generated/wiki/tools/gdm3.md create mode 
100644 data/generated/wiki/tools/ghidra.md create mode 100644 data/generated/wiki/tools/ghidrassistmcp.md create mode 100644 data/generated/wiki/tools/gift.md create mode 100644 data/generated/wiki/tools/git.md create mode 100644 data/generated/wiki/tools/gnome-calculator.md create mode 100644 data/generated/wiki/tools/gnome-session.md create mode 100644 data/generated/wiki/tools/gnome-shell-extensions.md create mode 100644 data/generated/wiki/tools/gnome-terminal.md create mode 100644 data/generated/wiki/tools/gnome-tweaks.md create mode 100644 data/generated/wiki/tools/gnu-wget.md create mode 100644 data/generated/wiki/tools/gnutls-bin.md create mode 100644 data/generated/wiki/tools/goresym.md create mode 100644 data/generated/wiki/tools/graphviz.md create mode 100644 data/generated/wiki/tools/grub-kvm.md create mode 100644 data/generated/wiki/tools/guest-tools.md create mode 100644 data/generated/wiki/tools/gunzip.md create mode 100644 data/generated/wiki/tools/hachoir.md create mode 100644 data/generated/wiki/tools/hash-id.md create mode 100644 data/generated/wiki/tools/hex-to-bin.md create mode 100644 data/generated/wiki/tools/hexdump.md create mode 100644 data/generated/wiki/tools/httpd.md create mode 100644 data/generated/wiki/tools/i386-architecture.md create mode 100644 data/generated/wiki/tools/ibus.md create mode 100644 data/generated/wiki/tools/ilspy.md create mode 100644 data/generated/wiki/tools/ilspycmd.md create mode 100644 data/generated/wiki/tools/imagemagick.md create mode 100644 data/generated/wiki/tools/inetsim.md create mode 100644 data/generated/wiki/tools/inspircd.md create mode 100644 data/generated/wiki/tools/ioc-parser.md create mode 100644 data/generated/wiki/tools/iproute2.md create mode 100644 data/generated/wiki/tools/iptables.md create mode 100644 data/generated/wiki/tools/iputils-ping.md create mode 100644 data/generated/wiki/tools/ipwhois.md create mode 100644 data/generated/wiki/tools/ipython3.md create mode 100644 
data/generated/wiki/tools/jadx.md create mode 100644 data/generated/wiki/tools/java-idx-parser.md create mode 100644 data/generated/wiki/tools/javassist.md create mode 100644 data/generated/wiki/tools/jd-gui-java-decompiler.md create mode 100644 data/generated/wiki/tools/jd-gui.md create mode 100644 data/generated/wiki/tools/jq.md create mode 100644 data/generated/wiki/tools/js-beautify.md create mode 100644 data/generated/wiki/tools/jstillery.md create mode 100644 data/generated/wiki/tools/lame.md create mode 100644 data/generated/wiki/tools/libboost-dev.md create mode 100644 data/generated/wiki/tools/libboost-python-dev.md create mode 100644 data/generated/wiki/tools/libboost-system-dev.md create mode 100644 data/generated/wiki/tools/libdpkg-perl.md create mode 100644 data/generated/wiki/tools/libemail-outlook-message-perl.md create mode 100644 data/generated/wiki/tools/libemu.md create mode 100644 data/generated/wiki/tools/libffi-dev.md create mode 100644 data/generated/wiki/tools/libfuse2.md create mode 100644 data/generated/wiki/tools/libfuzzy-dev.md create mode 100644 data/generated/wiki/tools/libfuzzy2.md create mode 100644 data/generated/wiki/tools/libglib2.md create mode 100644 data/generated/wiki/tools/libglu1-mesa-dev.md create mode 100644 data/generated/wiki/tools/libgraphviz-dev.md create mode 100644 data/generated/wiki/tools/libgtk-3-0.md create mode 100644 data/generated/wiki/tools/libjavassist-java.md create mode 100644 data/generated/wiki/tools/libjpeg-dev.md create mode 100644 data/generated/wiki/tools/libjpeg8-dev.md create mode 100644 data/generated/wiki/tools/liblzma-dev.md create mode 100644 data/generated/wiki/tools/liblzo2-dev.md create mode 100644 data/generated/wiki/tools/libmagic-dev.md create mode 100644 data/generated/wiki/tools/libmysqlclient21.md create mode 100644 data/generated/wiki/tools/libncurses.md create mode 100644 data/generated/wiki/tools/libnetfilter-queue-dev.md create mode 100644 
data/generated/wiki/tools/libnfnetlink-dev.md create mode 100644 data/generated/wiki/tools/libolecf.md create mode 100644 data/generated/wiki/tools/libpq5.md create mode 100644 data/generated/wiki/tools/libqt5scripttools5.md create mode 100644 data/generated/wiki/tools/libre2.md create mode 100644 data/generated/wiki/tools/libsm6.md create mode 100644 data/generated/wiki/tools/libsqlite3-dev.md create mode 100644 data/generated/wiki/tools/libssl-dev.md create mode 100644 data/generated/wiki/tools/libtool.md create mode 100644 data/generated/wiki/tools/libtre5.md create mode 100644 data/generated/wiki/tools/libusb-1.md create mode 100644 data/generated/wiki/tools/libxml2-dev.md create mode 100644 data/generated/wiki/tools/libxslt1-dev.md create mode 100644 data/generated/wiki/tools/lief.md create mode 100644 data/generated/wiki/tools/linux-headers.md create mode 100644 data/generated/wiki/tools/ltrace.md create mode 100644 data/generated/wiki/tools/magika.md create mode 100644 data/generated/wiki/tools/mail-parser.md create mode 100644 data/generated/wiki/tools/malcat-lite.md create mode 100644 data/generated/wiki/tools/malcat.md create mode 100644 data/generated/wiki/tools/malchive.md create mode 100644 data/generated/wiki/tools/malwoverview.md create mode 100644 data/generated/wiki/tools/manalyze.md create mode 100644 data/generated/wiki/tools/mbcscan.md create mode 100644 data/generated/wiki/tools/mercurial.md create mode 100644 data/generated/wiki/tools/microsoft-vscode.md create mode 100644 data/generated/wiki/tools/microsoft.md create mode 100644 data/generated/wiki/tools/mitmproxy.md create mode 100644 data/generated/wiki/tools/mono-devel.md create mode 100644 data/generated/wiki/tools/mono-utils.md create mode 100644 data/generated/wiki/tools/mono.md create mode 100644 data/generated/wiki/tools/monodis.md create mode 100644 data/generated/wiki/tools/msg-extractor.md create mode 100644 data/generated/wiki/tools/msgconvert.md create mode 100644 
data/generated/wiki/tools/msitools.md create mode 100644 data/generated/wiki/tools/msoffcrypto-crack.md create mode 100644 data/generated/wiki/tools/msoffcrypto-tool.md create mode 100644 data/generated/wiki/tools/msoffice-crypt.md create mode 100644 data/generated/wiki/tools/myip.md create mode 100644 data/generated/wiki/tools/myjson-filter.md create mode 100644 data/generated/wiki/tools/mynic.md create mode 100644 data/generated/wiki/tools/name-that-hash.md create mode 100644 data/generated/wiki/tools/nano.md create mode 100644 data/generated/wiki/tools/nasm.md create mode 100644 data/generated/wiki/tools/nautilus.md create mode 100644 data/generated/wiki/tools/nc.md create mode 100644 data/generated/wiki/tools/ndg-httpsclient.md create mode 100644 data/generated/wiki/tools/net-tools.md create mode 100644 data/generated/wiki/tools/network-miner-free-edition.md create mode 100644 data/generated/wiki/tools/networkminer.md create mode 100644 data/generated/wiki/tools/nginx.md create mode 100644 data/generated/wiki/tools/ngrep.md create mode 100644 data/generated/wiki/tools/nodejs.md create mode 100644 data/generated/wiki/tools/nomorexor.md create mode 100644 data/generated/wiki/tools/nslookup.md create mode 100644 data/generated/wiki/tools/nsrllookup.md create mode 100644 data/generated/wiki/tools/numbers-to-string.md create mode 100644 data/generated/wiki/tools/objdump.md create mode 100644 data/generated/wiki/tools/objects-js.md create mode 100644 data/generated/wiki/tools/oledump.md create mode 100644 data/generated/wiki/tools/olefile.md create mode 100644 data/generated/wiki/tools/olevba.md create mode 100644 data/generated/wiki/tools/onedump.md create mode 100644 data/generated/wiki/tools/opencode.md create mode 100644 data/generated/wiki/tools/openjdk.md create mode 100644 data/generated/wiki/tools/openssh.md create mode 100644 data/generated/wiki/tools/openssl.md create mode 100644 data/generated/wiki/tools/origamindee.md create mode 100644 
data/generated/wiki/tools/osarch.md create mode 100644 data/generated/wiki/tools/pcode2code.md create mode 100644 data/generated/wiki/tools/pcodedmp.md create mode 100644 data/generated/wiki/tools/pdf-parser.md create mode 100644 data/generated/wiki/tools/pdfid.md create mode 100644 data/generated/wiki/tools/pdfresurrect.md create mode 100644 data/generated/wiki/tools/pdftk.md create mode 100644 data/generated/wiki/tools/pdftool.md create mode 100644 data/generated/wiki/tools/pdnstool.md create mode 100644 data/generated/wiki/tools/pe-tree.md create mode 100644 data/generated/wiki/tools/pedump.md create mode 100644 data/generated/wiki/tools/peepdf.md create mode 100644 data/generated/wiki/tools/peframe.md create mode 100644 data/generated/wiki/tools/perl.md create mode 100644 data/generated/wiki/tools/pestr.md create mode 100644 data/generated/wiki/tools/pev.md create mode 100644 data/generated/wiki/tools/pgadmin.md create mode 100644 data/generated/wiki/tools/pip.md create mode 100644 data/generated/wiki/tools/pkg-config.md create mode 100644 data/generated/wiki/tools/polarproxy.md create mode 100644 data/generated/wiki/tools/portex.md create mode 100644 data/generated/wiki/tools/powershell.md create mode 100644 data/generated/wiki/tools/prefer-ipv4.md create mode 100644 data/generated/wiki/tools/procdot.md create mode 100644 data/generated/wiki/tools/procyon-decompiler.md create mode 100644 data/generated/wiki/tools/procyon.md create mode 100644 data/generated/wiki/tools/protobuf.md create mode 100644 data/generated/wiki/tools/pycdc.md create mode 100644 data/generated/wiki/tools/pyelftools.md create mode 100644 data/generated/wiki/tools/pyinstaller-extractor.md create mode 100644 data/generated/wiki/tools/pyinstxtractor-ng.md create mode 100644 data/generated/wiki/tools/python-debian.md create mode 100644 data/generated/wiki/tools/python3-cryptography.md create mode 100644 data/generated/wiki/tools/python3-dev.md create mode 100644 
data/generated/wiki/tools/python3-dnspython.md create mode 100644 data/generated/wiki/tools/python3-magic.md create mode 100644 data/generated/wiki/tools/python3-netifaces.md create mode 100644 data/generated/wiki/tools/python3-numpy.md create mode 100644 data/generated/wiki/tools/python3-pil.md create mode 100644 data/generated/wiki/tools/python3-pip.md create mode 100644 data/generated/wiki/tools/python3-pyasn1.md create mode 100644 data/generated/wiki/tools/python3-pyqt5.md create mode 100644 data/generated/wiki/tools/python3-requests.md create mode 100644 data/generated/wiki/tools/python3-setuptools.md create mode 100644 data/generated/wiki/tools/python3-ssdeep.md create mode 100644 data/generated/wiki/tools/python3-tk.md create mode 100644 data/generated/wiki/tools/python3-venv.md create mode 100644 data/generated/wiki/tools/python3-virtualenv.md create mode 100644 data/generated/wiki/tools/python3-wheel.md create mode 100644 data/generated/wiki/tools/python3.md create mode 100644 data/generated/wiki/tools/qiling.md create mode 100644 data/generated/wiki/tools/qpdf.md create mode 100644 data/generated/wiki/tools/qtbase5-dev.md create mode 100644 data/generated/wiki/tools/radare2.md create mode 100644 data/generated/wiki/tools/rar.md create mode 100644 data/generated/wiki/tools/re-search.md create mode 100644 data/generated/wiki/tools/redress.md create mode 100644 data/generated/wiki/tools/refresh.md create mode 100644 data/generated/wiki/tools/remnux-installer.md create mode 100644 data/generated/wiki/tools/remnux-mcp-server.md create mode 100644 data/generated/wiki/tools/remnux.md create mode 100644 data/generated/wiki/tools/remove-app-icons.md create mode 100644 data/generated/wiki/tools/rhino.md create mode 100644 data/generated/wiki/tools/rsakeyfind.md create mode 100644 data/generated/wiki/tools/rsakeyfinder.md create mode 100644 data/generated/wiki/tools/rtfdump.md create mode 100644 data/generated/wiki/tools/ruby-dev.md create mode 100644 
data/generated/wiki/tools/ruby.md create mode 100644 data/generated/wiki/tools/runsc32.md create mode 100644 data/generated/wiki/tools/salt-minion.md create mode 100644 data/generated/wiki/tools/sandfly-processdecloak.md create mode 100644 data/generated/wiki/tools/scalpel.md create mode 100644 data/generated/wiki/tools/scdbgc.md create mode 100644 data/generated/wiki/tools/scite.md create mode 100644 data/generated/wiki/tools/sets.md create mode 100644 data/generated/wiki/tools/sharutils.md create mode 100644 data/generated/wiki/tools/shcode2exe.md create mode 100644 data/generated/wiki/tools/shellcode2exe-bat.md create mode 100644 data/generated/wiki/tools/sift.md create mode 100644 data/generated/wiki/tools/signsrch.md create mode 100644 data/generated/wiki/tools/sleuth-kit.md create mode 100644 data/generated/wiki/tools/sleuthkit.md create mode 100644 data/generated/wiki/tools/snap.md create mode 100644 data/generated/wiki/tools/snapd.md create mode 100644 data/generated/wiki/tools/software-properties-common.md create mode 100644 data/generated/wiki/tools/sortcanon.md create mode 100644 data/generated/wiki/tools/speakeasy.md create mode 100644 data/generated/wiki/tools/spidermonkey.md create mode 100644 data/generated/wiki/tools/sqlite.md create mode 100644 data/generated/wiki/tools/ssdeep.md create mode 100644 data/generated/wiki/tools/ssh.md create mode 100644 data/generated/wiki/tools/ssview.md create mode 100644 data/generated/wiki/tools/strace.md create mode 100644 data/generated/wiki/tools/strdeob.md create mode 100644 data/generated/wiki/tools/strings.md create mode 100644 data/generated/wiki/tools/subversion.md create mode 100644 data/generated/wiki/tools/sudo.md create mode 100644 data/generated/wiki/tools/sudoers.md create mode 100644 data/generated/wiki/tools/tcpdump.md create mode 100644 data/generated/wiki/tools/tcpflow.md create mode 100644 data/generated/wiki/tools/tcpick.md create mode 100644 data/generated/wiki/tools/tcpxtract.md create mode 
100644 data/generated/wiki/tools/tesseract-ocr.md create mode 100644 data/generated/wiki/tools/texteditor.md create mode 100644 data/generated/wiki/tools/thefuzz.md create mode 100644 data/generated/wiki/tools/thug.md create mode 100644 data/generated/wiki/tools/time-decode.md create mode 100644 data/generated/wiki/tools/tor.md create mode 100644 data/generated/wiki/tools/torsocks.md create mode 100644 data/generated/wiki/tools/translate.md create mode 100644 data/generated/wiki/tools/trid.md create mode 100644 data/generated/wiki/tools/tshark.md create mode 100644 data/generated/wiki/tools/tzdata.md create mode 100644 data/generated/wiki/tools/ubuntu-universe.md create mode 100644 data/generated/wiki/tools/ubuntu.md create mode 100644 data/generated/wiki/tools/uncompyle6.md create mode 100644 data/generated/wiki/tools/unfurl.md create mode 100644 data/generated/wiki/tools/unhide.md create mode 100644 data/generated/wiki/tools/unicode.md create mode 100644 data/generated/wiki/tools/unxor.md create mode 100644 data/generated/wiki/tools/unzip.md create mode 100644 data/generated/wiki/tools/upx.md create mode 100644 data/generated/wiki/tools/user.md create mode 100644 data/generated/wiki/tools/vbindiff.md create mode 100644 data/generated/wiki/tools/vim.md create mode 100644 data/generated/wiki/tools/virustotal-search.md create mode 100644 data/generated/wiki/tools/virustotal-submit.md create mode 100644 data/generated/wiki/tools/visual-studio-code.md create mode 100644 data/generated/wiki/tools/vivisect.md create mode 100644 data/generated/wiki/tools/volatility3.md create mode 100644 data/generated/wiki/tools/vscode.md create mode 100644 data/generated/wiki/tools/wget.md create mode 100644 data/generated/wiki/tools/wine.md create mode 100644 data/generated/wiki/tools/wireshark-dev.md create mode 100644 data/generated/wiki/tools/wireshark.md create mode 100644 data/generated/wiki/tools/wxhexeditor.md create mode 100644 data/generated/wiki/tools/xdg-utils.md create 
mode 100644 data/generated/wiki/tools/xlmmacrodeobfuscator.md create mode 100644 data/generated/wiki/tools/xmldump.md create mode 100644 data/generated/wiki/tools/xmlstarlet.md create mode 100644 data/generated/wiki/tools/xor-kpa.md create mode 100644 data/generated/wiki/tools/xorbruteforcer.md create mode 100644 data/generated/wiki/tools/xorsearch.md create mode 100644 data/generated/wiki/tools/xorstrings.md create mode 100644 data/generated/wiki/tools/xortool.md create mode 100644 data/generated/wiki/tools/xterm.md create mode 100644 data/generated/wiki/tools/xxd.md create mode 100644 data/generated/wiki/tools/yara-forge-rules.md create mode 100644 data/generated/wiki/tools/yara-x.md create mode 100644 data/generated/wiki/tools/yara.md create mode 100644 data/generated/wiki/tools/zbar-tools.md create mode 100644 data/generated/wiki/tools/zbarimg.md create mode 100644 data/generated/wiki/tools/zipdump.md create mode 100644 data/generated/wiki/tools/zlib1g-dev.md create mode 100644 data/generated/wiki/workflows/android-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/behavioral-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/cobalt-strike-workflow.md create mode 100644 data/generated/wiki/workflows/code-injection-workflow.md create mode 100644 data/generated/wiki/workflows/document-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/dotnet-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/email-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/java-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/javascript-deobfuscation-workflow.md create mode 100644 data/generated/wiki/workflows/memory-forensics-workflow.md create mode 100644 data/generated/wiki/workflows/network-interception-workflow.md create mode 100644 data/generated/wiki/workflows/shellcode-analysis-workflow.md create mode 100644 data/generated/wiki/workflows/static-analysis-workflow.md 
create mode 100644 data/generated/wiki/workflows/string-deobfuscation-workflow.md create mode 100644 data/generated/wiki/workflows/unpacking-workflow.md create mode 100644 scripts/generate-wiki.py diff --git a/Dockerfile b/Dockerfile index f6887be..bb94464 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,6 +44,11 @@ RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install --include-deps RUN curl -sL https://raw.githubusercontent.com/denisidoro/navi/master/scripts/install | BIN_DIR=/usr/local/bin bash 2>/dev/null \ || echo "navi installation skipped (offline build)" +# Install zk (wiki browser with [[wiki-links]], fzf search, backlinks) +RUN curl -sL https://github.com/zk-org/zk/releases/latest/download/zk-linux-amd64.tar.gz \ + | tar xz -C /usr/local/bin/ 2>/dev/null \ + || echo "zk installation skipped (offline build)" + # Create data directory and set permissions RUN mkdir -p /data \ && chown remnux:remnux /data @@ -67,6 +72,7 @@ ADD data/generated/tools.db /opt/remnux-docs/tools.db ADD data/generated/cheatsheets/ /opt/cheatsheets/personal/ ADD data/generated/workflows/ /opt/remnux-docs/workflows/ ADD cheatsheets/ /opt/cheatsheets/ +ADD data/generated/wiki/ /opt/wiki/ # Install legacy help scripts (kept for compatibility) ADD scripts/create-offline-help-system.sh /usr/local/bin/create-offline-help-system.sh diff --git a/Makefile b/Makefile index 6a184ad..dc3661e 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master coverage-report +.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master generate-wiki coverage-report # Default target help: 
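Review bot: The new zk install in the first Dockerfile hunk fetches an unpinned `releases/latest` tarball and untars it straight into /usr/local/bin with no checksum or signature check, so every rebuild pulls whatever that endpoint serves on the day and a substituted archive lands on PATH unverified. The `|| echo` fallback is clearly meant for offline builds, but because curl runs without `-f` and stderr is discarded, an HTTP error body or a partially extracted archive also ends in the same "skipped" message and the build stays green. Pin the release tag and expected SHA-256 as build args, verify before extracting, and keep the silent path only for the download failing; the asset name for a tagged release should be confirmed against the release page, as only the `latest` alias is visible here. The navi install on the context lines above has the same shape and could get the same treatment.
```dockerfile
# Install zk (wiki browser with [[wiki-links]], fzf search, backlinks)
ARG ZK_VERSION=<pinned-release-tag>
ARG ZK_SHA256=<sha256-from-release-checksums>
RUN set -eu; \
    if curl -fsSL -o /tmp/zk.tar.gz "https://github.com/zk-org/zk/releases/download/${ZK_VERSION}/zk-linux-amd64.tar.gz"; then \
        echo "${ZK_SHA256}  /tmp/zk.tar.gz" | sha256sum -c - \
        && tar -xzf /tmp/zk.tar.gz -C /usr/local/bin/ \
        && rm -f /tmp/zk.tar.gz; \
    else \
        echo "zk installation skipped (offline build)"; \
    fi
# … unchanged: data directory creation …
```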
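Review bot: The second Dockerfile hunk uses `ADD data/generated/wiki/ /opt/wiki/` for a plain local directory; COPY is the instruction meant for that, since ADD additionally fetches remote URLs and auto-extracts local tar archives, behaviour a directory copy never needs and that a reviewer has to rule out each time. It matches the surrounding ADD lines, so a follow-up could change the whole group to `COPY data/generated/wiki/ /opt/wiki/`. The copied tree presumably needs to include the `.zk/config.toml` this commit adds for zk to recognise /opt/wiki as a notebook, so check that no .dockerignore rule drops dot-directories.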
@@ -18,6 +18,7 @@ help: @echo " coverage Check help coverage" @echo " generate-data Convert FOR610 YAML to JSON" @echo " generate-master Build master inventory and all help artifacts" + @echo " generate-wiki Generate markdown wiki (473 pages)" @echo " coverage-report Generate tool coverage gap report" @echo "" @@ -88,6 +89,11 @@ generate-master: generate-data python3 scripts/generate-coverage-report.py @echo "✓ Master inventory and all artifacts generated" +# Generate markdown wiki with [[wiki-links]] for zk browser +generate-wiki: + python3 scripts/generate-wiki.py + @echo "Wiki: data/generated/wiki/ (browse with: zk list --interactive)" + # Generate coverage report only (requires tools-master.yaml to exist) coverage-report: python3 scripts/generate-coverage-report.py diff --git a/data/generated/wiki/.zk/config.toml b/data/generated/wiki/.zk/config.toml new file mode 100644 index 0000000..80e324c --- /dev/null +++ b/data/generated/wiki/.zk/config.toml @@ -0,0 +1,10 @@ +[note] +default-title = "untitled" +filename = "{{slug title}}" +extension = "md" + +[tool] +fzf-preview = "cat {-1}" + +[format.markdown] +link-format = "wiki" diff --git a/data/generated/wiki/categories/analyze-documents-email-messages.md b/data/generated/wiki/categories/analyze-documents-email-messages.md new file mode 100644 index 0000000..0a49654 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-email-messages.md @@ -0,0 +1,15 @@ +# Analyze Documents > Email Messages + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi + +### Standard +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +#analyze-documents-email-messages #category 
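Review bot: The new help line hard-codes the page count, `@echo " generate-wiki Generate markdown wiki (473 pages)"`, which goes stale the moment the master inventory changes and then misleads rather than informs. Prefer a count-free description such as `@echo " generate-wiki Generate markdown wiki with [[wiki-links]] for zk"`.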
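Review bot: The new `generate-wiki` target is neither a step of nor a prerequisite for `generate-master`, whose context-line echo says "all artifacts generated"; since the Dockerfile in this commit ADDs data/generated/wiki/ into the image, a `make generate-master` followed by a build would ship whatever wiki was last committed. If that is unintended, add `python3 scripts/generate-wiki.py` to the generate-master recipe just before its closing echo (the recipe starts outside this hunk), rather than as a prerequisite, because the wiki is generated from the inventory that target produces. The hint `browse with: zk list --interactive` also appears to assume the current directory is the notebook; `cd data/generated/wiki && zk list --interactive` would be unambiguous.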
diff --git a/data/generated/wiki/categories/analyze-documents-general.md b/data/generated/wiki/categories/analyze-documents-general.md new file mode 100644 index 0000000..5384d15 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-general.md @@ -0,0 +1,10 @@ +# Analyze Documents > General + +**1 tools** in this category. + +## Tools + +### Standard +- [[tools/tesseract-ocr|tesseract-ocr]] — Examine images to identify and extract text using optical ch + +#analyze-documents-general #category diff --git a/data/generated/wiki/categories/analyze-documents-microsoft-office.md b/data/generated/wiki/categories/analyze-documents-microsoft-office.md new file mode 100644 index 0000000..a0bf5f8 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-microsoft-office.md 
@@ -0,0 +1,27 @@ +# Analyze Documents > Microsoft Office + +**16 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/xlmmacrodeobfuscator|XLMMacroDeobfuscator]] — Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sh +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V +- [[tools/olevba|olevba]] — Extract and analyze VBA macros from Office documents with de +- [[tools/pcode2code|pcode2code]] — Decompile VBA p-code from Office documents — works even when +- [[tools/rtfdump|rtfdump.py]] — Analyze RTF file structure, identify hex-encoded groups and +- [[tools/zipdump|zipdump.py]] — Parse and analyze ZIP archive structure + +### Standard +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/olefile|olefile]] — Python package to parse, read and write MS OLE2 files. +- [[tools/onedump|onedump.py]] — Extract and analyze embedded files from OneNote documents. +- [[tools/pcodedmp|pcodedmp]] — Disassemble VBA p-code. +- [[tools/ssview|ssview]] — Analyze OLE2 Structured Storage files. +- [[tools/xmldump|xmldump.py]] — Extract contents of XML files, in particular OOXML-formatted + +#analyze-documents-microsoft-office #category diff --git a/data/generated/wiki/categories/analyze-documents-pdf.md b/data/generated/wiki/categories/analyze-documents-pdf.md new file mode 100644 index 0000000..99c76b0 --- /dev/null +++ b/data/generated/wiki/categories/analyze-documents-pdf.md 
@@ -0,0 +1,19 @@ +# Analyze Documents > PDF + +**8 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates +- [[tools/peepdf|peepdf]] — Interactive PDF analysis framework with JavaScript detection +- [[tools/qpdf|qpdf]] — Decrypt, linearize, and transform PDF files — useful for rem + +### Standard +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. + +#analyze-documents-pdf #category diff --git a/data/generated/wiki/categories/dotnet-analysis.md b/data/generated/wiki/categories/dotnet-analysis.md new file mode 100644 index 0000000..1a75f57 --- /dev/null +++ b/data/generated/wiki/categories/dotnet-analysis.md @@ -0,0 +1,10 @@ +# dotnet-analysis + +**1 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ilspycmd|ilspycmd]] — Command-line .NET decompiler (CLI version of ILSpy) + +#dotnet-analysis #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md new file mode 100644 index 0000000..beeaf9f --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-general.md 
@@ -0,0 +1,12 @@ +# Dynamically Reverse-Engineer Code > General + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin +- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework + +#dynamically-reverse-engineer-code-general #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md new file mode 100644 index 0000000..655b8a7 --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-scripts.md @@ -0,0 +1,16 @@ +# Dynamically Reverse-Engineer Code > Scripts + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat + +### Standard +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. + +#dynamically-reverse-engineer-code-scripts #category diff --git a/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md b/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md new file mode 100644 index 0000000..993efec --- /dev/null +++ b/data/generated/wiki/categories/dynamically-reverse-engineer-code-shellcode.md 
@@ -0,0 +1,16 @@ +# Dynamically Reverse-Engineer Code > Shellcode + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi + +### Standard +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +#dynamically-reverse-engineer-code-shellcode #category diff --git a/data/generated/wiki/categories/examine-static-properties-deobfuscation.md b/data/generated/wiki/categories/examine-static-properties-deobfuscation.md new file mode 100644 index 0000000..ef6f17b --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-deobfuscation.md 
@@ -0,0 +1,39 @@ +# Examine Static Properties > Deobfuscation + +**28 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/cyberchef|CyberChef]] — Web-based data transformation tool — decode Base64, XOR, hex +- [[tools/floss|FLOSS]] — Automatically extract obfuscated strings from malware using +- [[tools/malchive|Malchive]] — Multi-purpose malware analysis library — config extraction, +- [[tools/xorsearch|XORSearch]] — Search for XOR/ROL/ROT/SHIFT-encoded patterns including shel +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/cs-analyze-processdump|cs-analyze-processdump.py]] — Analyze Cobalt Strike beacon process dumps for sleep mask en +- [[tools/cs-decrypt-metadata|cs-decrypt-metadata.py]] — Decrypt Cobalt Strike beacon metadata from network captures +- [[tools/cs-extract-key|cs-extract-key.py]] — Extract AES and HMAC encryption keys from Cobalt Strike beac +- [[tools/dc3-mwcp|dc3-mwcp]] — DC3 Malware Configuration Parser — extract C2 configs from k +- [[tools/strdeob|strdeob.pl]] — Automatically decode stack-built strings from disassembled m +- [[tools/translate|translate.py]] — Transform data using Python expressions (XOR, ADD, etc.) +- [[tools/xortool|xortool]] — Analyze XOR-encoded data — guess key length and probable key + +### Standard +- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons. +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to +- [[tools/cut-bytes|cut-bytes.py]] — Cut out a part of a data stream. 
+- [[tools/ex-pe-xor|ex-pe-xor]] — Search an XOR'ed file for indications of executable bin +- [[tools/format-bytes|format-bytes.py]] — Decompose structured binary data with format strings. +- [[tools/hex-to-bin|hex-to-bin.py]] — Convert hexadecimal text dumps to binary data. +- [[tools/nomorexor|nomorexor]] — Help guess a file's 256-byte XOR by using frequency ana +- [[tools/sets|sets.py]] — Perform set operations on lines or bytes in text files. +- [[tools/unicode|unicode]] — Display Unicode character properties. +- [[tools/unxor|unxor]] — Deobfuscate XOR'ed files. +- [[tools/xor-kpa|xor-kpa.py]] — Implement a XOR known plaintext attack. +- [[tools/xorbruteforcer|xorbruteforcer]] — Bruteforce an XOR-encoded file. +- [[tools/xorstrings|xorstrings]] — Search for XOR encoded strings in a file. + +#examine-static-properties-deobfuscation #category diff --git a/data/generated/wiki/categories/examine-static-properties-general.md b/data/generated/wiki/categories/examine-static-properties-general.md new file mode 100644 index 0000000..e3e1dca --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-general.md 
@@ -0,0 +1,39 @@ +# Examine Static Properties > General + +**28 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab +- [[tools/exiftool|exiftool]] — Extract metadata from files (PDF, images, documents, executa +- [[tools/file|file]] — Determine file type and MIME type using magic bytes +- [[tools/numbers-to-string|numbers-to-string.py]] — Convert sequences of decimal numbers to readable characters +- [[tools/ssdeep|ssdeep]] — Compute fuzzy hashes (CTPH) for finding similar files — usef +- [[tools/strings|strings]] — Extract printable ASCII and Unicode strings from binary file +- [[tools/trid|trid]] — Identify file type by scanning binary signatures database +- [[tools/yara|yara]] — Pattern matching tool for identifying and classifying malwar + +### Standard +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/hachoir|Hachoir]] — View, edit, and carve contents of various binary file types. +- [[tools/hash-id|Hash ID]] — Identify different types of hashes. +- [[tools/malcat-lite|Malcat Lite]] — Analyze binary files using a hex editor, disassembler, and f +- [[tools/sleuth-kit|Sleuth Kit]] — Analyze disk images and recover files from them. +- [[tools/yara-forge-rules|YARA-Forge Rules]] — Scan files with curated YARA rules from 45+ sources for malw +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. +- [[tools/droidlysis|droidlysis]] — Perform static analysis of Android applications. +- [[tools/file-magic|file-magic.py]] — Identify file types using the Python magic module. 
+- [[tools/lief|lief]] — Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and D +- [[tools/magika|magika]] — Identify file type using signatures. +- [[tools/msitools|msitools]] — Create, inspect and extract Windows Installer (. +- [[tools/name-that-hash|name-that-hash]] — Identify dfferent types of hashes. +- [[tools/re-search|re-search.py]] — Search the file for built-in regular expressions of common s +- [[tools/signsrch|signsrch]] — Find patterns of common encryption, compression, or encoding +- [[tools/thefuzz|thefuzz]] — Fuzzy String Matching in Python. +- [[tools/wxhexeditor|wxhexeditor]] — Hex editor. + +#examine-static-properties-general #category diff --git a/data/generated/wiki/categories/examine-static-properties-go.md b/data/generated/wiki/categories/examine-static-properties-go.md new file mode 100644 index 0000000..ee4d278 --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-go.md @@ -0,0 +1,11 @@ +# Examine Static Properties > Go + +**2 tools** in this category. + +## Tools + +### Standard +- [[tools/goresym|goresym]] — Extract metadata and symbols from Go binaries, including str +- [[tools/redress|redress]] — Analyze stripped Go binaries to recover symbols, types, sour + +#examine-static-properties-go #category diff --git a/data/generated/wiki/categories/examine-static-properties-net.md b/data/generated/wiki/categories/examine-static-properties-net.md new file mode 100644 index 0000000..3fc944c --- /dev/null +++ b/data/generated/wiki/categories/examine-static-properties-net.md @@ -0,0 +1,12 @@ +# Examine Static Properties > .NET + +**3 tools** in this category. + +## Tools + +### Standard +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net #category 
diff --git a/data/generated/wiki/categories/explore-network-interactions-connecting.md b/data/generated/wiki/categories/explore-network-interactions-connecting.md new file mode 100644 index 0000000..b1e5e38 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-connecting.md @@ -0,0 +1,20 @@ +# Explore Network Interactions > Connecting + +**9 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites +- [[tools/unfurl|Unfurl]] — Deconstruct and decode URLs — reveal tracking parameters, en +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +### Standard +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/tor|tor]] — Obfuscate your origins by routing traffic through a network +- [[tools/zbarimg|zbarimg]] — Decode QR codes and barcodes from image files. + +#explore-network-interactions-connecting #category diff --git a/data/generated/wiki/categories/explore-network-interactions-monitoring.md b/data/generated/wiki/categories/explore-network-interactions-monitoring.md new file mode 100644 index 0000000..cb2bc23 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-monitoring.md 
@@ -0,0 +1,23 @@ +# Explore Network Interactions > Monitoring + +**12 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/wireshark|Wireshark]] — GUI network protocol analyzer for capturing and inspecting p +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as +- [[tools/tcpdump|tcpdump]] — Command-line packet capture tool +- [[tools/tcpflow|tcpflow]] — Extract and reassemble TCP streams from PCAP files into indi +- [[tools/tcpxtract|tcpxtract]] — Carve files from network traffic using file signatures +- [[tools/tshark|tshark]] — Command-line interface to Wireshark for packet capture and a + +### Standard +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/tcpick|tcpick]] — Capture and analyze network traffic with this command-line s + +#explore-network-interactions-monitoring #category diff --git a/data/generated/wiki/categories/explore-network-interactions-services.md b/data/generated/wiki/categories/explore-network-interactions-services.md new file mode 100644 index 0000000..50e5f82 --- /dev/null +++ b/data/generated/wiki/categories/explore-network-interactions-services.md 
@@ -0,0 +1,19 @@ +# Explore Network Interactions > Services + +**8 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +### Standard +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/inspircd|inspircd]] — Examine IRC activity with this IRC server. +- [[tools/nginx|nginx]] — Web server. + +#explore-network-interactions-services #category diff --git a/data/generated/wiki/categories/gather-and-analyze-data.md b/data/generated/wiki/categories/gather-and-analyze-data.md new file mode 100644 index 0000000..8e67899 --- /dev/null +++ b/data/generated/wiki/categories/gather-and-analyze-data.md 
@@ -0,0 +1,24 @@ +# Gather and Analyze Data + +**13 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +### Standard +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/nsrllookup|nsrllookup]] — Look up MD5 file hashes in the NIST National Software Refere +- [[tools/pdnstool|pdnstool]] — Query passive DNS databases for DNS data. +- [[tools/scalpel|scalpel]] — Carve contents out of binary files, such as partitions. +- [[tools/time-decode|time-decode]] — Decode and encode date and timestamps. +- [[tools/virustotal-search|virustotal-search]] — Search VirusTotal for file hashes. +- [[tools/virustotal-submit|virustotal-submit]] — Submit files to VirusTotal. +- [[tools/yara-x|yara-x]] — Scan files using YARA rules, the next generation of YARA wri + +#gather-and-analyze-data #category diff --git a/data/generated/wiki/categories/general-utilities.md b/data/generated/wiki/categories/general-utilities.md new file mode 100644 index 0000000..13c4ae2 --- /dev/null +++ b/data/generated/wiki/categories/general-utilities.md 
@@ -0,0 +1,28 @@ +# General Utilities + +**17 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/rar|rar]] — Extract RAR archives (including self-extracting RAR payloads +- [[tools/unzip|unzip]] — Extract ZIP archives containing malware samples + +### Standard +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/remnux-installer|REMnux Installer]] — Install and update the REMnux distro. +- [[tools/sqlite|SQLite]] — Manage and interact with SQL database files. +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. +- [[tools/myip|myip]] — Determine the IP address of the default network interface. +- [[tools/myjson-filter|myjson-filter.py]] — Filter data formatted using the JSON format used by Didier S +- [[tools/nasm|nasm]] — An x86-64 assembler. +- [[tools/nautilus|nautilus]] — Graphical file manager. +- [[tools/openssh|openssh]] — Initiate and receive SSH and SFTP connections. +- [[tools/sortcanon|sortcanon.py]] — Sort text files using canonicalization functions built into +- [[tools/texteditor|texteditor.py]] — Edit text files from the command line using search-and-repla + +#general-utilities #category diff --git a/data/generated/wiki/categories/investigate-system-interactions.md b/data/generated/wiki/categories/investigate-system-interactions.md new file mode 100644 index 0000000..6a542bc --- /dev/null +++ b/data/generated/wiki/categories/investigate-system-interactions.md 
@@ -0,0 +1,14 @@ +# Investigate System Interactions + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh + +### Standard +- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system. +- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst + +#investigate-system-interactions #category diff --git a/data/generated/wiki/categories/network-analysis.md b/data/generated/wiki/categories/network-analysis.md new file mode 100644 index 0000000..2940557 --- /dev/null +++ b/data/generated/wiki/categories/network-analysis.md @@ -0,0 +1,12 @@ +# network-analysis + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution +- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network + +#network-analysis #category diff --git a/data/generated/wiki/categories/perform-memory-forensics.md b/data/generated/wiki/categories/perform-memory-forensics.md new file mode 100644 index 0000000..f44db69 --- /dev/null +++ b/data/generated/wiki/categories/perform-memory-forensics.md @@ -0,0 +1,14 @@ +# Perform Memory Forensics + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa + +### Standard +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image. + +#perform-memory-forensics #category diff --git a/data/generated/wiki/categories/static-analysis-pe.md b/data/generated/wiki/categories/static-analysis-pe.md new file mode 100644 index 0000000..f9f44ff --- /dev/null 
+++ b/data/generated/wiki/categories/static-analysis-pe.md @@ -0,0 +1,11 @@ +# static-analysis-pe + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/peframe|peframe]] — Static analysis of PE files — extract properties, detect ano +- [[tools/pestr|pestr]] — Extract ASCII and Unicode strings from PE files + +#static-analysis-pe #category diff --git a/data/generated/wiki/categories/statically-analyze-code-android.md b/data/generated/wiki/categories/statically-analyze-code-android.md new file mode 100644 index 0000000..e33361e --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-android.md @@ -0,0 +1,18 @@ +# Statically Analyze Code > Android + +**7 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/jadx|jadx]] — Decompile Android DEX/APK to Java source code with a GUI or + +### Standard +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' +- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files. + +#statically-analyze-code-android #category diff --git a/data/generated/wiki/categories/statically-analyze-code-general.md b/data/generated/wiki/categories/statically-analyze-code-general.md new file mode 100644 index 0000000..9fda376 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-general.md 
@@ -0,0 +1,16 @@ +# Statically Analyze Code > General + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, + +### Standard +- [[tools/objdump|objdump]] — Disassemble binary files. + +#statically-analyze-code-general #category diff --git a/data/generated/wiki/categories/statically-analyze-code-java.md b/data/generated/wiki/categories/statically-analyze-code-java.md new file mode 100644 index 0000000..30db026 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-java.md @@ -0,0 +1,16 @@ +# Statically Analyze Code > Java + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including + +### Standard +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/procyon|Procyon]] — Java decompiler. +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. + +#statically-analyze-code-java #category diff --git a/data/generated/wiki/categories/statically-analyze-code-net.md b/data/generated/wiki/categories/statically-analyze-code-net.md new file mode 100644 index 0000000..8dbb650 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-net.md 
@@ -0,0 +1,11 @@ +# Statically Analyze Code > .NET + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil +- [[tools/de4dot|de4dot]] — .NET deobfuscator — remove obfuscation from .NET assemblies + +#statically-analyze-code-net #category diff --git a/data/generated/wiki/categories/statically-analyze-code-pe-files.md b/data/generated/wiki/categories/statically-analyze-code-pe-files.md new file mode 100644 index 0000000..47195a5 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-pe-files.md @@ -0,0 +1,15 @@ +# Statically Analyze Code > PE Files + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw + +### Standard +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal + +#statically-analyze-code-pe-files #category diff --git a/data/generated/wiki/categories/statically-analyze-code-python.md b/data/generated/wiki/categories/statically-analyze-code-python.md new file mode 100644 index 0000000..c136a8f --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-python.md 
@@ -0,0 +1,15 @@ +# Statically Analyze Code > Python + +**4 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +### Standard +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. + +#statically-analyze-code-python #category diff --git a/data/generated/wiki/categories/statically-analyze-code-scripts.md b/data/generated/wiki/categories/statically-analyze-code-scripts.md new file mode 100644 index 0000000..6b965e6 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-scripts.md @@ -0,0 +1,14 @@ +# Statically Analyze Code > Scripts + +**3 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili + +### Standard +- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries. +- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE). + +#statically-analyze-code-scripts #category diff --git a/data/generated/wiki/categories/statically-analyze-code-unpacking.md b/data/generated/wiki/categories/statically-analyze-code-unpacking.md new file mode 100644 index 0000000..b9cd9b8 --- /dev/null +++ b/data/generated/wiki/categories/statically-analyze-code-unpacking.md @@ -0,0 +1,11 @@ +# Statically Analyze Code > Unpacking + +**2 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/bytehist|Bytehist]] — Generate byte-usage histograms to visually identify packed o +- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P + +#statically-analyze-code-unpacking #category 
diff --git a/data/generated/wiki/categories/string-deobfuscation.md b/data/generated/wiki/categories/string-deobfuscation.md new file mode 100644 index 0000000..d58e79e --- /dev/null +++ b/data/generated/wiki/categories/string-deobfuscation.md @@ -0,0 +1,10 @@ +# string-deobfuscation + +**1 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/bbcrack|bbcrack]] — Detect and decode strings obfuscated with XOR, ROL, and ADD + +#string-deobfuscation #category diff --git a/data/generated/wiki/categories/use-artificial-intelligence.md b/data/generated/wiki/categories/use-artificial-intelligence.md new file mode 100644 index 0000000..dc6fec6 --- /dev/null +++ b/data/generated/wiki/categories/use-artificial-intelligence.md @@ -0,0 +1,12 @@ +# Use Artificial Intelligence + +**3 tools** in this category. + +## Tools + +### Standard +- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra. +- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal. +- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via + +#use-artificial-intelligence #category diff --git a/data/generated/wiki/categories/utilities.md b/data/generated/wiki/categories/utilities.md new file mode 100644 index 0000000..11a986e --- /dev/null +++ b/data/generated/wiki/categories/utilities.md @@ -0,0 +1,14 @@ +# utilities + +**5 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +#utilities #category 
diff --git a/data/generated/wiki/categories/view-or-edit-files.md b/data/generated/wiki/categories/view-or-edit-files.md new file mode 100644 index 0000000..ed46f2e --- /dev/null +++ b/data/generated/wiki/categories/view-or-edit-files.md @@ -0,0 +1,18 @@ +# View or Edit Files + +**7 tools** in this category. + +## Tools + +### Rich (FOR610) +- [[tools/visual-studio-code|Visual Studio Code]] — Code editor used for viewing decompiled output, scripts, and +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d + +### Standard +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files #category diff --git a/data/generated/wiki/index.md b/data/generated/wiki/index.md new file mode 100644 index 0000000..79173e9 --- /dev/null +++ b/data/generated/wiki/index.md 
@@ -0,0 +1,102 @@ +# REMnux Analysis Wiki + +> 397 tools | 15 workflows | 27 recipes + +## Browse by Category + +- [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] (4 tools) +- [[categories/analyze-documents-general|Analyze Documents > General]] (1 tools) +- [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] (16 tools) +- [[categories/analyze-documents-pdf|Analyze Documents > PDF]] (8 tools) +- [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] (3 tools) +- [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] (5 tools) +- [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] (5 tools) +- [[categories/examine-static-properties-net|Examine Static Properties > .NET]] (3 tools) +- [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] (28 tools) +- [[categories/examine-static-properties-general|Examine Static Properties > General]] (28 tools) +- [[categories/examine-static-properties-go|Examine Static Properties > Go]] (2 tools) +- [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] (9 tools) +- [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] (12 tools) +- [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] (8 tools) +- [[categories/gather-and-analyze-data|Gather and Analyze Data]] (13 tools) +- [[categories/general-utilities|General Utilities]] (17 tools) +- [[categories/investigate-system-interactions|Investigate System Interactions]] (3 tools) +- [[categories/perform-memory-forensics|Perform Memory Forensics]] (3 tools) +- [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] (2 tools) +- [[categories/statically-analyze-code-android|Statically Analyze Code > 
Android]] (7 tools) +- [[categories/statically-analyze-code-general|Statically Analyze Code > General]] (5 tools) +- [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] (5 tools) +- [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] (4 tools) +- [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] (4 tools) +- [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] (3 tools) +- [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] (2 tools) +- [[categories/use-artificial-intelligence|Use Artificial Intelligence]] (3 tools) +- [[categories/view-or-edit-files|View or Edit Files]] (7 tools) +- [[categories/dotnet-analysis|dotnet-analysis]] (1 tools) +- [[categories/network-analysis|network-analysis]] (3 tools) +- [[categories/static-analysis-pe|static-analysis-pe]] (2 tools) +- [[categories/string-deobfuscation|string-deobfuscation]] (1 tools) +- [[categories/utilities|utilities]] (5 tools) + +## Workflows + +- [[workflows/static-analysis-workflow|Static Properties Analysis]] +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] +- [[workflows/network-interception-workflow|Network Traffic Interception]] +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] +- [[workflows/code-injection-workflow|Code Injection Analysis]] +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] +- [[workflows/memory-forensics-workflow|Memory Forensics]] +- [[workflows/android-analysis-workflow|Android Malware Analysis]] +- [[workflows/java-analysis-workflow|Java Malware Analysis]] +- [[workflows/email-analysis-workflow|Email & Phishing 
Analysis]] +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] + +## Recipes + +- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]] +- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]] +- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]] +- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] +- [[recipes/password-protected-office|Decrypt Password-Protected Office Document]] +- [[recipes/excel-xlm-macros|Deobfuscate Excel 4.0 (XLM) Macros]] +- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]] +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]] +- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]] +- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]] +- [[recipes/js-null-byte-cleanup|Clean Null Bytes from UTF-16 JavaScript]] +- [[recipes/shellcode-emulate-with-offset|Emulate Shellcode at Specific Offset]] +- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]] +- [[recipes/shellcode-to-exe|Convert Shellcode to Executable]] +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] +- [[recipes/stack-string-extraction|Extract Stack-Built Strings]] +- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]] +- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]] +- [[recipes/capa-capability-filter|Filter Capabilities by Technique]] +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] +- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]] +- [[recipes/apk-quick-triage|Quick APK Triage]] +- 
[[recipes/email-attachment-extraction|Extract and Triage Email Attachments]] + +## Quick Access + +```bash +# Browse interactively +zk list --interactive + +# Search by tag +zk list --tag pdf + +# Find what links to a tool +zk list --mention pdfid +``` + +#index #wiki diff --git a/data/generated/wiki/recipes/apk-quick-triage.md b/data/generated/wiki/recipes/apk-quick-triage.md new file mode 100644 index 0000000..7df3a6e --- /dev/null +++ b/data/generated/wiki/recipes/apk-quick-triage.md @@ -0,0 +1,18 @@ +# Quick APK Triage +> Fast initial assessment of a suspicious Android app + +**Tools:** [[tools/apkid|apkid]], [[tools/apktool|apktool]], [[tools/jadx|jadx]] + +## Commands +```bash +# Check for packers/obfuscators +apkid +# Decompile to smali + resources +apktool d -o output/ +# Check permissions +grep 'uses-permission' output/AndroidManifest.xml +# Decompile to Java source +jadx -d src/ +``` + +#recipe #apkid #apktool #jadx diff --git a/data/generated/wiki/recipes/base64-xor-shellcode.md b/data/generated/wiki/recipes/base64-xor-shellcode.md new file mode 100644 index 0000000..cbd637d --- /dev/null +++ b/data/generated/wiki/recipes/base64-xor-shellcode.md @@ -0,0 +1,15 @@ +# Decode Base64 + XOR Shellcode +> Extract shellcode encoded as Base64 with an XOR key + +**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Find Base64 strings +base64dump.py -n 10 +# Decode Base64, then XOR with key +base64dump.py -s -d | translate.py 'byte ^ ' > shellcode.bin +``` + +#recipe #base64dump-py #translate-py diff --git a/data/generated/wiki/recipes/capa-capability-filter.md b/data/generated/wiki/recipes/capa-capability-filter.md new file mode 100644 index 0000000..9473069 --- /dev/null +++ b/data/generated/wiki/recipes/capa-capability-filter.md 
@@ -0,0 +1,19 @@ +# Filter Capabilities by Technique +> Find specific capabilities in capa output + +**Tools:** [[tools/capa|capa]] +**FOR610 Lab:** 1.4, 5.4 + +## Commands +```bash +# Full capabilities report +capa +# Verbose with rule matches +capa -vv +# Filter for specific technique +capa -vv | grep -A7 '' +# Find injection-related capabilities +capa -vv | grep -A7 'inject\|hollow\|suspend' +``` + +#recipe #capa diff --git a/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md b/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md new file mode 100644 index 0000000..6ff8f79 --- /dev/null +++ b/data/generated/wiki/recipes/cobalt-strike-beacon-parse.md @@ -0,0 +1,15 @@ +# Parse Cobalt Strike Beacon Configuration +> Extract C2 config from a Cobalt Strike beacon or shellcode + +**Tools:** [[tools/1768-py|1768-py]], [[tools/yara|yara]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Scan with YARA for CS signatures +yara-rules +# Extract beacon configuration +1768.py +``` + +#recipe #1768-py #yara diff --git a/data/generated/wiki/recipes/cyberchef-xor-decode.md b/data/generated/wiki/recipes/cyberchef-xor-decode.md new file mode 100644 index 0000000..0a0e16e --- /dev/null +++ b/data/generated/wiki/recipes/cyberchef-xor-decode.md @@ -0,0 +1,14 @@ +# Visual XOR/Base64 Decode with CyberChef +> Use CyberChef's recipe builder for multi-step decoding + +**Tools:** [[tools/cyberchef|cyberchef]] + +## Commands +```bash +# Launch CyberChef +cyberchef +# Common recipe: From Hex → XOR (key) → extract strings +# Common recipe: From Base64 → Decode text UTF-16LE +``` + +#recipe #cyberchef diff --git a/data/generated/wiki/recipes/dns-interception-setup.md b/data/generated/wiki/recipes/dns-interception-setup.md new file mode 100644 index 0000000..ba0cf45 --- /dev/null +++ b/data/generated/wiki/recipes/dns-interception-setup.md 
@@ -0,0 +1,19 @@ +# Set Up DNS + HTTP Interception +> Redirect all malware DNS queries and serve fake HTTP responses + +**Tools:** [[tools/fakedns|fakedns]], [[tools/httpd|httpd]], [[tools/inetsim|inetsim]] + +## Commands +```bash +# Option A: Simple DNS + HTTP +fakedns & +httpd & +# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP) +inetsim +# Verify DNS is working +nslookup anything.com +# Redirect hardcoded IPs too +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT +``` + +#recipe #fakedns #httpd #inetsim diff --git a/data/generated/wiki/recipes/dotnet-decompile-cli.md b/data/generated/wiki/recipes/dotnet-decompile-cli.md new file mode 100644 index 0000000..bc083a5 --- /dev/null +++ b/data/generated/wiki/recipes/dotnet-decompile-cli.md @@ -0,0 +1,18 @@ +# Decompile .NET on Command Line +> Decompile a .NET assembly to C# source on REMnux + +**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/de4dot|de4dot]] +**FOR610 Lab:** 4.8 + +## Commands +```bash +# Decompile to C# source +ilspycmd > source.cs +# Search for suspicious patterns +grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs +# If obfuscated, deobfuscate first +de4dot +ilspycmd > source_clean.cs +``` + +#recipe #ilspycmd #de4dot diff --git a/data/generated/wiki/recipes/email-attachment-extraction.md b/data/generated/wiki/recipes/email-attachment-extraction.md new file mode 100644 index 0000000..422d2d1 --- /dev/null +++ b/data/generated/wiki/recipes/email-attachment-extraction.md @@ -0,0 +1,18 @@ +# Extract and Triage Email Attachments +> Pull attachments from an email and identify their types + +**Tools:** [[tools/emldump-py|emldump-py]], [[tools/file|file]], [[tools/sha256sum|sha256sum]] + +## Commands +```bash +# List email structure +emldump.py +# Extract all attachments +emldump.py -d +# Identify file types +file attachment_* +# Compute hashes for lookup +sha256sum attachment_* +``` + +#recipe #emldump-py #file #sha256sum 
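Review bot: The `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT` line under `# Redirect hardcoded IPs too` has no protocol or port match, so every connection arriving on eth0 is rewritten to the analysis box, and the page gives no teardown. That is the intended behaviour only when eth0 is the isolated lab interface the sample talks to; on a host with an external NIC the same line silently hijacks all inbound traffic. I would put a comment above it, `# Isolated analysis-VM interface only (needs root); undo with: iptables -t nat -D PREROUTING -i eth0 -j REDIRECT`, and say the same about `fakedns &`/`httpd &`, which need privileges to bind 53/80. Option A and Option B are alternatives, not a set — presumably both bind the DNS port — so a line such as `# Run either A or B, not both` would save the next reader a port clash.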
diff --git a/data/generated/wiki/recipes/excel-xlm-macros.md b/data/generated/wiki/recipes/excel-xlm-macros.md
new file mode 100644
index 0000000..e6897bf
--- /dev/null
+++ b/data/generated/wiki/recipes/excel-xlm-macros.md
@@ -0,0 +1,12 @@
+# Deobfuscate Excel 4.0 (XLM) Macros
+> Extract and decode legacy Excel macros hidden in sheets
+
+**Tools:** [[tools/xlmmacrodeobfuscator|xlmmacrodeobfuscator]]
+
+## Commands
+```bash
+# Deobfuscate XLM macros
+xlmdeobfuscator --file
+```
+
+#recipe #xlmmacrodeobfuscator
diff --git a/data/generated/wiki/recipes/extract-base64-ps-from-vba.md b/data/generated/wiki/recipes/extract-base64-ps-from-vba.md
new file mode 100644
index 0000000..b44b781
--- /dev/null
+++ b/data/generated/wiki/recipes/extract-base64-ps-from-vba.md
@@ -0,0 +1,19 @@
+# Extract Base64 PowerShell from Office Macro
+> Get encoded PowerShell payload hidden in a VBA UserForm stream
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# List streams — find macro (M) and data streams
+oledump.py
+# Extract VBA source to understand what the macro does
+oledump.py -s -v
+# Scan data stream for Base64 strings
+oledump.py -s -d | base64dump.py -n 10
+# Decode the longest Base64 hit to file
+oledump.py -s -d | base64dump.py -s 1 -d > payload.ps1
+```
+
+#recipe #oledump-py #base64dump-py
diff --git a/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md b/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md
new file mode 100644
index 0000000..91e87d0
--- /dev/null
+++ b/data/generated/wiki/recipes/js-deobfuscation-spidermonkey.md
@@ -0,0 +1,19 @@
+# Deobfuscate JavaScript with SpiderMonkey
+> Execute obfuscated JS safely using SpiderMonkey with API simulation
+
+**Tools:** [[tools/js-beautify|js-beautify]], [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 3.6, 3.7
+
+## Commands
+```bash
+# Beautify compressed JavaScript
+js-beautify > readable.js
+# Execute with objects.js to simulate browser/WScript APIs
+js -f /usr/share/remnux/objects.js -f > decoded.js
+# If script expects location.href, edit objects.js first:
+cp /usr/share/remnux/objects.js .
+# Edit objects.js to set: location = { href: 'http://expected-url' }
+js -f objects.js -f > decoded.js
+```
+
+#recipe #js-beautify #spidermonkey
diff --git a/data/generated/wiki/recipes/js-null-byte-cleanup.md b/data/generated/wiki/recipes/js-null-byte-cleanup.md
new file mode 100644
index 0000000..6c61d32
--- /dev/null
+++ b/data/generated/wiki/recipes/js-null-byte-cleanup.md
@@ -0,0 +1,19 @@
+# Clean Null Bytes from UTF-16 JavaScript
+> Remove null byte padding from UTF-16 encoded JavaScript before analysis
+
+**Tools:** [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 4.5
+
+## Commands
+```bash
+# Check for null bytes (look for 00 in hex)
+xxd | head -2
+# Remove null bytes
+cat | tr -d '\00' > clean.js
+# Then deobfuscate
+js -f /usr/share/remnux/objects.js -f clean.js > decoded.js
+# Beautify the result
+js-beautify decoded.js > final.js
+```
+
+#recipe #spidermonkey
diff --git a/data/generated/wiki/recipes/multi-stage-base64-gzip.md b/data/generated/wiki/recipes/multi-stage-base64-gzip.md
new file mode 100644
index 0000000..903c47c
--- /dev/null
+++ b/data/generated/wiki/recipes/multi-stage-base64-gzip.md
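Review bot: The description `> Execute obfuscated JS safely using SpiderMonkey with API simulation` promises more than the `js -f /usr/share/remnux/objects.js -f > decoded.js` step delivers: objects.js simulates WScript/browser objects, but the SpiderMonkey `js` shell is an ordinary interpreter rather than a sandbox, and a script that touches a property objects.js does not model will presumably throw or take a different branch than it would on the real host. I would reword the line to `> Run obfuscated JS in the SpiderMonkey shell with stubbed WScript/browser APIs (isolated analysis VM only; the shell is not a sandbox)` and add, above the first `js` line, `# Run only inside the isolated analysis VM; decoded.js is attacker output — review it before feeding it to any further stage`. The `cp /usr/share/remnux/objects.js .` step is also worth a comment saying the later `js -f objects.js` resolves the copy from the working directory, so readers do not edit the system-wide file.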
@@ -0,0 +1,15 @@ +# Decode Base64 + Gzip Payload +> Handle double-encoded payloads: Base64 wrapping gzip-compressed content + +**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Find Base64 strings in the script +base64dump.py -n 10 +# Decode Base64 and decompress gzip in one chain +base64dump.py -s -d | gunzip > decoded.ps1 +``` + +#recipe #base64dump-py #gunzip diff --git a/data/generated/wiki/recipes/office-full-decode-chain.md b/data/generated/wiki/recipes/office-full-decode-chain.md new file mode 100644 index 0000000..fbf3378 --- /dev/null +++ b/data/generated/wiki/recipes/office-full-decode-chain.md @@ -0,0 +1,22 @@ +# Full Office Macro Decode Chain +> Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode + +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]], [[tools/translate-py|translate-py]], [[tools/scdbgc|scdbgc]] +**FOR610 Lab:** 3.4 + +## Commands +```bash +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 +``` + +#recipe #oledump-py #base64dump-py #gunzip #translate-py #scdbgc diff --git a/data/generated/wiki/recipes/password-protected-office.md b/data/generated/wiki/recipes/password-protected-office.md new file mode 100644 index 0000000..bcc6048 --- /dev/null +++ b/data/generated/wiki/recipes/password-protected-office.md 
@@ -0,0 +1,12 @@
+# Decrypt Password-Protected Office Document
+> Remove password protection before analysis
+
+**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]]
+
+## Commands
+```bash
+# Common malware passwords: infected, malware, password, 123456
+msoffcrypto-tool -p infected
+```
+
+#recipe #msoffcrypto-tool
diff --git a/data/generated/wiki/recipes/pcap-file-carving.md b/data/generated/wiki/recipes/pcap-file-carving.md
new file mode 100644
index 0000000..4aaef10
--- /dev/null
+++ b/data/generated/wiki/recipes/pcap-file-carving.md
@@ -0,0 +1,16 @@
+# Extract Files from Network Capture
+> Carve downloaded payloads and exfiltrated data from PCAP
+
+**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/tcpflow|tcpflow]], [[tools/networkminer|networkminer]]
+
+## Commands
+```bash
+# Carve files using signatures
+tcpxtract -f -o carved/
+# Extract individual TCP streams
+tcpflow -r -o streams/
+# Or use NetworkMiner for automated extraction
+NetworkMiner --pcap
+```
+
+#recipe #tcpxtract #tcpflow #networkminer
diff --git a/data/generated/wiki/recipes/pdf-javascript-extraction.md b/data/generated/wiki/recipes/pdf-javascript-extraction.md
new file mode 100644
index 0000000..ab7546b
--- /dev/null
+++ b/data/generated/wiki/recipes/pdf-javascript-extraction.md
@@ -0,0 +1,16 @@
+# Extract JavaScript from PDF
+> Find and extract embedded JavaScript from a PDF file
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/peepdf|peepdf]]
+
+## Commands
+```bash
+# Check if PDF contains JavaScript
+pdfid.py
+# Find objects with JavaScript
+pdf-parser.py -s /JavaScript
+# Interactive analysis with peepdf
+peepdf -i
+```
+
+#recipe #pdfid-py #pdf-parser-py #peepdf
diff --git a/data/generated/wiki/recipes/pdf-object-extraction.md b/data/generated/wiki/recipes/pdf-object-extraction.md
new file mode 100644
index 0000000..ecbc4cf
--- /dev/null
+++ b/data/generated/wiki/recipes/pdf-object-extraction.md
@@ -0,0 +1,21 @@
+# Extract Embedded Object from PDF
+> Pull out an embedded image, JavaScript, or file from a PDF object
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/feh|feh]]
+**FOR610 Lab:** 3.1
+
+## Commands
+```bash
+# Scan for suspicious keywords
+pdfid.py
+# Find objects containing the keyword
+pdf-parser.py -s /URI
+# Extract all values for that keyword
+pdf-parser.py -k /URI
+# Dump a specific object to file
+pdf-parser.py -o -d extracted_object
+# View extracted image
+feh extracted_object &
+```
+
+#recipe #pdfid-py #pdf-parser-py #feh
diff --git a/data/generated/wiki/recipes/rtf-shellcode-extraction.md b/data/generated/wiki/recipes/rtf-shellcode-extraction.md
new file mode 100644
index 0000000..0dee9a1
--- /dev/null
+++ b/data/generated/wiki/recipes/rtf-shellcode-extraction.md
@@ -0,0 +1,19 @@
+# Extract Shellcode from RTF Document
+> Find and extract embedded shellcode from a malicious RTF file
+
+**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/xorsearch|xorsearch]], [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5
+
+## Commands
+```bash
+# Scan RTF structure — look for groups with lots of hex data
+rtfdump.py
+# Extract the hex-heavy group as binary
+rtfdump.py -s -H -d > extracted.bin
+# Scan for shellcode patterns (even XOR-encoded)
+XORSearch -W -d 3 extracted.bin
+# Emulate shellcode at found offset
+scdbgc /f extracted.bin /foff /s -1
+```
+
+#recipe #rtfdump-py #xorsearch #scdbgc
diff --git a/data/generated/wiki/recipes/shellcode-emulate-with-offset.md b/data/generated/wiki/recipes/shellcode-emulate-with-offset.md
new file mode 100644
index 0000000..944e8b4
--- /dev/null
+++ b/data/generated/wiki/recipes/shellcode-emulate-with-offset.md
@@ -0,0 +1,17 @@
+# Emulate Shellcode at Specific Offset
+> Run shellcode that starts at an offset within a larger binary
+
+**Tools:** [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5, 4.6
+
+## Commands
+```bash
+# Emulate from file start
+scdbgc /f /s -1
+# Emulate from specific offset (hex)
+scdbgc /f /foff /s -1
+# Emulate with a file handle pre-opened (for exploits)
+scdbgc /f /foff /fopen /s -1
+```
+
+#recipe #scdbgc
diff --git a/data/generated/wiki/recipes/shellcode-to-exe.md b/data/generated/wiki/recipes/shellcode-to-exe.md
new file mode 100644
index 0000000..dc70d87
--- /dev/null
+++ b/data/generated/wiki/recipes/shellcode-to-exe.md
@@ -0,0 +1,12 @@
+# Convert Shellcode to Executable
+> Wrap raw shellcode in a PE for analysis in disassemblers
+
+**Tools:** [[tools/shcode2exe|shcode2exe]]
+
+## Commands
+```bash
+# Convert 32-bit shellcode to EXE
+shcode2exe
+```
+
+#recipe #shcode2exe
diff --git a/data/generated/wiki/recipes/speakeasy-emulation-with-json.md b/data/generated/wiki/recipes/speakeasy-emulation-with-json.md
new file mode 100644
index 0000000..8ab7076
--- /dev/null
+++ b/data/generated/wiki/recipes/speakeasy-emulation-with-json.md
@@ -0,0 +1,17 @@
+# Emulate Malware and Extract API Calls
+> Emulate a Windows binary on Linux and analyze its API usage
+
+**Tools:** [[tools/speakeasy|speakeasy]], [[tools/jq|jq]]
+**FOR610 Lab:** 1.4
+
+## Commands
+```bash
+# Emulate and capture both JSON report and text log
+speakeasy -t -o report.json 2> report.txt
+# Extract all API names called
+jq '.entry_points[].apis[].api_name' report.json
+# Extract unique API names
+jq -r '.entry_points[].apis[].api_name' report.json | sort -u
+```
+
+#recipe #speakeasy #jq
diff --git a/data/generated/wiki/recipes/stack-string-extraction.md b/data/generated/wiki/recipes/stack-string-extraction.md
new file mode 100644
index 0000000..e85ae1a
--- /dev/null
+++ b/data/generated/wiki/recipes/stack-string-extraction.md
@@ -0,0 +1,17 @@ +# Extract Stack-Built Strings +> Decode strings assembled byte-by-byte on the stack + +**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]] +**FOR610 Lab:** 5.2 + +## Commands +```bash +# Automatic stack string recovery +strdeob.pl +# FLOSS automatic deobfuscation (static + stack + decoded) +floss +# FLOSS skip static strings, only show decoded +floss --no-static -- +``` + +#recipe #strdeob-pl #floss diff --git a/data/generated/wiki/recipes/vba-number-string-decode.md b/data/generated/wiki/recipes/vba-number-string-decode.md new file mode 100644 index 0000000..30b02ff --- /dev/null +++ b/data/generated/wiki/recipes/vba-number-string-decode.md @@ -0,0 +1,15 @@ +# Decode VBA Number Arrays to Strings +> Convert VBA macros that use Chr() number sequences into readable text + +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/numbers-to-string-py|numbers-to-string-py]] +**FOR610 Lab:** 3.3 + +## Commands +```bash +# Extract VBA and convert number sequences to text +oledump.py -s -v | numbers-to-string.py -j +# Same but with line-break formatting for readability +oledump.py -s -v | numbers-to-string.py -j | sed 's/;/;\n/g' +``` + +#recipe #oledump-py #numbers-to-string-py diff --git a/data/generated/wiki/recipes/vba-pcode-decompile.md b/data/generated/wiki/recipes/vba-pcode-decompile.md new file mode 100644 index 0000000..ecded77 --- /dev/null +++ b/data/generated/wiki/recipes/vba-pcode-decompile.md @@ -0,0 +1,14 @@ +# Recover VBA from p-code (source removed) +> Decompile VBA when source code has been stripped, only p-code remains + +**Tools:** [[tools/pcode2code|pcode2code]], [[tools/pcodedmp|pcodedmp]] + +## Commands +```bash +# Decompile p-code back to VBA source +pcode2code +# Or disassemble p-code to assembly +pcodedmp +``` + +#recipe #pcode2code #pcodedmp diff --git a/data/generated/wiki/recipes/volatility-quick-triage.md b/data/generated/wiki/recipes/volatility-quick-triage.md new file mode 100644 index 0000000..e0ab178 
--- /dev/null
+++ b/data/generated/wiki/recipes/volatility-quick-triage.md
@@ -0,0 +1,18 @@
+# Quick Memory Dump Triage
+> Fast initial assessment of a memory dump
+
+**Tools:** [[tools/volatility3|volatility3]]
+
+## Commands
+```bash
+# Identify OS
+vol3 -f windows.info
+# Process tree (spot anomalies)
+vol3 -f windows.pstree
+# Network connections
+vol3 -f windows.netscan
+# Injected code detection
+vol3 -f windows.malfind
+```
+
+#recipe #volatility3
diff --git a/data/generated/wiki/recipes/xor-key-brute-force.md b/data/generated/wiki/recipes/xor-key-brute-force.md
new file mode 100644
index 0000000..b38738b
--- /dev/null
+++ b/data/generated/wiki/recipes/xor-key-brute-force.md
@@ -0,0 +1,21 @@
+# Brute-Force XOR Key
+> Find the XOR key used to encode strings in a binary
+
+**Tools:** [[tools/brxor-py|brxor-py]], [[tools/bbcrack|bbcrack]], [[tools/xorsearch|xorsearch]], [[tools/xortool|xortool]]
+**FOR610 Lab:** 5.2
+
+## Commands
+```bash
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch http:
+# Brute-force single-byte XOR keys
+brxor.py
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1
+# Guess multi-byte XOR key length and value
+xortool
+# Decode with known key
+xortool-xor -s '' -i -o
+```
+
+#recipe #brxor-py #bbcrack #xorsearch #xortool
diff --git a/data/generated/wiki/tools/1768.md b/data/generated/wiki/tools/1768.md
new file mode 100644
index 0000000..0c7075a
--- /dev/null
+++ b/data/generated/wiki/tools/1768.md
@@ -0,0 +1,31 @@
+# 1768.py
+> Parse Cobalt Strike beacon configuration from shellcode or memory dumps
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+1768.py shellcode.bin
+```
+
+## Recipes
+- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 4: Framework Identification
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 2: Configuration Extraction
+
+## Related Tools
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4
+**Sections:** 3
+
+#cobalt-strike #beacon #c2-config #didier-stevens
diff --git a/data/generated/wiki/tools/7-zip.md b/data/generated/wiki/tools/7-zip.md
new file mode 100644
index 0000000..b8d43da
--- /dev/null
+++ b/data/generated/wiki/tools/7-zip.md
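Review bot: The recipe pages link this tool as `[[tools/1768-py|1768-py]]` (cobalt-strike-beacon-parse earlier in this patch), but the page created here is `tools/1768.md`, and the same mismatch appears between the recipes' `[[tools/base64dump-py|base64dump-py]]` and the `[[tools/base64dump|base64dump.py]]` entry in this page's Related Tools. Unless `tools/1768-py.md` and `tools/base64dump-py.md` are also emitted somewhere outside this chunk, the recipe links dangle and the `zk list --mention` backlink discovery the index page advertises will not connect a recipe to this page. The generator should derive one slug per tool and use it in both the recipe and tool emitters; the duplicate stub/real pairs such as `tools/7-zip.md` beside `tools/7zip.md` and `tools/android-project-creator.md` beside `tools/androidprojectcreator.md` look like the same inventory-normalisation gap.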
@@ -0,0 +1,14 @@
+# 7-Zip
+> Compress and decompress files using a variety of algorithms.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/7zip.md b/data/generated/wiki/tools/7zip.md
new file mode 100644
index 0000000..5a46feb
--- /dev/null
+++ b/data/generated/wiki/tools/7zip.md
@@ -0,0 +1,4 @@
+# 7zip
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/aeskeyfind.md b/data/generated/wiki/tools/aeskeyfind.md
new file mode 100644
index 0000000..2f4fc4b
--- /dev/null
+++ b/data/generated/wiki/tools/aeskeyfind.md
@@ -0,0 +1,4 @@
+# aeskeyfind
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/aeskeyfinder.md b/data/generated/wiki/tools/aeskeyfinder.md
new file mode 100644
index 0000000..63cb755
--- /dev/null
+++ b/data/generated/wiki/tools/aeskeyfinder.md
@@ -0,0 +1,11 @@
+# AESKeyFinder
+> Find 128-bit and 256-bit AES keys in a memory image.
+
+**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics)
+
+## Related Tools
+- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.
+- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa
+
+#perform-memory-forensics
diff --git a/data/generated/wiki/tools/androguard.md b/data/generated/wiki/tools/androguard.md
new file mode 100644
index 0000000..c92db73
--- /dev/null
+++ b/data/generated/wiki/tools/androguard.md
@@ -0,0 +1,24 @@
+# androguard
+> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+androguard analyze
+androguard decompile -o output/
+androgui.py
+```
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis
+
+## Related Tools
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android'
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #permissions #decompilation
diff --git a/data/generated/wiki/tools/android-project-creator.md b/data/generated/wiki/tools/android-project-creator.md
new file mode 100644
index 0000000..1806f7f
--- /dev/null
+++ b/data/generated/wiki/tools/android-project-creator.md
@@ -0,0 +1,4 @@
+# android-project-creator
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/androidprojectcreator.md b/data/generated/wiki/tools/androidprojectcreator.md
new file mode 100644
index 0000000..5bf7bd8
--- /dev/null
+++ b/data/generated/wiki/tools/androidprojectcreator.md
@@ -0,0 +1,14 @@
+# AndroidProjectCreator
+> Convert an Android APK application file into an Android Studio project for easier analysis.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android'
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
diff --git a/data/generated/wiki/tools/anomy.md b/data/generated/wiki/tools/anomy.md
new file mode 100644
index 0000000..5a52fd8
--- /dev/null
+++ b/data/generated/wiki/tools/anomy.md
@@ -0,0 +1,14 @@
+# anomy
+> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
diff --git a/data/generated/wiki/tools/apkid.md b/data/generated/wiki/tools/apkid.md
new file mode 100644
index 0000000..2a8afb5
--- /dev/null
+++ b/data/generated/wiki/tools/apkid.md
@@ -0,0 +1,20 @@
+# apkid
+> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android'
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
diff --git a/data/generated/wiki/tools/apktool.md b/data/generated/wiki/tools/apktool.md
new file mode 100644
index 0000000..c4bee7a
--- /dev/null
+++ b/data/generated/wiki/tools/apktool.md
@@ -0,0 +1,26 @@
+# apktool
+> Decompile and recompile Android APK files — extract resources, smali code, and manifest
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+apktool d -o output/
+apktool b output/ -o rebuilt.apk
+```
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 2: Manifest Analysis
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android'
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #decompilation #resources
diff --git a/data/generated/wiki/tools/apt-utils.md b/data/generated/wiki/tools/apt-utils.md
new file mode 100644
index 0000000..8158ec9
--- /dev/null
+++ b/data/generated/wiki/tools/apt-utils.md
@@ -0,0 +1,4 @@
+# apt-utils
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/archive-zip.md b/data/generated/wiki/tools/archive-zip.md
new file mode 100644
index 0000000..1e99bf7
--- /dev/null
+++ b/data/generated/wiki/tools/archive-zip.md
@@ -0,0 +1,4 @@
+# archive-zip
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/autoconf.md b/data/generated/wiki/tools/autoconf.md
new file mode 100644
index 0000000..ec52faa
--- /dev/null
+++ b/data/generated/wiki/tools/autoconf.md
@@ -0,0 +1,4 @@
+# autoconf
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/autoit-ripper.md b/data/generated/wiki/tools/autoit-ripper.md
new file mode 100644
index 0000000..9416324
--- /dev/null
+++ b/data/generated/wiki/tools/autoit-ripper.md
@@ -0,0 +1,11 @@
+# autoit-ripper
+> Extract AutoIt scripts embedded in PE binaries.
+
+**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts)
+
+## Related Tools
+- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE).
+- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili
+
+#statically-analyze-code-scripts
diff --git a/data/generated/wiki/tools/autologin.md b/data/generated/wiki/tools/autologin.md
new file mode 100644
index 0000000..48c3411
--- /dev/null
+++ b/data/generated/wiki/tools/autologin.md
@@ -0,0 +1,4 @@
+# autologin
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/automake.md b/data/generated/wiki/tools/automake.md
new file mode 100644
index 0000000..6482c90
--- /dev/null
+++ b/data/generated/wiki/tools/automake.md
@@ -0,0 +1,4 @@
+# automake
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/baksmali.md b/data/generated/wiki/tools/baksmali.md
new file mode 100644
index 0000000..d7db08d
--- /dev/null
+++ b/data/generated/wiki/tools/baksmali.md
@@ -0,0 +1,14 @@
+# baksmali
+> Disassembler for the dex format used by Dalvik, Android's Java VM implementation.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
diff --git a/data/generated/wiki/tools/balbuzard.md b/data/generated/wiki/tools/balbuzard.md
new file mode 100644
index 0000000..3f0218f
--- /dev/null
+++ b/data/generated/wiki/tools/balbuzard.md
@@ -0,0 +1,14 @@
+# balbuzard
+> Extract and deobfuscate patterns from suspicious files.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/base64dump.md b/data/generated/wiki/tools/base64dump.md
new file mode 100644
index 0000000..d8724b0
--- /dev/null
+++ b/data/generated/wiki/tools/base64dump.md
@@ -0,0 +1,34 @@
+# base64dump.py
+> Extract and decode Base64-encoded strings from files
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+base64dump.py file.txt
+base64dump.py file.ps1 -n 10
+base64dump.py file.ps1 -s 2 -d
+```
+
+## Recipes
+- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]]
+- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]]
+- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4, 4.5
+**Sections:** 3, 4
+
+#base64 #decoding #didier-stevens
diff --git a/data/generated/wiki/tools/bash-history.md b/data/generated/wiki/tools/bash-history.md
new file mode 100644
index 0000000..5fcd3ae
--- /dev/null
+++ b/data/generated/wiki/tools/bash-history.md
@@ -0,0 +1,4 @@
+# bash-history
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/bash-rc.md b/data/generated/wiki/tools/bash-rc.md
new file mode 100644
index 0000000..e1d01eb
--- /dev/null
+++ b/data/generated/wiki/tools/bash-rc.md
@@ -0,0 +1,4 @@
+# bash-rc
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/bbcrack.md b/data/generated/wiki/tools/bbcrack.md
new file mode 100644
index 0000000..b4d05e2
--- /dev/null
+++ b/data/generated/wiki/tools/bbcrack.md
@@ -0,0 +1,21 @@
+# bbcrack
+> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
+
+**Category:** [[categories/string-deobfuscation|string-deobfuscation]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+bbcrack -l 1 specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #rol #add #deobfuscation #balbuzard
diff --git a/data/generated/wiki/tools/bearparser.md b/data/generated/wiki/tools/bearparser.md
new file mode 100644
index 0000000..9b22f0c
--- /dev/null
+++ b/data/generated/wiki/tools/bearparser.md
@@ -0,0 +1,4 @@
+# bearparser
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/binee-binary-emulation-environment.md b/data/generated/wiki/tools/binee-binary-emulation-environment.md
new file mode 100644
index 0000000..2bb4b64
--- /dev/null
+++ b/data/generated/wiki/tools/binee-binary-emulation-environment.md
@@ -0,0 +1,12 @@
+# binee (Binary Emulation Environment)
+> Analyze I/O operations of a suspicious PE file by emulating its execution.
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Related Tools
+- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+#statically-analyze-code-pe-files
diff --git a/data/generated/wiki/tools/binee.md b/data/generated/wiki/tools/binee.md
new file mode 100644
index 0000000..6c31010
--- /dev/null
+++ b/data/generated/wiki/tools/binee.md
@@ -0,0 +1,4 @@
+# binee
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/binutils.md b/data/generated/wiki/tools/binutils.md
new file mode 100644
index 0000000..1294287
--- /dev/null
+++ b/data/generated/wiki/tools/binutils.md
@@ -0,0 +1,4 @@
+# binutils
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/binwalk.md b/data/generated/wiki/tools/binwalk.md
new file mode 100644
index 0000000..5a85356
--- /dev/null
+++ b/data/generated/wiki/tools/binwalk.md
@@ -0,0 +1,23 @@
+# binwalk
+> Analyze and extract embedded files and firmware images
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+binwalk firmware.bin
+binwalk -e firmware.bin
+```
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+## FOR610
+**Sections:** 1
+
+#firmware #extraction #embedded-files
diff --git a/data/generated/wiki/tools/box-js.md b/data/generated/wiki/tools/box-js.md
new file mode 100644
index 0000000..3960260
--- /dev/null
+++ b/data/generated/wiki/tools/box-js.md
@@ -0,0 +1,24 @@
+# box-js
+> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Usage
+```bash
+box-js --output-dir=/tmp suspicious.js
+```
+
+## Workflows
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis
+
+## Related Tools
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+## FOR610
+**Sections:** 3
+
+#javascript #sandbox #emulation
diff --git a/data/generated/wiki/tools/brxor.md b/data/generated/wiki/tools/brxor.md
new file mode 100644
index 0000000..b843203
--- /dev/null
+++ b/data/generated/wiki/tools/brxor.md
@@ -0,0 +1,29 @@
+# brxor.py
+> Brute-force XOR key detection for single-byte XOR-encoded strings
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+brxor.py specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #brute-force #deobfuscation
diff --git a/data/generated/wiki/tools/build-essential.md b/data/generated/wiki/tools/build-essential.md
new file mode 100644
index 0000000..fbcd1f6
--- /dev/null
+++ b/data/generated/wiki/tools/build-essential.md
@@ -0,0 +1,4 @@
+# build-essential
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/bulk-extractor.md b/data/generated/wiki/tools/bulk-extractor.md
new file mode 100644
index 0000000..aea5e96
--- /dev/null
+++ b/data/generated/wiki/tools/bulk-extractor.md
@@ -0,0 +1,14 @@
+# bulk-extractor
+> Extract interesting strings from binary files.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/bundler.md b/data/generated/wiki/tools/bundler.md
new file mode 100644
index 0000000..c8f77e7
--- /dev/null
+++ b/data/generated/wiki/tools/bundler.md
@@ -0,0 +1,4 @@
+# bundler
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/burp-suite-community-edition.md b/data/generated/wiki/tools/burp-suite-community-edition.md
new file mode 100644
index 0000000..9c30c73
--- /dev/null
+++ b/data/generated/wiki/tools/burp-suite-community-edition.md
@@ -0,0 +1,14 @@
+# Burp Suite Community Edition
+> Investigate website interactions using this web proxy.
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Related Tools
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as
+
+#explore-network-interactions-monitoring
diff --git a/data/generated/wiki/tools/burpsuite-community.md b/data/generated/wiki/tools/burpsuite-community.md
new file mode 100644
index 0000000..422b97a
--- /dev/null
+++ b/data/generated/wiki/tools/burpsuite-community.md
@@ -0,0 +1,4 @@
+# burpsuite-community
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/bytehist.md b/data/generated/wiki/tools/bytehist.md
new file mode 100644
index 0000000..2249abb
--- /dev/null
+++ b/data/generated/wiki/tools/bytehist.md
@@ -0,0 +1,18 @@
+# Bytehist
+> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
+
+**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking)
+
+## Usage
+```bash
+bytehist specimen.exe
+```
+
+## Related Tools
+- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P
+
+## FOR610
+**Sections:** 1, 4
+
+#pe #entropy #packing-detection #histogram
diff --git a/data/generated/wiki/tools/cabextract.md b/data/generated/wiki/tools/cabextract.md
new file mode 100644
index 0000000..65294f8
--- /dev/null
+++ b/data/generated/wiki/tools/cabextract.md
@@ -0,0 +1,14 @@
+# cabextract
+> Extract Microsoft cabinet (cab) files.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
diff --git a/data/generated/wiki/tools/capa.md b/data/generated/wiki/tools/capa.md
new file mode 100644
index 0000000..1ab66fa
--- /dev/null
+++ b/data/generated/wiki/tools/capa.md
@@ -0,0 +1,34 @@
+# capa
+> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Usage
+```bash
+capa specimen.exe
+capa -vv specimen.exe
+capa -vv specimen.exe | grep -A7 'Suspended Process'
+```
+
+## Recipes
+- [[recipes/capa-capability-filter|Filter Capabilities by Technique]]
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative)
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 1: Capability Detection
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection
+
+## Related Tools
+- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+## FOR610
+**Labs:** 1.4, 5.4
+**Sections:** 1, 5
+
+#capabilities #mitre-attack #automated-analysis
diff --git a/data/generated/wiki/tools/cast.md b/data/generated/wiki/tools/cast.md
new file mode 100644
index 0000000..4991aab
--- /dev/null
+++ b/data/generated/wiki/tools/cast.md
@@ -0,0 +1,14 @@
+# cast
+> Install and manage SaltStack-based Linux distributions.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
diff --git a/data/generated/wiki/tools/cffi.md b/data/generated/wiki/tools/cffi.md
new file mode 100644
index 0000000..3fa2d72
--- /dev/null
+++ b/data/generated/wiki/tools/cffi.md
@@ -0,0 +1,4 @@
+# cffi
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/cfr.md b/data/generated/wiki/tools/cfr.md
new file mode 100644
index 0000000..67f9c05
--- /dev/null
+++ b/data/generated/wiki/tools/cfr.md
@@ -0,0 +1,22 @@
+# cfr
+> Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Usage
+```bash
+cfr --outputdir output/
+cfr
+```
+
+## Workflows
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 2: Decompilation
+
+## Related Tools
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+- [[tools/procyon|Procyon]] — Java decompiler.
+
+#java #decompilation #jar
diff --git a/data/generated/wiki/tools/chepy.md b/data/generated/wiki/tools/chepy.md
new file mode 100644
index 0000000..e0cec53
--- /dev/null
+++ b/data/generated/wiki/tools/chepy.md
@@ -0,0 +1,14 @@
+# chepy
+> Decode and otherwise analyze data using this command-line tool and Python library.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/clamav-daemon.md b/data/generated/wiki/tools/clamav-daemon.md
new file mode 100644
index 0000000..0fe5764
--- /dev/null
+++ b/data/generated/wiki/tools/clamav-daemon.md
@@ -0,0 +1,4 @@
+# clamav-daemon
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/clamav.md b/data/generated/wiki/tools/clamav.md
new file mode 100644
index 0000000..a226a9c
--- /dev/null
+++ b/data/generated/wiki/tools/clamav.md
@@ -0,0 +1,21 @@
+# ClamAV
+> Open-source antivirus — scan files for known malware signatures
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+clamscan
+clamscan -r /
+freshclam
+```
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#antivirus #scanning #signatures
diff --git a/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md b/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md
new file mode 100644
index 0000000..5f4625e
--- /dev/null
+++ b/data/generated/wiki/tools/cobalt-strike-configuration-extractor-csce-and-parser.md
@@ -0,0 +1,14 @@
+# Cobalt Strike Configuration Extractor (CSCE) and Parser
+> Analyze Cobalt Strike beacons.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/compatibility.md b/data/generated/wiki/tools/compatibility.md
new file mode 100644
index 0000000..b0d43ec
--- /dev/null
+++ b/data/generated/wiki/tools/compatibility.md
@@ -0,0 +1,4 @@
+# compatibility
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/cs-analyze-processdump.md b/data/generated/wiki/tools/cs-analyze-processdump.md
new file mode 100644
index 0000000..0199dd0
--- /dev/null
+++ b/data/generated/wiki/tools/cs-analyze-processdump.md
@@ -0,0 +1,22 @@
+# cs-analyze-processdump.py
+> Analyze Cobalt Strike beacon process dumps for sleep mask encoding
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-analyze-processdump.py
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 6: Sleep Mask Analysis
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #sleep-mask #memory
diff --git a/data/generated/wiki/tools/cs-decrypt-metadata.md b/data/generated/wiki/tools/cs-decrypt-metadata.md
new file mode 100644
index 0000000..c5a696b
--- /dev/null
+++ b/data/generated/wiki/tools/cs-decrypt-metadata.md
@@ -0,0 +1,22 @@
+# cs-decrypt-metadata.py
+> Decrypt Cobalt Strike beacon metadata from network captures
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-decrypt-metadata.py
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 3: Metadata Decryption
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #decryption #metadata
diff --git a/data/generated/wiki/tools/cs-extract-key.md b/data/generated/wiki/tools/cs-extract-key.md
new file mode 100644
index 0000000..9175733
--- /dev/null
+++ b/data/generated/wiki/tools/cs-extract-key.md
@@ -0,0 +1,22 @@
+# cs-extract-key.py
+> Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-extract-key.py -f
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 4: Key Extraction
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #encryption #key-extraction
diff --git a/data/generated/wiki/tools/cs-parse-traffic.md b/data/generated/wiki/tools/cs-parse-traffic.md
new file mode 100644
index 0000000..d41c051
--- /dev/null
+++ b/data/generated/wiki/tools/cs-parse-traffic.md
@@ -0,0 +1,22 @@
+# cs-parse-traffic.py
+> Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Usage
+```bash
+cs-parse-traffic.py -f -k
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 5: Traffic Decryption
+
+## Related Tools
+- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy.
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as
+
+#cobalt-strike #traffic #decryption
diff --git a/data/generated/wiki/tools/curl.md b/data/generated/wiki/tools/curl.md
new file mode 100644
index 0000000..f3f2648
--- /dev/null
+++ b/data/generated/wiki/tools/curl.md
@@ -0,0 +1,23 @@
+# curl
+> Transfer data to/from servers using various protocols
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Usage
+```bash
+curl -L http://example.com
+curl -o output.bin http://example.com/file
+```
+
+## Related Tools
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+## FOR610
+**Sections:** 1
+
+#download #http #transfer
diff --git a/data/generated/wiki/tools/cut-bytes.md b/data/generated/wiki/tools/cut-bytes.md
new file mode 100644
index 0000000..faa012e
--- /dev/null
+++ b/data/generated/wiki/tools/cut-bytes.md
@@ -0,0 +1,14 @@
+# cut-bytes.py
+> Cut out a part of a data stream.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
diff --git a/data/generated/wiki/tools/cutter.md b/data/generated/wiki/tools/cutter.md
new file mode 100644
index 0000000..f290046
--- /dev/null
+++ b/data/generated/wiki/tools/cutter.md
@@ -0,0 +1,25 @@
+# Cutter
+> Open-source reverse engineering platform — Qt-based GUI for radare2
+
+**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general)
+
+## Usage
+```bash
+cutter specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed)
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 2: Injection Type Classification
+
+## Related Tools
+- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script
+- [[tools/objdump|objdump]] — Disassemble binary files.
+- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF,
+- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi
+
+## FOR610
+**Sections:** 2
+
+#disassembly #radare2 #open-source
diff --git a/data/generated/wiki/tools/cyberchef.md b/data/generated/wiki/tools/cyberchef.md
new file mode 100644
index 0000000..40ea909
--- /dev/null
+++ b/data/generated/wiki/tools/cyberchef.md
@@ -0,0 +1,31 @@
+# CyberChef
+> Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cyberchef
+```
+
+## Recipes
+- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 4: Multi-Byte / Custom Decoding
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+## FOR610
+**Labs:** 1.5, 3.8, 3.12
+**Sections:** 1, 3
+
+#decoding #encoding #transformation #web-based
diff --git a/data/generated/wiki/tools/dc3-mwcp.md b/data/generated/wiki/tools/dc3-mwcp.md
new file mode 100644
index 0000000..36c95d1
--- /dev/null
+++ b/data/generated/wiki/tools/dc3-mwcp.md
@@ -0,0 +1,20 @@ +# dc3-mwcp +> DC3 Malware Configuration Parser — extract C2 configs from known malware families + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +mwcp parse +mwcp parse -p Emotet +``` + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#malware #config-extraction #c2 diff --git a/data/generated/wiki/tools/de4dot.md b/data/generated/wiki/tools/de4dot.md new file mode 100644 index 0000000..a3c2406 --- /dev/null +++ b/data/generated/wiki/tools/de4dot.md 
@@ -0,0 +1,26 @@ +# de4dot +> .NET deobfuscator — remove obfuscation from .NET assemblies + +**Category:** [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net](https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net) + +## Usage +```bash +de4dot obfuscated.exe +``` + +## Recipes +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 2: Automated Unpacking +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 2: Obfuscator Detection + +## Related Tools +- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil + +## FOR610 +**Labs:** 4.8 +**Sections:** 4 + +#dotnet #deobfuscation diff --git a/data/generated/wiki/tools/decode-vbe.md b/data/generated/wiki/tools/decode-vbe.md new file mode 100644 index 0000000..e1042e3 --- /dev/null +++ b/data/generated/wiki/tools/decode-vbe.md @@ -0,0 +1,11 @@ +# decode-vbe.py +> Decode encoded VBS scripts (VBE). + +**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts) + +## Related Tools +- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries. +- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili + +#statically-analyze-code-scripts diff --git a/data/generated/wiki/tools/decompyle.md b/data/generated/wiki/tools/decompyle.md new file mode 100644 index 0000000..8fc12a5 --- /dev/null +++ b/data/generated/wiki/tools/decompyle.md 
@@ -0,0 +1,12 @@ +# Decompyle++ +> Python bytecode disassembler and decompiler. + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Related Tools +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +#statically-analyze-code-python diff --git a/data/generated/wiki/tools/default-jdk.md b/data/generated/wiki/tools/default-jdk.md new file mode 100644 index 0000000..87dacc6 --- /dev/null +++ b/data/generated/wiki/tools/default-jdk.md @@ -0,0 +1,4 @@ +# default-jdk + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/default-jre.md b/data/generated/wiki/tools/default-jre.md new file mode 100644 index 0000000..b463c06 --- /dev/null +++ b/data/generated/wiki/tools/default-jre.md @@ -0,0 +1,4 @@ +# default-jre + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dex2jar.md b/data/generated/wiki/tools/dex2jar.md new file mode 100644 index 0000000..5a1cab2 --- /dev/null +++ b/data/generated/wiki/tools/dex2jar.md 
@@ -0,0 +1,14 @@ +# dex2jar +> Examine Dalvik Executable (dex) files. + +**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android) + +## Related Tools +- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities, +- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud +- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect +- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource +- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android' + +#statically-analyze-code-android diff --git a/data/generated/wiki/tools/dexray.md b/data/generated/wiki/tools/dexray.md new file mode 100644 index 0000000..3089f97 --- /dev/null +++ b/data/generated/wiki/tools/dexray.md @@ -0,0 +1,14 @@ +# dexray +> Extract and decode data from antivirus quarantine files. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/dialog.md b/data/generated/wiki/tools/dialog.md new file mode 100644 index 0000000..6416af3 --- /dev/null +++ b/data/generated/wiki/tools/dialog.md @@ -0,0 +1,4 @@ +# dialog + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/didier-stevens-scripts.md b/data/generated/wiki/tools/didier-stevens-scripts.md new file mode 100644 index 0000000..a2f1e25 --- /dev/null +++ b/data/generated/wiki/tools/didier-stevens-scripts.md @@ -0,0 +1,4 @@ +# didier-stevens-scripts + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/diec.md b/data/generated/wiki/tools/diec.md new file mode 100644 index 0000000..033603b --- /dev/null +++ b/data/generated/wiki/tools/diec.md 
@@ -0,0 +1,28 @@ +# diec +> Detect packers, compilers, and tools used to create executables + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +diec specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 3: Packing & Entropy Check +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 1: Packing Identification +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/disitool|disitool]] — Manipulate embedded digital signatures. + +## FOR610 +**Labs:** 4.1 +**Sections:** 1, 4 + +#pe #packer-detection #compiler-detection diff --git a/data/generated/wiki/tools/disitool.md b/data/generated/wiki/tools/disitool.md new file mode 100644 index 0000000..f78c2d1 --- /dev/null +++ b/data/generated/wiki/tools/disitool.md 
@@ -0,0 +1,14 @@ +# disitool +> Manipulate embedded digital signatures. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/display.md b/data/generated/wiki/tools/display.md new file mode 100644 index 0000000..e3a4ec5 --- /dev/null +++ b/data/generated/wiki/tools/display.md @@ -0,0 +1,4 @@ +# display + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dissect.md b/data/generated/wiki/tools/dissect.md new file mode 100644 index 0000000..04ce219 --- /dev/null +++ b/data/generated/wiki/tools/dissect.md 
@@ -0,0 +1,14 @@ +# dissect +> Perform a variety of forensics and incident response tasks using this DFIR framework and toolset. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/distro-info.md b/data/generated/wiki/tools/distro-info.md new file mode 100644 index 0000000..29d9d60 --- /dev/null +++ b/data/generated/wiki/tools/distro-info.md @@ -0,0 +1,4 @@ +# distro-info + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dllcharacteristics.md b/data/generated/wiki/tools/dllcharacteristics.md new file mode 100644 index 0000000..1faecb4 --- /dev/null +++ b/data/generated/wiki/tools/dllcharacteristics.md @@ -0,0 +1,4 @@ +# dllcharacteristics + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dnfile.md b/data/generated/wiki/tools/dnfile.md new file mode 100644 index 0000000..a450fbf --- /dev/null +++ b/data/generated/wiki/tools/dnfile.md 
@@ -0,0 +1,14 @@ +# dnfile +> Analyze static properties of. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/dnslib.md b/data/generated/wiki/tools/dnslib.md new file mode 100644 index 0000000..7e6b1c4 --- /dev/null +++ b/data/generated/wiki/tools/dnslib.md @@ -0,0 +1,14 @@ +# dnslib +> Python library to encode/decode DNS wire-format packets. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/dnsresolver.md b/data/generated/wiki/tools/dnsresolver.md new file mode 100644 index 0000000..b33bef8 --- /dev/null +++ b/data/generated/wiki/tools/dnsresolver.md 
@@ -0,0 +1,14 @@ +# dnsresolver.py +> DNS resolver tool for dynamic analysis with wildcard and tracking support. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/docker.md b/data/generated/wiki/tools/docker.md new file mode 100644 index 0000000..ffb9a3a --- /dev/null +++ b/data/generated/wiki/tools/docker.md @@ -0,0 +1,14 @@ +# docker +> Run and manage containers. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities diff --git a/data/generated/wiki/tools/dog.md b/data/generated/wiki/tools/dog.md new file mode 100644 index 0000000..a6ba0a7 --- /dev/null +++ b/data/generated/wiki/tools/dog.md 
@@ -0,0 +1,4 @@ +# dog + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dos2unix.md b/data/generated/wiki/tools/dos2unix.md new file mode 100644 index 0000000..4974808 --- /dev/null +++ b/data/generated/wiki/tools/dos2unix.md @@ -0,0 +1,14 @@ +# dos2unix +> Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/dot-cache.md b/data/generated/wiki/tools/dot-cache.md new file mode 100644 index 0000000..3cc81a6 --- /dev/null +++ b/data/generated/wiki/tools/dot-cache.md @@ -0,0 +1,4 @@ +# dot-cache + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-config.md b/data/generated/wiki/tools/dot-config.md new file mode 100644 index 0000000..1c296cc --- /dev/null +++ b/data/generated/wiki/tools/dot-config.md @@ -0,0 +1,4 @@ +# dot-config + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-cpan.md b/data/generated/wiki/tools/dot-cpan.md new file mode 100644 index 0000000..57f3462 --- /dev/null +++ b/data/generated/wiki/tools/dot-cpan.md @@ -0,0 +1,4 @@ +# dot-cpan + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dot-dbus.md b/data/generated/wiki/tools/dot-dbus.md new file mode 100644 index 0000000..bcbed1a --- /dev/null +++ b/data/generated/wiki/tools/dot-dbus.md @@ -0,0 +1,4 @@ +# dot-dbus + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/dot-local.md b/data/generated/wiki/tools/dot-local.md new file mode 100644 index 0000000..0e2f0d3 --- /dev/null +++ b/data/generated/wiki/tools/dot-local.md @@ -0,0 +1,4 @@ +# dot-local + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dotnet-runtime-3-1.md b/data/generated/wiki/tools/dotnet-runtime-3-1.md new file mode 100644 index 0000000..2a65170 --- /dev/null +++ b/data/generated/wiki/tools/dotnet-runtime-3-1.md @@ -0,0 +1,4 @@ +# dotnet-runtime-3-1 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/dotnetfile.md b/data/generated/wiki/tools/dotnetfile.md new file mode 100644 index 0000000..0a9f33f --- /dev/null +++ b/data/generated/wiki/tools/dotnetfile.md @@ -0,0 +1,14 @@ +# dotnetfile +> Analyze static properties of. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/monodis|monodis]] — Disassemble and extract resources from. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/droidlysis.md b/data/generated/wiki/tools/droidlysis.md new file mode 100644 index 0000000..8f86bf9 --- /dev/null +++ b/data/generated/wiki/tools/droidlysis.md 
@@ -0,0 +1,17 @@ +# droidlysis +> Perform static analysis of Android applications. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/edb-debugger.md b/data/generated/wiki/tools/edb-debugger.md new file mode 100644 index 0000000..387ecb9 --- /dev/null +++ b/data/generated/wiki/tools/edb-debugger.md @@ -0,0 +1,4 @@ +# edb-debugger + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/emldump.md b/data/generated/wiki/tools/emldump.md new file mode 100644 index 0000000..cf5e61f --- /dev/null +++ b/data/generated/wiki/tools/emldump.md 
@@ -0,0 +1,26 @@ +# emldump.py +> Parse and analyze EML email message files + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Usage +```bash +emldump.py message.eml +``` + +## Recipes +- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]] + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 1: Header Analysis + +## Related Tools +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +## FOR610 +**Sections:** 3 + +#email #eml #didier-stevens diff --git a/data/generated/wiki/tools/enchant.md b/data/generated/wiki/tools/enchant.md new file mode 100644 index 0000000..2694024 --- /dev/null +++ b/data/generated/wiki/tools/enchant.md @@ -0,0 +1,4 @@ +# enchant + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/epic-irc-client.md b/data/generated/wiki/tools/epic-irc-client.md new file mode 100644 index 0000000..196d38e --- /dev/null +++ b/data/generated/wiki/tools/epic-irc-client.md 
@@ -0,0 +1,14 @@ +# EPIC IRC Client +> Examine IRC activities with this IRC client. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +#explore-network-interactions-connecting diff --git a/data/generated/wiki/tools/epic5.md b/data/generated/wiki/tools/epic5.md new file mode 100644 index 0000000..78cd997 --- /dev/null +++ b/data/generated/wiki/tools/epic5.md @@ -0,0 +1,4 @@ +# epic5 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/evilclippy.md b/data/generated/wiki/tools/evilclippy.md new file mode 100644 index 0000000..d1fde99 --- /dev/null +++ b/data/generated/wiki/tools/evilclippy.md 
@@ -0,0 +1,22 @@ +# evilclippy +> Remove VBA project password protection and manipulate Office macro settings + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +evilclippy -uu document.docm +``` + +## Related Tools +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +## FOR610 +**Sections:** 3 + +#office #vba #password-removal diff --git a/data/generated/wiki/tools/evince.md b/data/generated/wiki/tools/evince.md new file mode 100644 index 0000000..d0d3eba --- /dev/null +++ b/data/generated/wiki/tools/evince.md @@ -0,0 +1,14 @@ +# evince +> View documents in a variety of formats, including PDF. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files 
diff --git a/data/generated/wiki/tools/ex-pe-xor.md b/data/generated/wiki/tools/ex-pe-xor.md new file mode 100644 index 0000000..5c22096 --- /dev/null +++ b/data/generated/wiki/tools/ex-pe-xor.md @@ -0,0 +1,14 @@ +# ex-pe-xor +> Search an XOR'ed file for indications of executable binaries. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/exfat-utils.md b/data/generated/wiki/tools/exfat-utils.md new file mode 100644 index 0000000..f650907 --- /dev/null +++ b/data/generated/wiki/tools/exfat-utils.md @@ -0,0 +1,4 @@ +# exfat-utils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/exiftool.md b/data/generated/wiki/tools/exiftool.md new file mode 100644 index 0000000..eb2e047 --- /dev/null +++ b/data/generated/wiki/tools/exiftool.md 
@@ -0,0 +1,26 @@ +# exiftool +> Extract metadata from files (PDF, images, documents, executables) + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +exiftool document.pdf +exiftool specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Sections:** 1 + +#metadata #triage diff --git a/data/generated/wiki/tools/fakedns.md b/data/generated/wiki/tools/fakedns.md new file mode 100644 index 0000000..48afc5b --- /dev/null +++ b/data/generated/wiki/tools/fakedns.md 
@@ -0,0 +1,30 @@ +# fakedns +> Fake DNS server that resolves all queries to a specified IP for traffic interception + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +fakedns +``` + +## Recipes +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 1: DNS Interception + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +## FOR610 +**Labs:** 1.3, 1.6, 1.7, 1.8 +**Sections:** 1 + +#dns #spoofing #interception #lab-setup diff --git a/data/generated/wiki/tools/fakemail.md b/data/generated/wiki/tools/fakemail.md new file mode 100644 index 0000000..41c05a6 --- /dev/null +++ b/data/generated/wiki/tools/fakemail.md 
@@ -0,0 +1,14 @@ +# fakemail +> Intercept and examine SMTP email activity with this fake SMTP server. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/fakenet-ng.md b/data/generated/wiki/tools/fakenet-ng.md new file mode 100644 index 0000000..f2eb8cd --- /dev/null +++ b/data/generated/wiki/tools/fakenet-ng.md 
@@ -0,0 +1,24 @@ +# fakenet-ng +> Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +fakenet +fakenet -c custom_config.ini +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +#network #emulation #dynamic-analysis #c2 diff --git a/data/generated/wiki/tools/feh.md b/data/generated/wiki/tools/feh.md new file mode 100644 index 0000000..295ce67 --- /dev/null +++ b/data/generated/wiki/tools/feh.md 
@@ -0,0 +1,26 @@ +# feh +> Lightweight image viewer for viewing extracted images from documents + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Usage +```bash +feh extracted_image.jpg +``` + +## Recipes +- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]] + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +## FOR610 +**Labs:** 3.1 +**Sections:** 3 + +#image-viewer diff --git a/data/generated/wiki/tools/file-magic.md b/data/generated/wiki/tools/file-magic.md new file mode 100644 index 0000000..11f4082 --- /dev/null +++ b/data/generated/wiki/tools/file-magic.md @@ -0,0 +1,14 @@ +# file-magic.py +> Identify file types using the Python magic module. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/file.md b/data/generated/wiki/tools/file.md new file mode 100644 index 0000000..4176208 --- /dev/null +++ b/data/generated/wiki/tools/file.md @@ -0,0 +1,34 @@ +# file +> Determine file type and MIME type using magic bytes + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +file specimen.exe +file document.doc +``` + +## Recipes +- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]] + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 1: Format Identification +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 1: Archive Inspection +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.4, 3.5 +**Sections:** 3 + +#file-identification #triage diff --git a/data/generated/wiki/tools/firefox.md b/data/generated/wiki/tools/firefox.md new file mode 100644 index 0000000..eb21cf1 --- /dev/null +++ b/data/generated/wiki/tools/firefox.md 
@@ -0,0 +1,14 @@ +# firefox +> Web browser. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities diff --git a/data/generated/wiki/tools/flare-floss.md b/data/generated/wiki/tools/flare-floss.md new file mode 100644 index 0000000..c3263b4 --- /dev/null +++ b/data/generated/wiki/tools/flare-floss.md @@ -0,0 +1,4 @@ +# flare-floss + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/flex.md b/data/generated/wiki/tools/flex.md new file mode 100644 index 0000000..f6a328b --- /dev/null +++ b/data/generated/wiki/tools/flex.md @@ -0,0 +1,4 @@ +# flex + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/floss.md b/data/generated/wiki/tools/floss.md new file mode 100644 index 0000000..155dfb2 --- /dev/null +++ b/data/generated/wiki/tools/floss.md 
@@ -0,0 +1,33 @@ +# FLOSS +> Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +floss specimen.exe +floss specimen.exe > strings-output.txt +floss --no-static -- specimen.exe +``` + +## Recipes +- [[recipes/stack-string-extraction|Extract Stack-Built Strings]] + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 1: Automated Extraction + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 5.2, 5.3 +**Sections:** 5 + +#strings #deobfuscation #automated diff --git a/data/generated/wiki/tools/format-bytes.md b/data/generated/wiki/tools/format-bytes.md new file mode 100644 index 0000000..c4c02de --- /dev/null +++ b/data/generated/wiki/tools/format-bytes.md 
@@ -0,0 +1,14 @@ +# format-bytes.py +> Decompose structured binary data with format strings. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/frida.md b/data/generated/wiki/tools/frida.md new file mode 100644 index 0000000..ea9e133 --- /dev/null +++ b/data/generated/wiki/tools/frida.md 
@@ -0,0 +1,21 @@ +# Frida +> Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time + +**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general) + +## Usage +```bash +frida -l hook.js +frida-trace -i 'recv*' +frida-ps -U +``` + +## Workflows +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 6: Dynamic Instrumentation + +## Related Tools +- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework +- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin + +#dynamic #instrumentation #hooking #tracing diff --git a/data/generated/wiki/tools/galculator.md b/data/generated/wiki/tools/galculator.md new file mode 100644 index 0000000..8c4737f --- /dev/null +++ b/data/generated/wiki/tools/galculator.md @@ -0,0 +1,4 @@ +# galculator + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gdb.md b/data/generated/wiki/tools/gdb.md new file mode 100644 index 0000000..c836586 --- /dev/null +++ b/data/generated/wiki/tools/gdb.md @@ -0,0 +1,4 @@ +# gdb + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gdm3.md b/data/generated/wiki/tools/gdm3.md new file mode 100644 index 0000000..ae48ece --- /dev/null +++ b/data/generated/wiki/tools/gdm3.md @@ -0,0 +1,4 @@ +# gdm3 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ghidra.md b/data/generated/wiki/tools/ghidra.md new file mode 100644 index 0000000..21f9a07 --- /dev/null +++ b/data/generated/wiki/tools/ghidra.md 
@@ -0,0 +1,26 @@ +# Ghidra +> Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +ghidra +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed) +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 2: Injection Type Classification + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi + +## FOR610 +**Labs:** 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 4.9, 5.2, 5.4, 5.5, 5.6, 5.7, 5.9 +**Sections:** 2, 4, 5 + +#disassembly #decompilation #code-analysis #function-graph diff --git a/data/generated/wiki/tools/ghidrassistmcp.md b/data/generated/wiki/tools/ghidrassistmcp.md new file mode 100644 index 0000000..18afaa9 --- /dev/null +++ b/data/generated/wiki/tools/ghidrassistmcp.md 
@@ -0,0 +1,11 @@ +# GhidrAssistMCP +> MCP server for AI-assisted reverse engineering in Ghidra. + +**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence) + +## Related Tools +- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal. +- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via + +#use-artificial-intelligence diff --git a/data/generated/wiki/tools/gift.md b/data/generated/wiki/tools/gift.md new file mode 100644 index 0000000..e387fcd --- /dev/null +++ b/data/generated/wiki/tools/gift.md @@ -0,0 +1,4 @@ +# gift + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/git.md b/data/generated/wiki/tools/git.md new file mode 100644 index 0000000..66496a8 --- /dev/null +++ b/data/generated/wiki/tools/git.md @@ -0,0 +1,4 @@ +# git + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gnome-calculator.md b/data/generated/wiki/tools/gnome-calculator.md new file mode 100644 index 0000000..1c5ef7c --- /dev/null +++ b/data/generated/wiki/tools/gnome-calculator.md @@ -0,0 +1,14 @@ +# GNOME Calculator +> Calculator. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/ibus|ibus]] — Adjust input methods for the GUI. + +#general-utilities 
diff --git a/data/generated/wiki/tools/gnome-session.md b/data/generated/wiki/tools/gnome-session.md new file mode 100644 index 0000000..f64765d --- /dev/null +++ b/data/generated/wiki/tools/gnome-session.md @@ -0,0 +1,4 @@ +# gnome-session + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gnome-shell-extensions.md b/data/generated/wiki/tools/gnome-shell-extensions.md new file mode 100644 index 0000000..94c10ba --- /dev/null +++ b/data/generated/wiki/tools/gnome-shell-extensions.md @@ -0,0 +1,4 @@ +# gnome-shell-extensions + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gnome-terminal.md b/data/generated/wiki/tools/gnome-terminal.md new file mode 100644 index 0000000..9211073 --- /dev/null +++ b/data/generated/wiki/tools/gnome-terminal.md @@ -0,0 +1,4 @@ +# gnome-terminal + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gnome-tweaks.md b/data/generated/wiki/tools/gnome-tweaks.md new file mode 100644 index 0000000..5bbf80f --- /dev/null +++ b/data/generated/wiki/tools/gnome-tweaks.md @@ -0,0 +1,4 @@ +# gnome-tweaks + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gnu-wget.md b/data/generated/wiki/tools/gnu-wget.md new file mode 100644 index 0000000..eb6bd8c --- /dev/null +++ b/data/generated/wiki/tools/gnu-wget.md 
@@ -0,0 +1,14 @@ +# GNU Wget +> Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +#explore-network-interactions-connecting diff --git a/data/generated/wiki/tools/gnutls-bin.md b/data/generated/wiki/tools/gnutls-bin.md new file mode 100644 index 0000000..e44c8e2 --- /dev/null +++ b/data/generated/wiki/tools/gnutls-bin.md @@ -0,0 +1,4 @@ +# gnutls-bin + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/goresym.md b/data/generated/wiki/tools/goresym.md new file mode 100644 index 0000000..056bc3d --- /dev/null +++ b/data/generated/wiki/tools/goresym.md @@ -0,0 +1,10 @@ +# goresym +> Extract metadata and symbols from Go binaries, including stripped ones. + +**Category:** [[categories/examine-static-properties-go|Examine Static Properties > Go]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/go](https://docs.remnux.org/discover-the-tools/examine+static+properties/go) + +## Related Tools +- [[tools/redress|redress]] — Analyze stripped Go binaries to recover symbols, types, sour + +#examine-static-properties-go 
diff --git a/data/generated/wiki/tools/graphviz.md b/data/generated/wiki/tools/graphviz.md new file mode 100644 index 0000000..fedb80d --- /dev/null +++ b/data/generated/wiki/tools/graphviz.md @@ -0,0 +1,4 @@ +# graphviz + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/grub-kvm.md b/data/generated/wiki/tools/grub-kvm.md new file mode 100644 index 0000000..da050de --- /dev/null +++ b/data/generated/wiki/tools/grub-kvm.md @@ -0,0 +1,4 @@ +# grub-kvm + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/guest-tools.md b/data/generated/wiki/tools/guest-tools.md new file mode 100644 index 0000000..0c99b56 --- /dev/null +++ b/data/generated/wiki/tools/guest-tools.md @@ -0,0 +1,4 @@ +# guest-tools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/gunzip.md b/data/generated/wiki/tools/gunzip.md new file mode 100644 index 0000000..2b76d5b --- /dev/null +++ b/data/generated/wiki/tools/gunzip.md @@ -0,0 +1,28 @@ +# gunzip +> Decompress gzip-compressed data (often used in multi-stage payload extraction) + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +gunzip -c compressed.gz > output.bin +``` + +## Recipes +- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding + +## Related Tools +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#compression #extraction diff --git a/data/generated/wiki/tools/hachoir.md b/data/generated/wiki/tools/hachoir.md new file mode 100644 index 0000000..cf83b1d --- /dev/null 
+++ b/data/generated/wiki/tools/hachoir.md @@ -0,0 +1,14 @@ +# Hachoir +> View, edit, and carve contents of various binary file types. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/hash-id.md b/data/generated/wiki/tools/hash-id.md new file mode 100644 index 0000000..de9588c --- /dev/null +++ b/data/generated/wiki/tools/hash-id.md @@ -0,0 +1,14 @@ +# Hash ID +> Identify different types of hashes. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/hex-to-bin.md b/data/generated/wiki/tools/hex-to-bin.md new file mode 100644 index 0000000..84c1137 --- /dev/null +++ b/data/generated/wiki/tools/hex-to-bin.md @@ -0,0 +1,14 @@ +# hex-to-bin.py +> Convert hexadecimal text dumps to binary data. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/hexdump.md b/data/generated/wiki/tools/hexdump.md new file mode 100644 index 0000000..36e4228 --- /dev/null +++ b/data/generated/wiki/tools/hexdump.md @@ -0,0 +1,20 @@ +# hexdump +> Display file content in hexadecimal format + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +hexdump -C binary.dat +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Sections:** 1 + +#hex #binary-viewing 
diff --git a/data/generated/wiki/tools/httpd.md b/data/generated/wiki/tools/httpd.md new file mode 100644 index 0000000..396c0db --- /dev/null +++ b/data/generated/wiki/tools/httpd.md @@ -0,0 +1,29 @@ +# httpd +> Simple HTTP server on REMnux for simulating C2 web servers + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +httpd +``` + +## Recipes +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for + +## FOR610 +**Labs:** 1.3, 1.6, 1.8 +**Sections:** 1 + +#http #web-server #c2-simulation #lab-setup diff --git a/data/generated/wiki/tools/i386-architecture.md b/data/generated/wiki/tools/i386-architecture.md new file mode 100644 index 0000000..17ba3f5 --- /dev/null +++ b/data/generated/wiki/tools/i386-architecture.md @@ -0,0 +1,4 @@ +# i386-architecture + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ibus.md b/data/generated/wiki/tools/ibus.md new file mode 100644 index 0000000..2f6cca9 --- /dev/null +++ b/data/generated/wiki/tools/ibus.md 
@@ -0,0 +1,14 @@ +# ibus +> Adjust input methods for the GUI. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/ilspy.md b/data/generated/wiki/tools/ilspy.md new file mode 100644 index 0000000..c55915f --- /dev/null +++ b/data/generated/wiki/tools/ilspy.md @@ -0,0 +1,19 @@ +# ILSpy +> .NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries + +**Category:** [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net](https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net) + +## Usage +```bash +ILSpy.exe assembly.exe +``` + +## Related Tools +- [[tools/de4dot|de4dot]] — .NET deobfuscator — remove obfuscation from .NET assemblies + +## FOR610 +**Labs:** 3.12, 4.8 +**Sections:** 3, 4 + +#dotnet #decompiler #csharp diff --git a/data/generated/wiki/tools/ilspycmd.md b/data/generated/wiki/tools/ilspycmd.md new file mode 100644 index 0000000..81d110a --- /dev/null +++ b/data/generated/wiki/tools/ilspycmd.md 
@@ -0,0 +1,21 @@ +# ilspycmd +> Command-line .NET decompiler (CLI version of ILSpy) + +**Category:** [[categories/dotnet-analysis|dotnet-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +ilspycmd assembly.exe > decompiled.cs +``` + +## Recipes +- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]] + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 3: Decompilation + +## FOR610 +**Labs:** 4.8 +**Sections:** 4 + +#dotnet #decompiler #cli diff --git a/data/generated/wiki/tools/imagemagick.md b/data/generated/wiki/tools/imagemagick.md new file mode 100644 index 0000000..bd4dd25 --- /dev/null +++ b/data/generated/wiki/tools/imagemagick.md @@ -0,0 +1,14 @@ +# imagemagick +> View and manipulate image and related files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/scite|scite]] — Edit text files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/inetsim.md b/data/generated/wiki/tools/inetsim.md new file mode 100644 index 0000000..ffa3f31 --- /dev/null +++ b/data/generated/wiki/tools/inetsim.md 
@@ -0,0 +1,30 @@ +# INetSim +> Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Usage +```bash +inetsim +``` + +## Recipes +- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]] + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +## FOR610 +**Labs:** 1.7 +**Sections:** 1 + +#service-emulation #network-simulation #lab-setup diff --git a/data/generated/wiki/tools/inspircd.md b/data/generated/wiki/tools/inspircd.md new file mode 100644 index 0000000..1d69b72 --- /dev/null +++ b/data/generated/wiki/tools/inspircd.md 
@@ -0,0 +1,14 @@ +# inspircd +> Examine IRC activity with this IRC server. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/ioc-parser.md b/data/generated/wiki/tools/ioc-parser.md new file mode 100644 index 0000000..6189b1c --- /dev/null +++ b/data/generated/wiki/tools/ioc-parser.md 
@@ -0,0 +1,19 @@ +# ioc-parser +> Extract indicators of compromise (IOCs) from PDF reports and text files + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Usage +```bash +ioc_parser +``` + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. +- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal + +#ioc #extraction #threat-intel diff --git a/data/generated/wiki/tools/iproute2.md b/data/generated/wiki/tools/iproute2.md new file mode 100644 index 0000000..08e7392 --- /dev/null +++ b/data/generated/wiki/tools/iproute2.md @@ -0,0 +1,4 @@ +# iproute2 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/iptables.md b/data/generated/wiki/tools/iptables.md new file mode 100644 index 0000000..107827d --- /dev/null +++ b/data/generated/wiki/tools/iptables.md 
@@ -0,0 +1,22 @@
+# iptables
+> Linux firewall and NAT tool for redirecting IP-based malware traffic
+
+**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+iptables -t nat -A PREROUTING -i ens32 -j REDIRECT
+```
+
+## Workflows
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 8: IP-Based Redirection (if needed)
+
+## Related Tools
+- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution
+- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network
+
+## FOR610
+**Labs:** 1.8
+**Sections:** 1
+
+#firewall #nat #traffic-redirection
diff --git a/data/generated/wiki/tools/iputils-ping.md b/data/generated/wiki/tools/iputils-ping.md
new file mode 100644
index 0000000..ce939f3
--- /dev/null
+++ b/data/generated/wiki/tools/iputils-ping.md
@@ -0,0 +1,4 @@
+# iputils-ping
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/ipwhois.md b/data/generated/wiki/tools/ipwhois.md
new file mode 100644
index 0000000..171f1a6
--- /dev/null
+++ b/data/generated/wiki/tools/ipwhois.md
@@ -0,0 +1,14 @@
+# ipwhois
+> Retrieve and parse whois data for IP addresses.
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Related Tools
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal
+
+#gather-and-analyze-data
diff --git a/data/generated/wiki/tools/ipython3.md b/data/generated/wiki/tools/ipython3.md
new file mode 100644
index 0000000..85f7260
--- /dev/null
+++ b/data/generated/wiki/tools/ipython3.md
@@ -0,0 +1,4 @@
+# ipython3
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/jadx.md b/data/generated/wiki/tools/jadx.md
new file mode 100644
index 0000000..7789ee2
--- /dev/null
+++ b/data/generated/wiki/tools/jadx.md
@@ -0,0 +1,26 @@
+# jadx
+> Decompile Android DEX/APK to Java source code with a GUI or command line
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+jadx -d output/
+jadx-gui
+```
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 3: Source Code Recovery
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android'
+
+#android #dex #java #decompilation
diff --git a/data/generated/wiki/tools/java-idx-parser.md b/data/generated/wiki/tools/java-idx-parser.md
new file mode 100644
index 0000000..cb002c3
--- /dev/null
+++ b/data/generated/wiki/tools/java-idx-parser.md
@@ -0,0 +1,13 @@
+# java-idx-parser
+> Analyze Java IDX files.
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Related Tools
+- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+- [[tools/procyon|Procyon]] — Java decompiler.
+
+#statically-analyze-code-java
diff --git a/data/generated/wiki/tools/javassist.md b/data/generated/wiki/tools/javassist.md
new file mode 100644
index 0000000..1bff3c0
--- /dev/null
+++ b/data/generated/wiki/tools/javassist.md
@@ -0,0 +1,13 @@
+# Javassist
+> Java bytecode engineering toolkit/library.
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Related Tools
+- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+- [[tools/procyon|Procyon]] — Java decompiler.
+
+#statically-analyze-code-java
diff --git a/data/generated/wiki/tools/jd-gui-java-decompiler.md b/data/generated/wiki/tools/jd-gui-java-decompiler.md
new file mode 100644
index 0000000..29fa10e
--- /dev/null
+++ b/data/generated/wiki/tools/jd-gui-java-decompiler.md
@@ -0,0 +1,13 @@
+# JD-GUI Java Decompiler
+> Java decompiler with GUI.
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Related Tools
+- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/procyon|Procyon]] — Java decompiler.
+
+#statically-analyze-code-java
diff --git a/data/generated/wiki/tools/jd-gui.md b/data/generated/wiki/tools/jd-gui.md
new file mode 100644
index 0000000..afe9e45
--- /dev/null
+++ b/data/generated/wiki/tools/jd-gui.md
@@ -0,0 +1,14 @@
+# jd-gui
+> Visual Java decompiler with GUI — browse and search decompiled JAR/class files
+
+**Tier:** Rich (FOR610)
+
+## Usage
+```bash
+jd-gui
+```
+
+## Workflows
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 2: Decompilation
+
+#java #decompilation #gui
diff --git a/data/generated/wiki/tools/jq.md b/data/generated/wiki/tools/jq.md
new file mode 100644
index 0000000..9b40dd5
--- /dev/null
+++ b/data/generated/wiki/tools/jq.md
@@ -0,0 +1,25 @@
+# jq
+> Command-line JSON processor for extracting and transforming structured data
+
+**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+cat report.json | jq '.apis'
+jq -r '.entry' report.json
+```
+
+## Recipes
+- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]]
+
+## Related Tools
+- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p
+- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format
+- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers
+- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina
+
+## FOR610
+**Labs:** 1.4
+**Sections:** 1
+
+#json #data-processing
diff --git a/data/generated/wiki/tools/js-beautify.md b/data/generated/wiki/tools/js-beautify.md
new file mode 100644
index 0000000..64c8352
--- /dev/null
+++ b/data/generated/wiki/tools/js-beautify.md
@@ -0,0 +1,26 @@
+# js-beautify
+> Format and beautify obfuscated JavaScript code for readability
+
+**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts)
+
+## Usage
+```bash
+js-beautify malicious.js > beautified.js
+```
+
+## Recipes
+- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]]
+
+## Workflows
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 1: Beautification
+
+## Related Tools
+- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries.
+- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE).
+
+## FOR610
+**Labs:** 3.6, 4.5
+**Sections:** 3
+
+#javascript #formatting #readability
diff --git a/data/generated/wiki/tools/jstillery.md b/data/generated/wiki/tools/jstillery.md
new file mode 100644
index 0000000..0646af3
--- /dev/null
+++ b/data/generated/wiki/tools/jstillery.md
@@ -0,0 +1,16 @@
+# jstillery
+> Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques.
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Workflows
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis
+
+## Related Tools
+- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+#dynamically-reverse-engineer-code-scripts
diff --git a/data/generated/wiki/tools/lame.md b/data/generated/wiki/tools/lame.md
new file mode 100644
index 0000000..f29ed88
--- /dev/null
+++ b/data/generated/wiki/tools/lame.md
@@ -0,0 +1,4 @@
+# lame
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libboost-dev.md b/data/generated/wiki/tools/libboost-dev.md
new file mode 100644
index 0000000..5f16ba3
--- /dev/null
+++ b/data/generated/wiki/tools/libboost-dev.md
@@ -0,0 +1,4 @@
+# libboost-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libboost-python-dev.md b/data/generated/wiki/tools/libboost-python-dev.md
new file mode 100644
index 0000000..af76fc6
--- /dev/null
+++ b/data/generated/wiki/tools/libboost-python-dev.md
@@ -0,0 +1,4 @@
+# libboost-python-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libboost-system-dev.md b/data/generated/wiki/tools/libboost-system-dev.md
new file mode 100644
index 0000000..b451642
--- /dev/null
+++ b/data/generated/wiki/tools/libboost-system-dev.md
@@ -0,0 +1,4 @@
+# libboost-system-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libdpkg-perl.md b/data/generated/wiki/tools/libdpkg-perl.md
new file mode 100644
index 0000000..5a29fac
--- /dev/null
+++ b/data/generated/wiki/tools/libdpkg-perl.md
@@ -0,0 +1,4 @@
+# libdpkg-perl
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libemail-outlook-message-perl.md b/data/generated/wiki/tools/libemail-outlook-message-perl.md
new file mode 100644
index 0000000..493e603
--- /dev/null
+++ b/data/generated/wiki/tools/libemail-outlook-message-perl.md
@@ -0,0 +1,4 @@
+# libemail-outlook-message-perl
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libemu.md b/data/generated/wiki/tools/libemu.md
new file mode 100644
index 0000000..64da7c3
--- /dev/null
+++ b/data/generated/wiki/tools/libemu.md
@@ -0,0 +1,13 @@
+# libemu
+> A library for x86 code emulation and shellcode detection.
+
+**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode)
+
+## Related Tools
+- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis
+- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API-
+- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi
+- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file
+
+#dynamically-reverse-engineer-code-shellcode
diff --git a/data/generated/wiki/tools/libffi-dev.md b/data/generated/wiki/tools/libffi-dev.md
new file mode 100644
index 0000000..1d5603b
--- /dev/null
+++ b/data/generated/wiki/tools/libffi-dev.md
@@ -0,0 +1,4 @@
+# libffi-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libfuse2.md b/data/generated/wiki/tools/libfuse2.md
new file mode 100644
index 0000000..861c80d
--- /dev/null
+++ b/data/generated/wiki/tools/libfuse2.md
@@ -0,0 +1,4 @@
+# libfuse2
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libfuzzy-dev.md b/data/generated/wiki/tools/libfuzzy-dev.md
new file mode 100644
index 0000000..ab24348
--- /dev/null
+++ b/data/generated/wiki/tools/libfuzzy-dev.md
@@ -0,0 +1,4 @@
+# libfuzzy-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libfuzzy2.md b/data/generated/wiki/tools/libfuzzy2.md
new file mode 100644
index 0000000..2b4b43b
--- /dev/null
+++ b/data/generated/wiki/tools/libfuzzy2.md
@@ -0,0 +1,4 @@
+# libfuzzy2
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libglib2.md b/data/generated/wiki/tools/libglib2.md
new file mode 100644
index 0000000..872f12d
--- /dev/null
+++ b/data/generated/wiki/tools/libglib2.md
@@ -0,0 +1,4 @@
+# libglib2
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libglu1-mesa-dev.md b/data/generated/wiki/tools/libglu1-mesa-dev.md
new file mode 100644
index 0000000..6d9117c
--- /dev/null
+++ b/data/generated/wiki/tools/libglu1-mesa-dev.md
@@ -0,0 +1,4 @@
+# libglu1-mesa-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libgraphviz-dev.md b/data/generated/wiki/tools/libgraphviz-dev.md
new file mode 100644
index 0000000..fcbaea4
--- /dev/null
+++ b/data/generated/wiki/tools/libgraphviz-dev.md
@@ -0,0 +1,4 @@
+# libgraphviz-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libgtk-3-0.md b/data/generated/wiki/tools/libgtk-3-0.md
new file mode 100644
index 0000000..5240ccf
--- /dev/null
+++ b/data/generated/wiki/tools/libgtk-3-0.md
@@ -0,0 +1,4 @@
+# libgtk-3-0
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libjavassist-java.md b/data/generated/wiki/tools/libjavassist-java.md
new file mode 100644
index 0000000..e973cb7
--- /dev/null
+++ b/data/generated/wiki/tools/libjavassist-java.md
@@ -0,0 +1,4 @@
+# libjavassist-java
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libjpeg-dev.md b/data/generated/wiki/tools/libjpeg-dev.md
new file mode 100644
index 0000000..424d020
--- /dev/null
+++ b/data/generated/wiki/tools/libjpeg-dev.md
@@ -0,0 +1,4 @@
+# libjpeg-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libjpeg8-dev.md b/data/generated/wiki/tools/libjpeg8-dev.md
new file mode 100644
index 0000000..25d1a27
--- /dev/null
+++ b/data/generated/wiki/tools/libjpeg8-dev.md
@@ -0,0 +1,4 @@
+# libjpeg8-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/liblzma-dev.md b/data/generated/wiki/tools/liblzma-dev.md
new file mode 100644
index 0000000..de6c8ba
--- /dev/null
+++ b/data/generated/wiki/tools/liblzma-dev.md
@@ -0,0 +1,4 @@
+# liblzma-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/liblzo2-dev.md b/data/generated/wiki/tools/liblzo2-dev.md
new file mode 100644
index 0000000..27ed1ed
--- /dev/null
+++ b/data/generated/wiki/tools/liblzo2-dev.md
@@ -0,0 +1,4 @@
+# liblzo2-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libmagic-dev.md b/data/generated/wiki/tools/libmagic-dev.md
new file mode 100644
index 0000000..096e48c
--- /dev/null
+++ b/data/generated/wiki/tools/libmagic-dev.md
@@ -0,0 +1,4 @@
+# libmagic-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libmysqlclient21.md b/data/generated/wiki/tools/libmysqlclient21.md
new file mode 100644
index 0000000..6f8d45f
--- /dev/null
+++ b/data/generated/wiki/tools/libmysqlclient21.md
@@ -0,0 +1,4 @@
+# libmysqlclient21
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libncurses.md b/data/generated/wiki/tools/libncurses.md
new file mode 100644
index 0000000..deea444
--- /dev/null
+++ b/data/generated/wiki/tools/libncurses.md
@@ -0,0 +1,4 @@
+# libncurses
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libnetfilter-queue-dev.md b/data/generated/wiki/tools/libnetfilter-queue-dev.md
new file mode 100644
index 0000000..c24fd66
--- /dev/null
+++ b/data/generated/wiki/tools/libnetfilter-queue-dev.md
@@ -0,0 +1,4 @@
+# libnetfilter-queue-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libnfnetlink-dev.md b/data/generated/wiki/tools/libnfnetlink-dev.md
new file mode 100644
index 0000000..f5a2fd0
--- /dev/null
+++ b/data/generated/wiki/tools/libnfnetlink-dev.md
@@ -0,0 +1,4 @@
+# libnfnetlink-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libolecf.md b/data/generated/wiki/tools/libolecf.md
new file mode 100644
index 0000000..16c5920
--- /dev/null
+++ b/data/generated/wiki/tools/libolecf.md
@@ -0,0 +1,14 @@
+# libolecf
+> Microsoft Office OLE2 compound documents.
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Related Tools
+- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V
+
+#analyze-documents-microsoft-office
diff --git a/data/generated/wiki/tools/libpq5.md b/data/generated/wiki/tools/libpq5.md
new file mode 100644
index 0000000..2acbdfd
--- /dev/null
+++ b/data/generated/wiki/tools/libpq5.md
@@ -0,0 +1,4 @@
+# libpq5
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libqt5scripttools5.md b/data/generated/wiki/tools/libqt5scripttools5.md
new file mode 100644
index 0000000..07d074b
--- /dev/null
+++ b/data/generated/wiki/tools/libqt5scripttools5.md
@@ -0,0 +1,4 @@
+# libqt5scripttools5
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libre2.md b/data/generated/wiki/tools/libre2.md
new file mode 100644
index 0000000..f8f9edd
--- /dev/null
+++ b/data/generated/wiki/tools/libre2.md
@@ -0,0 +1,4 @@
+# libre2
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libsm6.md b/data/generated/wiki/tools/libsm6.md
new file mode 100644
index 0000000..eee4e9b
--- /dev/null
+++ b/data/generated/wiki/tools/libsm6.md
@@ -0,0 +1,4 @@
+# libsm6
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libsqlite3-dev.md b/data/generated/wiki/tools/libsqlite3-dev.md
new file mode 100644
index 0000000..d464309
--- /dev/null
+++ b/data/generated/wiki/tools/libsqlite3-dev.md
@@ -0,0 +1,4 @@
+# libsqlite3-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libssl-dev.md b/data/generated/wiki/tools/libssl-dev.md
new file mode 100644
index 0000000..376a62c
--- /dev/null
+++ b/data/generated/wiki/tools/libssl-dev.md
@@ -0,0 +1,4 @@
+# libssl-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libtool.md b/data/generated/wiki/tools/libtool.md
new file mode 100644
index 0000000..58c8e2a
--- /dev/null
+++ b/data/generated/wiki/tools/libtool.md
@@ -0,0 +1,4 @@
+# libtool
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libtre5.md b/data/generated/wiki/tools/libtre5.md
new file mode 100644
index 0000000..ee9c996
--- /dev/null
+++ b/data/generated/wiki/tools/libtre5.md
@@ -0,0 +1,4 @@
+# libtre5
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libusb-1.md b/data/generated/wiki/tools/libusb-1.md
new file mode 100644
index 0000000..774a6bb
--- /dev/null
+++ b/data/generated/wiki/tools/libusb-1.md
@@ -0,0 +1,4 @@
+# libusb-1
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libxml2-dev.md b/data/generated/wiki/tools/libxml2-dev.md
new file mode 100644
index 0000000..55aaba2
--- /dev/null
+++ b/data/generated/wiki/tools/libxml2-dev.md
@@ -0,0 +1,4 @@
+# libxml2-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/libxslt1-dev.md b/data/generated/wiki/tools/libxslt1-dev.md
new file mode 100644
index 0000000..c814194
--- /dev/null
+++ b/data/generated/wiki/tools/libxslt1-dev.md
@@ -0,0 +1,4 @@
+# libxslt1-dev
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/lief.md b/data/generated/wiki/tools/lief.md
new file mode 100644
index 0000000..a36018c
--- /dev/null
+++ b/data/generated/wiki/tools/lief.md
@@ -0,0 +1,14 @@
+# lief
+> Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/linux-headers.md b/data/generated/wiki/tools/linux-headers.md
new file mode 100644
index 0000000..4d1dc18
--- /dev/null
+++ b/data/generated/wiki/tools/linux-headers.md
@@ -0,0 +1,4 @@
+# linux-headers
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/ltrace.md b/data/generated/wiki/tools/ltrace.md
new file mode 100644
index 0000000..11cc544
--- /dev/null
+++ b/data/generated/wiki/tools/ltrace.md
@@ -0,0 +1,4 @@
+# ltrace
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/magika.md b/data/generated/wiki/tools/magika.md
new file mode 100644
index 0000000..3c07327
--- /dev/null
+++ b/data/generated/wiki/tools/magika.md
@@ -0,0 +1,14 @@
+# magika
+> Identify file type using signatures.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/mail-parser.md b/data/generated/wiki/tools/mail-parser.md
new file mode 100644
index 0000000..4715c98
--- /dev/null
+++ b/data/generated/wiki/tools/mail-parser.md
@@ -0,0 +1,20 @@
+# mail-parser
+> Parse raw SMTP email messages and extract headers, body, and attachments
+
+**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages)
+
+## Usage
+```bash
+python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)"
+```
+
+## Workflows
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 1: Header Analysis
+
+## Related Tools
+- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files
+- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi
+- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files.
+
+#email #parsing #attachments
diff --git a/data/generated/wiki/tools/malcat-lite.md b/data/generated/wiki/tools/malcat-lite.md
new file mode 100644
index 0000000..389f325
--- /dev/null
+++ b/data/generated/wiki/tools/malcat-lite.md
@@ -0,0 +1,14 @@
+# Malcat Lite
+> Analyze binary files using a hex editor, disassembler, and file dissector.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
diff --git a/data/generated/wiki/tools/malcat.md b/data/generated/wiki/tools/malcat.md
new file mode 100644
index 0000000..619467a
--- /dev/null
+++ b/data/generated/wiki/tools/malcat.md
@@ -0,0 +1,4 @@
+# malcat
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/malchive.md b/data/generated/wiki/tools/malchive.md
new file mode 100644
index 0000000..fcb9103
--- /dev/null
+++ b/data/generated/wiki/tools/malchive.md
@@ -0,0 +1,19 @@
+# Malchive
+> Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+malchive
+```
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#malware #config-extraction #deobfuscation
diff --git a/data/generated/wiki/tools/malwoverview.md b/data/generated/wiki/tools/malwoverview.md
new file mode 100644
index 0000000..80bac25
--- /dev/null
+++ b/data/generated/wiki/tools/malwoverview.md
@@ -0,0 +1,23 @@
+# malwoverview
+> Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Usage
+```bash
+malwoverview -v
+malwoverview -f
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 2: Reputation Check
+
+## Related Tools
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+
+#threat-intel #virustotal #malware-bazaar
diff --git a/data/generated/wiki/tools/manalyze.md b/data/generated/wiki/tools/manalyze.md
new file mode 100644
index 0000000..d50ab8c
--- /dev/null
+++ b/data/generated/wiki/tools/manalyze.md
@@ -0,0 +1,4 @@
+# manalyze
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/mbcscan.md b/data/generated/wiki/tools/mbcscan.md
new file mode 100644
index 0000000..bec421e
--- /dev/null
+++ b/data/generated/wiki/tools/mbcscan.md
@@ -0,0 +1,12 @@
+# mbcscan
+> Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Related Tools
+- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating
+- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+#statically-analyze-code-pe-files
diff --git a/data/generated/wiki/tools/mercurial.md b/data/generated/wiki/tools/mercurial.md
new file mode 100644
index 0000000..6eb1c62
--- /dev/null
+++ b/data/generated/wiki/tools/mercurial.md
@@ -0,0 +1,4 @@
+# mercurial
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/microsoft-vscode.md b/data/generated/wiki/tools/microsoft-vscode.md
new file mode 100644
index 0000000..cda4efb
--- /dev/null
+++ b/data/generated/wiki/tools/microsoft-vscode.md
@@ -0,0 +1,4 @@
+# microsoft-vscode
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/microsoft.md b/data/generated/wiki/tools/microsoft.md
new file mode 100644
index 0000000..37111c5
--- /dev/null
+++ b/data/generated/wiki/tools/microsoft.md
@@ -0,0 +1,4 @@
+# microsoft
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/mitmproxy.md b/data/generated/wiki/tools/mitmproxy.md
new file mode 100644
index 0000000..bde8529
--- /dev/null
+++ b/data/generated/wiki/tools/mitmproxy.md
@@ -0,0 +1,24 @@
+# mitmproxy
+> Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Usage
+```bash
+mitmproxy
+mitmdump -w capture.flow
+mitmproxy --mode transparent
+```
+
+## Workflows
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 3: TLS/HTTPS Interception (if needed)
+
+## Related Tools
+- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy.
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as
+
+#network #https #proxy #tls #interception
diff --git a/data/generated/wiki/tools/mono-devel.md b/data/generated/wiki/tools/mono-devel.md
new file mode 100644
index 0000000..6f5143f
--- /dev/null
+++ b/data/generated/wiki/tools/mono-devel.md
@@ -0,0 +1,4 @@
+# mono-devel
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/mono-utils.md b/data/generated/wiki/tools/mono-utils.md
new file mode 100644
index 0000000..bb79c15
--- /dev/null
+++ b/data/generated/wiki/tools/mono-utils.md
@@ -0,0 +1,4 @@
+# mono-utils
+
+**Tier:** Basic
+
diff --git a/data/generated/wiki/tools/mono.md b/data/generated/wiki/tools/mono.md
new file mode 100644
index 0000000..48f737c
--- /dev/null
+++ b/data/generated/wiki/tools/mono.md
@@ -0,0 +1,4 @@ +# mono + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/monodis.md b/data/generated/wiki/tools/monodis.md new file mode 100644 index 0000000..cd48ba3 --- /dev/null +++ b/data/generated/wiki/tools/monodis.md @@ -0,0 +1,14 @@ +# monodis +> Disassemble and extract resources from. + +**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net) + +## Workflows +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 3: Decompilation + +## Related Tools +- [[tools/dnfile|dnfile]] — Analyze static properties of. +- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of. + +#examine-static-properties-net diff --git a/data/generated/wiki/tools/msg-extractor.md b/data/generated/wiki/tools/msg-extractor.md new file mode 100644 index 0000000..05b61bd --- /dev/null +++ b/data/generated/wiki/tools/msg-extractor.md @@ -0,0 +1,21 @@ +# msg-extractor +> Extract emails and attachments from Microsoft Outlook MSG files + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Usage +```bash +extract_msg +extract_msg --out-dir output/ +``` + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 2: Attachment Extraction + +## Related Tools +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files. + +#email #msg #outlook #attachments 
diff --git a/data/generated/wiki/tools/msgconvert.md b/data/generated/wiki/tools/msgconvert.md new file mode 100644 index 0000000..0bbc7bf --- /dev/null +++ b/data/generated/wiki/tools/msgconvert.md @@ -0,0 +1,12 @@ +# msgconvert +> Convert MSG files to MBOX files. + +**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages) + +## Related Tools +- [[tools/emldump|emldump.py]] — Parse and analyze EML email message files +- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and +- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi + +#analyze-documents-email-messages diff --git a/data/generated/wiki/tools/msitools.md b/data/generated/wiki/tools/msitools.md new file mode 100644 index 0000000..ee8dbc6 --- /dev/null +++ b/data/generated/wiki/tools/msitools.md @@ -0,0 +1,14 @@ +# msitools +> Create, inspect and extract Windows Installer (. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/msoffcrypto-crack.md b/data/generated/wiki/tools/msoffcrypto-crack.md new file mode 100644 index 0000000..4e22acd --- /dev/null +++ b/data/generated/wiki/tools/msoffcrypto-crack.md @@ -0,0 +1,14 @@ +# msoffcrypto-crack.py +> Recover the password of an encrypted Microsoft Office document. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/msoffcrypto-tool.md b/data/generated/wiki/tools/msoffcrypto-tool.md new file mode 100644 index 0000000..8c05037 --- /dev/null +++ b/data/generated/wiki/tools/msoffcrypto-tool.md 
@@ -0,0 +1,26 @@ +# msoffcrypto-tool +> Decrypt password-protected Microsoft Office documents (OLE and OOXML) + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +msoffcrypto-tool -p infected +msoffcrypto-tool -p password +``` + +## Recipes +- [[recipes/password-protected-office|Decrypt Password-Protected Office Document]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 3: Password Handling (if encrypted) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#office #decryption #password diff --git a/data/generated/wiki/tools/msoffice-crypt.md b/data/generated/wiki/tools/msoffice-crypt.md new file mode 100644 index 0000000..77afb8b --- /dev/null +++ b/data/generated/wiki/tools/msoffice-crypt.md 
@@ -0,0 +1,14 @@ +# msoffice-crypt +> Encrypt and decrypt OOXML Microsoft Office documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/myip.md b/data/generated/wiki/tools/myip.md new file mode 100644 index 0000000..1b68e38 --- /dev/null +++ b/data/generated/wiki/tools/myip.md @@ -0,0 +1,14 @@ +# myip +> Determine the IP address of the default network interface. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/myjson-filter.md b/data/generated/wiki/tools/myjson-filter.md new file mode 100644 index 0000000..223e456 --- /dev/null 
+++ b/data/generated/wiki/tools/myjson-filter.md @@ -0,0 +1,14 @@ +# myjson-filter.py +> Filter data formatted using the JSON format used by Didier Stevens' tools. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/mynic.md b/data/generated/wiki/tools/mynic.md new file mode 100644 index 0000000..79a00f0 --- /dev/null +++ b/data/generated/wiki/tools/mynic.md @@ -0,0 +1,4 @@ +# mynic + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/name-that-hash.md b/data/generated/wiki/tools/name-that-hash.md new file mode 100644 index 0000000..8ef24e0 --- /dev/null +++ b/data/generated/wiki/tools/name-that-hash.md 
@@ -0,0 +1,14 @@ +# name-that-hash +> Identify dfferent types of hashes. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/nano.md b/data/generated/wiki/tools/nano.md new file mode 100644 index 0000000..2450131 --- /dev/null +++ b/data/generated/wiki/tools/nano.md @@ -0,0 +1,4 @@ +# nano + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/nasm.md b/data/generated/wiki/tools/nasm.md new file mode 100644 index 0000000..608bc34 --- /dev/null +++ b/data/generated/wiki/tools/nasm.md @@ -0,0 +1,14 @@ +# nasm +> An x86-64 assembler. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities 
diff --git a/data/generated/wiki/tools/nautilus.md b/data/generated/wiki/tools/nautilus.md new file mode 100644 index 0000000..f849666 --- /dev/null +++ b/data/generated/wiki/tools/nautilus.md @@ -0,0 +1,14 @@ +# nautilus +> Graphical file manager. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/nc.md b/data/generated/wiki/tools/nc.md new file mode 100644 index 0000000..0d6e4a1 --- /dev/null +++ b/data/generated/wiki/tools/nc.md 
@@ -0,0 +1,23 @@ +# nc +> Network utility for reading/writing data across TCP/UDP connections + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +nc -l -p 3127 +nc target_ip 80 +``` + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites + +## FOR610 +**Sections:** 1 + +#network #tcp #listener diff --git a/data/generated/wiki/tools/ndg-httpsclient.md b/data/generated/wiki/tools/ndg-httpsclient.md new file mode 100644 index 0000000..8440af1 --- /dev/null +++ b/data/generated/wiki/tools/ndg-httpsclient.md @@ -0,0 +1,4 @@ +# ndg-httpsclient + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/net-tools.md b/data/generated/wiki/tools/net-tools.md new file mode 100644 index 0000000..307e963 --- /dev/null +++ b/data/generated/wiki/tools/net-tools.md @@ -0,0 +1,4 @@ +# net-tools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/network-miner-free-edition.md b/data/generated/wiki/tools/network-miner-free-edition.md new file mode 100644 index 0000000..4b36d15 --- /dev/null +++ b/data/generated/wiki/tools/network-miner-free-edition.md 
@@ -0,0 +1,14 @@ +# Network Miner Free Edition +> Examine network traffic and carve PCAP capture files. + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#explore-network-interactions-monitoring diff --git a/data/generated/wiki/tools/networkminer.md b/data/generated/wiki/tools/networkminer.md new file mode 100644 index 0000000..2afb649 --- /dev/null +++ b/data/generated/wiki/tools/networkminer.md @@ -0,0 +1,17 @@ +# networkminer +> Passive network traffic analyzer — extracts files, images, credentials from PCAP captures + +**Tier:** Rich (FOR610) + +## Usage +```bash +NetworkMiner --pcap +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 7: File Extraction + +#network #pcap #file-carving #passive diff --git a/data/generated/wiki/tools/nginx.md b/data/generated/wiki/tools/nginx.md new file mode 100644 index 0000000..cf9541d --- /dev/null +++ b/data/generated/wiki/tools/nginx.md 
@@ -0,0 +1,14 @@ +# nginx +> Web server. + +**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services) + +## Related Tools +- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra +- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP +- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT +- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept +- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers + +#explore-network-interactions-services diff --git a/data/generated/wiki/tools/ngrep.md b/data/generated/wiki/tools/ngrep.md new file mode 100644 index 0000000..c181ca7 --- /dev/null +++ b/data/generated/wiki/tools/ngrep.md 
@@ -0,0 +1,23 @@ +# ngrep +> Search network traffic for patterns — like grep for packets + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +ngrep -I 'password' +ngrep -d eth0 'GET|POST' 'tcp port 80' +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as + +#network #search #pattern-matching diff --git a/data/generated/wiki/tools/nodejs.md b/data/generated/wiki/tools/nodejs.md new file mode 100644 index 0000000..59f21f3 --- /dev/null +++ b/data/generated/wiki/tools/nodejs.md @@ -0,0 +1,4 @@ +# nodejs + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/nomorexor.md b/data/generated/wiki/tools/nomorexor.md new file mode 100644 index 0000000..268c2d2 --- /dev/null +++ b/data/generated/wiki/tools/nomorexor.md 
@@ -0,0 +1,14 @@ +# nomorexor +> Help guess a file's 256-byte XOR by using frequency analysis. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/nslookup.md b/data/generated/wiki/tools/nslookup.md new file mode 100644 index 0000000..8f0c06d --- /dev/null +++ b/data/generated/wiki/tools/nslookup.md @@ -0,0 +1,19 @@ +# nslookup +> DNS query tool for testing name resolution + +**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +nslookup domain.com +``` + +## Related Tools +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/torsocks|torsocks]] — Route network traffic through the Tor anonymity network + +## FOR610 +**Labs:** 1.3 +**Sections:** 1 + +#dns #testing diff --git a/data/generated/wiki/tools/nsrllookup.md b/data/generated/wiki/tools/nsrllookup.md new file mode 100644 index 0000000..5aed864 --- /dev/null +++ b/data/generated/wiki/tools/nsrllookup.md 
@@ -0,0 +1,14 @@ +# nsrllookup +> Look up MD5 file hashes in the NIST National Software Reference Library (NSRL). + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/numbers-to-string.md b/data/generated/wiki/tools/numbers-to-string.md new file mode 100644 index 0000000..37145e1 --- /dev/null +++ b/data/generated/wiki/tools/numbers-to-string.md 
@@ -0,0 +1,29 @@ +# numbers-to-string.py +> Convert sequences of decimal numbers to readable characters + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +oledump.py doc.docm -s A3 -v | numbers-to-string.py -j +``` + +## Recipes +- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.3 +**Sections:** 3 + +#decoding #deobfuscation #didier-stevens diff --git a/data/generated/wiki/tools/objdump.md b/data/generated/wiki/tools/objdump.md new file mode 100644 index 0000000..6c69863 --- /dev/null +++ b/data/generated/wiki/tools/objdump.md 
@@ -0,0 +1,13 @@ +# objdump +> Disassemble binary files. + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi + +#statically-analyze-code-general diff --git a/data/generated/wiki/tools/objects-js.md b/data/generated/wiki/tools/objects-js.md new file mode 100644 index 0000000..6d8541c --- /dev/null +++ b/data/generated/wiki/tools/objects-js.md @@ -0,0 +1,13 @@ +# objects.js +> Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript. + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Related Tools +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou + +#dynamically-reverse-engineer-code-scripts diff --git a/data/generated/wiki/tools/oledump.md b/data/generated/wiki/tools/oledump.md new file mode 100644 index 0000000..f78df02 
--- /dev/null +++ b/data/generated/wiki/tools/oledump.md @@ -0,0 +1,34 @@ +# oledump.py +> Analyze OLE2 files (Office documents), extract streams and VBA macros + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +oledump.py document.docm +oledump.py document.docm -s A3 -v +oledump.py document.docm -i +``` + +## Recipes +- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]] +- [[recipes/vba-number-string-decode|Decode VBA Number Arrays to Strings]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Labs:** 3.3, 3.4, 4.5 +**Sections:** 3, 4 + +#office #vba #macro #ole #didier-stevens diff --git a/data/generated/wiki/tools/olefile.md b/data/generated/wiki/tools/olefile.md new file mode 100644 index 0000000..fa1fd80 --- /dev/null +++ b/data/generated/wiki/tools/olefile.md 
@@ -0,0 +1,14 @@ +# olefile +> Python package to parse, read and write MS OLE2 files. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/olevba.md b/data/generated/wiki/tools/olevba.md new file mode 100644 index 0000000..190afad --- /dev/null +++ b/data/generated/wiki/tools/olevba.md 
@@ -0,0 +1,26 @@ +# olevba +> Extract and analyze VBA macros from Office documents with deobfuscation + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +olevba document.docm +olevba --deobf document.docm +``` + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 4: Macro/Script Extraction + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Sections:** 3 + +#office #vba #macro #deobfuscation diff --git a/data/generated/wiki/tools/onedump.md b/data/generated/wiki/tools/onedump.md new file mode 100644 index 0000000..08006d2 --- /dev/null +++ b/data/generated/wiki/tools/onedump.md 
@@ -0,0 +1,17 @@ +# onedump.py +> Extract and analyze embedded files from OneNote documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/opencode.md b/data/generated/wiki/tools/opencode.md new file mode 100644 index 0000000..dcf2614 --- /dev/null +++ b/data/generated/wiki/tools/opencode.md @@ -0,0 +1,11 @@ +# opencode +> Open-source AI coding agent for the terminal. + +**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence) + +## Related Tools +- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra. +- [[tools/remnux-mcp-server|remnux-mcp-server]] — MCP server for using the REMnux malware analysis toolkit via + +#use-artificial-intelligence 
diff --git a/data/generated/wiki/tools/openjdk.md b/data/generated/wiki/tools/openjdk.md new file mode 100644 index 0000000..5e56d6b --- /dev/null +++ b/data/generated/wiki/tools/openjdk.md @@ -0,0 +1,4 @@ +# openjdk + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/openssh.md b/data/generated/wiki/tools/openssh.md new file mode 100644 index 0000000..5300519 --- /dev/null +++ b/data/generated/wiki/tools/openssh.md @@ -0,0 +1,14 @@ +# openssh +> Initiate and receive SSH and SFTP connections. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/openssl.md b/data/generated/wiki/tools/openssl.md new file mode 100644 index 0000000..8c42bbc --- /dev/null +++ b/data/generated/wiki/tools/openssl.md @@ -0,0 +1,4 @@ +# openssl + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/origamindee.md b/data/generated/wiki/tools/origamindee.md new file mode 100644 index 0000000..e2f435b --- /dev/null +++ b/data/generated/wiki/tools/origamindee.md 
@@ -0,0 +1,14 @@ +# origamindee +> Parse, modify, generate PDF files. + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Related Tools +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates + +#analyze-documents-pdf diff --git a/data/generated/wiki/tools/osarch.md b/data/generated/wiki/tools/osarch.md new file mode 100644 index 0000000..6493e19 --- /dev/null +++ b/data/generated/wiki/tools/osarch.md @@ -0,0 +1,4 @@ +# osarch + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pcode2code.md b/data/generated/wiki/tools/pcode2code.md new file mode 100644 index 0000000..dda5880 --- /dev/null +++ b/data/generated/wiki/tools/pcode2code.md 
@@ -0,0 +1,25 @@ +# pcode2code +> Decompile VBA p-code from Office documents — works even when VBA source is removed + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +pcode2code +``` + +## Recipes +- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 4: Macro/Script Extraction + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#office #vba #p-code #decompilation diff --git a/data/generated/wiki/tools/pcodedmp.md b/data/generated/wiki/tools/pcodedmp.md new file mode 100644 index 0000000..4ac032d --- /dev/null +++ b/data/generated/wiki/tools/pcodedmp.md 
@@ -0,0 +1,17 @@ +# pcodedmp +> Disassemble VBA p-code. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Recipes +- [[recipes/vba-pcode-decompile|Recover VBA from p-code (source removed)]] + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/pdf-parser.md b/data/generated/wiki/tools/pdf-parser.md new file mode 100644 index 0000000..9639e2f --- /dev/null +++ b/data/generated/wiki/tools/pdf-parser.md 
@@ -0,0 +1,34 @@ +# pdf-parser.py +> Parse PDF structure, locate objects, extract content, and search for strings + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +pdf-parser.py document.pdf -a +pdf-parser.py document.pdf -s /URI +pdf-parser.py document.pdf -k /URI +pdf-parser.py document.pdf -o 6 -d object6.jpg +``` + +## Recipes +- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]] +- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates + +## FOR610 +**Labs:** 3.1 +**Sections:** 1, 3 + +#pdf #static-analysis #object-extraction #didier-stevens diff --git a/data/generated/wiki/tools/pdfid.md b/data/generated/wiki/tools/pdfid.md new file mode 100644 index 0000000..a5368f1 --- /dev/null +++ b/data/generated/wiki/tools/pdfid.md 
@@ -0,0 +1,31 @@ +# pdfid.py +> Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +pdfid.py document.pdf +pdfid.py -n document.pdf +``` + +## Recipes +- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]] +- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates + +## FOR610 +**Labs:** 3.1 +**Sections:** 1, 3 + +#pdf #static-analysis #triage #didier-stevens diff --git a/data/generated/wiki/tools/pdfresurrect.md b/data/generated/wiki/tools/pdfresurrect.md new file mode 100644 index 0000000..8ce6dee --- /dev/null +++ b/data/generated/wiki/tools/pdfresurrect.md 
@@ -0,0 +1,22 @@ +# pdfresurrect +> Extract and analyze previous versions from PDF files + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +pdfresurrect document.pdf +``` + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates + +## FOR610 +**Sections:** 1 + +#pdf #versioning diff --git a/data/generated/wiki/tools/pdftk.md b/data/generated/wiki/tools/pdftk.md new file mode 100644 index 0000000..ab9bdc7 --- /dev/null +++ b/data/generated/wiki/tools/pdftk.md 
@@ -0,0 +1,23 @@ +# pdftk +> Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +pdftk input.pdf cat output output.pdf flatten +pdftk input.pdf unpack_files +``` + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftool|pdftool.py]] — Analyze PDF incremental updates + +## FOR610 +**Sections:** 3 + +#pdf #manipulation #extraction diff --git a/data/generated/wiki/tools/pdftool.md b/data/generated/wiki/tools/pdftool.md new file mode 100644 index 0000000..c803460 --- /dev/null +++ b/data/generated/wiki/tools/pdftool.md 
@@ -0,0 +1,22 @@ +# pdftool.py +> Analyze PDF incremental updates + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +pdftool.py document.pdf +``` + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e + +## FOR610 +**Sections:** 1 + +#pdf #didier-stevens diff --git a/data/generated/wiki/tools/pdnstool.md b/data/generated/wiki/tools/pdnstool.md new file mode 100644 index 0000000..5c8181f --- /dev/null +++ b/data/generated/wiki/tools/pdnstool.md @@ -0,0 +1,14 @@ +# pdnstool +> Query passive DNS databases for DNS data. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/pe-tree.md b/data/generated/wiki/tools/pe-tree.md new file mode 100644 index 0000000..bb685d8 --- /dev/null +++ b/data/generated/wiki/tools/pe-tree.md @@ -0,0 +1,4 @@ +# pe-tree + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pedump.md b/data/generated/wiki/tools/pedump.md new file mode 100644 index 0000000..b0f1d98 --- /dev/null +++ b/data/generated/wiki/tools/pedump.md @@ -0,0 +1,4 @@ +# pedump + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/peepdf.md b/data/generated/wiki/tools/peepdf.md new file mode 100644 index 0000000..ab8b1c1 --- /dev/null +++ b/data/generated/wiki/tools/peepdf.md @@ -0,0 +1,26 @@ +# peepdf +> Interactive PDF analysis framework with JavaScript detection and exploitation capabilities + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +peepdf -i malicious.pdf +peepdf -f -i malicious.pdf +``` + +## Recipes +- [[recipes/pdf-javascript-extraction|Extract JavaScript from PDF]] + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e + +## FOR610 +**Sections:** 1 + +#pdf #interactive #javascript-detection diff --git a/data/generated/wiki/tools/peframe.md b/data/generated/wiki/tools/peframe.md new file mode 100644 index 0000000..15eb3b2 --- /dev/null +++ b/data/generated/wiki/tools/peframe.md 
@@ -0,0 +1,24 @@ +# peframe +> Static analysis of PE files — extract properties, detect anomalies, identify packers + +**Category:** [[categories/static-analysis-pe|static-analysis-pe]] | **Tier:** Rich (FOR610) + +## Usage +```bash +peframe specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 3: Packing & Entropy Check +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 1: Packing Identification +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 7: Extracted Payload Analysis +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata + +## Related Tools +- [[tools/pestr|pestr]] — Extract ASCII and Unicode strings from PE files + +## FOR610 +**Labs:** 1.1, 4.8 +**Sections:** 1, 4 + +#pe #static-analysis #triage diff --git a/data/generated/wiki/tools/perl.md b/data/generated/wiki/tools/perl.md new file mode 100644 index 0000000..e376cdb --- /dev/null +++ b/data/generated/wiki/tools/perl.md @@ -0,0 +1,4 @@ +# perl + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pestr.md b/data/generated/wiki/tools/pestr.md new file mode 100644 index 0000000..7dd2f84 --- /dev/null +++ b/data/generated/wiki/tools/pestr.md @@ -0,0 +1,21 @@ +# pestr +> Extract ASCII and Unicode strings from PE files + +**Category:** [[categories/static-analysis-pe|static-analysis-pe]] | **Tier:** Rich (FOR610) + +## Usage +```bash +pestr specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction + +## Related Tools +- [[tools/peframe|peframe]] — Static analysis of PE files — extract properties, detect ano + +## FOR610 +**Labs:** 1.1, 4.8 +**Sections:** 1, 4 + +#pe #strings #static-analysis diff --git a/data/generated/wiki/tools/pev.md b/data/generated/wiki/tools/pev.md new file mode 100644 index 0000000..3c5b01f --- /dev/null +++ b/data/generated/wiki/tools/pev.md 
@@ -0,0 +1,4 @@ +# pev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pgadmin.md b/data/generated/wiki/tools/pgadmin.md new file mode 100644 index 0000000..8e9f409 --- /dev/null +++ b/data/generated/wiki/tools/pgadmin.md @@ -0,0 +1,4 @@ +# pgadmin + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pip.md b/data/generated/wiki/tools/pip.md new file mode 100644 index 0000000..98533a7 --- /dev/null +++ b/data/generated/wiki/tools/pip.md @@ -0,0 +1,4 @@ +# pip + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pkg-config.md b/data/generated/wiki/tools/pkg-config.md new file mode 100644 index 0000000..5b301c5 --- /dev/null +++ b/data/generated/wiki/tools/pkg-config.md @@ -0,0 +1,4 @@ +# pkg-config + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/polarproxy.md b/data/generated/wiki/tools/polarproxy.md new file mode 100644 index 0000000..602150e --- /dev/null +++ b/data/generated/wiki/tools/polarproxy.md 
@@ -0,0 +1,22 @@ +# polarproxy +> Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +PolarProxy -p 443,80 -w captured.pcap +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 3: TLS/HTTPS Interception (if needed) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#network #tls #decryption #pcap diff --git a/data/generated/wiki/tools/portex.md b/data/generated/wiki/tools/portex.md new file mode 100644 index 0000000..5180303 --- /dev/null +++ b/data/generated/wiki/tools/portex.md @@ -0,0 +1,4 @@ +# portex + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/powershell.md b/data/generated/wiki/tools/powershell.md new file mode 100644 index 0000000..acb414c --- /dev/null +++ b/data/generated/wiki/tools/powershell.md 
@@ -0,0 +1,13 @@ +# powershell +> Run PowerShell scripts and commands. + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Related Tools +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou + +#dynamically-reverse-engineer-code-scripts diff --git a/data/generated/wiki/tools/prefer-ipv4.md b/data/generated/wiki/tools/prefer-ipv4.md new file mode 100644 index 0000000..b4266e6 --- /dev/null +++ b/data/generated/wiki/tools/prefer-ipv4.md @@ -0,0 +1,4 @@ +# prefer-ipv4 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/procdot.md b/data/generated/wiki/tools/procdot.md new file mode 100644 index 0000000..a527bc2 --- /dev/null +++ b/data/generated/wiki/tools/procdot.md 
@@ -0,0 +1,23 @@ +# ProcDOT +> Visualize Process Monitor logs as interactive graphs for behavioral analysis + +**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions) + +## Usage +```bash +procdot +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 6: Analyze Results + +## Related Tools +- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system. +- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst + +## FOR610 +**Labs:** 1.2, 4.5 +**Sections:** 1, 4 + +#visualization #process-monitor #behavioral diff --git a/data/generated/wiki/tools/procyon-decompiler.md b/data/generated/wiki/tools/procyon-decompiler.md new file mode 100644 index 0000000..db1fcb5 --- /dev/null +++ b/data/generated/wiki/tools/procyon-decompiler.md @@ -0,0 +1,4 @@ +# procyon-decompiler + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/procyon.md b/data/generated/wiki/tools/procyon.md new file mode 100644 index 0000000..252371b --- /dev/null +++ b/data/generated/wiki/tools/procyon.md 
@@ -0,0 +1,16 @@ +# Procyon +> Java decompiler. + +**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java) + +## Workflows +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 3: Multi-Decompiler Comparison + +## Related Tools +- [[tools/cfr|cfr]] — Modern Java decompiler — handles Java 8+ features including +- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files. +- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library. +- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI. + +#statically-analyze-code-java diff --git a/data/generated/wiki/tools/protobuf.md b/data/generated/wiki/tools/protobuf.md new file mode 100644 index 0000000..79211ae --- /dev/null +++ b/data/generated/wiki/tools/protobuf.md @@ -0,0 +1,4 @@ +# protobuf + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pycdc.md b/data/generated/wiki/tools/pycdc.md new file mode 100644 index 0000000..1e1f0a8 --- /dev/null +++ b/data/generated/wiki/tools/pycdc.md @@ -0,0 +1,4 @@ +# pycdc + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pyelftools.md b/data/generated/wiki/tools/pyelftools.md new file mode 100644 index 0000000..ae549c5 --- /dev/null +++ b/data/generated/wiki/tools/pyelftools.md @@ -0,0 +1,4 @@ +# pyelftools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/pyinstaller-extractor.md b/data/generated/wiki/tools/pyinstaller-extractor.md new file mode 100644 index 0000000..338d17f --- /dev/null +++ b/data/generated/wiki/tools/pyinstaller-extractor.md 
@@ -0,0 +1,12 @@ +# pyinstaller-extractor +> Extract contents of a PyInstaller-generated PE files. + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Related Tools +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +#statically-analyze-code-python diff --git a/data/generated/wiki/tools/pyinstxtractor-ng.md b/data/generated/wiki/tools/pyinstxtractor-ng.md new file mode 100644 index 0000000..647b7b3 --- /dev/null +++ b/data/generated/wiki/tools/pyinstxtractor-ng.md @@ -0,0 +1,17 @@ +# pyinstxtractor-ng +> Extract contents of PyInstaller-generated executables without needing matching Python version + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Usage +```bash +pyinstxtractor-ng +``` + +## Related Tools +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. +- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P + +#python #pyinstaller #extraction diff --git a/data/generated/wiki/tools/python-debian.md b/data/generated/wiki/tools/python-debian.md new file mode 100644 index 0000000..19c9adb --- /dev/null +++ b/data/generated/wiki/tools/python-debian.md 
@@ -0,0 +1,4 @@ +# python-debian + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-cryptography.md b/data/generated/wiki/tools/python3-cryptography.md new file mode 100644 index 0000000..55098b3 --- /dev/null +++ b/data/generated/wiki/tools/python3-cryptography.md @@ -0,0 +1,4 @@ +# python3-cryptography + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-dev.md b/data/generated/wiki/tools/python3-dev.md new file mode 100644 index 0000000..ff82add --- /dev/null +++ b/data/generated/wiki/tools/python3-dev.md @@ -0,0 +1,4 @@ +# python3-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-dnspython.md b/data/generated/wiki/tools/python3-dnspython.md new file mode 100644 index 0000000..61cfb27 --- /dev/null +++ b/data/generated/wiki/tools/python3-dnspython.md @@ -0,0 +1,4 @@ +# python3-dnspython + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-magic.md b/data/generated/wiki/tools/python3-magic.md new file mode 100644 index 0000000..e241598 --- /dev/null +++ b/data/generated/wiki/tools/python3-magic.md @@ -0,0 +1,4 @@ +# python3-magic + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-netifaces.md b/data/generated/wiki/tools/python3-netifaces.md new file mode 100644 index 0000000..49edb4e --- /dev/null +++ b/data/generated/wiki/tools/python3-netifaces.md @@ -0,0 +1,4 @@ +# python3-netifaces + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-numpy.md b/data/generated/wiki/tools/python3-numpy.md new file mode 100644 index 0000000..532ef42 --- /dev/null +++ b/data/generated/wiki/tools/python3-numpy.md @@ -0,0 +1,4 @@ +# python3-numpy + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pil.md b/data/generated/wiki/tools/python3-pil.md new file mode 100644 index 0000000..f7dd626 --- /dev/null +++ b/data/generated/wiki/tools/python3-pil.md @@ -0,0 +1,4 @@ +# python3-pil + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/python3-pip.md b/data/generated/wiki/tools/python3-pip.md new file mode 100644 index 0000000..d8cc57c --- /dev/null +++ b/data/generated/wiki/tools/python3-pip.md @@ -0,0 +1,4 @@ +# python3-pip + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pyasn1.md b/data/generated/wiki/tools/python3-pyasn1.md new file mode 100644 index 0000000..f82d5e9 --- /dev/null +++ b/data/generated/wiki/tools/python3-pyasn1.md @@ -0,0 +1,4 @@ +# python3-pyasn1 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-pyqt5.md b/data/generated/wiki/tools/python3-pyqt5.md new file mode 100644 index 0000000..2194fdf --- /dev/null +++ b/data/generated/wiki/tools/python3-pyqt5.md @@ -0,0 +1,4 @@ +# python3-pyqt5 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-requests.md b/data/generated/wiki/tools/python3-requests.md new file mode 100644 index 0000000..9f35d34 --- /dev/null +++ b/data/generated/wiki/tools/python3-requests.md @@ -0,0 +1,4 @@ +# python3-requests + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-setuptools.md b/data/generated/wiki/tools/python3-setuptools.md new file mode 100644 index 0000000..5dd4436 --- /dev/null +++ b/data/generated/wiki/tools/python3-setuptools.md @@ -0,0 +1,4 @@ +# python3-setuptools + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-ssdeep.md b/data/generated/wiki/tools/python3-ssdeep.md new file mode 100644 index 0000000..04115d8 --- /dev/null +++ b/data/generated/wiki/tools/python3-ssdeep.md @@ -0,0 +1,4 @@ +# python3-ssdeep + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-tk.md b/data/generated/wiki/tools/python3-tk.md new file mode 100644 index 0000000..df3779f --- /dev/null +++ b/data/generated/wiki/tools/python3-tk.md @@ -0,0 +1,4 @@ +# python3-tk + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-venv.md b/data/generated/wiki/tools/python3-venv.md new file mode 100644 index 0000000..aef5379 
--- /dev/null +++ b/data/generated/wiki/tools/python3-venv.md @@ -0,0 +1,4 @@ +# python3-venv + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-virtualenv.md b/data/generated/wiki/tools/python3-virtualenv.md new file mode 100644 index 0000000..95f3fe1 --- /dev/null +++ b/data/generated/wiki/tools/python3-virtualenv.md @@ -0,0 +1,4 @@ +# python3-virtualenv + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3-wheel.md b/data/generated/wiki/tools/python3-wheel.md new file mode 100644 index 0000000..9372231 --- /dev/null +++ b/data/generated/wiki/tools/python3-wheel.md @@ -0,0 +1,4 @@ +# python3-wheel + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/python3.md b/data/generated/wiki/tools/python3.md new file mode 100644 index 0000000..9038bac --- /dev/null +++ b/data/generated/wiki/tools/python3.md @@ -0,0 +1,4 @@ +# python3 + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/qiling.md b/data/generated/wiki/tools/qiling.md new file mode 100644 index 0000000..ee3a896 --- /dev/null +++ b/data/generated/wiki/tools/qiling.md 
@@ -0,0 +1,21 @@ +# qiling +> Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" +``` + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 3: Emulation-Based Unpacking + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi + +#emulation #multi-platform #binary-analysis diff --git a/data/generated/wiki/tools/qpdf.md b/data/generated/wiki/tools/qpdf.md new file mode 100644 index 0000000..5174f45 --- /dev/null +++ b/data/generated/wiki/tools/qpdf.md 
@@ -0,0 +1,22 @@ +# qpdf +> Decrypt, linearize, and transform PDF files — useful for removing password protection + +**Category:** [[categories/analyze-documents-pdf|Analyze Documents > PDF]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/pdf](https://docs.remnux.org/discover-the-tools/analyze+documents/pdf) + +## Usage +```bash +qpdf --decrypt encrypted.pdf output.pdf +``` + +## Related Tools +- [[tools/origamindee|origamindee]] — Parse, modify, generate PDF files. +- [[tools/pdf-parser|pdf-parser.py]] — Parse PDF structure, locate objects, extract content, and se +- [[tools/pdfid|pdfid.py]] — Scan PDF files for suspicious keywords like /JavaScript, /Op +- [[tools/pdfresurrect|pdfresurrect]] — Extract and analyze previous versions from PDF files +- [[tools/pdftk|pdftk]] — Manipulate PDF files — merge, split, flatten, encrypt, and e + +## FOR610 +**Sections:** 3 + +#pdf #decryption #transformation diff --git a/data/generated/wiki/tools/qtbase5-dev.md b/data/generated/wiki/tools/qtbase5-dev.md new file mode 100644 index 0000000..313d2de --- /dev/null +++ b/data/generated/wiki/tools/qtbase5-dev.md @@ -0,0 +1,4 @@ +# qtbase5-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/radare2.md b/data/generated/wiki/tools/radare2.md new file mode 100644 index 0000000..e2c4dda --- /dev/null +++ b/data/generated/wiki/tools/radare2.md 
@@ -0,0 +1,23 @@ +# radare2 +> Open-source reverse engineering command-line framework + +**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general) + +## Usage +```bash +r2 specimen.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed) +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 5: Native Library Analysis + +## Related Tools +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/wine|Wine]] — Windows compatibility layer — run Windows executables on Lin + +## FOR610 +**Sections:** 2 + +#disassembly #cli #open-source diff --git a/data/generated/wiki/tools/rar.md b/data/generated/wiki/tools/rar.md new file mode 100644 index 0000000..3de09b6 --- /dev/null +++ b/data/generated/wiki/tools/rar.md @@ -0,0 +1,23 @@ +# rar +> Extract RAR archives (including self-extracting RAR payloads) + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Usage +```bash +rar x archive.rar +``` + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#archive #extraction 
diff --git a/data/generated/wiki/tools/re-search.md b/data/generated/wiki/tools/re-search.md new file mode 100644 index 0000000..81ca6d0 --- /dev/null +++ b/data/generated/wiki/tools/re-search.md @@ -0,0 +1,14 @@ +# re-search.py +> Search the file for built-in regular expressions of common suspicious artifacts. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/redress.md b/data/generated/wiki/tools/redress.md new file mode 100644 index 0000000..aee71be --- /dev/null +++ b/data/generated/wiki/tools/redress.md @@ -0,0 +1,10 @@ +# redress +> Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2. + +**Category:** [[categories/examine-static-properties-go|Examine Static Properties > Go]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/go](https://docs.remnux.org/discover-the-tools/examine+static+properties/go) + +## Related Tools +- [[tools/goresym|goresym]] — Extract metadata and symbols from Go binaries, including str + +#examine-static-properties-go diff --git a/data/generated/wiki/tools/refresh.md b/data/generated/wiki/tools/refresh.md new file mode 100644 index 0000000..5fd223a 
--- /dev/null +++ b/data/generated/wiki/tools/refresh.md @@ -0,0 +1,4 @@ +# refresh + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/remnux-installer.md b/data/generated/wiki/tools/remnux-installer.md new file mode 100644 index 0000000..17f65b1 --- /dev/null +++ b/data/generated/wiki/tools/remnux-installer.md @@ -0,0 +1,14 @@ +# REMnux Installer +> Install and update the REMnux distro. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/remnux-mcp-server.md b/data/generated/wiki/tools/remnux-mcp-server.md new file mode 100644 index 0000000..c20e153 --- /dev/null +++ b/data/generated/wiki/tools/remnux-mcp-server.md @@ -0,0 +1,11 @@ +# remnux-mcp-server +> MCP server for using the REMnux malware analysis toolkit via AI assistants. + +**Category:** [[categories/use-artificial-intelligence|Use Artificial Intelligence]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/use+artificial+intelligence](https://docs.remnux.org/discover-the-tools/use+artificial+intelligence) + +## Related Tools +- [[tools/ghidrassistmcp|GhidrAssistMCP]] — MCP server for AI-assisted reverse engineering in Ghidra. +- [[tools/opencode|opencode]] — Open-source AI coding agent for the terminal. + +#use-artificial-intelligence diff --git a/data/generated/wiki/tools/remnux.md b/data/generated/wiki/tools/remnux.md new file mode 100644 index 0000000..11f43e0 --- /dev/null 
+++ b/data/generated/wiki/tools/remnux.md @@ -0,0 +1,4 @@ +# remnux + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/remove-app-icons.md b/data/generated/wiki/tools/remove-app-icons.md new file mode 100644 index 0000000..8072825 --- /dev/null +++ b/data/generated/wiki/tools/remove-app-icons.md @@ -0,0 +1,4 @@ +# remove-app-icons + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rhino.md b/data/generated/wiki/tools/rhino.md new file mode 100644 index 0000000..8d307bd --- /dev/null +++ b/data/generated/wiki/tools/rhino.md @@ -0,0 +1,4 @@ +# rhino + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rsakeyfind.md b/data/generated/wiki/tools/rsakeyfind.md new file mode 100644 index 0000000..27a87a3 --- /dev/null +++ b/data/generated/wiki/tools/rsakeyfind.md @@ -0,0 +1,4 @@ +# rsakeyfind + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/rsakeyfinder.md b/data/generated/wiki/tools/rsakeyfinder.md new file mode 100644 index 0000000..f70cb24 --- /dev/null +++ b/data/generated/wiki/tools/rsakeyfinder.md @@ -0,0 +1,11 @@ +# RSAKeyFinder +> Find BER-encoded RSA private keys in a memory image. + +**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics) + +## Related Tools +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa + +#perform-memory-forensics diff --git a/data/generated/wiki/tools/rtfdump.md b/data/generated/wiki/tools/rtfdump.md new file mode 100644 index 0000000..929d030 --- /dev/null +++ b/data/generated/wiki/tools/rtfdump.md 
@@ -0,0 +1,31 @@ +# rtfdump.py +> Analyze RTF file structure, identify hex-encoded groups and embedded objects + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +rtfdump.py document.rtf +rtfdump.py document.rtf -s 5 -H -d > extracted.bin +``` + +## Recipes +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 2: Structure Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 2: Extraction + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#rtf #document #didier-stevens diff --git a/data/generated/wiki/tools/ruby-dev.md b/data/generated/wiki/tools/ruby-dev.md new file mode 100644 index 0000000..346e95b --- /dev/null +++ b/data/generated/wiki/tools/ruby-dev.md @@ -0,0 +1,4 @@ +# ruby-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ruby.md b/data/generated/wiki/tools/ruby.md new file mode 100644 index 0000000..7b49372 --- /dev/null +++ b/data/generated/wiki/tools/ruby.md @@ -0,0 +1,4 @@ +# ruby + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/runsc32.md b/data/generated/wiki/tools/runsc32.md new file mode 100644 index 0000000..f384f07 --- /dev/null +++ b/data/generated/wiki/tools/runsc32.md @@ -0,0 +1,22 @@ +# runsc32 +> Execute extracted shellcode for dynamic analysis + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +runsc32 -f shellcode.bin -o 0x3B -d qa.doc +``` + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +## FOR610 +**Labs:** 3.5, 4.6 +**Sections:** 3, 4 + +#shellcode #execution #dynamic-analysis diff --git a/data/generated/wiki/tools/salt-minion.md b/data/generated/wiki/tools/salt-minion.md new file mode 100644 index 0000000..ff24e85 --- /dev/null +++ b/data/generated/wiki/tools/salt-minion.md @@ -0,0 +1,4 @@ +# salt-minion + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sandfly-processdecloak.md b/data/generated/wiki/tools/sandfly-processdecloak.md new file mode 100644 index 0000000..b8db137 --- /dev/null +++ b/data/generated/wiki/tools/sandfly-processdecloak.md 
@@ -0,0 +1,11 @@ +# sandfly-processdecloak +> Find hidden processes on the local Linux system. + +**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions) + +## Related Tools +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh +- [[tools/unhide|unhide]] — Find hidden processes or connections on the local Linux syst + +#investigate-system-interactions diff --git a/data/generated/wiki/tools/scalpel.md b/data/generated/wiki/tools/scalpel.md new file mode 100644 index 0000000..7a45179 --- /dev/null +++ b/data/generated/wiki/tools/scalpel.md @@ -0,0 +1,14 @@ +# scalpel +> Carve contents out of binary files, such as partitions. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/scdbgc.md b/data/generated/wiki/tools/scdbgc.md new file mode 100644 index 0000000..a5cd2aa --- /dev/null +++ b/data/generated/wiki/tools/scdbgc.md 
@@ -0,0 +1,33 @@ +# scdbgc +> Shellcode emulator — analyze shellcode behavior through API-level emulation + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +scdbgc /f shellcode.bin /s -1 +scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc +scdbgc /f shellcode.bin /s -1 /norw +``` + +## Recipes +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/shellcode-emulate-with-offset|Emulate Shellcode at Specific Offset]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 3: Emulation + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +## FOR610 +**Labs:** 3.4, 3.5, 4.6 +**Sections:** 3, 4 + +#shellcode #emulation #api-calls diff --git a/data/generated/wiki/tools/scite.md b/data/generated/wiki/tools/scite.md new file mode 100644 index 0000000..f901f87 --- /dev/null +++ b/data/generated/wiki/tools/scite.md 
@@ -0,0 +1,14 @@ +# scite +> Edit text files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/vbindiff|vbindiff]] — Compare binary files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/sets.md b/data/generated/wiki/tools/sets.md new file mode 100644 index 0000000..8bbf87e --- /dev/null +++ b/data/generated/wiki/tools/sets.md @@ -0,0 +1,14 @@ +# sets.py +> Perform set operations on lines or bytes in text files. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/sharutils.md b/data/generated/wiki/tools/sharutils.md new file mode 100644 index 0000000..dd84b21 --- /dev/null 
+++ b/data/generated/wiki/tools/sharutils.md @@ -0,0 +1,4 @@ +# sharutils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/shcode2exe.md b/data/generated/wiki/tools/shcode2exe.md new file mode 100644 index 0000000..1b03ed5 --- /dev/null +++ b/data/generated/wiki/tools/shcode2exe.md @@ -0,0 +1,24 @@ +# shcode2exe +> Convert raw shellcode to a Windows PE executable for analysis in disassemblers + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Usage +```bash +shcode2exe +``` + +## Recipes +- [[recipes/shellcode-to-exe|Convert Shellcode to Executable]] + +## Workflows +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 5: Conversion to EXE + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shellcode2exe-bat|shellcode2exe-bat]] — Convert 32 and 64-bit shellcode to a Windows executable file + +#shellcode #conversion #pe diff --git a/data/generated/wiki/tools/shellcode2exe-bat.md b/data/generated/wiki/tools/shellcode2exe-bat.md new file mode 100644 index 0000000..7f2b315 --- /dev/null +++ b/data/generated/wiki/tools/shellcode2exe-bat.md 
@@ -0,0 +1,13 @@ +# shellcode2exe-bat +> Convert 32 and 64-bit shellcode to a Windows executable file. + +**Category:** [[categories/dynamically-reverse-engineer-code-shellcode|Dynamically Reverse-Engineer Code > Shellcode]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode) + +## Related Tools +- [[tools/libemu|libemu]] — A library for x86 code emulation and shellcode detection. +- [[tools/runsc32|runsc32]] — Execute extracted shellcode for dynamic analysis +- [[tools/scdbgc|scdbgc]] — Shellcode emulator — analyze shellcode behavior through API- +- [[tools/shcode2exe|shcode2exe]] — Convert raw shellcode to a Windows PE executable for analysi + +#dynamically-reverse-engineer-code-shellcode diff --git a/data/generated/wiki/tools/sift.md b/data/generated/wiki/tools/sift.md new file mode 100644 index 0000000..4366454 --- /dev/null +++ b/data/generated/wiki/tools/sift.md @@ -0,0 +1,4 @@ +# sift + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/signsrch.md b/data/generated/wiki/tools/signsrch.md new file mode 100644 index 0000000..3739ada --- /dev/null +++ b/data/generated/wiki/tools/signsrch.md 
@@ -0,0 +1,14 @@ +# signsrch +> Find patterns of common encryption, compression, or encoding algorithms. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/sleuth-kit.md b/data/generated/wiki/tools/sleuth-kit.md new file mode 100644 index 0000000..d3c3f4c --- /dev/null +++ b/data/generated/wiki/tools/sleuth-kit.md @@ -0,0 +1,14 @@ +# Sleuth Kit +> Analyze disk images and recover files from them. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/sleuthkit.md b/data/generated/wiki/tools/sleuthkit.md new file mode 100644 index 0000000..6d89535 --- /dev/null +++ b/data/generated/wiki/tools/sleuthkit.md @@ -0,0 +1,4 @@ +# sleuthkit + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/snap.md b/data/generated/wiki/tools/snap.md new file mode 100644 index 0000000..28e5525 --- /dev/null +++ b/data/generated/wiki/tools/snap.md @@ -0,0 +1,4 @@ +# snap + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/snapd.md b/data/generated/wiki/tools/snapd.md new file mode 100644 index 0000000..f74770e --- /dev/null +++ b/data/generated/wiki/tools/snapd.md @@ -0,0 +1,4 @@ +# snapd + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/software-properties-common.md b/data/generated/wiki/tools/software-properties-common.md new file mode 100644 index 0000000..7f8d802 --- /dev/null +++ b/data/generated/wiki/tools/software-properties-common.md @@ -0,0 +1,4 @@ +# software-properties-common + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sortcanon.md b/data/generated/wiki/tools/sortcanon.md new file mode 100644 index 0000000..b13033c --- /dev/null +++ b/data/generated/wiki/tools/sortcanon.md @@ -0,0 +1,14 @@ +# sortcanon.py +> Sort text files using canonicalization functions built into this tool. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities 
diff --git a/data/generated/wiki/tools/speakeasy.md b/data/generated/wiki/tools/speakeasy.md new file mode 100644 index 0000000..b81ca7a --- /dev/null +++ b/data/generated/wiki/tools/speakeasy.md @@ -0,0 +1,30 @@ +# speakeasy +> Windows binary emulator — emulates API calls to analyze malware behavior without native execution + +**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files) + +## Usage +```bash +speakeasy -t specimen.exe -o report.json 2> report.txt +speakeasy -t shellcode.bin -r -a x86 +``` + +## Recipes +- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]] + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative) +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 3: Emulation-Based Unpacking +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 3: Emulation + +## Related Tools +- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating +- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo +- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal + +## FOR610 +**Labs:** 1.4 +**Sections:** 1 + +#emulation #api-calls #behavioral-analysis diff --git a/data/generated/wiki/tools/spidermonkey.md b/data/generated/wiki/tools/spidermonkey.md new file mode 100644 index 0000000..62cba31 --- /dev/null +++ b/data/generated/wiki/tools/spidermonkey.md 
@@ -0,0 +1,30 @@ +# SpiderMonkey +> Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser + +**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts) + +## Usage +```bash +js -f malicious.js +js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js +``` + +## Recipes +- [[recipes/js-deobfuscation-spidermonkey|Deobfuscate JavaScript with SpiderMonkey]] +- [[recipes/js-null-byte-cleanup|Clean Null Bytes from UTF-16 JavaScript]] + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 3: Safe Execution (SpiderMonkey) + +## Related Tools +- [[tools/box-js|box-js]] — JavaScript sandbox for analyzing malicious scripts by emulat +- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat +- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and +- [[tools/powershell|powershell]] — Run PowerShell scripts and commands. + +## FOR610 +**Labs:** 3.6, 3.7, 4.5 +**Sections:** 3, 4 + +#javascript #deobfuscation #execution diff --git a/data/generated/wiki/tools/sqlite.md b/data/generated/wiki/tools/sqlite.md new file mode 100644 index 0000000..0865e72 --- /dev/null +++ b/data/generated/wiki/tools/sqlite.md 
@@ -0,0 +1,14 @@ +# SQLite +> Manage and interact with SQL database files. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/ssdeep.md b/data/generated/wiki/tools/ssdeep.md new file mode 100644 index 0000000..32f4cef --- /dev/null +++ b/data/generated/wiki/tools/ssdeep.md @@ -0,0 +1,21 @@ +# ssdeep +> Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +ssdeep +ssdeep -m +ssdeep -d +``` + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#hashing #fuzzy #similarity #clustering diff --git a/data/generated/wiki/tools/ssh.md b/data/generated/wiki/tools/ssh.md new file mode 100644 index 0000000..45706a0 --- /dev/null 
+++ b/data/generated/wiki/tools/ssh.md @@ -0,0 +1,4 @@ +# ssh + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ssview.md b/data/generated/wiki/tools/ssview.md new file mode 100644 index 0000000..1a8bce5 --- /dev/null +++ b/data/generated/wiki/tools/ssview.md @@ -0,0 +1,14 @@ +# ssview +> Analyze OLE2 Structured Storage files. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/strace.md b/data/generated/wiki/tools/strace.md new file mode 100644 index 0000000..9ce3a5f --- /dev/null +++ b/data/generated/wiki/tools/strace.md @@ -0,0 +1,7 @@ +# strace + +**Tier:** Basic + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup + diff --git a/data/generated/wiki/tools/strdeob.md b/data/generated/wiki/tools/strdeob.md new file mode 100644 index 0000000..ae46e70 --- /dev/null +++ b/data/generated/wiki/tools/strdeob.md 
@@ -0,0 +1,29 @@ +# strdeob.pl +> Automatically decode stack-built strings from disassembled malware + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +strdeob.pl specimen.exe +``` + +## Recipes +- [[recipes/stack-string-extraction|Extract Stack-Built Strings]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 5: Stack String Recovery + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 5.2 +**Sections:** 5 + +#stack-strings #deobfuscation diff --git a/data/generated/wiki/tools/strings.md b/data/generated/wiki/tools/strings.md new file mode 100644 index 0000000..577e1eb --- /dev/null +++ b/data/generated/wiki/tools/strings.md 
@@ -0,0 +1,35 @@ +# strings +> Extract printable ASCII and Unicode strings from binary files + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +strings binary.exe +strings -n 10 binary.exe +strings --encoding=l binary.exe +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 4: String Extraction +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification +- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 7: Extracted Payload Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 1: Automated Extraction +- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 6: String Search +- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 5: Native Library Analysis +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 5: Resource Extraction + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.4, 5.2 +**Sections:** 1, 3 + +#strings #static-analysis #triage diff --git a/data/generated/wiki/tools/subversion.md b/data/generated/wiki/tools/subversion.md new file mode 100644 index 0000000..558dcc8 --- /dev/null 
+++ b/data/generated/wiki/tools/subversion.md @@ -0,0 +1,4 @@ +# subversion + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sudo.md b/data/generated/wiki/tools/sudo.md new file mode 100644 index 0000000..6d26f2f --- /dev/null +++ b/data/generated/wiki/tools/sudo.md @@ -0,0 +1,4 @@ +# sudo + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/sudoers.md b/data/generated/wiki/tools/sudoers.md new file mode 100644 index 0000000..99d4586 --- /dev/null +++ b/data/generated/wiki/tools/sudoers.md @@ -0,0 +1,4 @@ +# sudoers + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/tcpdump.md b/data/generated/wiki/tools/tcpdump.md new file mode 100644 index 0000000..9540e89 --- /dev/null +++ b/data/generated/wiki/tools/tcpdump.md 
@@ -0,0 +1,27 @@ +# tcpdump +> Command-line packet capture tool + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpdump -i eth0 -w capture.pcap +tcpdump -r capture.pcap +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 4: Packet Capture + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Sections:** 1 + +#packet-capture #cli #network diff --git a/data/generated/wiki/tools/tcpflow.md b/data/generated/wiki/tools/tcpflow.md new file mode 100644 index 0000000..0c9fb23 --- /dev/null +++ b/data/generated/wiki/tools/tcpflow.md 
@@ -0,0 +1,25 @@ +# tcpflow +> Extract and reassemble TCP streams from PCAP files into individual files + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpflow -r -o output/ +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#network #tcp #stream-extraction diff --git a/data/generated/wiki/tools/tcpick.md b/data/generated/wiki/tools/tcpick.md new file mode 100644 index 0000000..b6c739d --- /dev/null +++ b/data/generated/wiki/tools/tcpick.md 
@@ -0,0 +1,14 @@ +# tcpick +> Capture and analyze network traffic with this command-line sniffer. + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#explore-network-interactions-monitoring diff --git a/data/generated/wiki/tools/tcpxtract.md b/data/generated/wiki/tools/tcpxtract.md new file mode 100644 index 0000000..063d2e9 --- /dev/null +++ b/data/generated/wiki/tools/tcpxtract.md 
@@ -0,0 +1,25 @@ +# tcpxtract +> Carve files from network traffic using file signatures + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tcpxtract -f -o output/ +``` + +## Recipes +- [[recipes/pcap-file-carving|Extract Files from Network Capture]] + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 7: File Extraction + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +#network #file-carving #pcap diff --git a/data/generated/wiki/tools/tesseract-ocr.md b/data/generated/wiki/tools/tesseract-ocr.md new file mode 100644 index 0000000..3d4e809 --- /dev/null +++ b/data/generated/wiki/tools/tesseract-ocr.md @@ -0,0 +1,7 @@ +# tesseract-ocr +> Examine images to identify and extract text using optical character recognition (OCR). + +**Category:** [[categories/analyze-documents-general|Analyze Documents > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/general](https://docs.remnux.org/discover-the-tools/analyze+documents/general) + +#analyze-documents-general 
diff --git a/data/generated/wiki/tools/texteditor.md b/data/generated/wiki/tools/texteditor.md new file mode 100644 index 0000000..5a5e811 --- /dev/null +++ b/data/generated/wiki/tools/texteditor.md @@ -0,0 +1,14 @@ +# texteditor.py +> Edit text files from the command line using search-and-replace commands. + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +#general-utilities diff --git a/data/generated/wiki/tools/thefuzz.md b/data/generated/wiki/tools/thefuzz.md new file mode 100644 index 0000000..fcd9793 --- /dev/null +++ b/data/generated/wiki/tools/thefuzz.md @@ -0,0 +1,14 @@ +# thefuzz +> Fuzzy String Matching in Python. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general 
diff --git a/data/generated/wiki/tools/thug.md b/data/generated/wiki/tools/thug.md new file mode 100644 index 0000000..4810585 --- /dev/null +++ b/data/generated/wiki/tools/thug.md @@ -0,0 +1,22 @@ +# Thug +> Low-interaction honeyclient for analyzing malicious websites and drive-by downloads + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +thug -u win7chrome49 http://suspicious-site.com +``` + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +## FOR610 +**Sections:** 3 + +#honeyclient #web-analysis #drive-by diff --git a/data/generated/wiki/tools/time-decode.md b/data/generated/wiki/tools/time-decode.md new file mode 100644 index 0000000..a2dfab5 --- /dev/null +++ b/data/generated/wiki/tools/time-decode.md 
@@ -0,0 +1,14 @@ +# time-decode +> Decode and encode date and timestamps. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/tor.md b/data/generated/wiki/tools/tor.md new file mode 100644 index 0000000..2ebdada --- /dev/null +++ b/data/generated/wiki/tools/tor.md @@ -0,0 +1,14 @@ +# tor +> Obfuscate your origins by routing traffic through a network of anonymizing nodes. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#explore-network-interactions-connecting 
diff --git a/data/generated/wiki/tools/torsocks.md b/data/generated/wiki/tools/torsocks.md new file mode 100644 index 0000000..a3b55e5 --- /dev/null +++ b/data/generated/wiki/tools/torsocks.md @@ -0,0 +1,18 @@ +# torsocks +> Route network traffic through the Tor anonymity network + +**Category:** [[categories/network-analysis|network-analysis]] | **Tier:** Rich (FOR610) + +## Usage +```bash +torsocks curl http://example.onion +``` + +## Related Tools +- [[tools/iptables|iptables]] — Linux firewall and NAT tool for redirecting IP-based malware +- [[tools/nslookup|nslookup]] — DNS query tool for testing name resolution + +## FOR610 +**Sections:** 1 + +#tor #anonymity #network-routing diff --git a/data/generated/wiki/tools/translate.md b/data/generated/wiki/tools/translate.md new file mode 100644 index 0000000..7b0ef5e --- /dev/null +++ b/data/generated/wiki/tools/translate.md 
@@ -0,0 +1,31 @@ +# translate.py +> Transform data using Python expressions (XOR, ADD, etc.) + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +translate.py "byte ^ 35" < input.bin > output.bin +``` + +## Recipes +- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]] +- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 4: Multi-Byte / Custom Decoding + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#xor #transformation #decoding #didier-stevens diff --git a/data/generated/wiki/tools/trid.md b/data/generated/wiki/tools/trid.md new file mode 100644 index 0000000..e0a20c1 --- /dev/null +++ b/data/generated/wiki/tools/trid.md 
@@ -0,0 +1,28 @@ +# trid +> Identify file type by scanning binary signatures database + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +trid document.doc +``` + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 1: Format Identification +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.3, 3.4 +**Sections:** 3 + +#file-identification #triage diff --git a/data/generated/wiki/tools/tshark.md b/data/generated/wiki/tools/tshark.md new file mode 100644 index 0000000..0de0794 --- /dev/null +++ b/data/generated/wiki/tools/tshark.md 
@@ -0,0 +1,26 @@ +# tshark +> Command-line interface to Wireshark for packet capture and analysis + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +tshark -r capture.pcap +tshark -i eth0 -w capture.pcap +``` + +## Workflows +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 6: Traffic Analysis + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Sections:** 1 + +#packet-capture #cli #network diff --git a/data/generated/wiki/tools/tzdata.md b/data/generated/wiki/tools/tzdata.md new file mode 100644 index 0000000..de15ed1 --- /dev/null +++ b/data/generated/wiki/tools/tzdata.md @@ -0,0 +1,4 @@ +# tzdata + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ubuntu-universe.md b/data/generated/wiki/tools/ubuntu-universe.md new file mode 100644 index 0000000..ed63645 --- /dev/null +++ b/data/generated/wiki/tools/ubuntu-universe.md @@ -0,0 +1,4 @@ +# ubuntu-universe + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/ubuntu.md b/data/generated/wiki/tools/ubuntu.md new file mode 100644 index 0000000..61a5279 --- /dev/null +++ b/data/generated/wiki/tools/ubuntu.md @@ -0,0 +1,4 @@ +# ubuntu + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/uncompyle6.md b/data/generated/wiki/tools/uncompyle6.md new file mode 100644 index 0000000..c1274bd --- /dev/null +++ b/data/generated/wiki/tools/uncompyle6.md @@ -0,0 +1,18 @@ +# uncompyle6 +> Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8 + +**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python) + +## Usage +```bash +uncompyle6 +uncompyle6 -o output/ +``` + +## Related Tools +- [[tools/decompyle|Decompyle++]] — Python bytecode disassembler and decompiler. +- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files. +- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou + +#python #decompilation #bytecode diff --git a/data/generated/wiki/tools/unfurl.md b/data/generated/wiki/tools/unfurl.md new file mode 100644 index 0000000..82fa8b8 --- /dev/null +++ b/data/generated/wiki/tools/unfurl.md 
@@ -0,0 +1,22 @@ +# Unfurl +> Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Usage +```bash +unfurl parse +``` + +## Workflows +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 4: Link Analysis + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#url #decoding #phishing #tracking diff --git a/data/generated/wiki/tools/unhide.md b/data/generated/wiki/tools/unhide.md new file mode 100644 index 0000000..9eb794b --- /dev/null +++ b/data/generated/wiki/tools/unhide.md @@ -0,0 +1,11 @@ +# unhide +> Find hidden processes or connections on the local Linux system. + +**Category:** [[categories/investigate-system-interactions|Investigate System Interactions]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/investigate+system+interactions](https://docs.remnux.org/discover-the-tools/investigate+system+interactions) + +## Related Tools +- [[tools/procdot|ProcDOT]] — Visualize Process Monitor logs as interactive graphs for beh +- [[tools/sandfly-processdecloak|sandfly-processdecloak]] — Find hidden processes on the local Linux system. + +#investigate-system-interactions 
diff --git a/data/generated/wiki/tools/unicode.md b/data/generated/wiki/tools/unicode.md new file mode 100644 index 0000000..8e586aa --- /dev/null +++ b/data/generated/wiki/tools/unicode.md @@ -0,0 +1,14 @@ +# unicode +> Display Unicode character properties. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/unxor.md b/data/generated/wiki/tools/unxor.md new file mode 100644 index 0000000..f1d9870 --- /dev/null +++ b/data/generated/wiki/tools/unxor.md 
@@ -0,0 +1,14 @@ +# unxor +> Deobfuscate XOR'ed files. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/unzip.md b/data/generated/wiki/tools/unzip.md new file mode 100644 index 0000000..e1a582d --- /dev/null +++ b/data/generated/wiki/tools/unzip.md 
@@ -0,0 +1,26 @@ +# unzip +> Extract ZIP archives containing malware samples + +**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities) + +## Usage +```bash +unzip -P infected sample.zip +``` + +## Workflows +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 1: Archive Inspection + +## Related Tools +- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files. +- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions. +- [[tools/docker|docker]] — Run and manage containers. +- [[tools/firefox|firefox]] — Web browser. +- [[tools/gnome-calculator|GNOME Calculator]] — Calculator. + +## FOR610 +**Labs:** 1.1, 3.1, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, 4.8, 5.2, 5.3, 5.4 +**Sections:** 1, 3, 4, 5 + +#archive #extraction diff --git a/data/generated/wiki/tools/upx.md b/data/generated/wiki/tools/upx.md new file mode 100644 index 0000000..4069292 --- /dev/null +++ b/data/generated/wiki/tools/upx.md @@ -0,0 +1,23 @@ +# UPX +> Universal Packer for eXecutables — compress and decompress PE files + +**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking) + +## Usage +```bash +upx -d packed.exe +upx -d packed.exe -o unpacked.exe +``` + +## Workflows +- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 2: Automated Unpacking + +## Related Tools +- [[tools/bytehist|Bytehist]] — Generate byte-usage histograms to visually identify packed o + +## FOR610 +**Labs:** 4.2 +**Sections:** 4 + +#packer #unpacker #compression 
diff --git a/data/generated/wiki/tools/user.md b/data/generated/wiki/tools/user.md new file mode 100644 index 0000000..5c07d51 --- /dev/null +++ b/data/generated/wiki/tools/user.md @@ -0,0 +1,4 @@ +# user + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/vbindiff.md b/data/generated/wiki/tools/vbindiff.md new file mode 100644 index 0000000..df578e7 --- /dev/null +++ b/data/generated/wiki/tools/vbindiff.md @@ -0,0 +1,14 @@ +# vbindiff +> Compare binary files. + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. + +#view-or-edit-files diff --git a/data/generated/wiki/tools/vim.md b/data/generated/wiki/tools/vim.md new file mode 100644 index 0000000..45c460b --- /dev/null +++ b/data/generated/wiki/tools/vim.md @@ -0,0 +1,4 @@ +# vim + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/virustotal-search.md b/data/generated/wiki/tools/virustotal-search.md new file mode 100644 index 0000000..ac45d97 --- /dev/null +++ b/data/generated/wiki/tools/virustotal-search.md 
@@ -0,0 +1,17 @@ +# virustotal-search +> Search VirusTotal for file hashes. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 2: Reputation Check + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/virustotal-submit.md b/data/generated/wiki/tools/virustotal-submit.md new file mode 100644 index 0000000..89ad1f7 --- /dev/null +++ b/data/generated/wiki/tools/virustotal-submit.md @@ -0,0 +1,14 @@ +# virustotal-submit +> Submit files to VirusTotal. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data 
diff --git a/data/generated/wiki/tools/visual-studio-code.md b/data/generated/wiki/tools/visual-studio-code.md new file mode 100644 index 0000000..9837a1b --- /dev/null +++ b/data/generated/wiki/tools/visual-studio-code.md @@ -0,0 +1,28 @@ +# Visual Studio Code +> Code editor used for viewing decompiled output, scripts, and analysis results + +**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files) + +## Usage +```bash +code filename.js +``` + +## Workflows +- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 2: Static Review +- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 4: Dynamic Loading Detection +- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 4: Code Analysis + +## Related Tools +- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix +- [[tools/evince|evince]] — View documents in a variety of formats, including PDF. +- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d +- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files. +- [[tools/scite|scite]] — Edit text files. + +## FOR610 +**Labs:** 1.3, 1.4, 1.5, 3.3, 3.6, 3.7, 4.5, 4.8, 5.2, 5.3 +**Sections:** 1, 3, 4, 5 + +#editor #code-viewer diff --git a/data/generated/wiki/tools/vivisect.md b/data/generated/wiki/tools/vivisect.md new file mode 100644 index 0000000..a094ef3 --- /dev/null +++ b/data/generated/wiki/tools/vivisect.md 
@@ -0,0 +1,19 @@ +# Vivisect +> Binary analysis and emulation framework — static analysis with emulation capabilities + +**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general) + +## Usage +```bash +vivbin +python3 -c "import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')" +``` + +## Related Tools +- [[tools/cutter|Cutter]] — Open-source reverse engineering platform — Qt-based GUI for +- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script +- [[tools/objdump|objdump]] — Disassemble binary files. +- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF, + +#emulation #static-analysis #binary-analysis diff --git a/data/generated/wiki/tools/volatility3.md b/data/generated/wiki/tools/volatility3.md new file mode 100644 index 0000000..f9a0ade --- /dev/null +++ b/data/generated/wiki/tools/volatility3.md 
@@ -0,0 +1,28 @@ +# volatility3 +> Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code + +**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics) + +## Usage +```bash +vol3 -f windows.info +vol3 -f windows.pslist +vol3 -f windows.pstree +vol3 -f windows.netscan +vol3 -f windows.malfind +vol3 -f windows.dlllist --pid +vol3 -f windows.dumpfiles --pid +``` + +## Recipes +- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]] + +## Workflows +- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 1: Image Identification + +## Related Tools +- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image. +- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image. + +#memory #forensics #volatility #incident-response diff --git a/data/generated/wiki/tools/vscode.md b/data/generated/wiki/tools/vscode.md new file mode 100644 index 0000000..73a84c7 --- /dev/null +++ b/data/generated/wiki/tools/vscode.md @@ -0,0 +1,4 @@ +# vscode + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/wget.md b/data/generated/wiki/tools/wget.md new file mode 100644 index 0000000..2e4de43 --- /dev/null +++ b/data/generated/wiki/tools/wget.md 
@@ -0,0 +1,20 @@ +# wget +> Download files from HTTP/HTTPS/FTP servers + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +wget http://example.com/file.bin +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/xxd|xxd]] — Create hex dump of a file or reverse a hex dump back to bina + +## FOR610 +**Sections:** 1 + +#download #http diff --git a/data/generated/wiki/tools/wine.md b/data/generated/wiki/tools/wine.md new file mode 100644 index 0000000..8e40531 --- /dev/null +++ b/data/generated/wiki/tools/wine.md @@ -0,0 +1,20 @@ +# Wine +> Windows compatibility layer — run Windows executables on Linux + +**Category:** [[categories/dynamically-reverse-engineer-code-general|Dynamically Reverse-Engineer Code > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general) + +## Usage +```bash +wine program.exe +``` + +## Related Tools +- [[tools/frida|Frida]] — Dynamic instrumentation toolkit — hook and trace running pro +- [[tools/radare2|radare2]] — Open-source reverse engineering command-line framework + +## FOR610 +**Labs:** 3.5 +**Sections:** 3 + +#windows-compat #execution diff --git a/data/generated/wiki/tools/wireshark-dev.md b/data/generated/wiki/tools/wireshark-dev.md new file mode 100644 index 0000000..932f243 --- /dev/null +++ b/data/generated/wiki/tools/wireshark-dev.md @@ -0,0 +1,4 @@ +# wireshark-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/wireshark.md b/data/generated/wiki/tools/wireshark.md new file mode 100644 index 0000000..4610c87 --- /dev/null +++ b/data/generated/wiki/tools/wireshark.md 
@@ -0,0 +1,28 @@ +# Wireshark +> GUI network protocol analyzer for capturing and inspecting packet-level traffic + +**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring) + +## Usage +```bash +wireshark +wireshark -r capture.pcap +``` + +## Workflows +- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 3: Monitoring Setup +- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 4: Packet Capture + +## Related Tools +- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy. +- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using +- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo +- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files. +- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets + +## FOR610 +**Labs:** 1.2, 1.3, 1.6, 1.7, 1.8, 5.1 +**Sections:** 1, 5 + +#packet-capture #protocol-analysis #network diff --git a/data/generated/wiki/tools/wxhexeditor.md b/data/generated/wiki/tools/wxhexeditor.md new file mode 100644 index 0000000..1fd3f09 --- /dev/null +++ b/data/generated/wiki/tools/wxhexeditor.md 
@@ -0,0 +1,14 @@ +# wxhexeditor +> Hex editor. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/xdg-utils.md b/data/generated/wiki/tools/xdg-utils.md new file mode 100644 index 0000000..34b4a59 --- /dev/null +++ b/data/generated/wiki/tools/xdg-utils.md @@ -0,0 +1,4 @@ +# xdg-utils + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xlmmacrodeobfuscator.md b/data/generated/wiki/tools/xlmmacrodeobfuscator.md new file mode 100644 index 0000000..1c4decd --- /dev/null +++ b/data/generated/wiki/tools/xlmmacrodeobfuscator.md 
@@ -0,0 +1,23 @@ +# XLMMacroDeobfuscator +> Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +xlmdeobfuscator --file +xlmdeobfuscator --file --no-indent +``` + +## Recipes +- [[recipes/excel-xlm-macros|Deobfuscate Excel 4.0 (XLM) Macros]] + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#office #excel #xlm #macro #deobfuscation diff --git a/data/generated/wiki/tools/xmldump.md b/data/generated/wiki/tools/xmldump.md new file mode 100644 index 0000000..03f36f4 --- /dev/null +++ b/data/generated/wiki/tools/xmldump.md 
@@ -0,0 +1,14 @@ +# xmldump.py +> Extract contents of XML files, in particular OOXML-formatted Microsoft Office documents. + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +#analyze-documents-microsoft-office diff --git a/data/generated/wiki/tools/xmlstarlet.md b/data/generated/wiki/tools/xmlstarlet.md new file mode 100644 index 0000000..611d879 --- /dev/null +++ b/data/generated/wiki/tools/xmlstarlet.md @@ -0,0 +1,4 @@ +# xmlstarlet + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xor-kpa.md b/data/generated/wiki/tools/xor-kpa.md new file mode 100644 index 0000000..4eb7d21 --- /dev/null +++ b/data/generated/wiki/tools/xor-kpa.md 
@@ -0,0 +1,14 @@ +# xor-kpa.py +> Implement a XOR known plaintext attack. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xorbruteforcer.md b/data/generated/wiki/tools/xorbruteforcer.md new file mode 100644 index 0000000..323285e --- /dev/null +++ b/data/generated/wiki/tools/xorbruteforcer.md 
@@ -0,0 +1,14 @@ +# xorbruteforcer +> Bruteforce an XOR-encoded file. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xorsearch.md b/data/generated/wiki/tools/xorsearch.md new file mode 100644 index 0000000..32cb5a3 --- /dev/null +++ b/data/generated/wiki/tools/xorsearch.md 
@@ -0,0 +1,33 @@ +# XORSearch +> Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +XORSearch -W -d 3 file.bin +XORSearch -i -s specimen.exe http: +``` + +## Recipes +- [[recipes/rtf-shellcode-extraction|Extract Shellcode from RTF Document]] +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +## FOR610 +**Labs:** 3.5, 5.2 +**Sections:** 3, 5 + +#xor #shellcode-detection #pattern-search #didier-stevens diff --git a/data/generated/wiki/tools/xorstrings.md b/data/generated/wiki/tools/xorstrings.md new file mode 100644 index 0000000..04b4edb --- /dev/null +++ b/data/generated/wiki/tools/xorstrings.md 
@@ -0,0 +1,14 @@ +# xorstrings +> Search for XOR encoded strings in a file. + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#examine-static-properties-deobfuscation diff --git a/data/generated/wiki/tools/xortool.md b/data/generated/wiki/tools/xortool.md new file mode 100644 index 0000000..f44a382 --- /dev/null +++ b/data/generated/wiki/tools/xortool.md 
@@ -0,0 +1,26 @@ +# xortool +> Analyze XOR-encoded data — guess key length and probable key bytes + +**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation) + +## Usage +```bash +xortool +xortool-xor -s 'key' -i -o +``` + +## Recipes +- [[recipes/xor-key-brute-force|Brute-Force XOR Key]] + +## Workflows +- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery + +## Related Tools +- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m +- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files. +- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files +- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st +- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to + +#xor #deobfuscation #key-recovery diff --git a/data/generated/wiki/tools/xterm.md b/data/generated/wiki/tools/xterm.md new file mode 100644 index 0000000..ba73c3a --- /dev/null +++ b/data/generated/wiki/tools/xterm.md @@ -0,0 +1,4 @@ +# xterm + +**Tier:** Basic + diff --git a/data/generated/wiki/tools/xxd.md b/data/generated/wiki/tools/xxd.md new file mode 100644 index 0000000..a11ffa1 --- /dev/null +++ b/data/generated/wiki/tools/xxd.md 
@@ -0,0 +1,21 @@ +# xxd +> Create hex dump of a file or reverse a hex dump back to binary + +**Category:** [[categories/utilities|utilities]] | **Tier:** Rich (FOR610) + +## Usage +```bash +xxd binary.exe +xxd -r hexdump.txt > binary.exe +``` + +## Related Tools +- [[tools/gunzip|gunzip]] — Decompress gzip-compressed data (often used in multi-stage p +- [[tools/hexdump|hexdump]] — Display file content in hexadecimal format +- [[tools/jq|jq]] — Command-line JSON processor for extracting and transforming +- [[tools/wget|wget]] — Download files from HTTP/HTTPS/FTP servers + +## FOR610 +**Sections:** 1 + +#hex #binary-conversion diff --git a/data/generated/wiki/tools/yara-forge-rules.md b/data/generated/wiki/tools/yara-forge-rules.md new file mode 100644 index 0000000..94fa2c4 --- /dev/null +++ b/data/generated/wiki/tools/yara-forge-rules.md @@ -0,0 +1,14 @@ +# YARA-Forge Rules +> Scan files with curated YARA rules from 45+ sources for malware family identification. + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +#examine-static-properties-general diff --git a/data/generated/wiki/tools/yara-x.md b/data/generated/wiki/tools/yara-x.md new file mode 100644 index 0000000..943ba35 --- /dev/null +++ b/data/generated/wiki/tools/yara-x.md 
@@ -0,0 +1,14 @@ +# yara-x +> Scan files using YARA rules, the next generation of YARA written in Rust. + +**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data) + +## Related Tools +- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files. +- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u +- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets. +- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and +- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses. + +#gather-and-analyze-data diff --git a/data/generated/wiki/tools/yara.md b/data/generated/wiki/tools/yara.md new file mode 100644 index 0000000..315354f --- /dev/null +++ b/data/generated/wiki/tools/yara.md 
@@ -0,0 +1,34 @@ +# yara +> Pattern matching tool for identifying and classifying malware using custom rules + +**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610) +**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general) + +## Usage +```bash +yara-rules specimen.bin +yara rule.yar specimen.exe +``` + +## Recipes +- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]] + +## Workflows +- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection +- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis +- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection +- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage +- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection + +## Related Tools +- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms. +- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images +- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files. +- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu +- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab + +## FOR610 +**Labs:** 3.4 +**Sections:** 3 + +#pattern-matching #classification #rules diff --git a/data/generated/wiki/tools/zbar-tools.md b/data/generated/wiki/tools/zbar-tools.md new file mode 100644 index 0000000..bfd4e93 --- /dev/null +++ b/data/generated/wiki/tools/zbar-tools.md @@ -0,0 +1,4 @@ +# zbar-tools + +**Tier:** Basic + 
diff --git a/data/generated/wiki/tools/zbarimg.md b/data/generated/wiki/tools/zbarimg.md new file mode 100644 index 0000000..fe98855 --- /dev/null +++ b/data/generated/wiki/tools/zbarimg.md @@ -0,0 +1,14 @@ +# zbarimg +> Decode QR codes and barcodes from image files. + +**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs) +**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting) + +## Related Tools +- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t +- [[tools/curl|curl]] — Transfer data to/from servers using various protocols +- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client. +- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t +- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn + +#explore-network-interactions-connecting diff --git a/data/generated/wiki/tools/zipdump.md b/data/generated/wiki/tools/zipdump.md new file mode 100644 index 0000000..6b292aa --- /dev/null +++ b/data/generated/wiki/tools/zipdump.md 
@@ -0,0 +1,22 @@ +# zipdump.py +> Parse and analyze ZIP archive structure + +**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens +**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office) + +## Usage +```bash +zipdump.py archive.zip +``` + +## Related Tools +- [[tools/evilclippy|evilclippy]] — Remove VBA project password protection and manipulate Office +- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents. +- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume +- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a +- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents. + +## FOR610 +**Sections:** 3 + +#zip #archive #didier-stevens diff --git a/data/generated/wiki/tools/zlib1g-dev.md b/data/generated/wiki/tools/zlib1g-dev.md new file mode 100644 index 0000000..6ef04b2 --- /dev/null +++ b/data/generated/wiki/tools/zlib1g-dev.md @@ -0,0 +1,4 @@ +# zlib1g-dev + +**Tier:** Basic + diff --git a/data/generated/wiki/workflows/android-analysis-workflow.md b/data/generated/wiki/workflows/android-analysis-workflow.md new file mode 100644 index 0000000..c082ad9 --- /dev/null +++ b/data/generated/wiki/workflows/android-analysis-workflow.md 
@@ -0,0 +1,65 @@ +# Android Malware Analysis +> Analyze suspicious Android APK files using static and dynamic techniques available in REMnux. + +## Steps + +### Step 1: APK Triage +**Tools:** [[tools/file|file]], [[tools/apkid|apkid]] + +Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques. + +```bash +file specimen.exe +``` + +### Step 2: Manifest Analysis +**Tools:** [[tools/apktool|apktool]] + +Decompile APK: apktool d -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters. + +```bash +apktool d -o output/ +``` + +### Step 3: Source Code Recovery +**Tools:** [[tools/jadx|jadx]] + +Decompile DEX to Java: jadx -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks. + +```bash +jadx -d output/ +``` + +### Step 4: Static Analysis +**Tools:** [[tools/androguard|androguard]], [[tools/droidlysis|droidlysis]] + +androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage. + +```bash +androguard analyze +``` + +### Step 5: Native Library Analysis +**Tools:** [[tools/strings|strings]], [[tools/radare2|radare2]] + +If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto. + +```bash +strings binary.exe +r2 specimen.exe +``` + +### Step 6: Dynamic Instrumentation +**Tools:** [[tools/frida|frida]] + +Hook suspicious functions at runtime: frida -U -l hook.js . Intercept: crypto operations, network calls, file access, SMS operations. + +```bash +frida -l hook.js +``` + +### Step 7: Document Findings + +Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location). 
+ +#android #apk #mobile #frida #jadx #apktool #workflow diff --git a/data/generated/wiki/workflows/behavioral-analysis-workflow.md b/data/generated/wiki/workflows/behavioral-analysis-workflow.md new file mode 100644 index 0000000..f3fa55d --- /dev/null +++ b/data/generated/wiki/workflows/behavioral-analysis-workflow.md 
@@ -0,0 +1,61 @@ +# Behavioral Analysis +> Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows. + +**FOR610 Labs:** 1.2, 1.4, 1.6, 4.5 + +## Steps + +### Step 1: Environment Preparation + +Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes). + +### Step 2: Network Interception Setup +**Tools:** [[tools/fakedns|fakedns]], [[tools/inetsim|inetsim]], [[tools/fakenet-ng|fakenet-ng]] + +Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP. + +```bash +fakedns +inetsim +fakenet +``` + +### Step 3: Monitoring Setup +**Tools:** [[tools/wireshark|wireshark]], [[tools/tcpdump|tcpdump]], [[tools/strace|strace]] + +Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring. + +```bash +wireshark +tcpdump -i eth0 -w capture.pcap +``` + +### Step 4: Emulation (Safe Alternative) +**Tools:** [[tools/speakeasy|speakeasy]], [[tools/capa|capa]] + +Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview. + +```bash +speakeasy -t specimen.exe -o report.json 2> report.txt +capa specimen.exe +``` + +### Step 5: Execute & Monitor + +Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes. + +### Step 6: Analyze Results +**Tools:** [[tools/wireshark|wireshark]], [[tools/procdot|procdot]] + +Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes. + +```bash +wireshark +procdot +``` + +### Step 7: Extract IOCs + +Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms. 
Classify behavior: downloader, backdoor, ransomware, etc. + +#behavioral #dynamic #monitoring #emulation #workflow diff --git a/data/generated/wiki/workflows/cobalt-strike-workflow.md b/data/generated/wiki/workflows/cobalt-strike-workflow.md new file mode 100644 index 0000000..1ae6fc9 --- /dev/null +++ b/data/generated/wiki/workflows/cobalt-strike-workflow.md 
@@ -0,0 +1,67 @@ +# Cobalt Strike Analysis +> Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux. + +**FOR610 Labs:** 3.4 + +## Steps + +### Step 1: Beacon Detection +**Tools:** [[tools/yara|yara]], [[tools/capa|capa]] + +Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns. + +```bash +yara-rules specimen.bin +capa specimen.exe +``` + +### Step 2: Configuration Extraction +**Tools:** [[tools/1768-py|1768-py]] + +Parse beacon config: 1768.py . Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config. + +```bash +1768.py shellcode.bin +``` + +### Step 3: Metadata Decryption +**Tools:** [[tools/cs-decrypt-metadata-py|cs-decrypt-metadata-py]] + +Decrypt beacon metadata from network captures: cs-decrypt-metadata.py . Reveals: computer name, user, process info sent to team server. + +```bash +cs-decrypt-metadata.py +``` + +### Step 4: Key Extraction +**Tools:** [[tools/cs-extract-key-py|cs-extract-key-py]] + +Extract encryption keys: cs-extract-key.py -f . Recovers AES and HMAC keys used for C2 communication encryption. + +```bash +cs-extract-key.py -f +``` + +### Step 5: Traffic Decryption +**Tools:** [[tools/cs-parse-traffic-py|cs-parse-traffic-py]] + +Decrypt C2 traffic: cs-parse-traffic.py -f -k . Reveals: tasking commands, downloaded payloads, exfiltrated data. + +```bash +cs-parse-traffic.py -f -k +``` + +### Step 6: Sleep Mask Analysis +**Tools:** [[tools/cs-analyze-processdump-py|cs-analyze-processdump-py]] + +Analyze sleep mask: cs-analyze-processdump.py . Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics. 
+ +```bash +cs-analyze-processdump.py +``` + +### Step 7: Document Findings + +Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators. + +#cobalt-strike #c2 #beacon #didier-stevens #threat-intel #workflow diff --git a/data/generated/wiki/workflows/code-injection-workflow.md b/data/generated/wiki/workflows/code-injection-workflow.md new file mode 100644 index 0000000..47e5dea --- /dev/null +++ b/data/generated/wiki/workflows/code-injection-workflow.md 
@@ -0,0 +1,74 @@ +# Code Injection Analysis +> Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading. + +**FOR610 Labs:** 4.9, 5.4 + +## Steps + +### Step 1: Capability Detection +**Tools:** [[tools/capa|capa]] + +Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs. + +```bash +capa specimen.exe +``` + +### Step 2: Injection Type Classification +**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]] + +Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC). + +```bash +ghidra +cutter specimen.exe +``` + +### Step 3: Target Process Analysis +**Tools:** [[tools/ghidra|ghidra]] + +How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls. + +```bash +ghidra +``` + +### Step 4: Payload Identification +**Tools:** [[tools/ghidra|ghidra]] + +What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content. + +```bash +ghidra +``` + +### Step 5: Memory Allocation Analysis +**Tools:** [[tools/ghidra|ghidra]] + +Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation. + +```bash +ghidra +``` + +### Step 6: Injection Verification [W] +**Tools:** [[tools/x32dbg|x32dbg]], [[tools/x64dbg|x64dbg]] + +Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis. 
+ +### Step 7: Extracted Payload Analysis +**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]], [[tools/strings|strings]] + +Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly). + +```bash +peframe specimen.exe +capa specimen.exe +strings binary.exe +``` + +### Step 8: Document Technique + +Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x). + +#code-injection #process-hollowing #dll-injection #reflective-loading #workflow diff --git a/data/generated/wiki/workflows/document-analysis-workflow.md b/data/generated/wiki/workflows/document-analysis-workflow.md new file mode 100644 index 0000000..2055264 --- /dev/null +++ b/data/generated/wiki/workflows/document-analysis-workflow.md 
@@ -0,0 +1,75 @@ +# Malicious Document Analysis +> Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology. + +**FOR610 Labs:** 3.1, 3.3, 3.4, 3.5 + +## Steps + +### Step 1: Format Identification +**Tools:** [[tools/file|file]], [[tools/trid|trid]] + +Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes. + +```bash +file specimen.exe +trid document.doc +``` + +### Step 2: Structure Analysis +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/rtfdump-py|rtfdump-py]], [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/onedump-py|onedump-py]] + +Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups. + +```bash +oledump.py document.docm +rtfdump.py document.rtf +pdfid.py document.pdf +``` + +### Step 3: Password Handling (if encrypted) +**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]] + +If document is password-protected: msoffcrypto-tool -p . Common passwords: infected, malware, password, 123456. + +```bash +msoffcrypto-tool -p infected +``` + +### Step 4: Macro/Script Extraction +**Tools:** [[tools/oledump-py|oledump-py]], [[tools/olevba|olevba]], [[tools/pcode2code|pcode2code]], [[tools/xlmmacrodeobfuscator|XLMMacroDeobfuscator]] + +Extract VBA: oledump.py -s -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open). + +```bash +oledump.py document.docm +olevba document.docm +pcode2code +``` + +### Step 5: Payload Decoding +**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]], [[tools/gunzip|gunzip]], [[tools/numbers-to-string-py|numbers-to-string-py]], [[tools/cyberchef|cyberchef]] + +Decode embedded payloads. 
Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key). + +```bash +base64dump.py file.txt +translate.py "byte ^ 35" < input.bin > output.bin +gunzip -c compressed.gz > output.bin +``` + +### Step 6: Embedded Object Analysis +**Tools:** [[tools/scdbgc|scdbgc]], [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/1768-py|1768-py]] + +If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow. + +```bash +scdbgc /f shellcode.bin /s -1 +XORSearch -W -d 3 file.bin +yara-rules specimen.bin +``` + +### Step 7: Document IOCs + +Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable). + +#documents #office #pdf #rtf #macro #onenote #workflow diff --git a/data/generated/wiki/workflows/dotnet-analysis-workflow.md b/data/generated/wiki/workflows/dotnet-analysis-workflow.md new file mode 100644 index 0000000..d6cdb82 --- /dev/null +++ b/data/generated/wiki/workflows/dotnet-analysis-workflow.md 
@@ -0,0 +1,74 @@ +# .NET Malware Analysis +> Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies. + +**FOR610 Labs:** 3.12, 4.8 + +## Steps + +### Step 1: Identification & Metadata +**Tools:** [[tools/peframe|peframe]], [[tools/diec|diec]], [[tools/dnfile|dnfile]], [[tools/dotnetfile|dotnetfile]] + +Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies. + +```bash +peframe specimen.exe +diec specimen.exe +``` + +### Step 2: Obfuscator Detection +**Tools:** [[tools/diec|diec]], [[tools/de4dot|de4dot]] + +Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d reports detected obfuscator without modifying the file. + +```bash +diec specimen.exe +de4dot obfuscated.exe +``` + +### Step 3: Decompilation +**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/monodis|monodis]] + +Decompile to C# source: ilspycmd > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources. + +```bash +ilspycmd assembly.exe > decompiled.cs +``` + +### Step 4: Dynamic Loading Detection +**Tools:** [[tools/visual-studio-code|visual-studio-code]] + +Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading. + +```bash +code filename.js +``` + +### Step 5: Deobfuscation +**Tools:** [[tools/de4dot|de4dot]] + +Run: de4dot -o . If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants. + +```bash +de4dot obfuscated.exe +``` + +### Step 6: Dynamic Debugging [W] +**Tools:** [[tools/dnspyex|dnspyex]] + +If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. 
Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk. + +### Step 7: Extracted Payload Analysis +**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/peframe|peframe]] + +Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain. + +```bash +ilspycmd assembly.exe > decompiled.cs +peframe specimen.exe +``` + +### Step 8: Document Findings + +Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms. + +#dotnet #decompilation #deobfuscation #ilspy #de4dot #workflow diff --git a/data/generated/wiki/workflows/email-analysis-workflow.md b/data/generated/wiki/workflows/email-analysis-workflow.md new file mode 100644 index 0000000..ccf90d1 --- /dev/null +++ b/data/generated/wiki/workflows/email-analysis-workflow.md 
@@ -0,0 +1,54 @@ +# Email & Phishing Analysis +> Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links. + +## Steps + +### Step 1: Header Analysis +**Tools:** [[tools/emldump-py|emldump-py]], [[tools/mail-parser|mail-parser]] + +Parse SMTP headers: emldump.py . Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer. + +```bash +emldump.py message.eml +python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)" +``` + +### Step 2: Attachment Extraction +**Tools:** [[tools/emldump-py|emldump-py]], [[tools/msg-extractor|msg-extractor]] + +Extract attachments: emldump.py -d. For MSG format: msg-extractor . List all attachments with types and sizes. + +```bash +emldump.py message.eml +extract_msg +``` + +### Step 3: Attachment Triage +**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/yara|yara]], [[tools/sha256sum|sha256sum]] + +For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML). + +```bash +file specimen.exe +trid document.doc +yara-rules specimen.bin +``` + +### Step 4: Link Analysis +**Tools:** [[tools/unfurl|unfurl]] + +Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters). + +```bash +unfurl parse +``` + +### Step 5: Payload Analysis + +Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page. + +### Step 6: Document IOCs + +Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names). + +#email #phishing #eml #msg #attachments #headers #workflow 
diff --git a/data/generated/wiki/workflows/java-analysis-workflow.md b/data/generated/wiki/workflows/java-analysis-workflow.md new file mode 100644 index 0000000..4e0e7eb --- /dev/null +++ b/data/generated/wiki/workflows/java-analysis-workflow.md 
@@ -0,0 +1,57 @@ +# Java Malware Analysis +> Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis. + +## Steps + +### Step 1: Archive Inspection +**Tools:** [[tools/unzip|unzip]], [[tools/file|file]] + +Extract JAR contents: unzip -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files. + +```bash +unzip -P infected sample.zip +file specimen.exe +``` + +### Step 2: Decompilation +**Tools:** [[tools/cfr|cfr]], [[tools/jd-gui|jd-gui]] + +Decompile with CFR: cfr --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better. + +```bash +cfr --outputdir output/ +jd-gui +``` + +### Step 3: Multi-Decompiler Comparison +**Tools:** [[tools/cfr|cfr]], [[tools/procyon|procyon]] + +If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine. + +```bash +cfr --outputdir output/ +``` + +### Step 4: Code Analysis +**Tools:** [[tools/visual-studio-code|visual-studio-code]] + +Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName). + +```bash +code filename.js +``` + +### Step 5: Resource Extraction +**Tools:** [[tools/strings|strings]] + +Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common. + +```bash +strings binary.exe +``` + +### Step 6: Document Findings + +Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements. + +#java #jar #decompilation #cfr #jd-gui #workflow diff --git a/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md b/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md new file mode 100644 index 0000000..5ffa2fb --- /dev/null 
+++ b/data/generated/wiki/workflows/javascript-deobfuscation-workflow.md @@ -0,0 +1,57 @@ +# JavaScript Deobfuscation +> Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros. + +**FOR610 Labs:** 3.6, 3.7 + +## Steps + +### Step 1: Beautification +**Tools:** [[tools/js-beautify|js-beautify]] + +Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob(). + +```bash +js-beautify malicious.js > beautified.js +``` + +### Step 2: Static Review +**Tools:** [[tools/visual-studio-code|visual-studio-code]] + +Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated). + +```bash +code filename.js +``` + +### Step 3: Safe Execution (SpiderMonkey) +**Tools:** [[tools/spidermonkey|spidermonkey]] + +Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f . Captures eval'd code without running it. + +```bash +js -f malicious.js +``` + +### Step 4: Environment Tuning +**Tools:** [[tools/visual-studio-code|visual-studio-code]] + +If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey. + +```bash +code filename.js +``` + +### Step 5: Alternative Analysis +**Tools:** [[tools/box-js|box-js]], [[tools/jstillery|jstillery]] + +box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation. + +```bash +box-js --output-dir=/tmp suspicious.js +``` + +### Step 6: Payload Identification + +What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths. + +#javascript #deobfuscation #spidermonkey #box-js #web #workflow 
diff --git a/data/generated/wiki/workflows/memory-forensics-workflow.md b/data/generated/wiki/workflows/memory-forensics-workflow.md new file mode 100644 index 0000000..f242e04 --- /dev/null +++ b/data/generated/wiki/workflows/memory-forensics-workflow.md 
@@ -0,0 +1,79 @@ +# Memory Forensics +> Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux. + +## Steps + +### Step 1: Image Identification +**Tools:** [[tools/volatility3|volatility3]] + +Determine OS and profile: vol3 -f windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture. + +```bash +vol3 -f windows.info +``` + +### Step 2: Process Analysis +**Tools:** [[tools/volatility3|volatility3]] + +List processes: vol3 -f windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes. + +```bash +vol3 -f windows.info +``` + +### Step 3: Network Connections +**Tools:** [[tools/volatility3|volatility3]] + +List connections: vol3 -f windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs. + +```bash +vol3 -f windows.info +``` + +### Step 4: Injection Detection +**Tools:** [[tools/volatility3|volatility3]] + +Detect injected code: vol3 -f windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis. + +```bash +vol3 -f windows.info +``` + +### Step 5: DLL Analysis +**Tools:** [[tools/volatility3|volatility3]] + +List loaded DLLs: vol3 -f windows.dlllist --pid . Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline. + +```bash +vol3 -f windows.info +``` + +### Step 6: String Search +**Tools:** [[tools/volatility3|volatility3]], [[tools/strings|strings]] + +Search for known IOCs in memory: vol3 -f windows.strings. Also: strings | grep -i ''. Look for URLs, domains, file paths, commands. + +```bash +vol3 -f windows.info +strings binary.exe +``` + +### Step 7: Process & Code Dumping +**Tools:** [[tools/volatility3|volatility3]] + +Extract suspicious processes: vol3 -f windows.dumpfiles --pid . 
Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow. + +```bash +vol3 -f windows.info +``` + +### Step 8: Timeline Reconstruction +**Tools:** [[tools/volatility3|volatility3]] + +Build timeline: vol3 -f timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data. + +```bash +vol3 -f windows.info +``` + +#memory #forensics #volatility #injection #incident-response #workflow diff --git a/data/generated/wiki/workflows/network-interception-workflow.md b/data/generated/wiki/workflows/network-interception-workflow.md new file mode 100644 index 0000000..8217c53 --- /dev/null +++ b/data/generated/wiki/workflows/network-interception-workflow.md 
@@ -0,0 +1,86 @@ +# Network Traffic Interception +> Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception. + +**FOR610 Labs:** 1.3, 1.7, 1.8 + +## Steps + +### Step 1: DNS Interception +**Tools:** [[tools/fakedns|fakedns]] + +Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP. + +```bash +fakedns +``` + +### Step 2: Service Emulation +**Tools:** [[tools/inetsim|inetsim]], [[tools/fakenet-ng|fakenet-ng]], [[tools/httpd|httpd]] + +Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only. + +```bash +inetsim +fakenet +httpd +``` + +### Step 3: TLS/HTTPS Interception (if needed) +**Tools:** [[tools/mitmproxy|mitmproxy]], [[tools/polarproxy|polarproxy]] + +For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed. + +```bash +mitmproxy +PolarProxy -p 443,80 -w captured.pcap +``` + +### Step 4: Packet Capture +**Tools:** [[tools/wireshark|wireshark]], [[tools/tcpdump|tcpdump]] + +Start capture before executing malware. Filter: not arp and not broadcast. Save to PCAP for later analysis. + +```bash +wireshark +tcpdump -i eth0 -w capture.pcap +``` + +### Step 5: Execute & Observe + +Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port). + +### Step 6: Traffic Analysis +**Tools:** [[tools/wireshark|wireshark]], [[tools/tshark|tshark]], [[tools/ngrep|ngrep]], [[tools/tcpflow|tcpflow]] + +Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals). 
+ +```bash +wireshark +tshark -r capture.pcap +ngrep -I 'password' +``` + +### Step 7: File Extraction +**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/networkminer|networkminer]] + +Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically. + +```bash +tcpxtract -f -o output/ +NetworkMiner --pcap +``` + +### Step 8: IP-Based Redirection (if needed) +**Tools:** [[tools/iptables|iptables]] + +If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services. + +```bash +iptables -t nat -A PREROUTING -i ens32 -j REDIRECT +``` + +### Step 9: Document Network IOCs + +Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details. + +#network #interception #c2 #dns #https #pcap #workflow diff --git a/data/generated/wiki/workflows/shellcode-analysis-workflow.md b/data/generated/wiki/workflows/shellcode-analysis-workflow.md new file mode 100644 index 0000000..aaec6ad --- /dev/null +++ b/data/generated/wiki/workflows/shellcode-analysis-workflow.md 
@@ -0,0 +1,74 @@ +# Shellcode Analysis +> Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification. + +**FOR610 Labs:** 3.4, 3.5, 4.6, 4.7 + +## Steps + +### Step 1: Shellcode Detection +**Tools:** [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/capa|capa]] + +Scan carrier file for shellcode patterns. XORSearch -W -d 3 detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks. + +```bash +XORSearch -W -d 3 file.bin +yara-rules specimen.bin +capa specimen.exe +``` + +### Step 2: Extraction +**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/oledump-py|oledump-py]], [[tools/pdf-parser-py|pdf-parser-py]] + +Extract shellcode from carrier. For RTF: rtfdump.py -s -H -d > sc.bin. For OLE: oledump.py -s -d > sc.bin. For PDF: pdf-parser.py -o -d sc.bin. + +```bash +rtfdump.py document.rtf +oledump.py document.docm +pdf-parser.py document.pdf -a +``` + +### Step 3: Emulation +**Tools:** [[tools/scdbgc|scdbgc]], [[tools/speakeasy|speakeasy]] + +Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation. + +```bash +scdbgc /f shellcode.bin /s -1 +speakeasy -t specimen.exe -o report.json 2> report.txt +``` + +### Step 4: Framework Identification +**Tools:** [[tools/yara|yara]], [[tools/1768-py|1768-py]] + +Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found. + +```bash +yara-rules specimen.bin +1768.py shellcode.bin +``` + +### Step 5: Conversion to EXE +**Tools:** [[tools/shcode2exe|shcode2exe]] + +Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra. 
+ +```bash +shcode2exe +``` + +### Step 6: String & IOC Extraction +**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/cyberchef|cyberchef]] + +Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content. + +```bash +strings binary.exe +floss specimen.exe +cyberchef +``` + +### Step 7: Document Findings + +Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless). + +#shellcode #emulation #cobalt-strike #metasploit #scdbg #workflow diff --git a/data/generated/wiki/workflows/static-analysis-workflow.md b/data/generated/wiki/workflows/static-analysis-workflow.md new file mode 100644 index 0000000..b706c6f --- /dev/null +++ b/data/generated/wiki/workflows/static-analysis-workflow.md 
@@ -0,0 +1,84 @@ +# Static Properties Analysis +> Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents. + +**FOR610 Labs:** 1.1, 2.1, 4.1 + +## Steps + +### Step 1: File Identification & Hashing +**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/exiftool|exiftool]], [[tools/sha256sum|sha256sum]] + +Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps. + +```bash +file specimen.exe +trid document.doc +exiftool document.pdf +``` + +### Step 2: Reputation Check +**Tools:** [[tools/malwoverview|malwoverview]], [[tools/virustotal-search|virustotal-search]] + +Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis. + +```bash +malwoverview -v +``` + +### Step 3: Packing & Entropy Check +**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]] + +Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow. + +```bash +diec specimen.exe +peframe specimen.exe +``` + +### Step 4: String Extraction +**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/pestr|pestr]] + +Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names. + +```bash +strings binary.exe +floss specimen.exe +pestr specimen.exe +``` + +### Step 5: Capability Detection +**Tools:** [[tools/capa|capa]], [[tools/yara|yara]] + +Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities. 
+ +```bash +capa specimen.exe +yara-rules specimen.bin +``` + +### Step 6: Import & Export Analysis +**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]] + +Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality. + +```bash +peframe specimen.exe +capa specimen.exe +``` + +### Step 7: Disassembly (if needed) +**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]], [[tools/radare2|radare2]] + +Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view. + +```bash +ghidra +cutter specimen.exe +r2 specimen.exe +``` + +### Step 8: Document Findings + +Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis? + +#static #triage #pe-analysis #elf-analysis #workflow diff --git a/data/generated/wiki/workflows/string-deobfuscation-workflow.md b/data/generated/wiki/workflows/string-deobfuscation-workflow.md new file mode 100644 index 0000000..db1872e --- /dev/null +++ b/data/generated/wiki/workflows/string-deobfuscation-workflow.md 
@@ -0,0 +1,62 @@ +# String & Data Deobfuscation +> Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding. + +**FOR610 Labs:** 1.5, 5.2 + +## Steps + +### Step 1: Automated Extraction +**Tools:** [[tools/floss|floss]], [[tools/strings|strings]] + +Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings. + +```bash +floss specimen.exe +strings binary.exe +``` + +### Step 2: Encoding Detection +**Tools:** [[tools/xorsearch|xorsearch]], [[tools/bbcrack|bbcrack]] + +Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels. + +```bash +XORSearch -W -d 3 file.bin +bbcrack -l 1 specimen.dll +``` + +### Step 3: Single-Byte XOR Recovery +**Tools:** [[tools/brxor-py|brxor-py]], [[tools/xortool|xortool]] + +For single-byte XOR: brxor.py finds English words. xortool guesses key length and probable key. xortool-xor -s -i -o decoded.bin to decode. + +```bash +brxor.py specimen.dll +xortool +``` + +### Step 4: Multi-Byte / Custom Decoding +**Tools:** [[tools/translate-py|translate-py]], [[tools/cyberchef|cyberchef]] + +For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe. + +```bash +translate.py "byte ^ 35" < input.bin > output.bin +cyberchef +``` + +### Step 5: Stack String Recovery +**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]] + +For strings built on the stack (MOV byte-by-byte): strdeob.pl or FLOSS stack string detection. Common in evasive malware to avoid string extraction. + +```bash +strdeob.pl specimen.exe +floss specimen.exe +``` + +### Step 6: Validation & IOC Extraction + +Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. 
Compare against known malware family patterns. + +#strings #xor #deobfuscation #floss #cyberchef #encoding #workflow diff --git a/data/generated/wiki/workflows/unpacking-workflow.md b/data/generated/wiki/workflows/unpacking-workflow.md new file mode 100644 index 0000000..f426647 --- /dev/null +++ b/data/generated/wiki/workflows/unpacking-workflow.md 
@@ -0,0 +1,69 @@ +# Unpacking Packed Executables +> Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques. + +**FOR610 Labs:** 4.1, 4.2, 4.3, 5.3, 5.8, 5.10 + +## Steps + +### Step 1: Packing Identification +**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]] + +Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed). + +```bash +diec specimen.exe +peframe specimen.exe +``` + +### Step 2: Automated Unpacking +**Tools:** [[tools/upx|upx]], [[tools/de4dot|de4dot]] + +Try known unpackers first. UPX: upx -d . .NET: de4dot . If automated unpacking fails (modified packer), proceed to manual. + +```bash +upx -d packed.exe +de4dot obfuscated.exe +``` + +### Step 3: Emulation-Based Unpacking +**Tools:** [[tools/speakeasy|speakeasy]], [[tools/qiling|qiling]] + +Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns. + +```bash +speakeasy -t specimen.exe -o report.json 2> report.txt +python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" +``` + +### Step 4: Debugger-Based Unpacking [W] +**Tools:** [[tools/x64dbg|x64dbg]], [[tools/x32dbg|x32dbg]] + +Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP. + +### Step 5: Anti-Debug Bypass [W] +**Tools:** [[tools/scyllahide|scyllahide]] + +If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks. + +### Step 6: Memory Dumping [W] +**Tools:** [[tools/ollydumpex|ollydumpex]], [[tools/scylla|scylla]] + +At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump). 
+
+### Step 7: PE Fixup [W]
+**Tools:** [[tools/pe-unmapper|pe-unmapper]]
+
+If dump has virtual alignment: pe_unmapper /in /base 400000 /out . Only needed if sections have wrong raw sizes.
+
+### Step 8: Verification
+**Tools:** [[tools/strings|strings]], [[tools/peframe|peframe]], [[tools/capa|capa]]
+
+Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis.
+
+```bash
+strings binary.exe
+peframe specimen.exe
+capa specimen.exe
+```
+
+#unpacking #packing #iat #memory-dump #oep #workflow
diff --git a/scripts/fhelp b/scripts/fhelp
index 44d8444..5125b24 100755
--- a/scripts/fhelp
+++ b/scripts/fhelp
@@ -13,10 +13,11 @@ MAGENTA='\033[0;35m'
 NC='\033[0m'
 # Help system paths
-TOOLS_DB="/opt/remnux-docs/tools.db"
-CHEAT_DIR="/opt/cheatsheets"
-WORKFLOW_DIR="/opt/remnux-docs/workflows"
-TLDR_CACHE="/home/remnux/.local/share/tldr"
+TOOLS_DB="${TOOLS_DB:-/opt/remnux-docs/tools.db}"
+CHEAT_DIR="${CHEAT_DIR:-/opt/cheatsheets}"
+WORKFLOW_DIR="${WORKFLOW_DIR:-/opt/remnux-docs/workflows}"
+TLDR_CACHE="${TLDR_CACHE:-/home/remnux/.local/share/tldr}"
+WIKI_DIR="${WIKI_DIR:-/opt/wiki}"
 # Resolve cheat file names from a user-provided tool name
 # Tries several variants: exact, without .py, with .py, hyphen/underscore alternatives
@@ -72,6 +73,10 @@ show_main_help() {
 echo " fhelp workflow - List all 8 analysis workflows"
 echo " fhelp workflow - Show step-by-step workflow"
 echo ""
+ echo -e "${GREEN}Wiki:${NC}"
+ echo " fhelp wiki - Browse the analysis wiki (zk)"
+ echo " fhelp wiki - Open a specific wiki page"
+ echo ""
 echo -e "${GREEN}Other:${NC}"
 echo " fhelp coverage - Help coverage statistics"
 echo " fhelp examples - Browse all cheat sheets"
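Review bot: The `${VAR:-default}` form in the `@@ -13,10 +13,11 @@` hunk makes every help-system path overridable from the caller's environment, but the surrounding comment still reads as if these were fixed constants; a reader will not know that `WIKI_DIR=/path fhelp wiki` is supported, or that a stray `TOOLS_DB` already set in the environment now silently redirects lookups. Suggest extending the existing comment to `# Help system paths (each can be overridden from the environment, e.g. WIKI_DIR=/path fhelp wiki)`. Since `WIKI_DIR` is later interpolated into `find` and `sed` arguments in `show_wiki`, the comment could also state that plain directory paths are expected.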
@@ -440,6 +445,60 @@ show_offline_status() {
 echo -e "${GREEN}Offline help system ready!${NC}"
 }
+show_wiki() {
+ local query="$1"
+
+ if [[ ! -d "$WIKI_DIR" ]]; then
+ echo -e "${RED}Wiki not installed at $WIKI_DIR${NC}"
+ return 1
+ fi
+
+ if [[ -z "$query" ]]; then
+ # Interactive browse
+ if command -v zk >/dev/null 2>&1; then
+ cd "$WIKI_DIR" && zk list --interactive
+ elif command -v fzf >/dev/null 2>&1; then
+ local selected
+ selected=$(find "$WIKI_DIR" -name '*.md' -not -path '*/.zk/*' | sort | fzf --preview "cat {}")
+ if [[ -n "$selected" ]]; then
+ cat "$selected"
+ fi
+ else
+ echo -e "${CYAN}Wiki pages:${NC}"
+ find "$WIKI_DIR" -name '*.md' -not -path '*/.zk/*' | sort | sed "s|$WIKI_DIR/||" | sed 's/^/ /'
+ fi
+ else
+ # Search for specific page
+ local found=""
+ local search_slug=$(echo "$query" | tr '[:upper:]' '[:lower:]' | sed 's/\.py$//' | sed 's/[^a-z0-9]/-/g' | sed 's/-$//')
+
+ # Try exact matches
+ for dir in tools workflows recipes categories; do
+ if [[ -f "$WIKI_DIR/$dir/$search_slug.md" ]]; then
+ found="$WIKI_DIR/$dir/$search_slug.md"
+ break
+ fi
+ done
+
+ # Try fuzzy match
+ if [[ -z "$found" ]]; then
+ found=$(find "$WIKI_DIR" -name "*${search_slug}*" -name '*.md' -not -path '*/.zk/*' | head -1)
+ fi
+
+ if [[ -n "$found" && -f "$found" ]]; then
+ echo -e "${CYAN}Wiki: ${YELLOW}$(basename "$found" .md)${NC}"
+ echo "$(printf '=%.0s' $(seq 1 60))"
+ echo ""
+ cat "$found"
+ else
+ echo -e "${YELLOW}No wiki page found for '$query'${NC}"
+ if command -v zk >/dev/null 2>&1; then
+ echo "Try: fhelp wiki (interactive browse)"
+ fi
+ fi
+ fi
+}
+
 show_all() {
 echo -e "${CYAN}Complete Help System Overview${NC}"
 echo "================================="
@@ -485,6 +544,10 @@ case "${1:-}" in
 "forensics")
 show_workflow "behavioral-analysis"
 ;;
+ "wiki")
+ shift
+ show_wiki "$@"
+ ;;
 "coverage")
 show_coverage
 ;;
diff --git a/scripts/generate-wiki.py b/scripts/generate-wiki.py
new file mode 100644
index 0000000..9757ed7
--- /dev/null
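Review bot: The slug pipeline in show_wiki (`local search_slug=$(... | sed 's/[^a-z0-9]/-/g' | sed 's/-$//')`) diverges from `slug()` in generate-wiki.py later in this patch, which collapses every run of non-alphanumerics into a single `-`, also strips a `.pl` suffix, and trims dashes at both ends, so a tool name containing two adjacent separators would never exact-match its generated filename and the fuzzy `*${search_slug}*` pattern would miss it too. Aligning the two, e.g. `sed -E 's/\.(py|pl)$//; s/[^a-z0-9]+/-/g; s/^-+//; s/-+$//'`, keeps the browser and the generator in step. A query that reduces to an empty slug (only punctuation) also turns the fuzzy `find` pattern into `**`, so `head -1` prints an arbitrary first page instead of the "not found" message; a `[[ -z "$search_slug" ]]` guard before the lookup avoids that. The `local search_slug=$(...)` form masks the pipeline's exit status and `dir` in the `for` loop is not declared `local`, both minor style points. The sanitisation itself is sound: after the `sed` the slug holds only `[a-z0-9-]`, so `$WIKI_DIR/$dir/$search_slug.md` cannot escape the wiki directory.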
+++ b/scripts/generate-wiki.py 
@@ -0,0 +1,500 @@
+#!/usr/bin/env python3
+"""Generate a markdown wiki with [[wiki-links]] from the master tool inventory.
+
+Produces interlinked markdown pages for tools, workflows, recipes, and categories.
+Designed for browsing with zk (https://github.com/zk-org/zk).
+
+Output: data/generated/wiki/
+"""
+
+import os
+import re
+import yaml
+
+BASE_DIR = os.path.join(os.path.dirname(__file__), "..")
+MASTER = os.path.join(BASE_DIR, "data", "remnux", "tools-master.yaml")
+WORKFLOWS_SRC = os.path.join(BASE_DIR, "data", "for610", "workflows.yaml")
+RECIPES_SRC = os.path.join(BASE_DIR, "data", "for610", "recipes.yaml")
+CATEGORIES_SRC = os.path.join(BASE_DIR, "data", "remnux", "categories-master.yaml")
+WIKI_DIR = os.path.join(BASE_DIR, "data", "generated", "wiki")
+
+
+def slug(name):
+ """Convert a name to a wiki-safe filename slug."""
+ s = name.lower().strip()
+ s = re.sub(r'\.py$', '', s)
+ s = re.sub(r'\.pl$', '', s)
+ s = re.sub(r'[^a-z0-9]+', '-', s)
+ return s.strip('-')
+
+
+def wiki_link(path, label=None):
+ """Create a [[wiki-link]]."""
+ if label:
+ return f"[[{path}|{label}]]"
+ return f"[[{path}]]"
+
+
+def load_yaml(path):
+ if not os.path.exists(path):
+ return {}
+ with open(path) as f:
+ return yaml.safe_load(f) or {}
+
+
+# ============================================================
+# Build cross-reference indexes
+# ============================================================
+
+def build_indexes(tools, workflows, recipes):
+ """Build lookup indexes for cross-referencing."""
+ # Tool ID → list of workflow IDs where it appears
+ tool_to_workflows = {}
+ for wf in workflows:
+ for step in wf.get("steps", []):
+ for tool_name in step.get("tools", []):
+ tool_to_workflows.setdefault(tool_name, []).append({
+ "workflow_id": wf["id"],
+ "workflow_name": wf["name"],
+ "step_order": step["order"],
+ "step_name": step["name"],
+ })
+
+ # Tool ID → list of recipe IDs where it appears
+ tool_to_recipes = {}
+ for recipe in recipes:
+ for tool_id in recipe.get("tools", []):
+ tool_to_recipes.setdefault(tool_id, []).append({
+ "recipe_id": recipe["id"],
+ "recipe_name": recipe["name"],
+ })
+
+ # Category → list of tool IDs
+ category_to_tools = {}
+ for t in tools:
+ cat = ""
+ if t["sources"]["remnux_docs"].get("covered"):
+ cat = t["sources"]["remnux_docs"].get("category", "")
+ elif t["sources"]["for610"].get("covered"):
+ cat = t["sources"]["for610"].get("category", "")
+ if cat:
+ category_to_tools.setdefault(cat, []).append(t)
+
+ # Build related tools index (same category)
+ tool_related = {}
+ for cat, cat_tools in category_to_tools.items():
+ for t in cat_tools:
+ related = [rt for rt in cat_tools if rt["id"] != t["id"]][:5]
+ tool_related[t["id"]] = related
+
+ return tool_to_workflows, tool_to_recipes, category_to_tools, tool_related
+
+
+# ============================================================
+# Generate tool pages
+# ============================================================
+
+def generate_tool_page(t, tool_to_workflows, tool_to_recipes, tool_related):
+ """Generate a wiki page for a single tool."""
+ name = t["name"]
+ desc = t.get("description", "")
+ tier = t.get("help_tier", "basic")
+ tid = t["id"]
+
+ # Determine category
+ cat = ""
+ cat_slug_val = ""
+ if t["sources"]["remnux_docs"].get("covered"):
+ cat = t["sources"]["remnux_docs"].get("category", "")
+ elif t["sources"]["for610"].get("covered"):
+ cat = t["sources"]["for610"].get("category", "")
+ if cat:
+ cat_slug_val = slug(cat)
+
+ # Determine tier label
+ tier_label = {"rich": "Rich (FOR610)", "standard": "Standard (docs)", "basic": "Basic"}.get(tier, tier)
+
+ lines = [f"# {name}"]
+ if desc:
+ lines.append(f"> {desc}")
+ lines.append("")
+
+ # Metadata
+ meta_parts = []
+ if cat:
+ meta_parts.append(f"**Category:** {wiki_link(f'categories/{cat_slug_val}', cat)}")
+ meta_parts.append(f"**Tier:** {tier_label}")
+ if t["sources"]["for610"].get("author"):
+ meta_parts.append(f"**Author:** {t['sources']['for610']['author']}")
+ lines.append(" | ".join(meta_parts))
+
+ # Docs link
+ if t["sources"]["remnux_docs"].get("docs_url"):
+ lines.append(f"**Docs:** [{t['sources']['remnux_docs']['docs_url']}]({t['sources']['remnux_docs']['docs_url']})")
+ lines.append("")
+
+ # Usage examples
+ usages = t["sources"]["for610"].get("typical_usage", [])
+ if usages:
+ lines.append("## Usage")
+ lines.append("```bash")
+ for u in usages:
+ lines.append(u)
+ lines.append("```")
+ lines.append("")
+
+ # Recipes
+ recipe_refs = tool_to_recipes.get(tid, [])
+ if recipe_refs:
+ lines.append("## Recipes")
+ seen = set()
+ for r in recipe_refs:
+ rid = r["recipe_id"]
+ rname = r["recipe_name"]
+ if rid not in seen:
+ seen.add(rid)
+ rslug = slug(rid)
+ lines.append(f"- {wiki_link(f'recipes/{rslug}', rname)}")
+ lines.append("")
+
+ # Workflows
+ wf_refs = tool_to_workflows.get(tid, [])
+ if wf_refs:
+ lines.append("## Workflows")
+ seen = set()
+ for w in wf_refs:
+ if w["workflow_id"] not in seen:
+ seen.add(w["workflow_id"])
+ wf_slug = w["workflow_id"].replace("_", "-")
+ lines.append(f"- {wiki_link(f'workflows/{wf_slug}', w['workflow_name'])} — Step {w['step_order']}: {w['step_name']}")
+ lines.append("")
+
+ # Related tools
+ related = tool_related.get(tid, [])
+ if related:
+ lines.append("## Related Tools")
+ for rt in related:
+ rt_desc = rt.get("description", "")[:60]
+ rt_name = rt["name"]
+ rt_slug = slug(rt_name)
+ lines.append(f"- {wiki_link(f'tools/{rt_slug}', rt_name)} — {rt_desc}")
+ lines.append("")
+
+ # FOR610 labs
+ labs = t["sources"]["for610"].get("labs", [])
+ sections = t["sources"]["for610"].get("sections", [])
+ if labs or sections:
+ lines.append("## FOR610")
+ if labs:
+ lines.append(f"**Labs:** {', '.join(labs)}")
+ if sections:
+ lines.append(f"**Sections:** {', '.join(str(s) for s in sections)}")
+ lines.append("")
+
+ # Tags
+ tags = t["sources"]["for610"].get("tags", [])
+ if tags:
+ lines.append(" ".join(f"#{tag}" for tag in tags))
+ elif cat:
+ lines.append(f"#{slug(cat)}")
+ lines.append("")
+
+ return "\n".join(lines)
+
+
+# ============================================================
+# Generate workflow pages
+# ============================================================
+
+def generate_workflow_page(wf, tools_by_id):
+ """Generate a wiki page for a workflow."""
+ name = wf["name"]
+ desc = wf.get("description", "")
+ steps = wf.get("steps", [])
+ related_labs = wf.get("related_labs", [])
+ tags = wf.get("tags", [])
+
+ lines = [
+ f"# {name}",
+ f"> {desc}",
+ "",
+ ]
+
+ if related_labs:
+ lines.append(f"**FOR610 Labs:** {', '.join(related_labs)}")
+ lines.append("")
+
+ lines.append("## Steps")
+ lines.append("")
+
+ for step in steps:
+ order = step.get("order", "?")
+ step_name = step.get("name", "")
+ step_desc = step.get("description", "")
+ step_tools = step.get("tools", [])
+
+ lines.append(f"### Step {order}: {step_name}")
+
+ if step_tools:
+ tool_links = []
+ for tool_name in step_tools:
+ tool_links.append(wiki_link(f"tools/{slug(tool_name)}", tool_name))
+ lines.append(f"**Tools:** {', '.join(tool_links)}")
+
+ if step_desc:
+ lines.append(f"\n{step_desc}")
+
+ # Add inline examples
+ if step_tools:
+ examples = []
+ for tool_name in step_tools:
+ tool = tools_by_id.get(tool_name) or tools_by_id.get(slug(tool_name))
+ if tool:
+ usages = tool["sources"]["for610"].get("typical_usage", [])
+ if usages:
+ examples.append(usages[0])
+ if examples:
+ lines.append("\n```bash")
+ for ex in examples[:3]:
+ lines.append(ex)
+ lines.append("```")
+
+ lines.append("")
+
+ if tags:
+ lines.append(" ".join(f"#{tag}" for tag in tags) + " #workflow")
+ lines.append("")
+
+ return "\n".join(lines)
+
+
+# ============================================================
+# Generate recipe pages
+# ============================================================
+
+def generate_recipe_page(recipe):
+ """Generate a wiki page for a recipe."""
+ name = recipe["name"]
+ task = recipe.get("task", "")
+ tools = recipe.get("tools", [])
+ commands = recipe.get("commands", [])
+ lab = recipe.get("lab", "")
+
+ lines = [
+ f"# {name}",
+ f"> {task}",
+ "",
+ ]
+
+ if tools:
+ tool_links = [wiki_link(f"tools/{slug(t)}", t) for t in tools]
+ lines.append(f"**Tools:** {', '.join(tool_links)}")
+ if lab:
+ lines.append(f"**FOR610 Lab:** {lab}")
+ lines.append("")
+
+ lines.append("## Commands")
+ lines.append("```bash")
+ for cmd in commands:
+ lines.append(cmd)
+ lines.append("```")
+ lines.append("")
+
+ lines.append("#recipe " + " ".join(f"#{slug(t)}" for t in tools))
+ lines.append("")
+
+ return "\n".join(lines)
+
+
+# ============================================================
+# Generate category pages
+# ============================================================
+
+def generate_category_page(cat_name, cat_tools):
+ """Generate a wiki page for a category."""
+ lines = [
+ f"# {cat_name}",
+ "",
+ f"**{len(cat_tools)} tools** in this category.",
+ "",
+ "## Tools",
+ "",
+ ]
+
+ # Group by tier
+ for tier_name, tier_label in [("rich", "Rich (FOR610)"), ("standard", "Standard"), ("basic", "Basic")]:
+ tier_tools = [t for t in cat_tools if t.get("help_tier") == tier_name]
+ if tier_tools:
+ lines.append(f"### {tier_label}")
+ for t in sorted(tier_tools, key=lambda x: x["name"]):
+ desc = t.get("description", "")[:60]
+ tname = t["name"]
+ tslug = slug(tname)
+ lines.append(f"- {wiki_link(f'tools/{tslug}', tname)} — {desc}")
+ lines.append("")
+
+ lines.append(f"#{slug(cat_name)} #category")
+ lines.append("")
+
+ return "\n".join(lines)
+
+
+# ============================================================
+# Generate index page
+# ============================================================
+
+def generate_index_page(category_to_tools, workflows, recipes, total_tools):
+ """Generate the wiki landing page."""
+ lines = [
+ "# REMnux Analysis Wiki",
+ "",
+ f"> {total_tools} tools | {len(workflows)} workflows | {len(recipes)} recipes",
+ "",
+ "## Browse by Category",
+ "",
+ ]
+
+ for cat_name in sorted(category_to_tools.keys()):
+ count = len(category_to_tools[cat_name])
+ lines.append(f"- {wiki_link(f'categories/{slug(cat_name)}', cat_name)} ({count} tools)")
+ lines.append("")
+
+ lines.append("## Workflows")
+ lines.append("")
+ for wf in workflows:
+ wf_slug = wf["id"].replace("_", "-")
+ lines.append(f"- {wiki_link(f'workflows/{wf_slug}', wf['name'])}")
+ lines.append("")
+
+ lines.append("## Recipes")
+ lines.append("")
+ for recipe in recipes:
+ rec_id = recipe["id"]
+ rec_name = recipe["name"]
+ rec_slug = slug(rec_id)
+ lines.append(f"- {wiki_link(f'recipes/{rec_slug}', rec_name)}")
+ lines.append("")
+
+ lines.append("## Quick Access")
+ lines.append("")
+ lines.append("```bash")
+ lines.append("# Browse interactively")
+ lines.append("zk list --interactive")
+ lines.append("")
+ lines.append("# Search by tag")
+ lines.append("zk list --tag pdf")
+ lines.append("")
+ lines.append("# Find what links to a tool")
+ lines.append("zk list --mention pdfid")
+ lines.append("```")
+ lines.append("")
+ lines.append("#index #wiki")
+ lines.append("")
+
+ return "\n".join(lines)
+
+
+# ============================================================
+# Main
+# ============================================================
+
+def main():
+ print("Generating wiki pages...")
+
+ # Load data
+ master = load_yaml(MASTER)
+ tools = master.get("tools", [])
+ remnux_tools = [t for t in tools if t.get("in_remnux")]
+
+ workflows_data = load_yaml(WORKFLOWS_SRC)
+ workflows = workflows_data.get("workflows", [])
+
+ recipes_data = load_yaml(RECIPES_SRC)
+ recipes = recipes_data.get("recipes", [])
+
+ print(f" Input: {len(remnux_tools)} tools, {len(workflows)} workflows, {len(recipes)} recipes")
+
+ # Build indexes
+ tool_to_workflows, tool_to_recipes, category_to_tools, tool_related = \
+ build_indexes(remnux_tools, workflows, recipes)
+
+ # Build tool lookup by id and name variants
+ tools_by_id = {}
+ for t in remnux_tools:
+ tools_by_id[t["id"]] = t
+ tools_by_id[slug(t["name"])] = t
+ for alias in t.get("aliases", []):
+ tools_by_id[slug(alias)] = t
+
+ # Create output directories
+ for d in ["tools", "workflows", "recipes", "categories", ".zk"]:
+ os.makedirs(os.path.join(WIKI_DIR, d), exist_ok=True)
+
+ # Generate tool pages
+ tool_count = 0
+ for t in remnux_tools:
+ filename = slug(t["name"]) + ".md"
+ content = generate_tool_page(t, tool_to_workflows, tool_to_recipes, tool_related)
+ with open(os.path.join(WIKI_DIR, "tools", filename), "w") as f:
+ f.write(content)
+ tool_count += 1
+
+ # Generate workflow pages
+ wf_count = 0
+ for wf in workflows:
+ filename = wf["id"].replace("_", "-") + ".md"
+ content = generate_workflow_page(wf, tools_by_id)
+ with open(os.path.join(WIKI_DIR, "workflows", filename), "w") as f:
+ f.write(content)
+ wf_count += 1
+
+ # Generate recipe pages
+ recipe_count = 0
+ for recipe in recipes:
+ filename = slug(recipe["id"]) + ".md"
+ content = generate_recipe_page(recipe)
+ with open(os.path.join(WIKI_DIR, "recipes", filename), "w") as f:
+ f.write(content)
+ recipe_count += 1
+
+ # Generate category pages
+ cat_count = 0
+ for cat_name, cat_tools in category_to_tools.items():
+ filename = slug(cat_name) + ".md"
+ content = generate_category_page(cat_name, cat_tools)
+ with open(os.path.join(WIKI_DIR, "categories", filename), "w") as f:
+ f.write(content)
+ cat_count += 1
+
+ # Generate index page
+ content = generate_index_page(category_to_tools, workflows, recipes, len(remnux_tools))
+ with open(os.path.join(WIKI_DIR, "index.md"), "w") as f:
+ f.write(content)
+
+ # Generate zk config
+ zk_config = """[note]
+default-title = "untitled"
+filename = "{{slug title}}"
+extension = "md"
+
+[tool]
+fzf-preview = "cat {-1}"
+
+[format.markdown]
+link-format = "wiki"
+"""
+ with open(os.path.join(WIKI_DIR, ".zk", "config.toml"), "w") as f:
+ f.write(zk_config)
+
+ total = tool_count + wf_count + recipe_count + cat_count + 1 # +1 for index
+ print(f"\nWiki generated: {total} pages")
+ print(f" tools: {tool_count}")
+ print(f" workflows: {wf_count}")
+ print(f" recipes: {recipe_count}")
+ print(f" categories: {cat_count}")
+ print(f" index: 1")
+ print(f"\nOutput: {WIKI_DIR}/")
+
+
+if __name__ == "__main__":
+ main()
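Review bot: In main() the tool-page loop writes `slug(t["name"]) + ".md"` without checking for collisions, and `slug()` lowercases and strips `.py`/`.pl`, so two inventory entries whose names differ only in case or extension map to the same `tools/<slug>.md`; the second silently overwrites the first while `tool_count` still counts both, so the reported page total can exceed the files on disk. Tracking the filenames already written and warning on a duplicate makes the overwrite visible (rewritten loop below). Workflow pages bypass `slug()` entirely (`wf["id"].replace("_", "-") + ".md"`, mirrored in generate_tool_page() and generate_index_page()), which makes them the only output filename taken from input data unsanitised; routing the id through `slug()` would be consistent with the other page types, though it changes link targets if any workflow id contains uppercase or other characters. build_indexes() keys `tool_to_workflows` by the raw step tool string while generate_tool_page() looks it up by `tid`, so if step entries are tool names rather than ids (the name/alias `tools_by_id` map in main() suggests they may be) the "Workflows" section on tool pages stays empty; normalising both sides with `slug()` would be safer. Every `open(..., "w")` omits `encoding="utf-8"` although the pages contain non-ASCII (the em dashes in the f-strings), so the output depends on the build locale.

```python
    # Generate tool pages
    tool_count = 0
    written = set()
    for t in remnux_tools:
        filename = slug(t["name"]) + ".md"
        if filename in written:
            print(f"  WARNING: duplicate tool slug '{filename}' for {t['id']}; page skipped")
            continue
        written.add(filename)
        content = generate_tool_page(t, tool_to_workflows, tool_to_recipes, tool_related)
        with open(os.path.join(WIKI_DIR, "tools", filename), "w", encoding="utf-8") as f:
            f.write(content)
        tool_count += 1
    # … unchanged: workflow, recipe, category, index and zk config generation …
```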